By Aaron Cummings, PEAKE Technology Partners | March 2026
Phishing attacks have changed. They're no longer the obvious, typo-filled scam emails asking you to wire money to a Nigerian prince. Today's attacks clone real websites, replicate legitimate emails, and use platforms your staff already trusts (DocuSign, SharePoint, Microsoft Teams) to deliver malicious links.
For healthcare practices, the stakes are uniquely high. A compromised account isn't just an IT headache. It's a potential HIPAA breach, a disruption to patient care, and a billing and revenue risk, all from one click, by one staff member, on one convincing email.
This is happening right now across the healthcare sector. If your practice handles electronic health records or uses any cloud-based file sharing, here's what you need to know, and what to do about it today.
Why DocuSign Links Are the New Attack Vector
Most people assume that a link from DocuSign is safe because it looks like it comes from DocuSign. Attackers know this. They've learned to use the brand trust that platforms like DocuSign, SharePoint, and Dropbox have built — because links from those domains are harder for email filters to flag, and more likely to be trusted by the person receiving them.
The attack works like this: a staff member receives an email that appears to be a DocuSign signature request. The branding is correct. The sender name looks legitimate. The link goes to a real DocuSign URL — but that URL redirects to a credential-harvesting page designed to steal their Microsoft 365 or Google Workspace login.
It's not a flaw in DocuSign. It's a flaw in our shared assumption that familiar platforms are automatically safe.
How to Spot a Spoofed DocuSign Request
Train your staff to pause before clicking any file-sharing link. Here are the specific red flags that often signal a phishing attempt masquerading as DocuSign:
- The email arrived unexpectedly — you weren't waiting for a document from this person or organization.
- The sender's email domain doesn't match the organization they claim to represent (e.g., @gmail.com instead of @organizationname.com).
- Hovering over the link shows a destination URL that doesn't match docusign.com or a known vendor's domain.
- The message creates urgency — 'Your document expires in 24 hours' or 'Action required immediately.'
- The request asks you to enter your Microsoft or Google credentials to view the document.
The simplest rule: if you weren't expecting a DocuSign link, verify it with a quick message or call to the sender before clicking. Ten seconds of friction is worth it.
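The checklist above, turned into a defensive triage check that runs over a raw inbound message, as an added example that is not part of the original article. The sample phishing email is constructed, and the DocuSign host allow-list and the webmail domain list are assumptions to adjust for your own environment.

```python
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real message): a phishing email styled as a DocuSign request.
SAMPLE_EMAIL = """\
From: "Riverside Medical Billing via DocuSign" <dse@gmail.com>
Subject: Action required: Your document expires in 24 hours
Content-Type: text/html

<html><body><p>Please review and sign the attached agreement.</p>
<a href="https://docusign.com.secure-review-login.example/view?id=1">REVIEW DOCUMENT</a>
<p>Sign in with your Microsoft 365 credentials to view.</p></body></html>
"""

TRUSTED_HOSTS = {"docusign.com", "docusign.net"}  # assumed allow-list of vendor hosts
WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}  # assumed consumer domains
URGENCY = re.compile(r"\b(expires? in \d+ hours?|action required|immediately)\b", re.I)
CRED_PROMPT = re.compile(r"\b(microsoft|google|office ?365)\b.*\b(credentials|sign in|log ?in|password)\b", re.I)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)

def host_is_trusted(url, trusted=TRUSTED_HOSTS):
    """True only if the parsed hostname is a trusted domain or a subdomain of one.
    Comparing the parsed host, not the string prefix, defeats docusign.com.attacker.example."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)

def claimed_org_mismatch(from_header):
    """A business-sounding display name over a consumer webmail address."""
    name, addr = email.utils.parseaddr(from_header)
    return bool(name) and addr.rsplit("@", 1)[-1].lower() in WEBMAIL

def red_flags(raw):
    """Return the checklist red flags that a raw RFC 5322 message trips, in checklist order."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    flags = []
    if claimed_org_mismatch(msg["From"] or ""):
        flags.append("sender-domain-mismatch")
    if URGENCY.search(f"{msg['Subject']} {body}"):
        flags.append("urgency-language")
    for url in HREF.findall(body):
        if not host_is_trusted(url):
            flags.append("untrusted-link:" + (urlparse(url).hostname or "?"))
    if CRED_PROMPT.search(body):
        flags.append("credential-prompt")
    return flags
```

The "unexpected email" flag from the checklist is context only a person has, so it stays a human check; the other four are automatable as shown.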
The Two Layers of Protection Every Practice Needs
Technology should be doing most of the heavy lifting here — not staff vigilance alone. There are two foundational protections that every healthcare practice should have in place.
1. Healthcare-Grade Spam Filtering
Not all spam filters are equal. A tool like Proofpoint Essentials is specifically built to catch the kind of sophisticated, brand-impersonation attacks targeting healthcare organizations today. It filters malicious emails while still letting legitimate ones through, and it can be configured for healthcare-specific workflows, so your clinical staff aren't constantly chasing false positives.
Generic spam filtering that came bundled with your email provider is usually not sufficient for the threat level healthcare practices face. If you're not sure what you have, ask your IT provider.
2. Multi-Factor Authentication (MFA) on Every Account
MFA is your safety net when everything else fails. Even if a staff member clicks a phishing link and their username and password are stolen, MFA means the attacker still can't get in without a second verification factor — an app code, a physical token, a fingerprint, or Face ID.
Under the updated HIPAA Security Rule requirements taking effect in 2025 and 2026, MFA is no longer optional for systems handling electronic protected health information (ePHI). If your practice hasn't implemented MFA across all staff accounts, this is the most urgent action item on your IT list.
The One Question to Ask Your IT Provider
"If someone on my staff clicks a phishing link and their credentials are stolen, what happens next?"
The answer should walk you through both a prevention layer and a recovery layer. Your provider should be able to tell you specifically: what tools are in place to catch the phishing email before it reaches your staff, what happens if a credential is compromised, how quickly they would detect it, and what the containment and recovery process looks like.
If your provider can't answer that question clearly and specifically, that's important information about whether your practice is adequately protected.
What a Healthcare-Focused IT Partner Does Differently
General-purpose IT providers manage technology. Healthcare-focused IT partners manage technology in the context of HIPAA compliance, patient data protection, and the operational realities of clinical environments.
That means spam filtering is configured with healthcare workflows in mind. MFA is deployed without disrupting clinical staff. Security Risk Assessments are conducted against HIPAA requirements, not just generic cybersecurity frameworks. And when an incident happens, the response considers the regulatory implications alongside the technical ones.
Most breaches start with one click. Technology reduces the risk. Awareness closes the gap. The right IT partner handles both.