Fish is for dinner. Phish will eat your lunch.

What’s a phish, anyway?

Simply put, phish are fake emails that cybercriminals use to launch 91% of their attacks. Hackers disguise emails to look like they’re from someone you know and trust.

If you take the bait, criminals can disrupt our Houston Methodist computer systems and steal confidential or sensitive information.

Hackers have evolved over the decades, keeping pace as the Internet has expanded to touch just about everything.

Their success rate is alarming: they breached more than 41.4 million patient records worldwide just last year.

Don’t get hooked. Be the one that got away.

You may have heard about the phishing drills HM IT is conducting. With these drills, we can learn to spot dangerous emails, and also know what to do when a real phishing email shows up.

Our first phishing drill took place in September, and the results revealed that we still have some work to do.

Although we improved in the October and November drills, we can do better. If these had been real attacks, they could’ve exposed our patient data.

How to spot a phish. How to stop it.

“We do a lot of work behind the scenes to prevent suspicious emails from getting to your inbox,” said Barry Beckett, chief information security officer. “With all this effort, a small number manage to make their way through.”

When it comes to protecting our HM data, we all play a role. Here are some tips on how to spot a phish. Be wary of emails coming from outside of HM. These emails are branded as “External” when you receive them.

Another clue that you’re looking at a phishing email is when it asks you to click a link or open an attachment, asks for your confidential info (username, etc.) and conveys a strong sense of urgency.

How to report a phishing email.

When you run across an email like this, send it to IT Security to help us stay secure. Here’s how.

  • Desktop/Laptop: Click the Report Phish – Phish Alarm button on the Outlook toolbar (automatically deletes the email).
  • Mobile: Tap the three dots by the sender’s name and tap the envelope icon at the bottom of the screen (automatically deletes the email).
  • Apps Center: Forward email to
  • Webmail/Office 365: Select the email. In the preview pane, click the three dots. Scroll down and click Report Phish.


We’ve come a long way. We still need your help.

With all the IT security measures that we currently have in place, we still need you to remain on the lookout. Hackers don’t rest, and neither can we.

“It takes all of us, constantly on guard, to protect our patients’ data and our business information,” Beckett said. “Keep an eye out, and report any suspicious emails. This is one critical step we can take as we all do our part to keep our organization safe.”

The phishing drills are helping us stay on top of our game. We need to always pay attention to protect our patients’ information, as well as our business data. Let’s all do our part to be the phish that got away.