Legit or phish? Test your Human Risk IQ.
Most breaches at small practices start with one click — or one phone call. Here are real-world examples aimed at offices like yours: emails, plus the phone scam hitting front desks now. Can you spot the fakes?
Our records show your Dentrix license will be deactivated in 24 hours. To avoid downtime at your practice, verify your account now.
Verify My License →
Is this email legit, or a phishing attempt?
Phish. Real Dentrix lives at dentrix.com (Henry Schein) — “dentrix-licensing.com” is a lookalike domain. Add manufactured urgency (“TODAY,” “24 hours”), a lockout threat, and a “verify” link that wants your login. Clinical software is never shut off by a surprise email.
Use this code to reset your password: 482 193. If you didn’t request this, you can safely ignore this email.
Is this email legit, or a phishing attempt?
Legit — and this one trips people up. The domain (accountprotection.microsoft.com) is genuine, it sends a one-time code rather than a link to “confirm your password,” and you only get it right after clicking “Forgot password.” Lesson: not everything is phishing. Just never read that code aloud to someone who calls you.
Your Electronic Filing Identification Number (EFIN) must be re-validated before the filing deadline. Log in to confirm your details and avoid suspension of e-file privileges.
Re-Validate EFIN →
Is this email legit, or a phishing attempt?
Phish. The IRS does not email you to log in or “re-validate” credentials, and the only real domain is irs.gov — not “irs-eservices-portal.com.” This one hunts tax pros in filing season with EFIN-suspension fear.
Are you at your desk? I need you to process a payment to a new vendor right away. Send me the company card number and I’ll explain after — I’m in back-to-back patients, so don’t call, just email me back.
Is this email legit, or a phishing attempt?
Phish — classic business email compromise. Urgency + secrecy (“don’t call”) + a request for card details + a free Gmail address impersonating the doctor. The “don’t call me” is the tell: always verify a money request out-of-band, by a number you already have.
This month’s update improves imaging and eClaims handling. No action needed — read the full release notes or register for our webinar on our website.
Is this email legit, or a phishing attempt?
Legit. Correct vendor domain (opendental.com), no urgency, no password request, “no action needed,” and it points you to the known website instead of a login form. When in doubt, go to the site directly rather than clicking — but this one’s fine.
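The domain tells in the answers above (the dentrix-licensing.com and irs-eservices-portal.com lookalikes, the genuine accountprotection.microsoft.com subdomain, and the free Gmail address posing as the doctor) can be checked mechanically before a human has to decide. The Python below is an added example, not code from this page or from Simon Says Systems: the vendor allow-list, the webmail list and the sample From: headers are constructed for the demo, and the two-label registrable-domain rule is an assumption that does not handle country-code suffixes such as .co.uk.

```python
"""Sender-domain triage for the tells this quiz explains.

Added example, not code from the quiz page or from Simon Says Systems.
The allow-list, webmail list and sample From: headers are constructed.
"""
from email.utils import parseaddr

# Real vendor domains named in the quiz answers (assumption: your own allow-list).
KNOWN_VENDOR_DOMAINS = {
    "dentrix": "dentrix.com",
    "microsoft": "microsoft.com",
    "irs": "irs.gov",
    "opendental": "opendental.com",
}

# Free webmail providers: a "doctor" writing from one of these is a BEC tell.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def sender_host(from_header):
    """Return the lower-cased host part of the address in a From: header, or ''."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(".")


def registrable_domain(host):
    """Last two labels of the host (assumption: no ccTLD suffixes like co.uk)."""
    return ".".join(host.split(".")[-2:])


def classify_sender(from_header):
    """Classify a From: header as known vendor, lookalike, free webmail, or unknown."""
    name, _ = parseaddr(from_header)
    host = sender_host(from_header)
    if not host:
        return "suspicious: no parsable address"
    reg = registrable_domain(host)

    # 1. Exact registrable-domain match: a genuine subdomain such as
    #    accountprotection.microsoft.com passes here.
    for real in KNOWN_VENDOR_DOMAINS.values():
        if reg == real:
            return "known vendor: " + real

    # 2. Brand name appearing as a label or hyphenated token of some OTHER
    #    domain: dentrix-licensing.com, irs-eservices-portal.com, dentrix.example.net.
    #    Token matching avoids false hits on words that merely contain "irs".
    tokens = set(host.replace("-", ".").split("."))
    for brand, real in KNOWN_VENDOR_DOMAINS.items():
        if brand in tokens:
            return "lookalike of " + real + ": " + host

    # 3. A personal display name on a free webmail account: verify out-of-band.
    if reg in FREE_WEBMAIL and name:
        return "free webmail with display name '" + name + "': " + host

    return "unknown domain: " + host


if __name__ == "__main__":
    # Constructed From: headers mirroring the quiz items.
    samples = [
        "Dentrix Licensing <noreply@dentrix-licensing.com>",
        "Microsoft account team <account-security-noreply@accountprotection.microsoft.com>",
        "IRS e-Services <efin@irs-eservices-portal.com>",
        "Dr Taylor <drtaylor.dds@gmail.com>",
        "Open Dental <news@opendental.com>",
    ]
    for s in samples:
        print(classify_sender(s))
```

The check is deliberately a triage, not a verdict: a concatenated lookalike such as "dentrixlicensing" slips past token matching, and a display name on Gmail only means "pick up the phone and use the number you already have", which is the same out-of-band rule the quiz gives for the doctor's card request.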
“Hi, it’s Craig with Simon Says Systems — we’re pushing a security update and I need you to approve the Microsoft/Duo prompt about to pop up on your phone. Can you also read me the 6-digit code so I can finish on my end? Thanks, you’re a lifesaver.”
Is this phone call legit, or a scam (vishing)?
Scam — vishing + MFA-fatigue. A partner you actually know never needs you to approve an MFA push you didn’t start, and no one legitimate ever asks for your 6-digit code — that code is the second factor; reading it out hands over your account. The tell: an unprompted push plus a request for the code. Hang up and call us back on the number you already have. (This is exactly why a local partner you know by voice matters — when in doubt, you can just call the real us.)
Your Human Risk IQ
Quizzes are fun; real inboxes aren’t. And under HIPAA and the FTC Safeguards Rule, ongoing security-awareness training for all staff isn’t just smart — it’s an expected safeguard for protecting patient and client data. We pair it with email filtering and MDR that catch most of these before anyone has to decide.
👥 Curious how your team would do? Drop this in your staff chat and compare scores: simonsayssystems.com/tools/phishing-iq-quiz/
Your people are the real firewall.
We pair security-awareness training with managed email security and MDR so one bad click doesn’t become a breach. Book a free 20-minute check — no obligation.