
Phishing in Houston’s Healthcare and Professional Services: 2026 Threat Patterns

Stylized envelope releasing a phishing hook against the Texas Medical Center skyline at dusk — Aspendora

If you run a medical practice in the Texas Medical Center area, or a law / accounting / engineering firm in the Galleria or Uptown corridors, your inbox is being studied. The phishing attempts hitting your team in 2026 don't look like the "dear sir, you have won" emails of a decade ago. They look like real correspondence from people and institutions you actually deal with.

What changed in 2026

Two shifts. First, attackers now use generative AI to write convincing English that mirrors industry-specific tone — HIPAA notices that read like real HIPAA notices, court filings that read like real court filings. Second, attackers do their homework. They scrape LinkedIn, company websites, and public filings to learn names, vendor relationships, and project context. The pretext is custom-fit to each victim.

The result: the obvious red flags (typos, generic greetings, bizarre formatting) are largely gone. What's left requires actual judgment.

The three most common 2026 pretexts in Houston

1. The HHS / HIPAA audit notification. Aimed at medical practices in the Medical Center. The email claims to be from a federal investigator, references an actual recent OCR enforcement action for credibility, and asks the practice manager to upload a list of recent breach incidents to a portal. The portal is fake; the login credentials entered there are harvested.

2. The vendor invoice swap. Aimed at professional services firms with predictable monthly vendor relationships (cleaning, IT, legal research subscriptions). The attacker watches for the real vendor's invoice email, then sends an "updated banking details" email from a look-alike domain a few days later. Your accounts payable team updates the wire instructions. The next real invoice gets paid to the attacker.

3. The court notice. Aimed at law firms and any business that's been in recent litigation. The email impersonates a Texas court clerk and includes a PDF that purportedly contains a subpoena or filing. The PDF either carries malware or contains a link to a credential-harvesting page.

What good email security blocks vs. what it doesn't

Modern email filtering (Microsoft Defender for Office 365, Proofpoint, Mimecast, etc.) blocks the vast majority of generic phishing. It catches known-bad senders, known-bad URLs, known-bad attachments, and obvious impersonation patterns.

What it struggles with: spear-phishing from a newly registered domain that closely mimics a real vendor, hosted on infrastructure with no prior reputation. The first wave of a campaign targeting your firm specifically often gets through, especially if it doesn't contain a link or attachment for the filter to inspect.

The implication: technology blocks the noise. Humans have to spot the targeted attempts.
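The invoice-swap pretext above and the paragraph on newly registered look-alike domains both come down to the same check: does this sender's domain match a vendor we already know, or only look like one? The following is an added example, not Aspendora's code or any email product's logic, of a triage routine that compares each inbound sender's domain against a list of known vendor domains (catching confusable spellings, one- or two-character variants and names with the vendor's label embedded), and pairs that with the "updated banking details" wording of the invoice swap. The vendor list, the sample messages, the Reply-To check and the "last two labels" shortcut for the registrable domain are all assumptions made for this example.

```python
"""Sender-domain triage for look-alike vendor domains and banking-change requests.

Added example, not Aspendora's code or any product's logic. Assumptions: the firm
keeps a list of domains it legitimately corresponds with (constructed below), and
messages arrive as raw RFC 5322 text. The registrable domain is approximated as
"last two labels"; a real deployment should use the public suffix list.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of vendor domains (assumption, not real vendors).
KNOWN_VENDOR_DOMAINS = {"cleanstar-houston.com", "galleria-law-research.com", "msp-example.com"}

# Spellings that make a look-alike read like the real name at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Wording that turns a look-alike sender into the invoice-swap pretext.
PAYMENT_CHANGE = re.compile(
    r"\b(bank(ing)? details|wire|remit(tance)?|routing|account number)\b", re.I)


def registrable_domain(header_value: str) -> str:
    """Extract the address's domain and reduce it to its last two labels."""
    _, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])


def normalize(domain: str) -> str:
    """Fold Unicode and confusable spellings so look-alikes collide with the real name."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, known=KNOWN_VENDOR_DOMAINS) -> str:
    """Label a sender domain relative to the vendors the firm already knows."""
    if domain in known:
        return "known-vendor"
    norm = normalize(domain)
    for vendor in known:
        vnorm = normalize(vendor)
        if norm == vnorm:
            return "lookalike:confusable"      # e.g. cleanstar-h0uston.com
        if edit_distance(norm, vnorm) <= 2:
            return "lookalike:near-match"      # e.g. cleanstar-houston.co
        vlabel, label = vnorm.split(".")[0], norm.split(".")[0]
        if vlabel in label and vlabel != label:
            return "lookalike:embedded"        # e.g. cleanstar-houston-billing.com
    return "unknown-first-contact"             # no history: reputation filters have nothing to go on


def triage(raw_message: str) -> dict:
    """Return a verdict and the handling step a defender would apply."""
    msg = message_from_string(raw_message)
    from_domain = registrable_domain(msg.get("From", ""))
    reply_domain = registrable_domain(msg.get("Reply-To", msg.get("From", "")))
    verdict = classify_domain(from_domain)
    body = msg.get_payload() if not msg.is_multipart() else ""
    payment_change = bool(PAYMENT_CHANGE.search(msg.get("Subject", "") + " " + body))
    if verdict.startswith("lookalike"):
        action = "quarantine; alert AP; confirm with vendor by phone on the number already on file"
    elif payment_change:
        action = "hold; banking changes require a call-back before any update"
    elif reply_domain != from_domain:
        action = "hold for review; Reply-To domain differs from From domain"
    elif verdict == "unknown-first-contact":
        action = "deliver with first-contact banner"
    else:
        action = "deliver"
    return {"domain": from_domain, "verdict": verdict,
            "payment_change": payment_change, "action": action}


# Constructed sample messages (no real senders).
SAMPLES = {
    "real_invoice": "From: Billing <billing@cleanstar-houston.com>\nSubject: Invoice 4471 - March\n\nInvoice 4471 attached. Thank you.\n",
    "banking_swap": "From: Billing <billing@cleanstar-h0uston.com>\nSubject: Updated banking details for invoice 4471\n\nPlease remit future payments to our new account.\n",
    "near_match": "From: billing@cleanstar-houston.co\nSubject: Invoice 4472\n\nSee attached.\n",
    "new_contact": "From: Lisa <lisa@unrelated-startup.com>\nReply-To: lisa@mail-relay-example.net\nSubject: Introduction\n\nWould love to connect.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The point of the design is that a banking change is held for a call-back even when the sender is a known vendor, and that a look-alike is quarantined even when the message carries no link or attachment, which is exactly the first-wave message a reputation-based filter lets through.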

Why awareness training is now non-negotiable

The single most cost-effective control in 2026 is recurring security awareness training combined with simulated phishing campaigns. Once a quarter, employees receive a fake phishing email modeled on current attacker techniques. Those who click get an immediate teachable moment. Those who report it get positive reinforcement.

Houston-area firms running quarterly simulations typically see their click-through rates drop from 25-35% in the first round to under 5% after a year. That delta is the difference between a breached firm and a not-breached firm.

What to do this quarter

  • Enroll every employee in recurring phishing simulation training. Once a quarter is the minimum.
  • Implement vendor-payment verification: any change to banking details requires a phone call to a known number, not a reply to the email.
  • For healthcare practices: confirm your email filter is tuned to block look-alike domains targeting your firm name.
  • Document a reporting workflow. Every employee should know exactly where to forward a suspicious email (most M365 tenants can install a one-click "Report Phishing" button).

If you're not sure where you stand, we offer a no-cost phishing baseline test for Houston-area firms. Book a discovery call and we'll set it up.

Aspendora Technologies has provided cybersecurity and managed IT services to Houston-area medical, legal, and professional services firms since 2010.
