Fact-checked by the SnapMessages editorial team
According to IBM’s 2025 Cost of a Data Breach Report, the average cost of a phishing-related breach reached $4.88 million in 2025, nearly a 10% jump over the prior year. That figure gets cited in enterprise boardrooms, but it rarely reaches the inbox of a wellness coach, a private practice owner, or an independent nutritionist. Yet small business email security is precisely where the threat has migrated: attackers have largely given up on hardened corporate targets and are quietly pivoting to smaller, less-defended organizations that hold valuable client data and run with no dedicated IT support.
The numbers behind this shift are striking. Small businesses with fewer than 100 employees are 350% more likely to be targeted by phishing attacks than employees at larger enterprises, and the 2025 Verizon Data Breach Investigations Report found that 60% of all breaches involved the human element, including phishing, stolen credentials, and social engineering. Phishing served as the initial attack vector in 16% of all breaches investigated in 2025. Health and wellness businesses sit at a particularly exposed position: they collect sensitive personal data through intake forms, coaching notes, and appointment systems, yet most operate with budgets and IT infrastructure more comparable to a small retail shop than a hospital network.
This guide gives wellness business owners a practical, honest roadmap for closing the most dangerous email security gaps. By the end, you will understand what a modern phishing attack actually looks like in 2025, which technical controls are non-negotiable, how to evaluate tools within a real budget, and exactly what to do in the first 24 hours if an attack gets through.
Key Takeaways
- Phishing-related breaches cost an average of $4.88 million in 2025, a nearly 10% year-over-year increase, according to IBM’s Cost of a Data Breach Report.
- Small businesses with under 100 employees face a 350% higher phishing targeting rate than staff at large enterprises.
- Multi-factor authentication blocks over 99.2% of account compromise attacks, yet only 27% of small businesses with under 25 employees have turned it on.
- 60% of businesses that experience a cyberattack close within six months; one in five would face closure from a $10,000 damage event alone.
- AI-generated phishing emails now achieve significantly higher click-through rates than human-written campaigns, and over 82% of current phishing emails use some form of AI-generated content, making traditional “look for spelling errors” advice actively misleading.
- Healthcare holds the most expensive breach costs of any industry at an average of $7.42 million per incident, now for the 14th consecutive year, which means any wellness business storing client health data is holding high-value criminal-market material.
In This Guide
- Why Wellness Business Owners Are Being Targeted More Than They Realize
- What a Modern Phishing Attack Actually Looks Like in 2025
- The Three Technical Foundations Every SMB Email Setup Needs
- Choosing an Email Security Layer That Fits a Small Business Budget
- Training Yourself and Your Team Without Burning Everyone Out
- The Vendor and Supply Chain Risk Most Wellness Businesses Overlook
- What to Do in the 24 Hours After a Phishing Attack
- Building a Secure-by-Default Email Culture Without Becoming a Tech Person
Why Wellness Business Owners Are Being Targeted More Than They Realize
The most dangerous assumption in small business cybersecurity is the one that sounds the most reasonable: “I’m too small to matter.” Attackers have done the math, and that logic runs exactly backwards. Larger organizations have dedicated security teams, enterprise-grade filtering, and incident response protocols. They also often refuse to pay ransoms, having prepared for that scenario. Small wellness businesses have none of that, and they are sitting on data that commands a premium on criminal markets.
Health-related data is consistently the most valuable category of personal information in underground markets, fetching far more per record than financial data alone. A client intake form from a nutrition practice, a set of coaching notes from a mental health adjacent wellness coach, or a hijacked appointment booking system can expose sensitive personal details about dozens or hundreds of individuals. The breach doesn’t have to be sophisticated to be damaging; it just has to happen once.
The Specific Attack Scenarios Wellness Businesses Face
Most generic small business security content talks about phishing in the abstract. The attacks that actually hit wellness operators look specific: a fake email from what appears to be your EMR or practice management platform asking you to re-authenticate; a spoofed invoice from a supplement supplier with updated bank details; an impersonated insurance reimbursement notification asking you to click and verify your provider credentials. Each scenario is designed around the real workflows of this type of business.
Understanding how social engineering tactics work in practice helps explain why these targeted campaigns succeed. Attackers research their marks. They know which scheduling platform your industry favors, which insurance names appear frequently in healthcare billing, and which supplier names recur in wellness business forums. The result is a message that looks entirely routine until money has already moved or credentials have already been handed over.
Small businesses with fewer than 100 employees are 350% more likely to be targeted by phishing attacks than employees at large enterprises, according to industry research cited by Paubox.
Healthcare holds the most expensive breach costs of any sector, averaging $7.42 million per incident according to IBM, now for the 14th consecutive year at the top. Even a wellness business that does not classify itself as a healthcare provider may store data with healthcare-adjacent sensitivity: weight, medical history snippets, mental health disclosures shared during coaching. That data has real market value, and attackers know it.
What a Modern Phishing Attack Actually Looks Like in 2025
Stop telling employees to look for spelling mistakes. That advice was useful in 2010. In 2025, more than 82% of phishing emails use some form of AI-generated content, and AI-generated campaigns achieve dramatically higher click-through rates than human-written ones. The grammar is perfect. The tone matches the vendor it impersonates. The logo is scraped directly from the real company’s website.
The tactics that are actually gaining ground in 2025 are less about volume and more about precision. Attackers are spending time on reconnaissance before sending a single message, and the payoff is a campaign that bypasses both automated filters and human skepticism simultaneously.
Business Email Compromise and Thread Hijacking
Business Email Compromise (BEC) refers to attacks where a criminal impersonates a trusted entity, typically a supplier, insurance provider, or senior colleague, to request a wire transfer, credential submission, or sensitive file. For a wellness business, the most common BEC scenarios involve fake supplier payment changes, fraudulent insurance reimbursement claim updates, and impersonated software vendors asking for login credentials to “resolve a billing issue.”
The harder-to-detect variant is thread hijacking. Here, an attacker first compromises a vendor’s email account, reads the existing conversation history, then replies into an ongoing thread with a malicious request. The email arrives from the real vendor’s actual address, references real prior conversations, and contains nothing visually suspicious. Thread hijacking now accounts for roughly 28% of all BEC attacks, and neither humans nor standard filters catch it reliably, because from every measurable signal, it looks like a legitimate continuation of a real conversation.
Thread hijacking, where attackers compromise a vendor’s account and reply into an existing email conversation with a malicious request, now accounts for approximately 28% of all BEC attacks. Because the email arrives from a known contact with real conversation history, it bypasses both human suspicion and automated filters.
Session Token Harvesting: The Attack That Beats MFA
Most small business security guidance ends at “enable multi-factor authentication.” That is necessary advice, but there is a documented gap that almost no wellness-facing content addresses: session token harvesting. Once you successfully log into your email platform and complete the MFA check, your browser stores an authentication cookie confirming the session. Attackers using adversary-in-the-middle phishing kits (like the widely-documented Evilginx framework) can intercept and steal that cookie, then replay it from their own machine. The platform sees a valid, already-authenticated session and lets them in without triggering another MFA prompt.
This does not mean MFA is not worth enabling. It absolutely is. But understanding that credential theft has evolved past the password layer explains why MFA alone cannot be the last word. Session token harvesting is the reason phishing-resistant hardware keys and conditional access policies exist, and it is the reason even MFA-protected accounts occasionally get breached. If you want to understand how hardware authentication fits into this picture, the guide on whether a hardware security key is right for your accounts covers the practical tradeoffs in detail.
QR code phishing, sometimes called “quishing,” is a related tactic worth understanding. Attackers embed malicious URLs inside QR codes on invoices, appointment confirmations, or printed materials because most email filters scan text links but not the destination of a QR code image. For more on how this specific vector works, see how cybercriminals use fake QR codes to steal information.

The Three Technical Foundations Every SMB Email Setup Needs
Before evaluating any paid tool, three free configuration controls need to be in place. They are not optional. Skipping them and debating which email security platform to buy is like debating alarm systems while the front door is unlocked.
SPF, DKIM, and DMARC Explained Without Jargon
SPF (Sender Policy Framework) is a DNS record that lists which servers are authorized to send email on behalf of your domain. If someone spoofs your domain address to send phishing email, SPF tells receiving servers to reject it. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to outgoing emails, allowing the recipient’s server to verify the message was not altered in transit. DMARC (Domain-based Message Authentication, Reporting, and Conformance) sits on top of both: it tells receiving servers what to do when SPF or DKIM checks fail, whether to quarantine the message, reject it outright, or just report it.
In practical terms, DMARC with a “reject” policy means that if an attacker tries to send a phishing email impersonating your domain, it never reaches the recipient. It is also one of the most under-deployed controls in small business email. Research suggests a significant majority of breached healthcare-adjacent email domains lacked proper DMARC protection at the time of compromise. Configuring all three records costs nothing beyond the time to access your domain’s DNS settings, and both Google Workspace and Microsoft 365 have step-by-step documentation to walk through it.
Start DMARC in “p=none” mode (monitoring only) to collect reporting data on who is sending email on behalf of your domain. After two to four weeks, review the reports using a free tool like MXToolbox or dmarcian, then move to “p=quarantine” and eventually “p=reject” once you have confirmed all legitimate senders are properly authorized.
Multi-Factor Authentication: The Highest-Return Action Available
Microsoft’s own published data shows MFA blocks over 99.2% of account compromise attacks. Yet only 27% of small businesses with under 25 employees have implemented it. That gap is the most defensible argument in this entire article: the solution to the overwhelming majority of account takeover attacks is already included in your Google Workspace or Microsoft 365 subscription and takes roughly 20 minutes to enable across the organization.
The honest concession is that these three controls, SPF, DKIM, DMARC, and MFA together, are a floor, not a ceiling. They will not stop a well-crafted AI-generated phishing email that does not impersonate your own domain, and as noted above, session token harvesting can bypass MFA under specific conditions. But they eliminate the largest, most common categories of attack. Any wellness business that has not deployed all four has larger gaps to close than which paid security tool to evaluate next.
| Control | What It Stops | Cost | Time to Implement |
|---|---|---|---|
| SPF | Domain spoofing; fake “from” addresses using your domain | Free (DNS record) | 15-30 minutes |
| DKIM | Message tampering in transit; forged email content | Free (DNS record) | 20-40 minutes |
| DMARC | Policy enforcement when SPF/DKIM fail; provides reporting | Free (DNS record) | 30-60 minutes + monitoring period |
| MFA | 99.2%+ of account compromise attacks | Included in Google/M365 | 20 minutes per user |
Choosing an Email Security Layer That Fits a Small Business Budget
Once the four free controls are in place, the next question is whether additional tooling is warranted. For a wellness business that collects client health data through any channel, including informal coaching notes or intake forms, the answer is almost always yes.
Basic Spam Filter vs. Behavioral Security Layer
A basic spam filter was designed to block bulk junk mail: obvious sender patterns, known malicious domains, mass-sending IP addresses. It was not designed to detect a BEC attack sent from a legitimate domain that has never appeared on any blocklist, or a thread hijacking reply from a real vendor’s compromised account. Around 65% of health-adjacent organizations still rely on a basic spam filter as their primary defense, according to industry estimates, which is why BEC succeeds as often as it does.
Behavioral email security platforms work differently. They build a baseline of normal communication patterns for your organization, then flag messages that deviate from that baseline even when they come from legitimate-looking domains. A finance request from a supplier who normally sends order confirmations would be unusual behavior. A login prompt from your EMR platform at 2 AM would be flagged. These tools are not foolproof, but they close the gap that basic filters leave wide open.
The average Business Email Compromise attack costs $160,000 in direct losses. One in five small US businesses would face closure from just a $10,000 damage event, and 60% of businesses that experience a cyberattack close within six months.
A Practical Tiered Framework for Wellness SMBs
Not every wellness business needs the same solution. The framework below reflects realistic budget and risk tiers:
| Tier | Best For | Tools | Approximate Monthly Cost |
|---|---|---|---|
| Tier 1: Free Built-In | Solo practitioners, minimal client data | Google Workspace phishing alerts, Microsoft Defender built-in rules, DMARC reporting | $0 (included in existing subscription) |
| Tier 2: Add-On Layer | Practices with client health data, staff of 2-15 | Proofpoint Essentials, Microsoft Defender for Business, Abnormal Security SMB | $3-$8 per user/month |
| Tier 3: Managed Security | Growing practices, HIPAA-adjacent operations, multiple locations | Managed security service provider (MSSP) with email security included | $50-$200+/month depending on scope |
The budget objection deserves a direct answer. At $3 to $8 per user per month for a solid Tier 2 tool, a five-person wellness practice spends $15 to $40 per month on email protection. Compare that to the $160,000 average cost of a successful BEC attack, or to the reality that 60% of attacked small businesses close within six months. The math is not complicated. The more honest challenge is that these tools require someone to actually configure and monitor them, which brings up the training question.
Training Yourself and Your Team Without Burning Everyone Out
Security awareness training, when done well, reduces phishing susceptibility from an industry baseline of roughly 33% to under 5%, an 86% reduction. When done poorly, meaning once per year during an obligatory onboarding module, it does almost nothing. Phishing tactics shift week by week, particularly as AI-generated campaigns evolve rapidly. An employee trained in January is working with pattern recognition that may be genuinely outdated by March.
Annual Training Is Not Enough
Research suggests that 57% of health-sector organizations train employees on phishing only once per year. That schedule would have been marginal in 2019. In 2025, against AI-generated campaigns that contain no traditional red flags and are tailored to specific industries, it is functionally ineffective. The visual cues most annual training modules describe, misspelled domains, urgent language, poor formatting, are specifically what modern phishing tools are designed to eliminate.
The solution is not longer training sessions. It is more frequent, shorter ones. Monthly 15-minute micro-modules focused on one current attack type outperform quarterly 90-minute courses on every measurable metric. The goal is to keep pattern recognition current, not to check a compliance box.
Role-Based Scenarios and Blame-Free Reporting
The attack scenarios a practice owner faces are different from those targeting a front-desk employee. The owner is most likely to receive a fake wire transfer request, a spoofed supplier invoice with updated banking details, or a fraudulent insurance reimbursement email. A reception employee is more likely to encounter a fake scheduling software login prompt or a client impersonation attempt. Training that treats both as the same audience misses the specificity that makes scenarios feel real and memorable.
One factor almost no competitor content addresses is the behavioral dimension. Research has found that 47% of employees who fell for a phishing scam cited workplace distraction, not lack of awareness, as the reason. This is a meaningful finding for wellness business owners: your team does not need to be uninformed to click the wrong link. They need to be protected by systems that work even when attention is divided, and they need a culture where reporting a suspicious email or admitting a mistake does not feel shameful.
47% of employees who fell for a phishing scam cited workplace distraction as the reason, not a lack of security awareness. Building a blame-free reporting culture, where any team member can flag a suspicious email without embarrassment, is one of the most practical defenses a small practice can implement.
Creating a blame-free reporting environment has a concrete structure: a shared email address or Slack channel where anyone can forward suspicious messages, explicit communication from ownership that clicking a suspicious link by accident is a recoverable event, and a brief weekly or monthly acknowledgment of any phishing attempts the team caught. This turns reporting into a routine professional behavior rather than an admission of failure.
Free phishing simulation tools, including Google Workspace’s built-in phishing simulation and the free tier of KnowBe4’s platform, allow a practice owner to send realistic test phishing emails to staff and see who clicks. Run one per month. When someone clicks, treat it as a training moment, not a disciplinary one.
The Vendor and Supply Chain Risk Most Wellness Businesses Overlook
Your email security is only as strong as the security practices of every vendor connected to your workflow. For a wellness business, that chain includes your EMR or practice management platform, your scheduling software, your supplement suppliers, your email newsletter provider, and possibly a billing or bookkeeping service. Supply chain attacks, where the entry point is a compromised vendor rather than your own network, account for approximately 15% of small business breaches.
Why Vendor Email Is Particularly Dangerous
The mechanics of thread hijacking make vendor email the highest-risk category. An attacker who compromises your scheduling software’s email system does not need to spoof anything. They read your prior conversations, understand the context of your relationship, then insert a message that appears to continue a real exchange. There is no unfamiliar sender address to flag. There is no suspicious attachment warning. There is a reply to a thread you recognize from a name you trust, asking you to update payment details or verify credentials.
Most small businesses have no established protocol for verifying these requests. A verbal verification call to a known phone number for any invoice change, payment update, or credential reset request is the most reliable defense against thread hijacking, because it moves the verification out of the compromised channel entirely.
Never verify a payment change, new bank account detail, or credential reset request exclusively through email, even if the message appears to come from a vendor you know well. Call a verified phone number to confirm. Thread hijacking works precisely because the email looks entirely legitimate.
Three Questions to Ask Every Software Vendor
Most small wellness businesses do not vet their vendors’ security practices at all. Fifty-three percent of small businesses do not require vendors to follow any cybersecurity standards. The following three questions, asked before signing any contract involving client data, change that dynamic without requiring legal expertise:
- What data do you store on my clients’ behalf, and how is it encrypted at rest and in transit?
- Have you experienced a security incident in the past 24 months, and if so, how was it handled and disclosed?
- What is your process for notifying customers in the event of a breach affecting their data?
A vendor who cannot or will not answer these questions clearly is a vendor who should not hold your clients’ data. The answers also help you understand your own liability in the event of a downstream breach. If your EMR platform is compromised and client health data is exposed, you may have notification obligations regardless of whose fault the breach was.

What to Do in the 24 Hours After a Phishing Attack
Most small business security content stops at prevention. That is an incomplete service to the reader, because prevention fails sometimes. A business owner who has been phished and has no idea what to do next is in the most dangerous position: under pressure, potentially embarrassed, and making reactive decisions without a plan.
The Immediate Response Sequence
The first priority is containment, not communication. Within the first hour, the compromised device should be disconnected from the network, all passwords for the affected account should be changed from a separate, clean device, and active sessions should be revoked through the admin panel of your email platform. Both Google Workspace and Microsoft 365 allow administrators to sign a user out of all active sessions from a central dashboard. Do that before changing the password, not after, to close any sessions an attacker may currently be in.
Notify any clients whose data may have been accessed as quickly as accurate information allows. Waiting until you have a complete picture before saying anything is understandable, but it can also expose you to legal and reputational risk. A brief, factual acknowledgment that you are investigating a possible security incident and will provide updates is better than silence.
Legal Obligations Wellness Businesses Often Miss
If your business collects health information in any form, including informal intake forms, coaching notes, or supplement protocols tied to medical conditions, a breach may trigger obligations beyond general data protection. Formal healthcare providers covered by HIPAA have a 60-day notification window for breaches affecting protected health information. State data breach notification laws apply broadly across most US states and cover personal data more generally, often with shorter notification timelines. Check your state attorney general’s office website for the specific requirements in your jurisdiction.
Reporting the incident to the FBI Internet Crime Complaint Center (IC3) and to CISA is a routine professional act, not an admission of failure. These agencies use reports to track attack patterns and issue warnings to other potential victims. Filing a report takes about 15 minutes and contributes to a broader early warning system for other small businesses.
Under HIPAA, formal healthcare providers have 60 days to notify affected individuals of a breach. Many state laws require faster notification, sometimes within 30 days or less. Do not assume you have unlimited time to communicate a breach to clients; consult your state’s attorney general website or a legal advisor promptly.
The Psychological Reality of a Breach
A phishing attack triggers real stress, shame, and decision paralysis in the people it hits. This is not a character flaw; it is a predictable stress response. Wellness business owners who are accustomed to thinking carefully about mental and emotional wellbeing should extend the same framework to themselves in this moment. The shame response after a breach is the primary reason small businesses delay reporting, delay notifying clients, and delay taking the remediation steps that limit damage.
Print a one-page incident checklist and keep it somewhere accessible. Having a physical reference breaks the paralysis by converting an overwhelming situation into a series of concrete, completable steps. A minimal checklist covers: isolate device, revoke sessions, change passwords, preserve evidence, notify clients, report to IC3, contact your attorney if health data was involved.
Building a broader personal digital security routine before an incident happens is the best preparation for handling one calmly. The guide on building a personal digital security routine that actually sticks offers a practical framework for making these habits durable rather than reactive.
Building a Secure-by-Default Email Culture Without Becoming a Tech Person
Security does not need to be a project you complete once and set aside. For a wellness business, it works better as a hygiene routine: a low-effort, repeatable habit that compounds over time rather than an intensive initiative that decays after the first month.
The Monthly Habit Loop
A practical monthly cadence for a wellness business of any size looks like this: one technical setting reviewed (check that DMARC reporting is still active, verify MFA is enabled on any new accounts), one phishing simulation sent to staff if applicable, and one short conversation about any suspicious messages the team has noticed. Total time: 30 to 45 minutes per month.
That is not a demanding standard. It is a realistic one. The wellness business owners who are quietly getting this right are not doing anything sophisticated. They have set up the four free controls, enabled a behavioral email filter appropriate to their budget, trained their team on current attack types, and established a verbal verification rule for any financial request. Five unglamorous basics, applied consistently, while most competitors do none of them.
The Solo Practitioner Checklist
For practitioners without staff, the attack surface is smaller but the defense is entirely personal. There is no team to catch what you miss. A workable solo-owner baseline:
- A dedicated business email domain (not a personal Gmail account) with SPF, DKIM, and DMARC configured
- MFA enabled on all accounts, with hardware key authentication for high-risk accounts where practical
- A password manager with unique passwords for every service, eliminating credential reuse across platforms
- A standing personal rule: any financial request, payment change, or credential reset that arrives solely by email is verified by phone before acting on it
- A brief monthly check of login activity in your Google or Microsoft admin console, looking for unfamiliar locations or devices
If you travel frequently and need to keep business communications secure across different networks and devices, the guidance on securing your messaging apps before international travel covers some of the same cross-device security principles in a mobile context.
Passkeys, the passwordless authentication method now supported by Google, Apple, and Microsoft, eliminate the entire password phishing vector by design. Because a passkey cannot be typed into a fake login page, it defeats credential harvesting attacks regardless of how convincing the phishing email was. Understanding why passkeys are replacing passwords across major platforms is worth 10 minutes of reading for any wellness business owner.
Perfect security does not exist, and anyone who tells you otherwise is selling something. The honest position is this: most small wellness businesses are currently doing zero of the five basics, which means the gap between their current exposure and a defensible baseline is closable in an afternoon. The goal is not invulnerability. It is making your business a harder target than the one next door, because attackers, operating at scale, will move to the next easier option.

Real-World Example: How a Thread Hijacking Attack Hit a Small Nutrition Practice
Consider an illustrative example: a registered dietitian running a solo private practice with eight active clients per week and a supplement supplier she had worked with for two years. In late 2024, she received what appeared to be a reply to a prior order confirmation email from the supplier. The email was grammatically perfect, referenced her most recent order number accurately, and explained that the supplier had switched payment processors and asked her to update her saved payment details via a linked portal. She clicked the link, entered her business bank login credentials to “verify the account change,” and submitted the form. Within 48 hours, $4,200 had been withdrawn from her business account in two transactions.
The mechanics were straightforward: the supplier’s email account had been compromised two weeks earlier. The attacker read through prior correspondence, identified the dietitian as a regular paying customer, and inserted a fraudulent request into a real email thread. Her email provider’s basic spam filter saw a message from a known sender replying to a known thread and flagged nothing. She had no DMARC policy, no behavioral email filter, and no verbal verification protocol for financial requests.
After the attack, she contacted her bank immediately and recovered $2,800 of the stolen funds through the bank’s fraud dispute process. The remaining $1,400 was unrecoverable. She spent approximately 22 hours over two weeks managing the incident: filing a police report, filing an IC3 report, working with her bank, notifying the supplier, and auditing which client data may have been accessible in her email account during the window the attacker had access.
In the six months following the incident, she implemented DMARC at the “reject” policy level, enabled MFA on all accounts, subscribed to a Tier 2 behavioral email security tool at $5 per month, and established a rule requiring a phone call to any supplier before acting on payment change requests. Her monthly security overhead is now approximately $5 in tool cost and 30 minutes of review time. The contrast with the 22 hours, $1,400 direct loss, and significant stress of the breach is not subtle.
Your Action Plan
-
Configure SPF, DKIM, and DMARC for your business email domain
Log into your domain registrar’s DNS settings and add SPF and DKIM records following your email provider’s specific documentation (Google Workspace and Microsoft 365 both have step-by-step guides). Add a DMARC record starting with “p=none” to collect reporting data. After two to four weeks of monitoring reports, advance to “p=quarantine” and then “p=reject.” This process takes two to three hours total and costs nothing beyond your existing domain and email subscriptions.
-
Enable multi-factor authentication on every account
Start with your primary email platform, then extend to your EMR, scheduling software, banking, and any other service holding client or financial data. Use an authenticator app (Google Authenticator, Authy) rather than SMS-based codes where possible, as SMS codes can be intercepted through SIM-swapping attacks. For your highest-risk accounts, consider adding a hardware security key as a second layer. The total setup time for a five-account MFA deployment is under an hour.
-
Deploy a behavioral email security tool appropriate to your budget
If you are currently relying only on your email provider’s built-in spam filter, add a Tier 2 behavioral security tool from the framework above. For most small wellness practices, this means spending $3 to $8 per user per month on a tool that analyzes communication patterns and flags anomalous requests. Configure it, set the alert sensitivity to medium-high, and review flagged messages weekly for the first month until you understand what it catches.
-
Establish a verbal verification rule for all financial requests
Create and communicate a standing policy that no payment change, new bank account detail, wire transfer, or credential reset request will ever be acted upon based solely on an email, regardless of who it appears to come from. Verification requires a phone call to a number independently sourced (not a number provided in the email itself). Post this policy visibly in your practice management system and communicate it to any staff members who handle billing.
-
Run a phishing simulation for your team
Use a free tool such as the phishing simulation feature in Google Workspace or KnowBe4’s free tier to send a realistic test phishing email to anyone on your team who handles email. Note who clicks, but treat the results as training data, not performance evaluations. Debrief the results in a short team meeting and update your training to focus on the specific scenario type that generated the most clicks. Repeat monthly.
-
Audit your vendor chain for security practices
List every software platform and service provider that has access to your email, client data, or financial systems. For each one, answer the three vendor security questions outlined in the vendor risk section of this guide. If a vendor cannot provide satisfactory answers and holds sensitive client data, assess whether an alternative service with clearer security practices is available. At a minimum, document your vendors and know how to reach each one through a verified phone number rather than email alone.
-
Create and store an incident response checklist
Print a one-page checklist covering the immediate response sequence: isolate the compromised device, revoke active sessions from admin panel, change passwords from a clean device, preserve screenshots and email headers as evidence, notify affected clients, file a report with FBI IC3, and contact legal counsel if health data was involved. Store a physical copy somewhere accessible. Having this reference eliminates decision paralysis in the event of an incident and ensures the first 60 minutes are spent on containment rather than uncertainty.
-
Build a monthly security review habit
Block 30 minutes on the first Monday of each month for three tasks: review DMARC reports or email security dashboard alerts from the prior month, send one phishing simulation to staff, and spend 10 minutes on a current phishing awareness resource (CISA, KnowBe4’s blog, or similar). This cadence keeps your pattern recognition current against rapidly evolving AI-generated attack styles and ensures that your security posture does not decay between incidents.
Frequently Asked Questions
How do I know if my business email domain already has SPF, DKIM, and DMARC configured?
Use a free lookup tool such as MXToolbox (mxtoolbox.com) to check your domain’s DNS records. Enter your domain name and run the SPF, DKIM, and DMARC lookups individually. The tool will show you whether each record exists and whether it is correctly formatted. If any record is missing or returns an error, your email provider’s help documentation will walk you through adding it. Most DNS changes propagate within a few hours, though DMARC can take up to 24 to 48 hours to appear in reports.
Is a personal Gmail or iCloud account acceptable for running a wellness business?
No, and the reason is specific: personal email accounts cannot be configured with business-level DMARC enforcement, do not support the same administrative controls, and are not governed by the data processing agreements that business subscriptions include. If you are collecting any client health information, even informally, and storing it in a personal email account, you may have compliance exposure. A Google Workspace Business Starter plan costs $6 per user per month and includes the administrative tools needed for proper email security configuration. It is one of the clearest cost-benefit choices available to a solo wellness practitioner.
What is the difference between a spam filter and a behavioral email security tool?
A spam filter works primarily by matching inbound emails against known patterns: blocklisted domains, mass-sending IP addresses, and structural signals of bulk mail. It was designed to stop newsletter spam and obvious scam attempts. A behavioral security tool builds a model of your organization’s normal communication patterns over time, then flags messages that deviate from that baseline even when they come from clean, unlisted addresses. Thread hijacking from a compromised vendor account, for example, would pass most spam filters but would register as an anomaly in a behavioral tool because the request type is inconsistent with prior communication history.
Can phishing attacks bypass multi-factor authentication?
Yes, under specific conditions. Session token harvesting attacks, conducted via adversary-in-the-middle phishing kits, can steal the authentication cookie your browser stores after a successful MFA login. The attacker replays that cookie from their own device, bypassing the MFA prompt because the session is already authenticated. This is not an argument against enabling MFA, which blocks the vast majority of attacks. It is an argument for adding phishing-resistant authentication methods (hardware security keys, passkeys) for high-risk accounts, and for treating MFA as a necessary floor rather than a complete ceiling.
My practice is just me. Do I really need all of this?
The attack volume targeting solo practitioners has increased precisely because they represent single points of failure without backup staff to catch what they miss. A solo practitioner holds all client data, all financial access, and all administrative credentials in one person’s hands. If that person’s email account is compromised, there is no second employee to notice, no IT department to escalate to, and no backup approver to question a suspicious wire transfer. The minimum viable solo-practitioner baseline is a business email domain with DMARC, MFA on all accounts, a password manager, and a verbal verification rule for financial requests. That combination takes a few hours to set up and provides meaningful, durable protection.
How do I handle phishing if I have staff who are not tech-savvy?
The most effective approach is to reduce the reliance on individual human judgment and build in structural protections instead. Configure your email security tool to automatically quarantine high-risk messages before staff ever see them. Establish a single shared channel for reporting suspicious emails so the behavior is normalized. Run brief, scenario-based training monthly using realistic examples from your own industry rather than generic examples. Most importantly, remove the shame from making mistakes: a team that reports suspicious emails immediately, even after clicking a link, is vastly more valuable than one that hides mistakes out of embarrassment.
What legal obligations apply to a wellness business after a phishing attack exposes client data?
This depends on the type of data exposed and your jurisdiction. If you are a formal healthcare provider covered by HIPAA, a breach affecting protected health information triggers mandatory notification to affected individuals within 60 days and potentially to the Department of Health and Human Services. If you are a wellness coach, nutritionist, or fitness business not subject to HIPAA, state data breach notification laws typically apply and vary significantly by state. Most states require notification within 30 to 90 days of discovering a breach. Consulting an attorney familiar with health-adjacent privacy law within the first 48 hours of a significant breach is advisable.
Is ransomware a separate concern from phishing, or are they connected?
They are directly connected. Phishing is the most common delivery mechanism for ransomware. A successful phishing email that gets an employee to download an attachment or click a link can install ransomware that encrypts your practice’s files and demands payment for decryption. The defenses against phishing that this guide covers also reduce your ransomware exposure, since eliminating the initial access vector prevents the ransomware from ever reaching your systems. For more detail on what happens once ransomware gets onto a device, the guide on how ransomware spreads on mobile devices and what happens after explains the mechanics clearly.
How often should I update my email security setup?
A thorough review once per quarter is a reasonable standard for a small wellness business. This includes checking that all DNS records are still correct and active (DNS records can be accidentally overwritten during domain transfers or renewals), verifying that MFA is active on all accounts including any new ones created in the past quarter, reviewing your email security tool’s alert logs for any patterns worth investigating, and confirming that your incident response checklist is still accurate and accessible. Monthly phishing simulations and awareness check-ins sit on top of this quarterly review cadence.
What is the most important single action to take today if I have done nothing so far?
Enable multi-factor authentication on your primary email account. It takes less than 20 minutes, costs nothing if you are already on Google Workspace or Microsoft 365, and blocks over 99.2% of account compromise attacks according to Microsoft’s own data. It is the single highest-return security action available to a small business owner and the one with the largest gap between its effectiveness and its actual deployment rate. After that, check whether your domain has a DMARC record using MXToolbox. Those two actions in a single afternoon close more of your attack surface than any paid tool purchased without them.
Sources
- Huntress, Phishing Attack Statistics 2025 (citing IBM Cost of a Data Breach Report)
- Varonis, Cybersecurity Statistics 2025 (citing IBM breach vector data)
- Huntress, Verizon 2025 Data Breach Investigations Report: 60% of breaches involve the human element
- Paubox, 2024 Phishing Statistics: Small businesses 350% more likely to be targeted
- FBI Internet Crime Complaint Center (IC3), Report Cybercrime
- FTC, Cybersecurity for Small Businesses
- MXToolbox, Free DMARC Record Lookup Tool
- Verizon, 2025 Data Breach Investigations Report
- IBM, Cost of a Data Breach Report 2025
- Proofpoint, 2025 State of the Phish Report
- KnowBe4, Phishing Security Resource Center and Free Simulation Tools






