
What does a phishing scam look like in the healthcare sector?

When it comes to cyberattacks, social engineering remains one of the most efficient and effective methods used by criminals. According to the NCSC, phishing accounts for 79% of the reported cyber-attacks in 2023 and the healthcare industry is no exception to this. Private and public healthcare organisations store a massive amount of user data, and the depth and sensitivity of this data makes it highly valuable to threat actors. Criminals may be looking to steal data, cause chaos and disruption, or install ransomware at a cost to the organisation.

The financial and reputational impacts of a successful attack have the potential to be crippling, and so strengthening your cyber resilience before an incident occurs is a very worthy investment.


What is phishing?

At its most basic definition, phishing is when criminals use various methods to trick victims into clicking or doing the wrong thing. This could be making you follow a link to a malicious website, scanning a QR code, downloading an attachment, or inputting sensitive information. The reason why phishing is an effective method for criminals is because it relies on social engineering. Rather than hacking into complex computer systems, they are essentially hacking you as the victim instead, relying on human error to bite on what can be a very convincing hook. A successful phishing attack sees criminals installing malware, stealing user information and shutting down systems, as well as a whole host of other damaging and disruptive activities.

What could a phishing attack look like in the healthcare sector?

Phishing is an umbrella term that can present itself in many ways. Whilst it could be as simple as a text on your phone telling you to pay a sum for a missed delivery on a parcel, it can also be a cleverly targeted, convincing email from what looks like your boss, imploring you to urgently pay an invoice. Within the context of healthcare, some common phishing scams are detailed below.

Business Email Compromise (BEC):

These are sophisticated attacks aimed at getting employees to transfer funds or reveal sensitive information. Frequently targeted against finance or accounts departments, criminals may impersonate high-level executives or other authorised personnel, requesting urgent payments, sensitive employee information, or changes to vendor details.

Credential Harvesting Phishing Attacks:

These focus on stealing login credentials with the aim of gaining unauthorised access to healthcare systems. The attacks can use cleverly convincing replicas of legitimate login pages, including intranets or medical record portals, to make the email request look authentic.

Malware-Laden Phishing Emails:

These emails are designed to trick the recipient into downloading malicious software. The malware is typically delivered via a link or an attachment and infects the device once it has been clicked or opened.

Spear Phishing Attacks:

This form of phishing is highly targeted. Attackers will use personal information tailored towards a specific individual or organisation, and this personal detail is what lends the email its appearance of legitimacy. However, the information has been gathered through clever research: scraped from social media, public sources or previous data breaches.

Vishing Attacks:

Vishing attacks follow the same principles but use voice communication. Attackers may use phone calls to fraudulently impersonate insurance providers, medical staff, or government agencies. Without proper verification, these attackers will try to gain sensitive information under the guise of being a legitimate caller.


How can my organisation protect itself?

One of the most effective protective barriers is thorough education for all staff. Making everybody aware of common features in a phishing attack encourages them to stop and think about what they are being asked, before clicking an infected attachment or inputting sensitive information. Any links, attachments or QR codes should be treated with suspicion and verified before access. QR code phishing is becoming more common so everyone should be aware that it is highly unlikely you will ever be sent a legitimate email asking you to follow a QR code.

Some questions to ask yourself include:

  • Who is the email addressed to? Is it you, by name, or does it include a vague address such as ‘valued customer’ or ‘colleague’?

  • Does the email follow the correct format for the company and are any logos or graphics what you would expect them to be?

  • Does the email imply a sense of urgency, encouraging you to do something ‘immediately’ or ‘within 24 hours’?

  • Is the email address of the sender accurate? Ignoring the sender's name and examining the address itself can help you identify whether it is trying to mimic somebody you know.

  • Are you being asked to supply personal or sensitive information by email? This could include login details or payment information.
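As an added example (not part of the ECRC article), the following Python script applies these questions to a raw email and reports which warning signs fire. The trusted domain, the phrase lists and the two sample messages are all invented placeholders; a real deployment would use the organisation's own domains and wording.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Domains the organisation actually sends from (assumed placeholder; use your own).
TRUSTED_DOMAINS = {"example-trust.nhs.uk"}

GENERIC_GREETINGS = ("dear colleague", "dear valued customer", "dear customer")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "as soon as possible")
SENSITIVE_REQUESTS = ("password", "login details", "log in", "bank details", "payment")

# Constructed sample messages (invented names, addresses and domains).
PHISH = """\
From: "Dr. A. Patel (Finance)" <a.patel@example-trust-nhs.co>
Subject: URGENT: invoice payment required within 24 hours

Dear colleague,
Please log in at the link below immediately and confirm your password.
"""
LEGIT = """\
From: "Dr. A. Patel" <a.patel@example-trust.nhs.uk>
Subject: Rota for next week

Hi Sam,
The updated rota is now on the intranet.
"""

def lookalike(domain: str) -> bool:
    """True if an untrusted sender domain closely resembles a trusted one."""
    return domain not in TRUSTED_DOMAINS and any(
        SequenceMatcher(None, domain, t).ratio() >= 0.75 for t in TRUSTED_DOMAINS)

def assess(raw: str) -> list[str]:
    """Apply the checklist above to a raw message and return the warnings that fire."""
    msg = message_from_string(raw)
    _name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload().lower()
    text = msg.get("Subject", "").lower() + " " + body
    warnings = []
    if body.lstrip().startswith(GENERIC_GREETINGS):      # vague, impersonal address
        warnings.append("generic greeting")
    if any(p in text for p in URGENCY_PHRASES):          # pressure to act now
        warnings.append("urgency")
    if domain not in TRUSTED_DOMAINS:                    # judge the address, not the display name
        warnings.append("lookalike sender domain" if lookalike(domain) else "external sender domain")
    if any(p in text for p in SENSITIVE_REQUESTS):       # asks for credentials or payment details
        warnings.append("requests sensitive information")
    return warnings
```

Running `assess(PHISH)` flags all four warning signs, while `assess(LEGIT)` returns an empty list.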

Furthermore, your company should employ a robust policy regarding information sharing. Protocols should be enforced regarding what information you can expect to share online and how it will be verified. For example, you could require verbal confirmation between staff before disclosing data to add a layer of protection. Supply chain compromise is another risk factor for cyber-attacks, so staff should be encouraged and supported to ask for help if they are unsure about a request. In the case of vishing, everybody should be trained to verify the identity of callers before sharing any sensitive information. To avoid credential harvesting, organisations should not only implement strong password policies, but require multi-factor authentication (MFA) to add an extra layer of defence.

Finally, organisations should be using robust email-filtering and antivirus software. Good education and policy are one form of protection, but strong systems reduce the chance of awareness becoming the last line of defence. Software updates and patches should be installed without hesitation and any known vulnerabilities should be addressed as a matter of urgency. Conducting regular audits of your company’s cyber hygiene will help protect the finances and personal information of you, your colleagues, and your clients.

How can the ECRC help?

Signing up as a free member of the Eastern Cyber Resilience Centre ensures that your organisation is supported in implementing simple changes that make a massive difference.

When you sign up as a member, you become enrolled on our ‘Little Steps’ programme. This is a weekly email series that drip-feeds you bite-sized practical information, as well as changes you can implement quickly and easily, designed to be followed by a non-technical audience.

Additionally, if you feel as though you would like more thorough support, take a look at the affordable student services we can offer your business. These can help you identify some of the potential vulnerabilities within your organisation.

If you are unsure or simply want to know more about cyber resilience and what we do at the ECRC, why don’t you book a chat with us today?


Reporting a live cyber-attack 24/7:

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.

Reporting a cyber-attack which isn’t ongoing:

Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.
