How social engineering works against medical practices
Medical practices of any size can be a target of social engineering attacks because of the nature of the work, the amount of data flowing through the practice, and the confidentiality of that data. A payables clerk receives an urgent vendor invoice. A scheduler sees a multifactor prompt she did not initiate. A physician gets an unexpected text from IT support. A front desk employee scans a QR code on an incoming package. Each scenario presents a problem needing an urgent solution.
That is why social engineering works: It turns ordinary work behaviors — helpfulness, speed, trust in colleagues, responsiveness to physicians, and pressure to keep the day moving — into a path to credentials, payment accounts, remote access, or protected health information (PHI). Cyberattackers understand it is easier to convince a system user to open the gate and let them in than to mount brute-force attacks against systems with sophisticated defenses.
HHS’ Health Sector Cybersecurity Coordination Center defines social engineering as psychological manipulation that induces people to take actions or disclose confidential information, and notes that phishing remains one of the most effective social engineering attacks used against healthcare organizations.[1]
The psychology at play and what to guard against
Social engineering plays on human psychology: our desire for an advantage, for a discount or sale, for something that makes our job easier, to do quality work for the boss, and to improve our organization.
Ambulatory practices have several risk points that make these schemes credible: handling payer portals, patient balances, vendor invoices, e-prescribing systems, payroll, bank accounts, EHR access and appointment communications. Smaller practices may rely on informal approvals and shared inboxes that are efficient most days — until a hacker imitates one of the trusted parties in the workflow.
Urgency and authority: Time pressure creates a sense of urgency, which in turn creates a sense of duty to respond, to fix a problem or to grab a really good deal. This is often the heart of social engineering criminal schemes.
Attack cycles: The enemies are ruthless, have plenty of time and IT resources, and enjoy a high return on investment from successful attacks. They can afford to be thorough and patient. Some common preparatory steps the scoundrels take:
Scouting: Attackers use scouting and surveillance to determine the type and structure of the organization and the names and email addresses of likely targets. This is followed by testing and probing to learn what sort of attack would work and what defenses the practice uses.
Building trust: Attackers might use free advice or news blurbs to build trust among the readers. These may be followed by surveys or coupons. The name becomes familiar and the source becomes trusted.
Strike and run: Attackers may use volume attacks, that is, attacking many organizations and hoping for even a small response. A low percentage of large numbers can yield larcenous results.
“I am from the government…”: Be wary of claims from purported officials offering to help with tax issues, etc. Never respond to such emails without checking with your accounting professionals.
Policies, procedures, training
An ounce of prevention is worth a pound of cure. The practice should have IT and cyber policies for all professionals and employees, and people with responsibility for monitoring and enforcement.
One important policy suggestion — personal email accounts should not be loaded onto practice computers or practice smartphones. Many physicians use their personal smartphone for business purposes, and that creates a major risk. Policing physician conduct is a difficult management issue for many practices.
Once policies and implementation procedures are developed (and updated annually) there is an urgent need for training, retraining, and monitoring of staff. Since many social engineering attacks depend on the good nature and cooperation of target personnel, healthy skepticism should be trained into the staff.
The risks extend beyond suspicious email
While suspicious emails are a prolific example of these types of attacks, healthcare groups also should be aware of threats on other channels, such as fake help-desk calls, malicious QR codes, calls such as “your boss hired us to do a security survey” from fake vendors, and multifactor authentication (MFA) fatigue attacks. The FBI and HHS have specifically warned healthcare organizations about these sophisticated tactics against IT help desks and recommended not just email security but also MFA, cybersecurity training and centralized log collection as core efforts to mitigate threats.[2]
The financial and information security stakes are very real. In its 2025 Internet Crime Report, the FBI’s Internet Crime Complaint Center reported more than $20.8 billion in losses and identified email compromise and tech support scams among the largest loss categories after investment frauds.[3]
Sound policies and procedures developed in coordination with your IT advisors and vendors, proper onboarding training, regular practice-wide training, robust supervision, and regular contact with tech advisors will significantly improve the cyber safety of the practice.
Notes:
1. HHS Health Sector Cybersecurity Coordination Center (HC3). “Social Engineering Attacks Targeting the HPH Sector.” April 11, 2024.
2. FBI and HHS. “Social Engineering Tactics Targeting Healthcare and Public Health Entities and Providers.” Joint Cybersecurity Advisory. June 24, 2024.