The Rise of Social Engineering Across Healthcare

Nobody’s perfect. Even the sharpest among us makes the occasional mistake. And cybercriminals just love that.

As proof, ask yourself, does Nigeria have a monarchy? If you couldn’t answer “no” with certainty, then you can understand how seemingly intelligent people can be deceived by the country’s “princes.” These fictional royals inexplicably need your help to secure (and share with you) their inheritance. Before you can see a dime of their fortune, however, they need your banking details. The alleged noblemen are exploiting your desires, curiosity, and trustworthiness—all basic human instincts—to manipulate you into handing over your personal information. That’s called social engineering.

The “Nigerian prince” scam is so infamous that it’s now a punchline. We’ve all laughed about the absurdity of it, but the humor is lost once you realize that social engineering scams have evolved. The tactics threat actors employ have become so advanced that even the brightest among us might not be able to spot the deception. And, worse yet, these tactics are now targeting healthcare.

The Treacherous Tactics of Social Engineering

Social engineering is the deceitful art of coaxing people into handing over valuable data. Across healthcare organizations—hospitals, pharmacies, regional clinics—cybercriminals will attempt to communicate with countless individuals to gain unauthorized access to sensitive information. The most common tactics are:

Phishing
Business email compromise (BEC)
Vishing

Usually starting as an unsolicited message, social engineering attacks can lead to severe breaches, jeopardizing protected health information (PHI) and financial records. And even disrupting vital medical services. Hackers favor social engineering methods for their simplicity—whether they’re sending 100 or 1,000 emails, the effort is minimal, and all it takes is one recipient caught off guard to succeed.

Phishing

Phishing is the leading cause of healthcare data breaches today. Phishing emails (and the texting equivalent SMSishing) appear to be from a trusted source, usually urging immediate action. In healthcare, threat actors rely on phishing to either steal data or access networks to initiate ransomware attacks. Once ransomware encrypts your data, your ability to conduct business and treat patients is compromised. Because PHI primarily lives digitally, in the midst of a ransomware attack, medical practitioners can’t access patients’ records, and in the ensuing chaos, must rely on pen, paper, and guesswork to provide treatments.

A common phishing scam you’ve likely seen involves an email appearing to be from PayPal. It cites unusual activity on your account and demands you click a malicious link to reset your password. Exploiting your trust in this recognizable brand, the hackers are provoking you into performing a harmful task such as providing your credentials or, worse, running a malicious payload.

The FBI recently alerted the American Dental Association (ADA) of a phishing threat targeting oral surgeons. Threat actors are posing as people seeking to register as new patients. Once they receive their new patient forms online, they’ll contact the practice and claim they’re having trouble submitting them online and request to scan and email them instead. The threat actors then email the “forms” as an attachment, which, when opened, deploy malware.

Gone are the days, however, where a closer look at a message could reveal obvious red flags—grammatical errors, aggressive language, and mysterious links or attachments. Hackers are doing their due diligence on you and your organization. And with the increasing adoption of generative AI tools, they’re getting far better at creating deceptive emails and websites that appear nearly identical to the sources they’re impersonating.

BEC

Business email compromise is just as it sounds—an email account has been compromised. According to our 2024 Cyber Threat Report, our internal threat analysis reveals that nearly 35% of Microsoft 365 threats in healthcare involve malicious inbox rules. Though you may receive a message from someone whom you trust, like your CEO, the account itself is now either spoofed or under the control of an adversary impersonating the account owner. The messages will ask you to perform tasks completely out of the ordinary such as purchasing gift cards or initiating a wire transfer on their behalf. Even though most recipients may see through the ruse, all it takes is one overeager employee desperate to make a good impression.

These emails may also attempt to trick you into providing your own email login credentials. From there, the domino effect continues, as threat actors can take control of your account and email your contacts, misleading them into performing fraudulent tasks or infecting their systems with malware.

Vishing

Though most social engineering is executed by digital means, a simple phone call can be as effective. If you’ve ever been contacted about your car’s extended warranty, then you’ve encountered “vishing” (voice + phishing). In larger healthcare settings, where you may not know all of your coworkers, these calls can come from someone pretending to be from another department in need of your personal info such as your login credentials. The U.S Department of Health and Human Services (HHS) is warning healthcare orgs that hackers are directly targeting IT help desks. Calling with local area codes, the hackers pretend to be employees from the finance department. Claiming their work-issued smartphones are broken, they request a new device under their control be enrolled. If successful, these tactics can allow attackers to gain administrative privileges, redirect bank transactions, and access sensitive patient data.

And with the rise of AI-generated voice-replication tools, someone may call you sounding just like a trusted colleague or a high-level executive, and you’d be none the wiser. So if you ever receive an unexpected call requesting personal credentials, regardless of who you think is on the other end of the line, remember, mum’s the word.

‍

Healthcare Is a Gold Mine for Hackers

Across healthcare organizations, there’s an endless amount of data. And data is how hackers get paid. Whether they hold it hostage through ransomware or simply sell it on the black market, data is valuable. UnitedHealth recently learned this the hard way, paying a ransom of roughly $22 million. Though hackers once had an unwritten code that life-saving institutions were off limits, this payment only incentivized the worst threat actors to set their sights on healthcare organizations of all sizes.

This is unfortunate because one thing’s always been clear—healthcare is an easy target. Doctors, nurses, and other medical staff are always on the move, multi-tasking at all hours of the day. In this high-pressure, fast-paced environment, it's easy to lose focus for a moment and click on an email without a second thought. But there are plenty of consequences from that click, including:

Your organization's reputation suffers
Patients' data is exposed, increasing the risk of identity theft
Critical systems are disrupted, compromising patient care
Trust in your services erodes, leaving patients anxious and fearful
IT and security resources are overwhelmed and overstretched
Doctors and nurses are unable to access vital information
Financial losses escalate through legal fees, compliance penalties, and lost revenue

‍

Three-Letter Solutions, One Objective: How MFA, MDR, and SAT Can Outwit Social Engineering

Threat actors want one thing—money. So much so that they’ll invest considerable time and resources to research you and your specific role. This means the emails, texts, and calls you receive can appear far more legitimate and trustworthy, making it easier to deceive you and your colleagues.

The rise of social engineering highlights the need for a "defense in depth" approach, a holistic strategy creating barriers of protection to mitigate potential breaches. Multi-factor authentication (MFA) and a security awareness training (SAT) program can ensure your people are alert and serve as your first line of defense. And should any threats slip through, you can bolster your defenses with managed detection and response (MDR).

MFA

MFA adds a layer of security to your standard login processes. For instance, if you’ve ever tried to get into your banking app, but first had to input a code sent to a separate device, then you’re already familiar with MFA.

In a healthcare setting, enabling MFA helps reduce the risk of phishing and BEC attacks. If a cybercriminal obtains your password, they may attempt to use it to gain unauthorized access to your other accounts. After all, many people tend to reuse the same usernames and passwords across accounts. However, with MFA, even if the attacker has your credentials, they’d still need an additional factor, such as a temporary code sent to your personal phone, to successfully authenticate and access the account. This additional layer of security makes it much more difficult for attackers to gain unauthorized access and helps protect against fraudulent activities.

Because healthcare organizations handle so much sensitive patient data, MFA helps protect it by reducing the risk of unauthorized access. Of course, MFA alone can’t be your only line of defense.

MDR

To defend your healthcare organization from social engineering tactics such as BEC and phishing, you must be able to protect individual identities. An MDR solution can collect and analyze information from logs, events, networks, endpoints, and user behaviors. Coupled with a team of cybersecurity analysts who can validate incidents, MDR solutions can escalate critical events and provide you with an action plan to remediate threats quickly.

Microsoft 365 delivers a suite of features and services that help medical professionals better communicate and collaborate, making it a popular tool across healthcare organizations. As a result, it’s also a popular target for cybercriminals. Huntress MDR for Microsoft 365 secures your Microsoft 365 users, applications, and environment by leveraging our 24/7 Huntress Security Operations Center (SOC). Our SOC experts meticulously monitor and promptly respond to real-time security threats, including anomalous login activities, email tampering, unauthorized forwarding, and attempts at privilege escalation. In short, Huntress MDR for Microsoft 365 can effectively thwart account takeovers.

SAT

It can’t be overstated, your people are your first line of defense. While sophisticated cyberattacks target systems, phishing and BEC go straight for human vulnerabilities. That’s why it’s so important that all individuals across your organization can identify potential threats. This is where a SAT program comes in handy.

SAT programs educate individuals across your organization on how to recognize and respond to potential cybersecurity risks. A good SAT program delivers regular lessons, tests, and phishing simulations, all designed to help your people better identify and defend against social engineering risks.

Every tactic taught in a SAT program must become second nature to the learner. To enhance knowledge retention, Huntress designed a SAT solution that fuses vibrant animations, memorable episodes, and science-based learning principles. A core component of Huntress SAT is the phishing simulations, which are created, curated, and deployed by our own experts.

Our Phishing Defense Coaching feature supports your users who may have fallen victim to phishing simulations. Instead of having the user repeat training (or admonishing them as failures), a Huntress cybersecurity analyst coaches them through key elements in the email that were overlooked, such as fake links or unusual interfaces. This method helps individuals across healthcare organizations better understand why they’re being targeted and enables them to prevent real attacks moving forward.

‍

Real-World Incident: An Email-Based Attack Uncovers Larger Crimes

When a Midwest-based managed service provider (MSP) rolled out Huntress MDR for Microsoft 365, Huntress’ SOC quickly uncovered a sinister plot unfolding for a client. Suspicious inbox rules had been created in the CEO’s email account, redirecting senders to various bank domains.

The MSP sprang into action, alerting the unsuspecting CEO of the covert activities. Huntress automatically dismantled the shady inbox rules and reinstated MFA, shutting down the cybercriminal’s access to the CEO’s account. But the story didn't end there.

Reflecting on how his electronic mail had been impacted, the CEO realized he hadn’t received physical mail in weeks. A call to his bank revealed a darker scheme: multiple attempts were made to add new users to his account, which would’ve allowed the attackers to make wire transfers on a whim.

The hackers had siphoned valuable data from the CEO’s email and tried to use it to their advantage. But Huntress MDR for Microsoft 365 detected the most subtle behavioral anomalies and averted a financial catastrophe for the client.

To learn more about how the digital and physical worlds became intertwined, read the case study here.

‍

Human Error Is Inevitable. Huntress Can Help Minimize Its Impact on Healthcare.

Human error can bring down any organization, but the fallout can be especially brutal for healthcare. A single click on a suspicious email can lead to financial disaster, reputational damage, and worst of all, compromised patient care. That’s why it’s critical your people know how to remain vigilant against potential cyber threats.

With our 24/7 SOC and swift threat neutralization, Huntress managed solutions are tailored for healthcare. In fact, we already secure more than 10,000 healthcare organizations. Given our track record of protecting millions of endpoints globally, we help your org prioritize what matters most—patient safety.