Phishing is six times more common a cause of data leakage than classic database hacking.

Phishing is still the top threat to healthcare. How not to be fooled?

Every day, approximately 3.4 billion phishing messages are sent. Some end up in the spam folder, and some we delete because we have learned to recognize them. Still, phishing remains a favorite and effective form of cyberattack, including in healthcare. What should you watch out for?

Emails about an inheritance from a rich uncle abroad hardly fool anyone anymore, or are filtered out automatically by email providers before we have time to read them. The same is true of notices about an undelivered courier package, which often look suspicious at first glance.

And while we think we won’t be fooled, the facts are alarming: according to Proofpoint’s 2022 State of the Phish report, 83% of organizations fell victim to a phishing attack last year, and 25% of all data breaches involve phishing. All it takes is an inattentive click on a link or opening a PDF attached to a malicious email, and a malicious program is installed on the computer, opening a gateway to data for attackers.

The statistics leave no room for illusions: phishing is still one of the biggest threats to cyber security, even though it has been used for years and we have grown accustomed to it.

According to the Healthcare Cybersecurity Survey, phishing attacks are the top healthcare threat. They account for 45% of all cyberattacks, followed by ransomware attacks (17%) and breach or data leakage (7%).

Phishing messages are hard to spot

Attackers have perfected phishing messages. The best ones no longer contain easy-to-recognize language errors, typos, or oddly colored fonts. They can be deceptively similar to the visual identity of a bank or courier company.

Here are some of the most important rules to help you successfully distinguish a phishing message from a genuine email:

  • The message informs you that you need to take action immediately; otherwise, you risk losing your data, having your account blocked, being fined, etc. Banks and government offices never send such messages. Threats of financial loss are meant to make you act quickly and emotionally, switching off rational thinking. Why? Because the longer you think about the matter, the more suspicious it seems.
  • The message demands that you enter sensitive data, such as your bank account number, online banking PIN, or credit card number, or that you log in to a service to verify your identity. For this reason, regardless of whether a message is phishing, you should always log in via a bookmark you saved yourself or an address you typed or searched for, never via a link in an email. Links in emails can lead to duplicate, fake sites.
  • Phishing messages often contain links or attachments that we are not expecting.
  • It still happens that the message’s text is poorly written and the graphics differ from previously received emails. The text might mix fonts or use incorrect language-specific special characters.
  • The phishing message often opens with an impersonal greeting such as “dear customer” or “sir/madam.” This is not the case, however, in personalized phishing.
  • The message does not contain any contact information.


The myth of secure websites and other traps

Just as hacking methods change, healthcare professionals must update their cybersecurity skills.

For example, some might still be convinced that a site whose address starts with “https://” is trustworthy, because the SSL/TLS certificate guarantees a secure connection. In fact, the certificate only guarantees that the connection is encrypted, not that the site belongs to the institution it claims to be, and phishing scammers routinely obtain certificates for their fake sites to make the attack more convincing.

When technical safeguards can be misleading, verifying suspicious messages through a second channel remains the best protection. Experts suggest developing a few simple habits that significantly improve cybersecurity.

The first principle is to check links in emails and on social networks before clicking on them, and to do so with great care: fake sites can have addresses that are very similar to the genuine ones, differing by only a few characters. Anyone can register a domain name, even one that closely resembles that of a well-known institution such as a bank or courier service.

Secondly, messages from government institutions or a bank can be verified by calling the institution on a number you already know. Another approach is to copy a fragment of the suspicious email and paste it into Google to see whether there are warnings about such messages.

Thirdly, be very cautious when opening attachments received from unknown email addresses. These may be presented as an invoice, a payment reminder, an important message from your bank, etc. If you need to log in to a bank account or another service, open the page directly in your browser, as you normally do, rather than clicking on the link. Fourth, check who the sender of the message is and, to be sure, search Google to see whether the email address really belongs to the institution it claims to represent.
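The link checks described above (look-alike domains differing by a few characters, a trusted name buried in an attacker-controlled host, and link text that names a different site than the real target) can be automated for an organization’s own allowlist of institutions. The following is an added example, not code from the article; the trusted domains are constructed placeholders, and the check deliberately ignores whether the scheme is https, for the reason given in the text.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of the institutions staff actually deal with
# (placeholder domains for illustration only).
TRUSTED_DOMAINS = {"examplebank.com", "examplecourier.com"}


def registrable_domain(url: str) -> str:
    """Lower-cased host of a URL with any leading 'www.' removed."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host.lower().removeprefix("www.")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host behind a link.

    The scheme is ignored on purpose: an https:// prefix only proves the
    connection is encrypted, not that the site belongs to the institution.
    """
    host = registrable_domain(url)
    if host in trusted:
        return "trusted"
    for good in trusted:
        if host.endswith("." + good):          # genuine subdomain, e.g. login.examplebank.com
            return "trusted"
        if edit_distance(host, good) <= max_edits:  # examp1ebank.com, examplebank.co
            return "lookalike"
        if good.split(".")[0] in host:         # examplebank.com.secure-verify.net
            return "lookalike"
    return "unknown"


def displayed_text_mismatch(link_text: str, href: str) -> bool:
    """True when the visible link text names a different host than the real target."""
    shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", link_text.lower())
    return bool(shown) and registrable_domain(shown.group()) != registrable_domain(href)
```

A mail gateway or a browser extension would run `classify_link` over every href in an incoming message and quarantine or warn on `lookalike` results; `displayed_text_mismatch` catches the common trick of showing the genuine address as the link text.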

What to do after receiving a phishing email?

  • Never click on any links or attachments in suspicious emails. If you receive a suspicious message and are unsure whether it is real or fake, verify it by logging in to the genuine site from your browser, calling the institution, and typing the first few sentences of the email into Google.
  • Report the message to the institution it impersonates.
  • Report it to the IT security department of your organization.
  • Use the “mark/report as spam” option in your email client, which helps spam filters improve their fraud detection.
  • Delete the message (including from the trash).

Phishing is still the most effective way for attackers to gain access to the data they want to steal. They use social engineering to persuade us to hand over data voluntarily, so they don’t have to crack passwords or break IT security systems, which is far more complicated and time-consuming. It takes only one click by a deceived employee for an attacker to take control of an IT infrastructure, gain access to electronic health records, or lock up the entire health information system.

Get ready for even more refined phishing methods: vishing (phone calls, which today can also be placed by AI), callback phishing (for example, a message about a subscription you never knew about, with an offer to cancel it by contacting “customer service”), business email compromise and whaling (personalized phishing targeting senior executives), and deepfake phishing (AI-generated fake video and voice messages). In healthcare, phishing is especially hard to spot because healthcare workers are willing to help; they act empathetically and trust others.
