Why healthcare employees engage with social engineering attacks
Lusanda Molefe October 14, 2025
Healthcare email security presents unique challenges that extend beyond technical safeguards. Research published in the Journal of Cybersecurity examining phishing vulnerabilities across Germany, the UK, and the USA documented how operational characteristics of healthcare delivery, including time-sensitive clinical decision-making, extensive external communication requirements, and organizational cultures emphasizing collaboration, create conditions where employees engage with sophisticated email attacks despite security awareness.
A systematic review in the Journal of Medical Internet Research analyzing healthcare cybersecurity between 2012 and 2022 similarly found that as technology advances in healthcare systems, the internet's diverse nature and connection to telehealth services create multiple access points for cyberattacks, with human error representing a significant vulnerability factor.
According to the 2025 Healthcare Email Security Report by Paubox, 180 healthcare organizations reported email-related breaches in 2024 alone, exposing millions of patient records. Perhaps more concerning is that only 5% of phishing attempts are flagged by employees, meaning 95% of sophisticated attacks go unreported until damage occurs. The Journal of Cybersecurity study confirms that this challenge extends globally: analyzing over 1,000 healthcare employees, researchers found that while 61.9% of respondents reported suspicious emails frequently or very frequently, the median open rate for text-based business email compromise (BEC) attacks reached nearly 28%, and 15% of opened malicious emails received a reply.
A study published in BMJ Health & Care Informatics, examining one UK NHS hospital trust, provides concrete evidence of the scale of threat healthcare organizations face. During a single month, the organization received 858,200 emails, of which 18,871 (2.2%) were identified as potential threats. Of 142.7 million internet transactions, 4.7 million (3.3%) were classified as suspicious. Between January 2024 and January 2025, email security failures led to breach reports filed with the HHS Office for Civil Rights by organizations across the care continuum. The common pattern across these breaches wasn't technical incompetence or untrained staff but rather attackers who understood that in healthcare, operational urgency often overrides security verification protocols.
The healthcare attack surface is different
Healthcare organizations face threat actors who conduct detailed operational research rather than sending generic phishing emails. According to the Journal of Medical Internet Research systematic review, attackers study provider directories, analyze referral patterns, monitor social media for organizational announcements, and understand clinical workflow rhythms to craft convincing attacks.
The research above analyzed 70 studies published between 2012 and 2022, and identified five primary vulnerability themes in healthcare systems. The review states, "Cybercriminals exploit health care systems due to the lack of investment, technology advancement as a result of digitalization, human error due to a lack of awareness and training, and old legacy systems, which enable cybercriminals to access valuable health information and sell it on the dark web for money and other gains."
Amy Larson DeCarlo, Principal Analyst at GlobalData, emphasizes the evolving sophistication of these threats: "MFA bypass kits are readily accessible and cost-effective for threat actors to use. The danger for HIPAA-compliant organizations is that cybercriminals can use these kits to capture credentials and session tokens, which in turn can be used to gain access to Personally Identifiable Information of patients and employees."
The systematic review also found that healthcare organizations face increasing challenges as technology advances, with interconnected medical devices and network complexity creating multiple attack surfaces. At least 10 to 15 medical devices are typically linked to each patient's electronic bed in public hospitals, and these complexities increase network susceptibility to cyberattacks. The review documented that between 2012 and 2022, human error accounted for 11% of documented vulnerabilities, with phishing remaining the primary attack vector.
Research on information security culture published in the Journal of Cybersecurity demonstrates that reporting suspicious emails is a distinct behavior requiring supportive organizational processes. The study analyzing over 1,000 healthcare employees across three countries found that information security (IS)-supportive norms, policy awareness, and communication quality significantly influence whether staff report phishing attempts. The quality of IS-related communication emerged as the strongest direct predictor of reporting behavior, with organizations featuring effective two-way communication about security issues seeing substantially higher reporting rates.
The BMJ Health & Care Informatics study emphasized that with increasing perimeter protection and sophistication of automated systems to detect suspicious communications, the risk for healthcare organizations increasingly becomes staff behavior and vulnerability to social engineering. The research noted that phishing typically requires the recipient to perform an action and relies on social engineering techniques, with many contacts appearing to be from trusted sites such as financial institutions or, in healthcare contexts, IT administrators or clinical staff.
When clinical urgency becomes a weapon
A large Italian hospital with over 6,000 staff conducted a phishing simulation exercise to assess vulnerability to email attacks targeting healthcare workers. The simulation, published in Digital Health hosted by SAGE Journals, compared staff responses to general phishing emails versus customized messages designed around the hospital's operational context.
In the first campaign, researchers sent two types of emails. The general phishing email appeared poorly crafted with obvious grammatical errors and claimed that a "Microsoft email about pay scales" had been placed in quarantine. The customized email, however, leveraged the hospital's actual ongoing activities; it informed staff they had 48 hours to complete mandatory online training and to click a link to begin.
The difference in response rates was striking. While 64% of staff did not open the general phishing email, only 38% avoided opening the customized version. More concerning is that of those who opened the customized email, 88% clicked on the malicious link, compared to just 18% who clicked on the general phishing link. Overall, 55% of all customized emails resulted in clicks, versus only 7% for general phishing emails.
What made the customized attack so effective wasn't technical sophistication; it was contextual authenticity. The email referenced real hospital activities that staff were already familiar with and concerned about. It created urgency around a task staff knew they needed to complete. The attack exploited operational knowledge to bypass skepticism.
"Social engineering is the more common root cause of breaches," notes Lee Kim, Senior Principal of Cybersecurity & Privacy at HIMSS. The 2024 HIMSS Healthcare Cybersecurity Survey found that general email phishing accounted for 63% of initial points of compromise for significant security incidents, with SMS phishing and targeted spear-phishing each representing 34%, business email compromise at 31%, and various other phishing variants making up substantial portions of attack vectors.
The Italian hospital study documented another critical finding where healthcare staff workload and fatigue significantly impact vulnerability. Research has shown that cybersecurity cannot be prioritized over healthcare demands, especially during high-stress periods. The hospital operated under constant time pressure, with staff managing patient care alongside administrative tasks. When an email appeared to relate to a required duty, such as completing mandatory training, staff acted quickly rather than pausing to verify authenticity.
In a second campaign five months later, the hospital sent another customized phishing email during the Christmas season, this time falsely promising a bonus payment if staff clicked a link to confirm their email address. Despite improved spam filters that directed 59% of these emails to junk folders, providing an additional warning signal, 21% of all sent emails still resulted in clicks. Among emails that reached inboxes and were opened, 87% resulted in clicks.
Modern AI-powered email security addresses this vulnerability through contextual analysis. Paubox's generative AI examines not just keywords but entire message context, sender behavior, communication history, timing patterns, and structural anomalies that indicate fabrication.
In a real-world example stopped by Paubox Inbound Email Security, the system flagged a suspicious email and added this custom header explaining its reasoning:
“This message exhibits characteristics of clinical urgency exploitation - sender domain does not match known communication patterns for this organization, link destination analysis reveals recently registered domain with no established reputation, and timing of communication falls outside normal reporting windows for this test type.”
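To make the reasoning in that header concrete, the following scorer checks the same three signals on a raw message: a sender domain outside the organization's established communication patterns, a link to a recently registered domain with no reputation, and a send time outside the normal reporting window, plus the urgency wording that a plain keyword filter would also see. It is an added example, not Paubox's code: the known-domain list, the domain registration table, the reporting window and both sample messages are constructed stand-ins for an organization's mail history, an RDAP/WHOIS lookup and real traffic.

```python
"""Heuristic contextual scoring of an inbound email (added example, not Paubox code).
Baselines, registration dates and the two messages below are constructed."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed baseline of the organisation's established communication patterns.
KNOWN_SENDER_DOMAINS = {"stjohns-hospital.example", "regionallab.example"}
REPORTING_WINDOW = (7, 19)   # lab results normally arrive between 07:00 and 19:00
NEW_DOMAIN_DAYS = 30         # younger than this counts as "no established reputation"
FLAG_THRESHOLD = 4

# Constructed stand-in for a domain-age lookup (in practice RDAP/WHOIS or a feed).
DOMAIN_REGISTERED = {
    "regionallab.example": datetime(2015, 3, 2),
    "regional-lab-results.example": datetime(2025, 10, 9),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_RE = re.compile(r"\b(urgent|immediately|within \d+ hours?)\b", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def score_message(raw, now):
    """Score one RFC 822 message against the constructed baselines as of `now`."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    v = Verdict()

    # 1. Sender domain outside the known communication patterns.
    if sender_domain not in KNOWN_SENDER_DOMAINS:
        v.add(2, f"sender domain {sender_domain} does not match known communication patterns")

    # 2. Link destinations: recently registered or unknown domains.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        registered = DOMAIN_REGISTERED.get(host)
        if registered is None:
            v.add(1, f"link to {host}: no registration data available")
        elif (now - registered).days < NEW_DOMAIN_DAYS:
            age = (now - registered).days
            v.add(3, f"link to {host}: registered {age} day(s) ago, no established reputation")

    # 3. Timing outside the normal reporting window (hour in the Date header's own offset).
    if msg["Date"]:
        sent = parsedate_to_datetime(msg["Date"])
        if not REPORTING_WINDOW[0] <= sent.hour < REPORTING_WINDOW[1]:
            v.add(1, f"sent at {sent:%H:%M}, outside normal reporting window")

    # 4. Urgency language: the one signal a keyword filter would also catch.
    if URGENCY_RE.search(text):
        v.add(1, "urgency language pressing the recipient to act before verifying")
    return v


def explain_header(v):
    """Render the verdict as the kind of X- header a gateway can attach for the reader."""
    status = "flagged" if v.score >= FLAG_THRESHOLD else "allowed"
    return f"X-Context-Risk: {status} (score {v.score}); " + "; ".join(v.reasons)


NOW = datetime(2025, 10, 10, 8, 0)   # evaluation time for the constructed samples

# Constructed sample: a "critical result" from a day-old look-alike lab domain, sent at night.
SUSPICIOUS = """\
From: Regional Lab Results <results@regional-lab-results.example>
To: a.okafor@stjohns-hospital.example
Date: Thu, 09 Oct 2025 23:14:00 +0000
Subject: URGENT: critical potassium result, bay 4

A critical result must be acknowledged within 2 hours:
https://regional-lab-results.example/ack/3381
"""

# Constructed sample: the real lab, during working hours, on its long-established domain.
BENIGN = """\
From: Regional Lab <results@regionallab.example>
To: a.okafor@stjohns-hospital.example
Date: Thu, 09 Oct 2025 10:05:00 +0000
Subject: Result available

A routine result is available: https://regionallab.example/results/1021
"""

if __name__ == "__main__":
    for raw in (SUSPICIOUS, BENIGN):
        print(explain_header(score_message(raw, NOW)))
```

Note that only the urgency rule keys on words in the message; the other three rules need something the message itself cannot supply (who the organization normally talks to, how old the link's domain is, when results normally arrive), which is why a static keyword list leaves the look-alike message through while this scorer flags it.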
The Italian hospital study emphasized a critical limitation of traditional security awareness training. While training programs are standard across healthcare organizations, the research found that staff intentions to follow security protocols do not significantly influence actual clicking behavior when confronted with well-designed phishing emails. Healthcare staff fully intended to detect phishing attacks but were unable to do so, with higher workload and fatigue correlating with lower detection rates.
The Journal of Medical Internet Research systematic review found that human error is a significant factor in cyberattack success, with most cybercriminals using phishing methods to execute attacks through deceptive emails. The review noted that human-related threats are responsible for over 70% of data fraud and breaches in business organizations, partly due to the high value of health information.
"We encountered a significant case where an outdated email system directly impacted patient care due to a cybersecurity breach," said Matt Murren, CEO of True North ITG. "We worked with a medical group that unfortunately became the target of a phishing attack. Their legacy email platform lacked modern security measures like advanced threat detection, multi-factor authentication, and real-time phishing alerts. This vulnerability allowed attackers to compromise user credentials and eventually deploy ransomware across the network. The consequences were severe."
The incident Murren describes illustrates the cascading effects of successful phishing attacks. The ransomware attack rendered the organization's systems inaccessible for nearly two weeks. During this time, the clinic operated at a fraction of its capacity. Scheduling, access to electronic health records, and communication between staff members were all severely hindered. Routine appointments were delayed or canceled, test results couldn't be reviewed in a timely manner, and urgent care cases had to be diverted to other facilities.
"This incident illustrates how outdated email infrastructure isn't just an IT issue—it's a patient safety issue," Murren explained. "The inability to quickly detect and contain the phishing attempt ultimately disrupted critical services, highlighting the essential role secure, modern communication systems play in healthcare operations."
FAQs
What is business email compromise (BEC)?
Business email compromise is a cyberattack where criminals impersonate executives or trusted business partners to trick employees into transferring money, sharing sensitive data, or changing payment instructions. In healthcare, BEC attacks often target billing departments and financial staff. Because many BEC messages carry no attachment or link, attachment and URL scanning alone does not catch them; the request itself, and the sender's deviation from normal communication patterns, are the only signals available.
What is display name spoofing?
Display name spoofing occurs when attackers use the exact name of a legitimate person (like a CEO or physician) but with a different email address. Mobile email clients often show only the display name, making these attacks difficult to detect without inspecting the actual sender address. Because the message is sent from a domain the attacker controls, SPF and DKIM checks usually pass, so authentication results alone will not catch it; the check has to compare the display name against the directory of people it claims to be.
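The directory comparison described above, as an added example that is not Paubox code: it parses the From header, normalizes the display name (titles, "Last, First" order, accents), and reports a spoof when the name belongs to someone in the organization's directory but the address is not one of theirs. It also catches the variant where the display name is itself an internal-looking email address. The directory, internal domain and From headers are constructed.

```python
"""Display-name spoofing check (added example, not Paubox code).
The directory, internal domain and sample From headers are constructed."""
import unicodedata
from email.utils import parseaddr

# Constructed directory: normalized name -> addresses that person legitimately uses.
DIRECTORY = {
    "amara okafor": {"a.okafor@stjohns-hospital.example"},
    "james whitfield": {
        "j.whitfield@stjohns-hospital.example",
        "james.whitfield@stjohns-board.example",
    },
}
INTERNAL_DOMAINS = {"stjohns-hospital.example"}
TITLES = {"dr", "prof", "mr", "mrs", "ms"}


def normalize_name(name):
    """Fold accents, 'Last, First' order, case and titles so variants compare equal.
    NFKD folds width and accent tricks; it does not defeat Cyrillic/Greek homoglyphs."""
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    if "," in name:                      # "Okafor, Amara" -> "Amara Okafor"
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    tokens = [t.rstrip(".") for t in name.lower().split()]
    return " ".join(t for t in tokens if t not in TITLES)


def check_from(from_header):
    """Return (verdict, address). Verdicts: ok, unknown_name,
    display_name_spoof, address_in_display_name."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    addr_domain = addr.rpartition("@")[2]

    # Variant: the display name is an internal-looking address, e.g.
    # "a.okafor@stjohns-hospital.example" <noreply@mailer.example>
    if "@" in name:
        name_domain = name.rpartition("@")[2].lower()
        if name_domain in INTERNAL_DOMAINS and name_domain != addr_domain:
            return ("address_in_display_name", addr)

    known = DIRECTORY.get(normalize_name(name))
    if known is None:
        return ("unknown_name", addr)      # nobody to impersonate; other checks apply
    if addr in known:
        return ("ok", addr)
    # A directory name on an address that person does not use: spoof regardless of
    # whether the address is external or an unexpected internal mailbox.
    return ("display_name_spoof", addr)


# Constructed From headers as a mail client would receive them.
SAMPLES = [
    '"Dr. Amara Okafor" <a.okafor@stjohns-hospital.example>',
    '"Dr. Amara Okafor" <dr.okafor.stjohns@gmail.example>',
    '"Okafor, Amara" <amara.okafor@stjohns-hospital.example>',
    '"a.okafor@stjohns-hospital.example" <noreply@mailer.example>',
    '"Pharmacy Supplies" <orders@supplier.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        verdict, addr = check_from(header)
        print(f"{verdict:24} {addr:45} <- {header}")
```

The `unknown_name` outcome is deliberately not a pass: it only says there is no directory entry to impersonate, so the message still goes through the rest of the pipeline.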
How does generative AI detect phishing differently from traditional filters?
Traditional email filters match messages against static lists of known threats or keyword patterns. Generative AI analyzes the entire context of each email (sender behavior, message structure, timing patterns, tone, and deviation from organizational norms) to identify sophisticated threats that keyword filters miss.
