Healthcare is among the most frequent targets of cyberattacks, and alongside ransomware, one of attackers’ most dangerous weapons is social engineering. It doesn’t target programs, but people—their habits, attention, and trust. The talk points out that besides digital threats, there are also physical attacks that are often overlooked.
The most common tricks used by attackers
A classic is phishing: an email with a link, and clicking that link can lead to credential theft or ransomware. The targeted version is whaling – a message seemingly from a senior executive with an "urgent" task, exploiting that executive's authority and higher privileges. In pretexting, the attacker first conducts research and then poses as a known supplier or partner to request a "data update." Manipulation techniques also include baiting and "romance" scams – promises of money or a relationship meant to coax sensitive information from the victim.
Physical and hybrid attacks are also important. Diversion theft redirects a physical shipment with documents to a fake address, allowing thieves to access the data in the package. Tailgating exploits the willingness to help: "Hold the door, I forgot my card," and a stranger gains access to the premises and to unlocked computers. Smishing (SMS phishing) has shifted from simple lures to abusing two-factor authentication messages; a fake "cancel login" link can actually help the attacker. Scareware, meanwhile, triggers panic with a virus alert and offers a "miracle" download, and a watering-hole attack infects a legitimate website that employees regularly visit.
How to defend in practice
Education is the foundation – every employee contributes to the organization’s security, even if they’re not in IT. A culture of verification helps: check the sender and the link address, don’t share passwords, don’t trust unsolicited "urgent" requests, and when in doubt, call a verified contact. For SMS about two-factor authentication, don’t click the attached links; open the official app or sign-in page directly instead. And finally, never hold doors for strangers, lock workstations, and report suspicious situations.
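The two checks the talk asks every employee to make by hand, "check the sender" and "check the link address", can also be automated as a first-pass triage before a message reaches a busy clinician. The following is an added example written for this summary, not code from the talk or from any product it mentions: it parses a constructed sample email (all domains are placeholders), flags a sender whose domain merely embeds a trusted name, and flags links whose visible text names one domain while the `href` points to another. The trusted-domain list and the two-label approximation of a registrable domain are simplifying assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration; not taken from the page.
# The sender's domain only *contains* the hospital's name, and the first link's
# visible text does not match where the href really points.
SAMPLE_EMAIL = {
    "from": '"Dr. A. Director" <director@hospital-example.com.attacker-example.net>',
    "html": (
        '<p>Urgent: confirm your credentials at '
        '<a href="http://login.attacker-example.net/portal">'
        'https://portal.hospital-example.com</a> before 17:00.</p>'
        '<a href="https://intranet.hospital-example.com/policies">'
        'intranet.hospital-example.com</a>'
    ),
}

# Assumed list of domains the organization treats as its own or as known partners.
TRUSTED_DOMAINS = {"hospital-example.com"}


def registrable_domain(host):
    """Return the last two labels of a hostname (e.g. 'attacker-example.net').

    This is a deliberate simplification; production code should consult the
    public suffix list so that 'example.co.uk' is handled correctly.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(from_header):
    """Extract the domain from a From: header, preferring the angle-bracket address."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def check_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Flag senders outside the trusted set, especially lookalikes that embed a trusted name."""
    domain = sender_domain(from_header)
    registrable = registrable_domain(domain)
    findings = []
    if registrable not in trusted:
        findings.append(f"sender domain {domain} is not a trusted domain")
        if any(t in domain for t in trusted):
            findings.append(
                f"sender domain {domain} embeds a trusted name but is really {registrable}"
            )
    return findings


def check_links(html):
    """Flag links whose visible text names a different domain than the href target."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        # Only compare when the visible text itself looks like a URL or hostname.
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if href.lower().startswith("http://"):
            findings.append(f"link to {href_host} uses plain http")
    return findings


def triage(email, trusted=TRUSTED_DOMAINS):
    """Combine both checks; a non-empty result means 'call a verified contact before acting'."""
    return check_sender(email["from"], trusted) + check_links(email["html"])


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

The sender check deliberately treats "the trusted name appears somewhere in the domain" as a separate, louder finding, because that is exactly the pattern a whaling message relies on to look like it came from a senior executive. A message from `<colleague@hospital-example.com>` with links whose text and target agree produces no findings at all, so the tool stays quiet for ordinary internal mail.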
Processes must reinforce cautious behavior: rules for receiving shipments and verifying address changes, a clear procedure for changing suppliers’ banking details, and regular phishing tests. Technical measures – from antivirus to multi-factor sign-in – only make sense when paired with informed people. A combination of training, simple checklists, and rigorous physical security greatly reduces the chances that social tricks will work.