Digital protective measures such as network segmentation, zero trust, and multi-factor authentication are standard today. Nevertheless, attackers regularly succeed in circumventing these controls because they use people as the attack vector. Social engineering targets trust, habit, and cognitive shortcuts. In healthcare, this leads to data leaks, business interruptions, and, in extreme cases, danger to patients.
Social engineering makes use of psychological principles such as authority, urgency, scarcity, reciprocity, and social proof. These mechanisms lower the inhibition threshold for opening links, passing on access data, or performing actions under time pressure. The BSI explicitly describes social engineering as exploiting human characteristics such as helpfulness, trust, and respect for authority.
Classic phishing follows the familiar pattern: deceptively genuine messages prompt users to enter their login details on fake websites.
Quishing uses manipulated QR codes to redirect users to phishing sites. Because a QR code is visually opaque, the user cannot read the destination address before scanning it. Real-world studies confirm the effectiveness of this method and show that professional design and incentives significantly increase the click-through rate.
Smishing and vishing campaigns, by SMS and by phone, use role impersonation and time pressure to obtain sensitive information or to initiate transactions.
Voice and video deepfakes increase credibility. Media reports document successful deceptions resulting in damages amounting to tens of millions.
Attacks on the healthcare sector combine confidentiality, integrity, and availability risks. Patient data, core medical processes, and public trust are all affected. The European Threat Landscape Report continues to classify social engineering as one of the key threats, alongside ransomware and data attacks.
The combination of simple means and psychological patterns explains the high success rate. This is particularly true in areas where mobile devices, shared workstations, shift work, and high cycle times limit attention.
An effective protection program combines technical controls, robust processes, and continuous employee empowerment.
Technical controls include email filters, caller identification, URL and content analysis for QR targets, hardening of mobile devices, strong authentication, and consistent logging. In addition, QR scanners should be used that display the target URL before opening it and check it against reputation data.
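The following is an added example, not code from the lecture or from sepp.med, of the scanner-side check described above for quishing: the decoded QR payload is triaged and the target URL is shown to the user together with a decision before anything is opened. The organisation's allowlist (`klinikum.example`, `portal.klinikum.example`), the shortener list and all sample payloads are constructed for this example; a real deployment would add a reputation lookup in place of the local allowlist.

```python
"""Triage of decoded QR payloads before a user is allowed to open them (added example)."""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical allowlist of an organisation's own web hosts (constructed for this example).
TRUSTED_DOMAINS = ("klinikum.example", "portal.klinikum.example")

# Common public link shorteners; a shortener hides the real destination behind a redirect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}


@dataclass
class QrVerdict:
    payload: str
    host: str
    findings: list = field(default_factory=list)  # (severity, reason) pairs

    def add(self, severity: str, reason: str) -> None:
        self.findings.append((severity, reason))

    @property
    def verdict(self) -> str:
        """'block' if any hard indicator fired, 'review' for soft ones, else 'allow'."""
        levels = {sev for sev, _ in self.findings}
        if "block" in levels:
            return "block"
        if "review" in levels:
            return "review"
        return "allow"

    def prompt(self) -> str:
        """Text a scanner app would show to the user before opening anything."""
        lines = [f"Target: {self.payload}", f"Decision: {self.verdict.upper()}"]
        lines += [f" - [{sev}] {reason}" for sev, reason in self.findings]
        return "\n".join(lines)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_trusted(host: str, trusted) -> bool:
    # Exact match or a subdomain of an allowlisted domain.
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage_qr_payload(payload: str, trusted=TRUSTED_DOMAINS) -> QrVerdict:
    payload = payload.strip()
    parsed = urlparse(payload)
    host = (parsed.hostname or "").lower()
    v = QrVerdict(payload=payload, host=host)

    if parsed.scheme not in ("http", "https"):
        # Wi-Fi, vCard, tel: and similar payloads are handed to the user, never auto-opened.
        v.add("review", f"not a web URL (scheme '{parsed.scheme or 'none'}'); do not open automatically")
        return v
    if not host:
        v.add("block", "URL has no host")
        return v
    if parsed.scheme == "http":
        v.add("review", "plain http: content and credentials would travel unencrypted")
    if "@" in parsed.netloc:
        # 'https://portal.klinikum.example@attacker.example/' is served by attacker.example.
        v.add("block", "userinfo '@' in authority: the name shown first is not the real host")
    if _is_ip_literal(host):
        v.add("block", "raw IP address instead of a hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        v.add("block", "punycode label: possible homograph of a familiar domain")
    if host in SHORTENERS:
        v.add("review", "link shortener hides the real destination")
    if not _is_trusted(host, trusted):
        v.add("review", "host is not on the organisation's allowlist")
        for d in sorted(trusted):
            label = d.split(".")[0]
            if label in host:
                v.add("review", f"untrusted host contains the familiar name '{label}'")
                break
    return v


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them from printed codes.
    samples = [
        "https://portal.klinikum.example/termin",
        "https://portal.klinikum.example@attacker.example/login",
        "http://klinikum-example.com/login",
        "https://192.0.2.10/login",
        "WIFI:T:WPA;S:Guest;P:pw;;",
    ]
    for s in samples:
        print(triage_qr_payload(s).prompt(), end="\n\n")
```

The severity assigned to each indicator is a policy choice: the hard indicators (userinfo trick, IP literal, punycode) are ones a patient or staff member cannot be expected to judge on a phone screen, so the scanner refuses outright, while everything else is surfaced for a conscious decision rather than silently opened.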
Processes need clear incident handling, including reporting channels, emergency plans, and escalation paths. Regular exercises build confidence in taking action and shorten response times.
Employee empowerment rests on awareness programs with realistic phishing simulations, low-threshold reporting channels, and a constructive error culture. Evidence-based nudging and gamification increase participation and retention and measurably raise the reporting rate for suspicious messages.
Risk analysis should focus on human vulnerabilities, especially at the interfaces with patients, suppliers, and administrative processes.
Consolidate basic technical controls and expand them to include QR security checks.
Define standardized response and emergency processes and test them regularly.
Establish ongoing awareness with simulations, feedback, and leadership role models.
Continuously monitor developments in social engineering and AI abuse and derive lessons learned.
Technical measures are necessary but not sufficient. Social engineering systematically targets the human factor and therefore requires an integrated defense strategy. Strengthening technology, organization, and people in equal measure measurably reduces both the probability of incidents and the extent of damage.
sepp.med: Quishing, Smishing & Co. The underestimated gateways into medical infrastructure. Lecture, CySecMed 2025, October 17, 2025.
Federal Office for Information Security (BSI): The state of IT security in Germany in 2024.
BSI: Social engineering. Fundamentals and examples.
ENISA: Threat Landscape 2024, September 2024. Chapter: Social Engineering, Ransomware, and Data Threats (via securitydelta.nl).
Geisler M. et al.: Hooked. A Real-World Study on QR Code Phishing, 2024 (arXiv).
Kowalewski M. et al.: Scanned and Scammed. Insecurity by ObsQRity, USENIX Security 2025.
Financial Times: Arup lost 25 mn in Hong Kong deepfake scam, 2024.
The Guardian: CEO of WPP targeted by deepfake scam, 2024.
Note on data availability: The slides cite a BSI figure of 30 percent social engineering incidents in the healthcare sector. This sectoral breakdown is not found verbatim in the published 2024 status report, but the central importance of social engineering is confirmed. A precise percentage for the healthcare sector cannot be clearly substantiated from freely available sources.