How To Construct Phishing Campaigns for Various Healthcare Roles

January 11, 2017 by Sara A.

What Is Phishing?

Phishing is a trick that cyber-criminals use to obtain personal and/or financial information from the person or organization targeted. In its most common forms, the lure is an email, a web page, or a text message. The consequences for the organization can be financial or reputational. Among the most effective protective measures an organization can take is to raise awareness among the workforce using simulated phishing campaigns.

What Is SecurityIQ Designed to Do?

SecurityIQ, through its PhishSim tool, helps you create safe but realistic phishing emails in order to teach your workforce to recognize such attacks and avoid them. You can create personalized emails for each category of healthcare staff (nurses, doctors, administrators, etc.), and PhishSim lets you run campaigns that send several emails using different techniques to the same users; from that activity, reports are generated showing which users clicked the links in those emails without checking them.
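The per-user reporting described above depends on one mechanism: every link sent must be attributable to exactly one (recipient, template) pair when it shows up in the web log of the landing host. The following Python script is an added example, not SecurityIQ or PhishSim code, of how a simulation does that. The tracking host, campaign key, template ids, recipient list and access-log lines are all constructed for the example; the token is an HMAC over the pair, so the address never appears in the URL and a recipient cannot forge a hit for a colleague.

```python
"""Added example (not SecurityIQ/PhishSim code): the mechanics behind a
simulation that sends several templates to the same users and then reports,
per user, which links were clicked. Each link carries an HMAC-derived token,
so the click log never contains the recipient's address and a recipient cannot
forge a hit for a colleague. All names, domains and log lines are constructed."""
import hashlib
import hmac
import re
from collections import defaultdict

CAMPAIGN_KEY = b"campaign-2017-01-secret"  # hypothetical; keep it in a secrets store
TRACKING_BASE = "https://training.example-hospital.org/c/"  # constructed landing host

# Role -> template ids, following the pretexts in the article (constructed ids).
TEMPLATES_BY_ROLE = {
    "nurse": ["it_security_fix", "head_of_service_meeting"],
    "doctor": ["it_security_fix", "patient_records_download"],
    "finance": ["past_due_invoice"],
}

# Constructed recipient list: (address, role).
RECIPIENTS = [
    ("nurse01@example-hospital.org", "nurse"),
    ("dr.smith@example-hospital.org", "doctor"),
    ("ap.clerk@example-hospital.org", "finance"),
]


def make_token(recipient: str, template: str) -> str:
    """Opaque token for one (recipient, template) pair: HMAC-SHA256 truncated
    to 16 hex characters. Without CAMPAIGN_KEY nobody can compute a valid token."""
    msg = f"{recipient}|{template}".encode()
    return hmac.new(CAMPAIGN_KEY, msg, hashlib.sha256).hexdigest()[:16]


def build_campaign(recipients=RECIPIENTS, templates_by_role=TEMPLATES_BY_ROLE):
    """Return (messages, lookup): one message per email to send, and a
    token -> (recipient, template) map used later to attribute clicks."""
    messages, lookup = [], {}
    for address, role in recipients:
        for template in templates_by_role[role]:
            token = make_token(address, template)
            lookup[token] = (address, template)
            messages.append({"to": address, "template": template,
                             "url": TRACKING_BASE + token})
    return messages, lookup


# Constructed access log of the tracking host: timestamp, client IP, request.
# nurse01 clicks the same link twice; the last line is a token that was never
# sent (a scanner or a typo) and must not be attributed to anyone.
CLICK_LOG = [
    f'2017-01-11T09:14:02Z 10.0.0.12 "GET /c/{make_token("nurse01@example-hospital.org", "it_security_fix")} HTTP/1.1" 200',
    f'2017-01-11T09:14:40Z 10.0.0.12 "GET /c/{make_token("nurse01@example-hospital.org", "it_security_fix")} HTTP/1.1" 200',
    f'2017-01-11T10:02:17Z 10.0.0.55 "GET /c/{make_token("ap.clerk@example-hospital.org", "past_due_invoice")} HTTP/1.1" 200',
    '2017-01-11T10:30:00Z 203.0.113.9 "GET /c/0000000000000000 HTTP/1.1" 404',
]

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "GET /c/(?P<token>[0-9a-f]{16}) ')


def click_report(log_lines, lookup):
    """Attribute log hits to (recipient, template). Returns (per_user, unknown):
    per_user[address][template] is the click count; unknown lists tokens that
    match no sent message (forged, mistyped or scanner traffic)."""
    per_user = defaultdict(lambda: defaultdict(int))
    unknown = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a tracking-link request
        token = m.group("token")
        if token not in lookup:
            unknown.append(token)
            continue
        address, template = lookup[token]
        per_user[address][template] += 1
    return {a: dict(t) for a, t in per_user.items()}, unknown


def users_who_clicked(per_user):
    """Sorted recipients who clicked at least one link: the retraining list."""
    return sorted(per_user)


if __name__ == "__main__":
    messages, lookup = build_campaign()
    for msg in messages:
        print(f"{msg['to']:32} {msg['template']:26} {msg['url']}")
    per_user, unknown = click_report(CLICK_LOG, lookup)
    print("clicked:", users_who_clicked(per_user))
    print("detail:", per_user)
    print("unknown tokens:", unknown)
```

The unknown-token list matters in practice: mail scanners and sandboxes follow links before the user ever sees the message, so a report that counted every hit on the landing host would blame users for clicks they did not make. Attributing only tokens that were actually issued, and reviewing repeated hits from the same IP within seconds, keeps the per-user report honest.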

Fish It before It Phishes You

Below are 11 examples that will help you understand what you need to focus on when creating a phishing campaign for your employees.

For Medics, including Nurses, Consultants and Related Roles, such as Social Workers

The IT department is often seen as the superhero when it comes to technical problems related to the use of computers and the Internet. The IT team enjoys a great deal of trust from hospital staff at every level of the hierarchy. An email apparently from the IT team urging the recipient to click a link in order to resolve a security issue will push the recipient to click without thinking twice about where the email came from or whether it might be a threat to information security. Attackers routinely exploit this trust to get what they want.


For Nurses

Being a nurse in the emergency care service is a demanding and very stressful job: it requires one to be attentive and to react quickly to events. An email from the head of the service will probably be opened because it will be seen as important (especially when the subject line contains “IMPORTANT!”). Moreover, if the email concerns a mandatory meeting about work-related problems, the nurse must not forget it; a reminder would be seen as a great help, so the nurse is tempted to click a link in order to create one.


For Doctors

Doctors need access to patients’ medical information in order to do their job properly and on time. A large patient load is a weakness attackers can exploit by sending messages that ask the doctor to download a patient’s medical records, where the download actually delivers malware. A doctor who is overwhelmed by patient records and dislikes working with electronic protected health information (ePHI) because it is “too much technology” may download such files without knowing they are unsafe, trusting that they come from the hospital system, especially since the hospital’s name and address appear in the signature.

For IT and Tech Staff

IT and tech staff are the most difficult to phish, because they know the tricks. A message sent to them must be designed to build as much trust as possible, since real attackers use very subtle tricks to lure them in, such as a website address that is very similar to the original one. Phishers may also use the identity of real government agencies and even quote real phone numbers to eliminate doubt.

For Administrators and Front Desk Workers

Administrators and front desk workers in a healthcare facility spend most of their working time at their computers, where they need to be as efficient as possible. For this reason, if they receive an email from the IT department, especially one addressed to a specific person, such as Justin in the example above, they will probably click the link in order to keep their computer running well, particularly when it concerns important software like Java, Microsoft Office, or Adobe Reader.

For Finance

This department is a prime target for cyber-criminals for the simple reason that it handles money: if attackers can get into the transaction system, they will steal as much as they can. To do so, they can, for example, lure the department’s staff with a request to check “Past Due Invoice Notifications” that is in fact a link to the criminals’ website. Finance staff will be tempted to click the link because it relates directly to the department’s work. An employee could easily be convinced to click (even though invoices normally arrive as attachments to the email) because the message invokes fictitious security policy changes the employee is not aware of.

For Transcriptionists

If the hospital’s transcriptionists usually work with voice recordings, a very easy way to lure them is to send an email with a voice recording that resembles the ones they normally receive (for instance, from the same software, with the same green display). Details such as the date and length of the recording also make the email more credible, but they must match reality, which requires knowing the transcriptionist’s routine (an insider in the same office, for example). A typo such as “Lenth” in the example above can be a good learning point for your staff: such messages are normally generated automatically from a template, so a mistake like this suggests the message was put together in a hurry by a cybercriminal.

For Medical Claims Handlers

Suppose that a patient’s health insurer, called HAVE Insurance, needs the patient’s hospital bills in order to pay them. If the hospital’s medical claims handler is not aware of new regulations, he can easily trust a fraudulent email such as the one in the example above.

For Laboratory Technicians

If the laboratory technician works the afternoon shift, he does not know what happened earlier in the day. When he receives a message from the boss saying that all of the day’s results are in one downloadable folder, he will be tempted to save it to his computer; in fact, the download could be malware that compromises the computer.

For Researchers

PubMed is one of the most used scientific article databases in the medical field and is very important to researchers, so it is easy to phish them by impersonating it and applying pressure, for instance with the threat of losing access to the database.


For Healthcare Call Center Workers and Managers

A basic method for phishing as many people as possible with solid, convincing arguments is to send a message asking staff to fill out a form for the good of the organization. They will do it, especially if it does not take much time and, of course, if a family culture exists in the organization.


You can come up with your own phishing templates and adapt them to your organization and its specific needs. However, remember that a good phishing campaign should:

  • be as realistic as possible (using websites, email addresses, cloud services, software, signatures, identities, and so forth that resemble the real ones);
  • use enough detail (but not too much, because that can itself look suspicious);
  • exploit employees’ vulnerabilities and fears (the boss’s demands, a heavy workload, lack of awareness, etc.).
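The first point in that list, and the “website address very similar to the original one” mentioned for IT staff, come down to lookalike domains. The Python script below is an added example, not code from the article or from SecurityIQ, that handles both sides of that: lookalike_variants() produces the kinds of near-miss domains a simulation would register for its sender addresses and landing pages, and classify_sender() is the defensive check that flags such domains when they appear in mail logs. The hospital domain, the sender addresses and the list of confusable substitutions are constructed for the example, and split_domain() assumes a one-label TLD (use the public suffix list in production).

```python
"""Added example (not from the article or SecurityIQ): lookalike-domain
handling for a simulation. lookalike_variants() produces the kind of
"very similar" addresses the article says campaigns should use, and
classify_sender() is the defensive check that flags such domains in mail
logs. All domains and sender addresses below are constructed."""

# Confusable substitutions attackers rely on, as (lookalike, real) pairs.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_label(label: str) -> str:
    """Fold confusable sequences to their real-letter form, so 'exarnple' == 'example'."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 or 2 between domain labels is the typosquatting zone."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """(registrable label, tld) for a domain. Assumes a one-label TLD; use the
    public suffix list in production so that co.uk and friends work."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]


def classify_sender(domain: str, legit_domains):
    """Return (verdict, matched_legit, reason); verdict is 'legit', 'lookalike'
    or 'unrelated'. Rules run from strongest to weakest signal."""
    domain = domain.lower()
    for legit in legit_domains:
        legit = legit.lower()
        if domain == legit or domain.endswith("." + legit):
            return ("legit", legit, "exact domain or a subdomain of it")
    for legit in legit_domains:
        ll, lt = split_domain(legit)
        cl, ct = split_domain(domain)
        if cl != ll and normalize_label(cl) == normalize_label(ll):
            return ("lookalike", legit, "homoglyph substitution in the name")
        if cl == ll and ct != lt:
            return ("lookalike", legit, "same name under a different TLD")
        limit = max(1, len(ll) // 8)  # allow 2 edits only for long names
        if levenshtein(normalize_label(cl), normalize_label(ll)) <= limit:
            return ("lookalike", legit, "typosquat within %d edit(s)" % limit)
        if ll in domain:
            return ("lookalike", legit, "legitimate name embedded in another domain")
    return ("unrelated", None, "")


def lookalike_variants(domain: str):
    """Candidate lookalike domains for a simulated campaign, one set per technique."""
    label, tld = split_domain(domain)
    out = set()
    for bad, good in CONFUSABLES:          # homoglyph: swap one real letter
        if good in label:
            out.add(label.replace(good, bad, 1) + "." + tld)
    for i in range(len(label) - 1):        # adjacent transposition (typosquat)
        if label[i] != label[i + 1]:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:] + "." + tld)
    for other in ("com", "net", "info"):   # same name, different TLD
        if other != tld:
            out.add(label + "." + other)
    out.add(label + "-it." + tld)          # brand plus a plausible suffix
    out.add(domain + ".mail-secure.net")   # brand as a subdomain of a throwaway (constructed)
    return sorted(out)


if __name__ == "__main__":
    LEGIT = ["example-hospital.org"]  # constructed hospital domain
    for sender in ["it-support@example-hospital.org", "helpdesk@exarnple-hospital.org",
                   "billing@example-hospital.com", "notice@example-hospital.org.mail-secure.net",
                   "news@outlook.com"]:
        print(sender, "->", classify_sender(sender.split("@")[1], LEGIT))
    print(lookalike_variants("example-hospital.org"))
```

The same normalizer serves both purposes, which is the point: if the domains you register for the simulation are exactly the ones your mail filter would flag, the campaign tests the users and the controls at once, and a variant that the check does not flag is a gap worth closing before a real attacker finds it.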

Sara is an eclectic and passionate technical writer, with a high interest in health and information security. Her contribution to InfoSec Institute started in 2016 with a series of articles in Health and IT, from which she extended her expertise to information security in other fields.