What does a phishing scam look like in the social care sector?

When it comes to cyber-attacks, social engineering remains one of the most efficient and effective methods used by criminals. According to the National Cyber Security Centre (NCSC), phishing accounted for 79% of reported cyber-attacks in 2023, and the social care sector is no exception. Social care organisations hold large volumes of service-user data, and the depth and sensitivity of that information make it highly valuable to cybercriminals, who may steal it, cause chaos and disruption, or deploy ransomware at great cost to the organisation.

The financial and reputational impact of a successful attack can be crippling, so strengthening cyber resilience before an incident occurs is essential.

What is phishing?

At its simplest, phishing is when criminals use a variety of methods to trick victims into clicking on, or doing, the wrong thing: following a link to a malicious website, scanning a QR code, downloading an attachment, or entering sensitive information.

Phishing is effective because it relies on social engineering. Rather than breaking into complex computer systems, criminals are essentially hacking you, the victim, relying on human error to take what can be a very convincing bait. A successful phishing attack sees criminals installing malware, stealing user information, shutting down systems, and carrying out a whole host of other damaging and disruptive activities.

What could a phishing attack look like in the social care sector?

Phishing is an umbrella term covering many forms. It could be as simple as a text message telling you to pay a fee for a missed parcel delivery, or a cleverly targeted, convincing email that appears to come from your boss, urging you to pay an invoice immediately. Within the context of social care, some common phishing scams are described below.

Business Email Compromise (BEC):

These are sophisticated attacks aimed at getting employees to transfer funds or reveal sensitive information. Frequently aimed at finance or accounts departments, they involve criminals impersonating senior executives or other authorised personnel and requesting urgent payments, sensitive employee information, or changes to supply chain details.

Credential Harvesting Phishing Attacks:

These focus on stealing login credentials in order to gain unauthorised access to social care systems. The emails often link to convincing replicas of legitimate login pages, such as intranets or medical record portals, to make the request look authentic.

Malware-laden Phishing Emails:

These emails are designed to trick the recipient into downloading malicious software. The malware is usually delivered through a link or an attachment that infects the device once it has been clicked or opened.

Spear Phishing Attacks:

This form of phishing is highly targeted. Attackers tailor the message to a specific individual or organisation, using personal details to make the email appear legitimate. That information is gathered through careful research: scraped from social media, public sources or previous data breaches.

Vishing Attacks:

Vishing attacks follow the same principles but use voice communication. Attackers may telephone while fraudulently impersonating insurance providers, medical staff, or government agencies, and without proper verification will try to obtain sensitive information under the guise of being a legitimate caller.

How can my organisation protect itself?

One of the most effective protective barriers is thorough education for all staff. Making everybody aware of the common features of a phishing attack encourages them to stop and think about what they are being asked to do before clicking an infected attachment or entering sensitive information. Any links, attachments or QR codes should be treated with suspicion and verified before they are accessed. QR code phishing is becoming more common, so consider whether the sender, if legitimate, would be likely to include a QR code at all; if not, it should be flagged as a possible phishing attack.
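
To make the "stop and think" checks above concrete, here is an added example (not code from the original article or from the Cyber Resilience Centre for Wales) of a small Python script that scores an email against the indicators the scams described on this page rely on: a senior person's display name on an external sender address, a mismatched Reply-To, urgent payment language, a request to sign in, links to domains that only look like the organisation's own, risky attachment types, and QR-code lures. The organisation domain example-care.org, the executive names and the two sample messages are all constructed for the illustration, and the keyword rules are deliberately simple.

```python
"""
Phishing indicator check for the scam types described above (BEC,
credential harvesting, malware attachments, QR codes).

Added illustration, not code from the original article or from the Cyber
Resilience Centre for Wales. Assumptions: the organisation's own mail
domain is "example-care.org", the executive names and sample messages are
constructed, and the rules are simple keyword/header heuristics that mirror
what staff training teaches people to look for, not a production filter.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example-care.org"                     # assumed internal domain
EXECUTIVES = {"jane doe", "finance director"}       # constructed display names (lowercase)
URGENCY = ("urgent", "immediately", "today", "asap", "within the hour")
PAYMENT = ("invoice", "bank details", "transfer", "payment", "pay")
CREDENTIAL = ("password", "verify your account", "confirm your login", "sign in to")
RISKY_EXT = (".exe", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".scr")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(address: str) -> str:
    """Lowercase domain part of an RFC 5322 address, or '' if there is none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_email(msg: dict) -> list:
    """Return the indicator codes found in a message dict with keys
    'from', 'reply_to', 'subject', 'body' and 'attachments'.
    An empty list means nothing was flagged."""
    found = []
    display, _ = parseaddr(msg.get("from", ""))
    from_dom = domain_of(msg.get("from", ""))
    reply_dom = domain_of(msg["reply_to"]) if msg.get("reply_to") else from_dom
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()

    # BEC: a known executive's name shown on a sender outside the organisation
    if display.lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        found.append("exec_name_external_sender")
    # Replies silently routed to a different domain than the visible sender
    if reply_dom != from_dom:
        found.append("reply_to_mismatch")
    # Urgent money request: the classic BEC invoice lure
    if any(w in text for w in URGENCY) and any(w in text for w in PAYMENT):
        found.append("urgent_payment_request")
    # Credential harvesting: asking the reader to log in or confirm a password
    if any(w in text for w in CREDENTIAL):
        found.append("credential_request")
    # Links that leave the organisation, or merely resemble its domain
    for url in URL_RE.findall(msg.get("body", "")):
        host = (urlparse(url.rstrip(".,;)")).hostname or "").lower()
        if host != ORG_DOMAIN and not host.endswith("." + ORG_DOMAIN):
            code = "lookalike_link" if ORG_DOMAIN.split(".")[0] in host else "external_link"
            if code not in found:
                found.append(code)
    # Executable or macro-enabled attachments
    if any(name.lower().endswith(RISKY_EXT) for name in msg.get("attachments", [])):
        found.append("risky_attachment")
    # QR codes sent where a legitimate sender would normally use a plain link
    if "qr code" in text or "scan the code" in text:
        found.append("qr_code_lure")
    return found


# Constructed sample messages for demonstration only
BEC_SAMPLE = {
    "from": '"Jane Doe" <jane.doe@webmail-example.net>',
    "reply_to": "accounts@another-example.net",
    "subject": "URGENT invoice",
    "body": "Please pay the attached invoice today. Sign in to "
            "http://example-care-portal.net/login to confirm.",
    "attachments": ["invoice.docm"],
}
BENIGN_SAMPLE = {
    "from": '"Jane Doe" <jane.doe@example-care.org>',
    "reply_to": "",
    "subject": "Team meeting notes",
    "body": "Notes from this week's meeting are on https://intranet.example-care.org/notes",
    "attachments": ["notes.pdf"],
}

if __name__ == "__main__":
    for label, sample in (("BEC sample", BEC_SAMPLE), ("benign sample", BENIGN_SAMPLE)):
        print(f"{label}: {check_email(sample) or 'no indicators'}")
```

Run the file to see both samples scored. Keyword rules of this kind are a training aid rather than a mail filter, since attackers vary their wording; the value of the example is that each category of indicator staff are taught to look for is written down as a check that can be tested against known samples.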
Cyber security training is key to increasing employees' knowledge and awareness of cyber safety and boosting resilience. Thanks to Welsh Government funding, regional social care organisations can currently access this training programme for FREE (the programme runs until the end of March) by enrolling individuals working within the industry on the Cyber Ninjas social care training.

For more information and to enrol staff onto the free training programme, please contact the WCRC team.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for Wales is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for Wales provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for Wales does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for Wales is not responsible for the content of external internet sites that link to this site or which are linked from it.
