
Mobile-centric social engineering in healthcare


Healthcare organizations have spent years strengthening email security, training staff to spot phishing emails, and deploying secure email gateways. However, attackers are evolving faster than many healthcare security strategies.

More and more cybercriminals are moving away from traditional email-based phishing and targeting healthcare workers directly through mobile devices using SMS phishing (smishing), voice phishing (vishing), MFA fatigue attacks, and mobile-based pretexting. For the first time, the 2026 Verizon Data Breach Investigations Report (DBIR) included a large-scale analysis of voice and SMS phishing simulations, revealing that phone-centric phishing campaigns generated click rates 40% higher than traditional email-based attacks.

The trend affects healthcare organizations, such as hospitals, clinics, insurers, laboratories, and telehealth providers. These entities rely on mobile communication for tasks like patient coordination, physician interaction, scheduling appointments, remote work facilitation, and authentication processes. Furthermore, healthcare staff work in high-pressure environments where speed often takes priority over caution, making them ideal targets for mobile-centric social engineering.


What is mobile-centric social engineering?

Mobile-centric social engineering refers to cyberattacks that target users through smartphones and mobile communication channels such as SMS messages, phone calls, mobile apps, and MFA push notifications.


Why attackers are targeting healthcare mobile devices

More and more healthcare workers are incorporating smartphones for daily operations. Physicians use mobile devices for patient messaging and EHR notifications. As noted in the review, Prevalence and patterns of mobile device usage among physicians in clinical practice, there is “an increasing prevalence of smartphones and medical apps in clinical practice, especially among junior physicians.” The review also states that mobile device use can be “subdivided into four categories: Communication and Organization, Documentation and Monitoring, Diagnostic and Therapeutic Decision Support, and Education.”

In a clinical setting, healthcare providers may receive scheduling updates and authentication prompts on their phones. Administrative staff coordinate appointments, insurance verification, and vendor communication through mobile apps and text messages. Attackers understand this reality.

Unlike corporate email systems, mobile devices often lack the same visibility, filtering, and monitoring controls. SMS messages rarely receive the same scrutiny as email. Users also tend to trust phone calls and text messages more than emails because they feel more personal and immediate. The Verizon DBIR noted that attackers are increasingly targeting mobile devices to bypass traditional enterprise phishing defenses.

Healthcare environments amplify this risk because employees are often multitasking under pressure. A nurse rushing between patients or a physician responding during an emergency may approve a suspicious MFA prompt or click a malicious link without fully evaluating the message.



How cybercriminals are exploiting mobile devices in healthcare

Smishing

Smishing attacks use fraudulent SMS messages to trick users into revealing credentials, clicking malicious links, or downloading malware. In healthcare, these attacks often impersonate IT support teams, electronic health record vendors, HR departments, insurance providers, delivery notifications, MFA verification systems, and hospital executives.

Smishing succeeds because attackers know healthcare employees are accustomed to receiving urgent mobile communications: a message stating that an account will be locked unless immediate action is taken can easily create panic.

In March 2025, the FBI released a warning about a nationwide surge in smishing attacks targeting mobile users through fake toll notices, delivery alerts, and account verification requests. Additionally, according to the study Short Message Service (SMS) Phishing Attacks and Defenses: A Systematic Review, smishing caused approximately $470 million in financial losses for U.S. users in 2024 alone.

Healthcare organizations are especially vulnerable because many employees use personal devices for work-related communication. Bring-your-own-device (BYOD) environments often create inconsistent security standards, outdated software, and limited visibility into mobile threats.



Vishing

Voice phishing, or vishing, is another rapidly growing threat in healthcare. Unlike email phishing, vishing attacks leverage real-time human interaction. Attackers impersonate trusted individuals such as IT administrators, executives, vendors, or healthcare partners to manipulate employees into revealing credentials or approving MFA requests.

Healthcare organizations are particularly susceptible because clinical environments rely on urgent verbal communication. Employees are trained to respond quickly to requests involving patient care, system outages, or operational disruptions.

Modern AI tools are making these attacks even more convincing. Threat actors can now use generative AI to improve scripts, mimic communication styles, and scale multilingual attacks more efficiently. Verizon’s 2026 DBIR noted that generative AI is not necessarily introducing new cyberattack techniques, but rather helping threat actors execute familiar attacks more efficiently and at greater scale. As the report explains, “AI’s primary impact is currently operational: automating and scaling techniques defenders already know how to detect.” The report further notes that organizations do not necessarily need to reinvent their defenses yet, but they “do need to keep pace with faster, more adaptive execution.”


MFA fatigue

“MFA fatigue occurs when an attacker spams a target victim with MFA push notifications,” writes the University of Tennessee. This tactic is designed to overwhelm or frustrate users until they eventually approve a login request, often assuming it is legitimate or simply attempting to stop the repeated notifications. In healthcare settings, where clinicians and staff frequently receive authentication prompts during busy shifts, MFA fatigue attacks can be especially effective because employees may approve requests quickly without fully verifying them.
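As an added defensive illustration (not from the original article), the following Python flags the push-bombing pattern described above in constructed authentication log lines: a user who approves a push only after receiving several pushes in a short window. The log format, field names, user names and thresholds are all assumptions made for this example.

```python
# Added example, not from the original article: detect possible MFA fatigue
# (push bombing) in constructed authentication logs. The log format, the
# user names and the thresholds are assumptions made for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <push result>"
SAMPLE_LOG = """\
2026-03-04T07:58:02 nurse.a push_sent
2026-03-04T07:58:02 nurse.a push_denied
2026-03-04T07:58:31 nurse.a push_sent
2026-03-04T07:58:40 nurse.a push_timeout
2026-03-04T07:59:05 nurse.a push_sent
2026-03-04T07:59:06 nurse.a push_denied
2026-03-04T07:59:45 nurse.a push_sent
2026-03-04T07:59:51 nurse.a push_approved
2026-03-04T08:10:00 dr.b push_sent
2026-03-04T08:10:08 dr.b push_approved
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window for counting pushes
MIN_PUSHES = 3                  # assumed number of pushes that is suspicious


def parse(log):
    """Turn raw log text into (timestamp, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def detect_mfa_fatigue(log, window=WINDOW, min_pushes=MIN_PUSHES):
    """Return {user: pushes_in_window} for every approval that followed
    at least `min_pushes` pushes to the same user inside `window`."""
    pushes = defaultdict(list)   # per-user timestamps of recent pushes
    alerts = {}
    for ts, user, result in parse(log):
        if result == "push_sent":
            pushes[user].append(ts)
            # drop pushes that fell out of the sliding window
            pushes[user] = [t for t in pushes[user] if ts - t <= window]
        elif result == "push_approved":
            if len(pushes[user]) >= min_pushes:
                alerts[user] = len(pushes[user])
            pushes[user] = []    # approval closes the current burst
    return alerts


if __name__ == "__main__":
    for user, n in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(f"possible MFA fatigue: {user} approved after {n} pushes")
```

A single push followed by an approval (dr.b above) is normal and is not flagged; only the burst-then-approve sequence is.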


Pretexting

The DBIR also identified pretexting as an increasingly important initial access vector. Pretexting involves creating a believable scenario that convinces a target to trust the attacker. Mobile communication channels make pretexting more effective because conversations feel immediate and conversational.

Pretexting examples in healthcare may include:

  • Fake calls from the hospital IT department requesting password resets
  • Text messages claiming to be from pharmacy systems
  • Vendor impersonation scams
  • Fraudulent MFA verification requests
  • Fake telehealth platform alerts
  • Executive impersonation attacks targeting finance staff

Healthcare organizations often work with numerous third-party vendors, making it easier for attackers to impersonate trusted partners. Verizon reported that third-party involvement in breaches rose to 48% in 2026, representing a 60% increase from the previous year. This interconnected environment gives attackers multiple opportunities to exploit trust relationships through mobile communication.


Impact of mobile-centric social engineering

Recent healthcare breaches continue to demonstrate how devastating these incidents can become. For example, the Covenant Health breach ultimately exposed nearly 500,000 patients’ data after attackers reportedly stole highly sensitive information, including treatment histories and insurance details.

This demonstrates that mobile-centric social engineering attacks do not just threaten data privacy. They can directly disrupt patient care. A successful attack may lead to:

  • EHR downtime
  • Delayed diagnostics
  • Appointment cancellations
  • Diversion of emergency patients
  • Interrupted laboratory services
  • Loss of access to imaging systems
  • Exposure of sensitive patient records

With healthcare organizations operating continuously, attackers know operational pressure may increase the likelihood of paying ransoms or making rushed security decisions during incidents.



FAQs

Why are healthcare organizations increasingly targeted by mobile-based attacks?

Healthcare organizations store highly valuable sensitive data, including protected health information (PHI), insurance records, financial information, and patient identities. Attackers use mobile-focused tactics to exploit busy healthcare workers and gain access to systems containing this data.


How can healthcare organizations improve mobile security awareness?

Organizations can improve awareness through regular security training, smishing and vishing simulations, clear reporting procedures, and education on recognizing suspicious mobile activity.
