Pretexting is a type of social engineering where an attacker constructs a scenario or persona to deceive a victim into divulging confidential information or taking an action. It is often done by pretending to be someone trusted, such as a business partner or someone in senior management, to abuse people's trust. Pretexting is defined by the U.S. Health Department in Social Engineering Attacks Targeting the HPH Sector as “[a] form of social engineering that involves composing plausible scenarios, or pretext, that are likely to convince victims to share valuable and sensitive data. Examples include romance or pig-butchering scams (obtaining fraudulent funds through manipulative means).”
Attackers might, for example, send an email or make a phone call that appears to be a routine request for patient records or billing updates, using real names, logos and context to make it look legitimate. Pretexting differs from other attacks because its goal is not to get victims to click a malicious link (phishing) or authorize a fraudulent transaction (BEC); instead, it lays the groundwork for a future attack by building credibility. Verizon’s 2026 Data Breach Investigations Report (DBIR) notes that pretexting rose sharply in healthcare breaches in 2025, jumping to the number 2 social-engineering tactic behind phishing, as attackers leveraged AI to produce highly believable scenarios. It specifically noted, “This year, we added Pretexting—our second most frequent social action variety—to our tracked list of initial access vectors. Because there is frequently some overlap between Pretexting actions and credential abuse”
The difference between pretexting, phishing, business email compromise, and impersonation attacks
Pretexting differs from the other attacks mentioned above in both intent and execution. Phishing usually consists of mass email or SMS campaigns to steal credentials or deliver malware. BEC is a scam in which criminals impersonate executives or vendors in email to defraud an organization of money. Vishing is social engineering over the phone. Impersonation is the broader act of pretending to be someone else. Pretexting can happen on any channel but always involves a made-up story or role that establishes trust before the actual request.
A study of 62,000 employees in the workplace by Williams, Hinds, and Joinson found that authority cues in spear-phishing emails increased the likelihood that a user would click a suspicious link, showing how a convincing pretext can turn everyday workplace trust into a security vulnerability. The main difference between the two is that phishing may be the attack itself, while pretexting is preparatory: it sets the groundwork for an attack that comes later.
Who do attackers usually pretend to be in healthcare settings?
Social-engineering training providers note that scammers often adopt roles like IT or HR staff, vendors, auditors, billing personnel, clinicians, or compliance officers. Rajivan and Gonzalez describe phishing as “a common kind of social engineering attack, where criminals impersonate a trustworthy third party.” In healthcare, those trusted third parties are precisely the roles listed above, which makes pretexting especially dangerous in busy clinical and administrative workflows.
As IBM explains, to build credibility, “The scammer often impersonates someone with authority over the victim, such as a boss or executive… a coworker, IT staffer, or service provider,” and sometimes even a friend or loved one. Impersonation attacks were the most damaging email breaches in 2025, often exploiting business messaging systems to appear legitimate.
In the most damaging of those incidents, impersonation appeared repeatedly, with attackers tailoring their personas to the victim’s context, such as posing as a familiar pharmacist contacting clinic staff, a remote login technician, or a shared business associate.
What types of information do attackers use to make pretexting feel legitimate?
Attackers mine public and insider sources of information, including:
- Hospital news releases
- Departmental websites
- Staff directories
- LinkedIn profiles
- Public billing
- Scheduling records
Corradini explains in Redefining the Approach to Cybersecurity that spear phishing is tailored to specific recipients because attackers “study the behaviour of their targets and collect information to make the attack believable.” Attackers may also adapt messages based on knowledge of internal data such as patient intake forms, insurance information, or lab reports. Healthcare pretexts often involve using real patient or vendor names, real project information, or information about recent events.
Paubox’s 2026 Healthcare Email Security Report analyzed 170 healthcare email-related breaches reported in 2025 and found that 74% of breached domains had weak DMARC protection, exposing a core gap in sender authentication that attackers can exploit to impersonate senders and steal PHI. The Verizon 2026 DBIR adds a wider warning: mobile-centric phishing simulations had 40% higher click rates than email, indicating that attackers are moving beyond the inbox into channels where trusted roles are harder to verify.
FAQs
How can organizations prevent and respond to pretexting?
Prevention starts with awareness training and a culture of verification.
Can sender authentication help stop business email compromise?
Yes. Sender authentication can help stem spoofed-domain attacks, but since BEC typically involves hijacked legitimate accounts, organizations also need to protect accounts, monitor account activity, and educate users.
Does HIPAA mandate sender authentication?
HIPAA does not specifically call out SPF, DKIM, or DMARC, but covered entities and business associates must apply reasonable safeguards.
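As an added example (not Paubox’s, Verizon’s or any HIPAA guidance’s own tooling), the following Python grades a domain’s DMARC record by how much enforcement it actually provides, the kind of check behind the “weak DMARC” finding earlier on this page and the sender-authentication FAQs above. The domain names and records are constructed; in practice the record comes from the domain’s `_dmarc.<domain>` TXT entry, and the weak/partial/enforcing thresholds are this example’s own, not the report’s methodology.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records keyed by domain (hypothetical names, not real lookups).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "clinic-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@clinic-a.example",
    "clinic-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@clinic-b.example",
    "clinic-c.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "clinic-d.example": None,  # no _dmarc TXT record published at all
}

@dataclass
class DmarcAssessment:
    policy: Optional[str]            # p= tag, None when no valid record exists
    subdomain_policy: Optional[str]  # sp= tag, inherits p= when absent
    pct: int                         # share of failing mail the policy applies to
    verdict: str                     # "missing", "weak", "partial" or "enforcing"

def parse_dmarc(txt: Optional[str]) -> Dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag=value pairs."""
    tags: Dict[str, str] = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: Optional[str]) -> DmarcAssessment:
    """Grade one record; the thresholds are this example's own, not the report's."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcAssessment(None, None, 0, "missing")
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))   # pct= defaults to 100 per RFC 7489
    except ValueError:
        pct = 100
    if policy == "none":
        verdict = "weak"       # monitoring only: spoofed mail is still delivered
    elif pct < 100 or sub_policy == "none":
        verdict = "partial"    # enforcement gaps a domain impersonator can use
    else:
        verdict = "enforcing"
    return DmarcAssessment(policy, sub_policy, pct, verdict)

def weak_domains(records: Dict[str, Optional[str]]) -> List[str]:
    """Domains whose DMARC still leaves room for sender spoofing."""
    return sorted(d for d, r in records.items() if assess_dmarc(r).verdict != "enforcing")
```

Running `weak_domains(SAMPLE_RECORDS)` flags the monitoring-only, partially enforced and missing records while passing the domain with `p=reject` at full coverage.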