Publish date: 8 September 2025
NHS organisations and staff are increasingly being targeted by pretexting scams.
Pretexting is a type of social engineering attack where someone pretends to be a trusted person to trick you into sharing information or carrying out an action. These scams aren’t limited to the online world - they can also happen over the phone or in person. For example, a caller might pose as a family member or even a police officer, telling a convincing story to gain your trust and persuade you to hand over sensitive details, such as a telephone number.
Pretexting techniques
Attackers often use a mix of techniques to carry out pretexting scams, including:
- Phishing - Impersonating a person or organisation by email to steal information. These emails can look very genuine and may seem to come from someone you know, but the sender’s address is fake. They may also include attachments or links which, if opened, can install harmful software (malware).
- Vishing / Smishing - Vishing uses phone calls to trick you into giving away sensitive details. Smishing works in a similar way, but through SMS or text messages.
- Tailgating - Attempting to gain physical access to a building by following someone through a secure door. An unauthorised visitor may walk closely behind you or catch a door before it closes. Allowing this puts the organisation at risk by letting someone access areas they shouldn’t.
Further information and support
To protect against these threats, stay vigilant and always follow cyber security best practice and Information Governance (IG) policies and guidelines.
Before you act, stop and think:
- Verify who you’re dealing with.
- Only share information if you’re certain it’s safe.
- Never allow anyone to tailgate into a secure area.