When we think about vishing (voice phishing), the usual suspects come to mind: fake refund scams impersonating Norton, PayPal, or Geek Squad.
When one of our security researchers brought this campaign to my attention, I knew right away it was something different.
This wasn’t your typical refund scam or tech-support vishing attempt. Instead, it was targeting something much more personal—healthcare appointments.
It’s smart. It’s subtle. And it works because it feels personal.
Let’s break down how this attack plays out.
IT Security Admins: If you’re thinking this doesn’t concern you because it sounds personal, not corporate, stick with me. I’ll explain why these attacks still matter to you.
Actually, the email is nothing flashy. It’s a polite confirmation for an upcoming medical appointment. No links. No malware. Just a friendly heads-up that you’ve got something on the calendar, with an attachment that holds the details.
But open that attachment, and here’s what you’ll see:
Here's what it includes:
Unlike a business email compromise (BEC) attack, there’s nothing inherently malicious in the email itself. No links to fake or shady websites. No suspicious attachments to scan. The danger is all in the social engineering, and the phone number in that PDF.
Here’s why this kind of thing works so well:
Let’s be honest...most of us feel a little uneasy about healthcare billing. It’s confusing, stressful, and when an unexpected charge shows up, the instinct is to fix it right away.
No links? No malware? No keywords to match a filter? There’s nothing to trigger traditional defenses. It's a perfect example of what I talked about in my analysis of almost 2,000 customers' SEG gaps (Barracuda, Cisco IronPort, Mimecast, and Proofpoint SEGs).
This one’s about manipulating behavior, full stop.
With your name in the message and familiar healthcare brands in the mix, it feels authentic. The attackers aren’t rushing or threatening, they’re relying on trust.
It’s easy to dismiss this kind of attack as personal—something that lands in an employee’s private inbox, not their work email. But attackers don’t think that way.
Personal attacks often spill into the workplace:
Employees use the same devices for personal and work email.
Personal stress impacts professional decision-making.
Social engineering doesn’t stop at home—it often pivots into corporate networks once trust is established.
Most importantly, for IT Security Leaders, this is an opportunity to teach and empower employees to recognize these types of attacks. A tactic like this could easily pivot to business targets—and because it feels personal and relatable, employees are more likely to pay attention. When it hits close to home, it feels more real.
Let me walk you through the sequence:
The email hits the inbox
Just an appointment confirmation, nothing jumps out.
You open the attachment
Now you’re staring at a fee for an appointment you don’t remember scheduling.
You call the number
Wanting to clear things up, you dial and land right in the attacker’s lap.
They work their script
From here, they can ask for payment details, personal info under the guise of verifying insurance or resolving the issue.
All of this happens without a single piece of malware hitting your system.
I’ve seen vishing attacks combine email and phone before, but the healthcare angle adds a new layer. It plays on the same techniques we’ve seen for years, emotional triggers, urgency, and trust—but in a space where people are often more vulnerable.
And that’s the point...attackers don’t always need a link or attachment to capture personal data, they just need you to pick up the phone.
I know no one wants to hear “train your users” again, but this kind of attack really leans on people, not just technology.
This attack stood out to me because it’s just...simple. A convincing setup and a phone number—that’s all it takes. It works because it feels real.
Want to learn more about how DMARC works and how it can help defend your brand? Check out our overview here.