In addition to being National Cyber Security Awareness Month (NCSAM) in the US, October also marks the beginning of a lucrative two-month phishing season. Over the next two months, the vast majority of companies will have employees review and enroll in benefits, with many organizations also beginning their holiday party and charity campaign planning. These activities provide a window of opportunity for threat actors to strike with phishing attacks that appear legitimate.

Why Benefits Enrollment Periods and Holiday Party Planning Can Be Risky

The email below may look familiar. It’s something you would probably roll your eyes at and begrudgingly complete after you receive a second notice. It usually includes a link, which often sends you to a third-party website, such as a health insurer or financial institution.

Each of these pieces of information is extremely helpful in creating a phishing attack. For example, a threat actor could make a website that looks similar to the one that employees see annually for benefits enrollment. After all, benefits pages for most companies are readily available, which makes cloning them a simple task.

Once employees log in to a malicious site with their credentials, it’s game over. Criminals can use those details to log in to company networks or systems via a virtual private network (VPN), Outlook Web Access (OWA), or some other email web client or employee site, such as a real benefits page.

However, it’s not just benefits enrollment season that makes these next two months phishing gold; it’s also the time of year when planning kicks off for holiday parties and charity campaigns — two more common and highly lucrative phishing targets.

The above email, which came from a real phishing engagement, yielded 29 sets of credentials out of 41 targets. The promise of a gift certificate likely helped increase victim participation.

How to Protect Yourself and Your Organization From Phishing Attacks

How can organizations and individuals defend against these types of phishing attacks? First and foremost, regardless of the type of email, don’t ever click any links in the body.

Visit the website you know — the employee benefits page, for example — and log in there. The same principle applies to credit card fraud — look for the phone number on the back of the credit card and call the credit card company directly.

If you get an email about your company’s holiday party or charity campaigns, especially around the holidays, natural disasters or national tragedies, always verify it through other channels. Typically, companies post this information on their internal homepage in addition to sending out an email. Do a quick check to make sure there really is a food truck survey, for example, especially when a gift is promised. If you don’t find anything on the internal homepage or news update site, ask your manager about the email before clicking any of the links. He or she should be able to tell you if it’s real or not.
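The advice above boils down to one check: does the link in the message actually go where the employee expects to log in? The following Python script is an added example, not code from the original post or from IBM, of how a mail-security team could automate that check over an email body. It extracts every anchor, compares the destination host against an allowlist of the organisation’s real benefits and HR hosts (the hostnames, the allowlist and the sample message are all constructed for illustration), and flags links whose visible text names a different host than the one the link really points to, which is the classic trick behind a cloned enrollment page.

```python
"""Flag links in an email body that do not lead to a known benefits/HR host.

Added example; the hostnames, allowlist and sample message below are constructed
for illustration and do not describe any real organisation.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts employees are expected to log in to (constructed).
KNOWN_HOSTS = {"benefits.example-corp.com", "hr.example-corp.com"}

# Constructed sample: the first link is genuine, the second mimics the real
# host in its visible text but points at a lookalike domain over plain HTTP.
SAMPLE_EMAIL = """
<p>Open enrollment closes Friday. Please confirm your elections:</p>
<a href="https://benefits.example-corp.com/enroll">benefits.example-corp.com</a><br>
<a href="http://benefits-example-corp.co/login">https://benefits.example-corp.com/enroll</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, or '' if the URL has none."""
    return (urlparse(url).hostname or "").lower()


def displayed_host(text):
    """Hostname the visible anchor text appears to name, or '' when the text is
    ordinary words ("click here") rather than a URL or bare hostname."""
    if " " in text or "." not in text:
        return ""
    candidate = text if "://" in text else "https://" + text
    return host_of(candidate)


def check_links(html_body, known_hosts=KNOWN_HOSTS):
    """Return one finding per suspicious anchor in html_body.

    Each finding is a dict with the href, the visible text, the destination host
    and the list of reasons it was flagged. An empty list means every link goes to
    a known host over HTTPS and its visible text does not claim a different host.
    """
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        dest = host_of(href)
        reasons = []
        if dest not in known_hosts:
            reasons.append("destination host not on the known-host list")
        shown = displayed_host(text)
        if shown and shown != dest:
            reasons.append("visible text names a different host than the destination")
        if urlparse(href).scheme != "https":
            reasons.append("link is not HTTPS")
        if reasons:
            findings.append({"href": href, "text": text, "host": dest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Running the script on the constructed sample reports only the second link, with all three reasons. The allowlist is deliberately strict: a link is flagged unless its host is exactly one the organisation has vetted, which is the programmatic equivalent of "visit the website you know and log in there" rather than trusting whatever the message offers.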

For companies looking to prevent that one employee from clicking on a malicious link, penetration testing services can help by conducting phishing scenarios targeted toward company executives and employees using the same tactics, techniques and procedures (TTPs) as criminals.

A test phishing engagement can start important conversations within the organization about how it’s everyone’s job to help protect the company’s data and networks. Practice makes perfect, as they say, so why not practice what would happen if a phishing campaign targeted your business? Not only will it serve as a reminder for employees, it can also test your incident response processes to ensure you’re ready when real phishing attacks come for your data.
