In addition to being National Cyber Security Awareness Month (NCSAM) in the US, October also marks the beginning of a lucrative two-month phishing season. Over the next two months, the vast majority of companies will have employees review and enroll in benefits, with many organizations also beginning their holiday party and charity campaign planning. These activities provide a window of opportunity for threat actors to strike with phishing attacks that appear legitimate.

Why Benefits Enrollment Periods and Holiday Party Planning Can Be Risky

The email below may look familiar. It’s something you would probably roll your eyes at and begrudgingly complete after you receive a second notice. It usually includes a link, which often sends you to a third-party website, such as a health insurer or financial institution.

Each of these pieces of information is extremely helpful in creating a phishing attack. For example, a threat actor could make a website that looks similar to the one that employees see annually for benefits enrollment. After all, benefits pages for most companies are readily available, which makes cloning them a simple task.

Once employees log in to a malicious site with their credentials, it’s game over. Criminals can use those details to log in to company networks or systems via a virtual private network (VPN), Outlook Web Access (OWA), or some other email web client or employee site, such as a real benefits page.

However, it’s not just benefits enrollment season that makes these next two months phishing gold; it’s also the time of year when planning kicks off for holiday parties and charity campaigns — two more common and highly lucrative phishing targets.

The above email, which came from a real phishing engagement, yielded 29 sets of credentials out of 41 targets. The promise of a gift certificate likely helped increase victim participation.

How to Protect Yourself and Your Organization From Phishing Attacks

How can organizations and individuals defend against these types of phishing attacks? First and foremost, regardless of the type of email, don’t ever click any links in the body.

Visit the website you know — the employee benefits page, for example — and log in there. The same principle applies to credit card fraud — look for the phone number on the back of the credit card and call the credit card company directly.

If you get an email about your company’s holiday party or charity campaigns, especially around the holidays, natural disasters or national tragedies, always verify them through other channels. Typically, companies put this information on their internal homepage, as well as sending out an email. Do a quick check to make sure there really is a food truck survey, for example, especially when a gift is promised. If you don’t find anything on the internal homepage or news update site, ask your manager about the email before clicking any of the links. He or she should be able to tell you if it’s real or not.

For companies looking to prevent that one employee from clicking on a malicious link, penetration testing services can help by conducting phishing scenarios targeted toward company executives and employees using the same tactics, techniques and procedures (TTPs) as criminals.

A test phishing engagement can start important conversations within the organization about how it’s everyone’s job to help protect the company’s data and networks. Practice makes perfect, as they say, so why not practice what would happen if a phishing campaign targeted your business? Not only will it serve as a reminder for employees, it can also test your incident response processes to ensure you’re ready when real phishing attacks come for your data.

Listen to the podcast

More from Fraud Protection

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today