Signing Up for Benefits? Beware of Phishing Attacks

In addition to being National Cyber Security Awareness Month (NCSAM) in the US, October also marks the beginning of a lucrative two-month phishing season. Over the next two months, the vast majority of companies will have employees review and enroll in benefits, with many organizations also beginning their holiday party and charity campaign planning. These activities provide a window of opportunity for threat actors to strike with phishing attacks that appear legitimate.

Why Benefits Enrollment Periods and Holiday Party Planning Can Be Risky

The email below may look familiar. It’s something you would probably roll your eyes at and begrudgingly complete after you receive a second notice. It usually includes a link, which often sends you to a third-party website, such as a health insurer or financial institution.

Each of these pieces of information is extremely helpful in creating a phishing attack. For example, a threat actor could make a website that looks similar to the one that employees see annually for benefits enrollment. After all, benefits pages for most companies are readily available, which makes cloning them a simple task.

Once employees log in to a malicious site with their credentials, it’s game over. Criminals can use those details to log in to company networks or systems via a virtual private network (VPN), Outlook Web Access (OWA), or some other email web client or employee site, such as a real benefits page.

However, it’s not just benefits enrollment season that makes these next two months phishing gold; it’s also the time of year when planning kicks off for holiday parties and charity campaigns — two more common and highly lucrative phishing targets.

The above email, which came from a real phishing engagement, yielded 29 sets of credentials out of 41 targets. The promise of a gift certificate likely helped increase victim participation.

How to Protect Yourself and Your Organization From Phishing Attacks

How can organizations and individuals defend against these types of phishing attacks? First and foremost, regardless of the type of email, don’t ever click any links in the body.

Visit the website you know — the employee benefits page, for example — and log in there. The same principle applies to credit card fraud — look for the phone number on the back of the credit card and call the credit card company directly.

If you get an email about your company’s holiday party or charity campaigns, especially around the holidays, natural disasters or national tragedies, always verify it through other channels. Typically, companies put this information on their internal homepage, as well as sending out an email. Do a quick check to make sure there really is a food truck survey, for example, especially when a gift is promised. If you don’t find anything on the internal homepage or news update site, ask your manager about the email before clicking any of the links. He or she should be able to tell you if it’s real or not.

For companies looking to prevent that one employee from clicking on a malicious link, penetration testing services can help by conducting phishing scenarios targeted toward company executives and employees using the same tactics, techniques and procedures (TTPs) as criminals.

A test phishing engagement can start important conversations within the organization about how it’s everyone’s job to help protect the company’s data and networks. Practice makes perfect, as they say, so why not practice what would happen if a phishing campaign targeted your business? Not only will it serve as a reminder for employees, it can also test your incident response processes to ensure you’re ready when real phishing attacks come for your data.

Chris Sethi

Sr. Managing Security Consultant, X-Force Red

Chris has over 18 years of professional security experience. She specializes in OSINT and social engineering.