In addition to being National Cyber Security Awareness Month (NCSAM) in the US, October also marks the beginning of a lucrative two-month phishing season. Over the next two months, the vast majority of companies will have employees review and enroll in benefits, with many organizations also beginning their holiday party and charity campaign planning. These activities provide a window of opportunity for threat actors to strike with phishing attacks that appear legitimate.

Why Benefits Enrollment Periods and Holiday Party Planning Can Be Risky

The email below may look familiar. It’s something you would probably roll your eyes at and begrudgingly complete after you receive a second notice. It usually includes a link, which often sends you to a third-party website, such as a health insurer or financial institution.

Each of these pieces of information is extremely helpful in creating a phishing attack. For example, a threat actor could make a website that looks similar to the one that employees see annually for benefits enrollment. After all, benefits pages for most companies are readily available, which makes cloning them a simple task.

Once employees log in to a malicious site with their credentials, it’s game over. Criminals can use those details to log in to company networks or systems via a virtual private network (VPN), Outlook Web Access (OWA), or some other email web client or employee site, such as a real benefits page.

However, it’s not just benefits enrollment season that makes these next two months phishing gold; it’s also the time of year when planning kicks off for holiday parties and charity campaigns — two more common and highly lucrative phishing targets.

The above email, which came from a real phishing engagement, yielded 29 sets of credentials out of 41 targets. The promise of a gift certificate likely helped increase victim participation.

How to Protect Yourself and Your Organization From Phishing Attacks

How can organizations and individuals defend against these types of phishing attacks? First and foremost, regardless of the type of email, don’t ever click any links in the body.

Visit the website you know — the employee benefits page, for example — and log in there. The same principle applies to credit card fraud — look for the phone number on the back of the credit card and call the credit card company directly.

If you get an email about your company’s holiday party or charity campaigns, especially around the holidays, natural disasters or national tragedies, always verify it through other channels. Typically, companies post this information on their internal homepage in addition to sending out an email. Do a quick check to make sure there really is a food truck survey, for example, especially when a gift is promised. If you don’t find anything on the internal homepage or news update site, ask your manager about the email before clicking any of the links. He or she should be able to tell you whether it’s real.

For companies looking to prevent that one employee from clicking on a malicious link, penetration testing services can help by conducting phishing scenarios targeted toward company executives and employees using the same tactics, techniques and procedures (TTPs) as criminals.

A test phishing engagement can start important conversations within the organization about how it’s everyone’s job to help protect the company’s data and networks. Practice makes perfect, as they say, so why not practice what would happen if a phishing campaign targeted your business? Not only will it serve as a reminder for employees, it can also test your incident response processes to ensure you’re ready when real phishing attacks come for your data.
