Open Enrollment Is Phishing SeasonFraudsters Target Those Signing Up for Health Insurance
Open enrollment has begun for Obamacare as well as for health insurance plans offered by many employers. And that means it's prime time for fraudsters to target consumers with phishing scams, disguised as official-looking open enrollment messages, in an attempt to steal personal information.
Privacy and security experts stress the need to remind those participating in open enrollment about the dangers of phishing, including avoiding clicking on links in suspicious e-mails that bring individuals to fake websites designed to gather information.
"Open enrollment is just one of the mechanisms fraudsters use to scam people, and it often comes down to education and awareness to prevent that," says David Kennedy, CEO of TrustedSec, a security consulting firm.
Health Benefits Ploy
The open enrollment scams typically involve e-mails that purport to be official communications about health insurance but link the user to a fake employee or government web portal designed to collect personal information that can be used to commit fraud. In some cases, simply clicking to open the e-mail or a link it contains can lead to an immediate malware infection, Kennedy says."People freak out when they receive e-mails about their health benefits or new regulations, and the possibility of losing [coverage] if they don't act," Kennedy says. That's why so many consumers fall for the ploys.
In addition to spear-phishing e-mails targeting employees at specific companies during open enrollment season, scammers are also targeting consumers who are interested in shopping for insurance on new state health insurance exchanges and seniors looking for supplemental Medicare plans.
Security firm TrendMicro reports that even before new state health insurance exchanges under Obamacare launched on Oct. 1, scammers began sending consumers spam containing the terms "Medicare," "enrollment" and "medical insurance." The spam contained links taking users to nefarious websites containing surveys asking for personal information in exchange for a chance to win prizes, such as iPhones, TrendMicro explains in a blog about phishing.
Steps to Take
To prevent employees from becoming victims of these scams, organizations must educate them to avoid opening e-mail from unrecognized senders and refrain from opening attachments or clicking on links that look suspicious.
Companies can also use security controls, such as Internet filtering, that prevent employees from accessing unauthorized sites, Kennedy says.
But that tactic typically only works with company-issued devices, says Robert Siciliano, an online security expert at security vendor McAfee. If individuals are using their personal devices to read e-mail in their corporate account, for instance, corporate Internet filtering generally won't stop them from accessing an unauthorized or fake website via a link, he points out.
Employers also should take the extra step of alerting employees in advance that the company, or its outside benefits contractor, will be sending employees messages about open enrollment information, Kennedy says.
Another important step is to remind employees to notify the IT team or other company officials when they receive suspicious e-mails.
Siciliano says basic security measures, such as keeping web browsers, anti-malware software, and firewalls updated, also can help fight phishing attacks.
J.D. Sherry, a vice president at TrendMicro, says companies should also remind employees to be mindful of scams on social media. That includes professional networking sites such as LinkedIn, where there have been incidents of fraudsters posting false profiles in attempts to entice individuals to disclose information about themselves or to access corporate systems.
"We're seeing an uptick in incidents around social media," he says. Fraudsters try to use the "trust factor" of social media sites to trick individuals, he says.
And while open enrollment is a favorite season for fraudsters to use phishing to prey on unsuspecting users, Siciliano says it's important to remember that cybercriminals will look for any occasion to benefit from their scams.
"Holidays are a hot time for this sort of thing, but so too are any natural disasters, political events or even celebrity births," he says. In fact, McAfee has found that within 22 hours of a big breaking news story, fraudsters begin new campaigns for digital scams, he says.
Recent Spear-Phishing Incident
A recent healthcare-related spear-phishing incident at St. Louis University demonstrates that the scams can hit at any time.
The scam e-mail about a systems update sent to 180 SLU employees, including physicians at the university's medical group, contained a link to a fake site that looked like the SLU's employee portal, says David Hakanson, CIO. Several employees were fooled into entering personal information related to their direct deposit accounts.
The phishing e-mail contained the university's logo and was well-written, Hakanson says. However, a keen eye would have noticed that the link in the e-mail contained an incorrect URL for the university's employee portal, he says.
The university's investigation found that 10 employees had direct deposit information changed, although no unauthorized financial transactions had occurred. However, the university also learned that the incident resulted in unauthorized access to about 20 SLU e-mail accounts that contained personal health information for approximately 3,000 individuals. and Social Security numbers of about 200 people. So far, it looks like the fraudsters were targeting direct deposit account information, and not the personal information in the e-mails, Hakanson says.
SLU is offering affected individuals a year's worth of free credit monitoring and identity theft protection services.
Five workers at nearby Washington University in St. Louis also recently apparently fell victim to a similar scam, Hakanson says.
As a result of the phishing incident, SLU is ramping up employee education, Hakanson says. "We will work with our professionals and develop resources to help them to identify phishing e-mail," he says. SLU is also considering making changes to its IT infrastructure that can improve its cybersecurity protections without disrupting the workflow of its users, he says.