Unfortunately, Cyber criminals don’t take time off to celebrate the holidays. The holiday season is a prime time for all kinds of phishing attacks. During this time of year, many companies send out open enrollment emails for health insurance and retirement programs, so hackers take advantage by creating their own counterfeit messages to steal credentials and other confidential information. If your employees view these malicious emails on your network, your company could be at risk of a major breach.

Just between November 11 and 30, PhishMe reported 70 distinct cyber-attacks.

These attacks are particularly dangerous because they deal with highly confidential information. Cyber criminals can easily sell this information on the black market for a high value, resulting in identity theft, which can cause huge long-term problems.

Health Savings Accounts

Some of the most detrimental phishing attacks occur with health savings accounts (HSA). Cyber criminals use email-based phishing attacks to steal HSA credentials and gain access to a victim’s account. The amount of money involved in this type of hack can be enormous. According to Devenir Research, 18.2 million health savings accounts hold $34.7 billion in assets. So far, Optum Bank and Fidelity have already seen these types of phishing attacks take advantage of their customers.

18.2 million health savings accounts hold $34.7 billion in assets.

In both instances, victims receive an email encouraging them to login to their HSA for a variety of reasons. Once the victim clicks on the link, they are redirected to a convincing counterfeit login page. Users login and unknowingly provide their credentials to the hackers, giving them full access to their account. However, if users looked very closely at the webpage URL they might realize that it does not belong to their bank. Unfortunately, even saavy users get busy and can fall for well-crafted phishing domain.

Medicare and Medicaid

These end-of-year emails target eligible seniors looking to enroll in Medicare or Medicaid. Fake emails and phone calls claim to come from the Centers for Medicare and Medicaid stating that new cards are being issued and a Medicare ID number is needed to complete the process. This is where things get complicated. Medicare ID numbers are the same as an individual’s social security number, so victims provide more information to the hacker than they may realize. Once the criminals have social security numbers and other information, identify theft can be easily accomplished.

Cybercriminals steal social security numbers by claiming Medicare is issuing new cards and a Medicare ID number (same as SSN) is required for verification.

Some other common Medicare scams including selling fake supplemental policies, insurance calls and emails to “verify information”, and opportunities for free checkups or medical supplies by providing your Medicare ID number. All of these scams are completely bogus whether they come through phishing emails or phone calls.

Don’t Forget Malware…

These end-of-year scams aren’t just coming in the form of phishing attacks to steal confidential information, there are dangerous malware and ransomware attacks too. Socially engineered emails with the subject “Action Required: 2017 health insurance contract” have been making the rounds. The email contains a new insurance contract for the victim to look over. In reality, the zip filed attachments contain JavaScript code for Locky ransomware. This ransomware can quickly infiltrate and encrypt an entire network.

Ransomware made up 97% of phishing emails so far in 2016.

Not Just a Problem for your Employees

If employees are receiving these emails in their work inboxes, chances are they are opening them on your network. This leaves your organization vulnerable to attacks and breaches that could cause major damage.

Your Email Security is Probably Inadequate

What’s worse is that standard filter-based email security systems such as EOP, Barracuda, McAfee, and Proofpoint cannot reliably stop these attacks. You need specialized email security that can stop spear phishing attacks and zero-day malware. In short, you need artificial intelligence powered security such as Vade Secure.

Want to protect your organization from all types of cyber threats? Contact us to find out more about our solutions or get a FREE 15-day evaluation!