Beware: These Scams Turn Open Enrollment into Open Season for Phishing

Share Now


Last fall, PhishMe® warned you about scams that use phishing to steal your health savings account (HSA) details during open enrollment periods. This year we are seeing a variety of phishing scams that can take advantage of your year-end diligence in managing personal and corporate assets.

We saw this red flag early.

As an enterprise employee you may have several different types of deductions from your paycheck—some to take advantage of tax benefits and some just for convenience. Fraudsters know this, and they are spoofing payroll deduction services. In mid-September PhishMe recorded phishing messages that suggested an employee needed to log in to an “Enterprise Payroll Deduction website.”

Figure 1 Phishing message suggesting recipient log in to manage a payroll deduction

Although the page was down when we viewed it, the same domain is currently hosting phishing pages that spoof a school lunch money deduction service.

Figure 2 Sapphire at School phishing page on volanteportal dot com

Here’s a threat that’s compromised over 100 domains since late last year.

A continuing threat to watch for is found in messages that prompt you to view important payroll documents. Some such messages are out to steal your email address and password. Take the message below, for example, which exhibited the subject line URGENT: SG01- Payroll Update 0917 and spoofed the Amsterdam-based global business service provider TMF Group to entice the recipient into opening an attached PDF.

Figure 3 Message received by employees of a large multi-national manufacturer and of a U.S. money center bank

Once opened, the PDF prompted the victim to click on a link and view the updates to a payroll system reviewed by “the group of executives.” Who wants to let down the big boss?  Better open this up right away! In the view below of the PDF document, the hyperlink is displayed by hovering over the “REVIEW UPDATE” link.

Figure 4 PDF document delivering link to a phishing page

Clicking on the link took the victim to a webmail phishing page that PhishMe has recorded on 110 different compromised domains since November 30, 2016.  The phishing page was built with a criminal toolkit first seen on the same date.

Figure 5 Phishing page reached from phishing message about a payroll update

PhishMe has archived 15 different versions of this kit; the most recent phisher to use it logs into his account at [email protected] to retrieve the credentials stolen from enterprise victims.  First recorded on March 7, 2017, this kit’s final step redirects victims to a red herring document on Google Docs called “Wealth management for business owners.”  Another phisher using this kit during October checks into [email protected] for his ill-gotten gains. The first to use this kit was [email protected], who has been phishing for webmail accounts since at least April 2016.

In related news this week…

Just this week we saw a new type of phishing page that attempts to collect your retirement benefit account details.  The initial phishing message is generic and references an I.T. maintenance issue.

Figure 6 Phishing message leading to a new type of retirement benefits phishing page

After clicking the link to validate a work email account with IT, a phishing page opens that uses a logo very similar to the one used by the National Registry of Unclaimed Retirement Benefits.  The first page of the attack collects an email address and password, while subsequent pages collect name, address, birthdate, name of 401k plan administrator, and 401(k) username and password to “update 401(k) plan records.”

Figure 7 First step of retirement benefits phishing attack on

This time of year, be extra-careful about any benefits emails.

Finally, in the fall when many companies do open enrollment, employees are more likely to check the status of their current benefits as they consider how to configure their accounts for 2018.  Be very suspicious of messages saying that you have a secure message from Fidelity or a pending e-payment in your Charles Schwab account.

When your corporate and personal assets are on the line, don’t let fraudsters trick you into giving up any element of your identity. The threat actors PhishMe has tracked over the years are very patient and will build a portfolio of identities they themselves track over long periods.  Combining your username and password with data available from recent major breaches gives cyber-criminals flexibility. They have many sources from which to correlate the data gained from phishing with other data on the dark web, enabling them to quickly pivot into a larger compromise…one that started with a phishing email.

Train your staff to recognize and report suspicious messages.  Then look to PhishMe Intelligence™ for further support for your incident response and help in hunting, alerting on, and blocking credential phishing attacks.




We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.