An Open Enrollment Reminder – Phishers Want Your HSA Money!

As the end of the year approaches, many companies are communicating with their employees about benefits and Health Savings Accounts via email. Criminals realize this and have decided to get in on the action!  More consumers than ever are using HSAs as a way to save pre-tax income for future medical expenses. A report released by Devenir Research shared that, as of August 2016, 18.2 million HSA accounts currently hold $34.7 billion in assets – a 22% growth over 2015, and projects that by the end of 2018, more than $50 billion will be on deposit in HSA accounts. That’s a tempting target for criminals, and, due to the increase in HSA-related emails, they are ready to use email-based phishing attacks to try to steal your account credentials.

HSA Phishing Attacks

PhishMe has observed a large spike in phishing traffic targeting HSA account userIDs and passwords, starting November 11, 2016, and continuing through today. More than seventy distinct phishing attacks have been observed since that date, targeting Health Savings Accounts at Optum Bank and Fidelity. Fortunately, both of these organizations have been very responsible with their response to phishing and have provided additional information to help protect their customers.

The most prominent Optum phishing attack we are seeing directs the user to a page that looks like this:

hsablog-1Optum customers are encouraged to familiarize themselves with the actual look of their HSA login page and, most importantly, to pay attention to the URL. In the phishing URLs reviewed by PhishMe, the website did not belong to Optum and in some cases didn’t even attempt to pretend to be Optum. The phishers know that most users do not look at the URL of each website they visit. Following are a few example URLs that users clicked on, thinking they were accessing their HSA:

  • twistshop.me/myuhcfinancial/optum/
  • opthsa.com/optumhealthfinancial/optum/
  • megaleft.com/optumhealth/optum/

OPTUM Financial Services provides great information about how to protect your account on this Account Security web page: www.optumhealthfinancial.com/protect-account.html. They encourage account holders who may have clicked a link or opened an attachment to call them, or, if you have NOT clicked the link or opened the attachment, to forward the email to assetprotection@optum.com.  Their account protection web page also provides a sample phishing email that may be similar to one you may receive.

PhishMe is also observing a large increase in phishing attacks imitating the Fidelity Health Savings Account. As with the Optum phish, the key to detecting these phishing web sites is inspection of the URL. In the example below, the web page looks very convincing, but the URL contains the domain name shoe-etc.com which is certainly not Fidelity’s main login page for HSA accounts!

Some of the suspicious URLs we’ve seen for Fidelity’s HSA accounts include the following:

  • myhrsa.com/mynetbenefit.fidelity/fidelity/
  • fidelitynetbenefit.shoe-etc.com/fidelity/
  • securemynb.fidelity.opthsa.com/fidelity/
  • ubs-money.com/netbenefitsfidelity/fidelity/

Fidelity also has a very helpful web page for letting its customers know about possible security problems. Suspicious emails that you receive can be sent to phishing@fidelity.com, and the Report an Online Security Issue web page at https://www.fidelity.com/security/report-an-issue  has telephone numbers and additional tips related to phishing.

And Malware, Too!

The PhishMe Intelligence team has also recorded health insurance social engineering attacks that delivered malware via spam messages. The most blatant of these was a high volume spam campaign observed on November 7, 2016.  Using the email subject line: Health Insurance, the email body read as follows:

The email attachment contained a zip file that used the word insurance and some random numbers as its name, such as:

  • insurance_39017dc45.zip
  • insurance_95341063.zip
  • insurance_bc9ebb1f.zip

These .zip files contained hostile JavaScript code for downloading and executing the Locky ransomware. Locky can encrypt all files on both your local machine and network drives, and these files can only be decrypted by paying a ransom to the criminal.

Conclusion

During this time when the corporate emails are likely to be full of reminders about Open Enrollment and Health Savings Accounts, regarding both spending your remaining balance and setting up the account for next year, be sure to not let the pressure prevent you from being cautious! As our friends at the Anti-Phishing Working Group like to say – Stop. Think. Connect.

Be sure to share this warning with your friends, and consider sharing it with your HR department as well.

Ransomware made up 97% of phishing emails so far in 2016, what about the rest? Learn more in our latest Q3 Malware Review.