[Heads Up] Scam Of The Week: Phishing Attacks Using Better Benefits And Pay Raise Bait

Stu Sjouwerman | Nov 2, 2019

Millions of employees use KnowBe4's Phish Alert Button to report suspect emails, and thousands of organizations share these reports with us. This has become a fascinating threat source, because these phishy emails have made it through all the filters. We see pretty much in real time what the bad guys are up to and which campaigns are live in the wild. So here is the latest Scam Of The Week.

Bad guys are now capitalizing on the benefits election/enrollment season and the yearly pay raise process, which usually takes effect Jan 1st. Although these criminals are still improving their game, these benefits- and pay-themed phishing emails are not quite as convincing as the recent tax-themed phishing attacks.

However, you and your users need to be aware of the pay raise and benefits enrollment phishes that have been reported to us by customers using the Phish Alert Button (PAB) over the past several weeks, most of which are front doors to credentials phishes. Some of these are simply bad, but some are quite creative and take the shape of a personalized benefits survey. Here is an example:

[Screenshot: example of the personalized benefits-survey phishing email]

Another form is a phish where your users are invited by their "HR department" to check out their pay increase "as part of a larger organization-wide effort to raise salaries". The phish contains a link that looks like a SharePoint document but leads to a credential-phishing landing page.
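The two mechanics this post describes, a link whose visible text looks like a SharePoint document while its href points elsewhere, and "From"/"Reply-To" addresses that do not belong together, are both checkable in an email triage pipeline. The script below is an added illustration and not KnowBe4's code or the Phish Alert Button; it parses two constructed messages (one lure, one benign control; every domain, address and keyword in it is made up) and reports the indicators found.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real captured message: an "HR" pay-raise lure whose
# link text reads like a SharePoint document but whose href goes elsewhere, and
# whose Reply-To domain differs from the From domain.
SAMPLE_EML = """\
From: "HR Department" <hr@example-corp.com>
Reply-To: hr-team@mail-collector.example.net
To: employee@example-corp.com
Subject: Your 2020 pay raise and benefits enrollment
Content-Type: text/html; charset="utf-8"

<html><body>
<p>As part of a larger organization-wide effort to raise salaries, please review
your new compensation statement before Jan 1st.</p>
<p><a href="http://login-portal.example.org/view">https://example-corp.sharepoint.com/sites/HR/PayRaise2020.docx</a></p>
</body></html>
"""

# Constructed benign control message for comparison.
BENIGN_EML = """\
From: "Payroll" <payroll@example-corp.com>
To: employee@example-corp.com
Subject: Holiday schedule reminder
Content-Type: text/html; charset="utf-8"

<html><body><p>Offices close early on the 24th. Details on the intranet:
<a href="https://intranet.example-corp.com/holidays">https://intranet.example-corp.com/holidays</a></p></body></html>
"""

# Lure vocabulary of the campaign described in the post (hypothetical list, tune per organization).
LURE_KEYWORDS = ("pay raise", "benefits", "enrollment", "salary", "salaries", "compensation")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Last two DNS labels; a simplification that ignores ccSLDs such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw_eml):
    """Return the indicators found in a single-part HTML email."""
    msg = message_from_string(raw_eml)
    result = {"reply_to_mismatch": None, "lure_keywords": [], "deceptive_links": []}

    # 1. Reply-To pointing at a different domain than From.
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    from_dom = from_addr.rpartition("@")[2]
    reply_dom = reply_addr.rpartition("@")[2]
    if reply_dom and base_domain(reply_dom) != base_domain(from_dom):
        result["reply_to_mismatch"] = (from_dom, reply_dom)

    # 2. Benefits / pay-raise vocabulary in subject or body.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    haystack = (msg.get("Subject", "") + " " + body).lower()
    result["lure_keywords"] = [k for k in LURE_KEYWORDS if k in haystack]

    # 3. Links whose visible text names one host while the href goes to another.
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        href_host = urlparse(href).hostname or ""
        if shown.lower().startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname or ""
            if base_domain(shown_host) != base_domain(href_host):
                result["deceptive_links"].append((shown_host, href_host))
        elif "sharepoint" in shown.lower() and "sharepoint" not in href_host.lower():
            result["deceptive_links"].append((shown, href_host))
    return result


def is_suspicious(result):
    """Flag when a link is deceptive, or a Reply-To mismatch coincides with lure wording."""
    return bool(result["deceptive_links"]) or bool(
        result["reply_to_mismatch"] and result["lure_keywords"]
    )


if __name__ == "__main__":
    for label, eml in (("sample lure", SAMPLE_EML), ("benign control", BENIGN_EML)):
        r = analyze(eml)
        print(label, "->", "SUSPICIOUS" if is_suspicious(r) else "ok", r)
```

Keyword hits alone are deliberately not enough to flag a message, since legitimate HR mail uses the same words in enrollment season; the link mismatch or the Reply-To mismatch is what separates the lure from the control.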

I suggest you send the following to your employees, friends and family. Feel free to copy/paste/edit: 

ALERT: Internet criminals are now sending phishing attacks related to benefits enrollment and potential pay raises. So, when you get any email or perhaps even a robo-call from "HR" about your "2020 benefits" or "next year's pay raise", do not click or open any attachments, but report these suspect emails to the IT department. In case you have questions about your benefits or pay, pick up the phone and call the HR department using the regular, correct extension.

NEVER click on any link in these emails, or "reply" and attach personal information because both the "From" and the "Reply" email address may be spoofed and you would send confidential information to criminals. Think Before You Click.

Let's stay safe out there.

Warm regards,

Stu Sjouwerman,

Founder and CEO, KnowBe4, Inc.


Free Phish Alert Button

Do your users know what to do when they receive a phishing email? KnowBe4's Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click! Phish Alert benefits: 

Here's how it works:

  • Reinforces your organization’s security culture
  • Users can report suspicious emails with just one click
  • Incident Response gets early phishing alerts from users, creating a network of “sensors”
  • Email is deleted from the user's inbox to prevent future exposure
  • Easy deployment via MSI file for Outlook, Google Workspace deployment for Gmail (Chrome) and manifest install for Microsoft 365

Get Your Phish Alert Button

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/free-phish-alert

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.