TechRadar
Sead Fadilpašić

Watch out - that 401K statement could be a scam to steal your company logins

Cybersecurity researchers have warned of an uptick in phishing emails targeting people’s employee credentials.

Experts from Cofense have detected a rise in phishing emails in which threat actors impersonate their victims’ Human Resources department. In the email, the attackers warn of an important upcoming plan update or an increase in 401k contributions.

A 401k is a popular personal pension account plan in the United States, sponsored by the user’s employer. Sometimes, employees contribute to the plan directly from their paycheck, and their employer then matches those contributions.

Fake 401k alerts

In the phishing email, the attackers share a link to a fake login page, designed to steal the victim’s credentials. In some cases, the emails come without a link, so as not to trigger email security solutions that could filter them to the spam folder. Instead, the attackers embed a QR code, which most email security solutions don’t scan and don’t consider potentially malicious.

Furthermore, the victims are invited to scan the code with their smartphones, which rarely come with proper anti-phishing solutions. 

While phishing emails around 401k plans are popular, they are not the only topic, Cofense’s researchers added. Other email topics include open enrollment, surveys, and salary restructuring communications. 

Open enrollment allows employees to enroll in health insurance or retirement plans, and is usually a hot topic towards the end of the calendar year. 

Employees take these messages very seriously, as failing to enroll before the deadline could mean a loss of eligibility for some benefits until the next enrollment round.
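An added example, not from the article or from Cofense: a mail-triage heuristic for the pattern described above, an HR-themed message that carries an image but no link for a URL scanner to inspect. The lure regexes, addresses and sample messages are constructed for illustration, and the check only flags candidates for QR decoding or manual review; it does not decode the image itself.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Lure topics named in the article; the regexes are assumptions of this example.
LURES = {
    "401k": r"401\s*\(?k\)?",
    "open enrollment": r"open\s+enrollment",
    "survey": r"\bsurveys?\b",
    "salary restructuring": r"salary\s+restructuring",
}
URL_RE = re.compile(r"https?://|\bwww\.", re.I)

def triage(raw: str) -> dict:
    """Heuristic signals for an HR-themed email that carries an image but no link."""
    msg = message_from_string(raw)
    texts, images = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html"):
            data = part.get_payload(decode=True) or b""
            texts.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(texts)
    haystack = f"{msg.get('Subject', '')}\n{body}"
    lures = [name for name, rx in LURES.items() if re.search(rx, haystack, re.I)]
    has_url = bool(URL_RE.search(body))
    # No URL for the link scanner to inspect, but an image that may hold a QR code:
    # send to QR decoding or manual review instead of delivering unexamined.
    return {"lures": lures, "images": images, "has_url": has_url,
            "needs_qr_review": bool(lures) and images > 0 and not has_url}

def sample(subject: str, body: str, with_image: bool) -> str:
    """Build a constructed test message (not a real phishing sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "hr@corp.example", "user@corp.example", subject
    m.set_content(body)
    if with_image:  # placeholder bytes standing in for an inline QR image
        m.add_attachment(b"\x89PNG-constructed", maintype="image", subtype="png",
                         filename="code.png")
    return m.as_string()

if __name__ == "__main__":
    print(triage(sample("Action required: 401(k) contribution increase",
                        "Scan the code below with your phone.", True)))
```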

As usual, the best course of action is to use common sense and always be careful when receiving email messages. Everyone should be mindful of the sender’s address; any spelling, grammar, or language discrepancies in the email; links and attachments; and, finally, messages that are “urgent” or too good to be true.

Via BleepingComputer
