Over 5,000 affected after employee fell for phishing attack

The personal data of 5,123 individuals may have been exposed after Flexible Benefit Service Corporation (Flex), a Chicago-based general agency and benefit administrator, fell victim to a phishing attack in late 2017. The incident was reported to the U.S. Department of Health and Human Services (HHS) on February 16, 2018.

On December 6, 2017, Flex discovered that phishing emails were being sent from an employee’s email account. Immediate action was taken to prevent further disruption, and an investigation was launched.

The investigation found that the employee had fallen victim to a phishing attack and unwittingly given access to an unauthorized third party. It also found that the email account was searched for terms including “wire transfer”, “wire payment”, and “invoice”. This suggests that the perpetrator was not intentionally looking to gain access to protected health information, although neither this nor whether any health information within the account was accessed has been confirmed.

Flex is not aware of any information misuse, but potentially compromised personal data includes names, addresses, phone numbers, dates of birth, and Social Security numbers.

Those affected by the incident have been informed, and Flex is providing them with complimentary credit monitoring and identity protection services as a precautionary measure.

In a bid to prevent similar incidents in the future, Flex is also enhancing its ongoing employee training.

The most important line of defense against a phishing attack is the email recipient. If your staff can identify and correctly respond to a malicious email, the danger can be mitigated. With phishing attacks on the increase, this example highlights the importance of training staff.

Protect your organization and educate your staff 

Even the most effective spam filter can miss a spoof email, making your staff the last line of defense against fraud. It is vital that they are aware of the risks of phishing emails. E-learning courses are an efficient, cost-effective method of training with minimal disruption.

Our Phishing Staff Awareness Course gives your staff an introduction to understanding and spotting phishing scams, and helps reduce the chance that an employee will hand over confidential information or inadvertently infect your organization’s systems. The course helps employees identify phishing attacks, explains what would happen should they fall victim, and shows them how they can mitigate the threat of an attack.
