Healthcare Refund Phishing - Abnormal Security

Healthcare Refund Phishing

In this attack, attackers are impersonating a major healthcare company claiming the recipient is entitled to a refund, but the link leads to a page that will steal sensitive information from the recipient.

Quick Summary

  • Platform: Office 365
  • Mailboxes: More than 50,000
  • Email Gateway: Proofpoint
  • Email Security Bypassed: Office 365
  • Victims: Employees
  • Payload: Malicious Link

What was the Attack?

  • Setup: Shelter in place orders due to COVID-19 continue to leave many without work. Attackers have coupled this with another topic front of mind: healthcare. In this attack, the cyber threat actor impersonates a major healthcare company in the hopes of stealing sensitive user information.

  • Email Attack: This attacker crafted a convincing email and landing page that impersonates a major healthcare company. The attacker alludes to the current global health crisis, and states that the user is entitled to a refund payment that is accessible through a link in the email.

  • Payload: The email contains a link to a website that mimics the official healthcare company’s site. The URL is masked, and redirects to a site that attackers likely control which requires recipients to enter their health insurance login credentials, along with other sensitive information.
  • Result: Should recipients fall victim to this attack, their sensitive information is put at risk, including the victim’s social security number and debit card information.

Why is this attack effective?

  • Convincing email and landing page: The email and landing page that the attacker created were convincing. The email was spoofed to appear like an automated notification from the company, using the logo of the company to appear authentic.The landing page was almost identical to the real website of the impersonated party. 
  • Spoofed email: Originating from a no reply email address with brief content in the email body, the user had changed their display name to match the brand name of the healthcare company. At first glance, the email appears to be a notification email from this health care company.
  • Concealed URL: The URL that hosts the landing page of the attack is not affiliated with this healthcare company. However, the attacker had wrapped this URL with text in order to conceal the real URL. This is a tactic frequently seen in email attacks as the attacker is relying on the landing page to be convincing enough that the user does not think to double check the URL.


Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Related content