Just last month we saw suspicious sites targeting employees of some of the largest corporations. In one particular example, a cybersquatter registered a domain name that closely mimicked the open enrollment benefits page of a Fortune 500 company. To illustrate using a generic company name, the squatted domain was ‘enrollcorporation.com,’ whereas the real company benefits page resided on the subdomain ‘enroll.corporation.com.’ The cybersquatter was obviously anticipating that employees would forget to type the period in the subdomain and land on the fake site.
The squatted site contained numerous links to benefits-related pay-per-click sites (see screenshot). While it may have been the intention of the scammer to generate incremental revenue from employees who clicked through on the links, it is also very possible that the scammer was planning on changing the content to something more malicious – such as a phishing site. We often see scammers employ this tactic to avoid any immediate takedown action and to maximize their ploys.
Fortunately, the Fortune 500 company in this case was actively monitoring for potential attacks on its brand and caught and remedied the situation quickly. (The squatted domain was recovered and now redirects to the company’s real benefits page.) If the site had gone undetected, you can just imagine the havoc this would have created if the site morphed into a phishing site and even a minute percentage of the company’s tens of thousands of employees had unknowingly landed on the site and disclosed their personal credentials.
So, what’s the takeaway from this? While most brand owners know to monitor for online scams associated with new product launches or announcements, they also need to be extra vigilant around recurring company events – such as open enrollment periods, sales events, community events, etc. If an event is predictable, it’s very easy for scammers to devise a socially engineered scam that preys on customers’ and employees’ anticipation of the event.
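As an added example (not code from the original post or from the company involved), here is one way a brand-monitoring job could flag the missing-period pattern described above. It goes beyond the single case in the text by also handling hostnames with more than one subdomain label. The hostnames, the feed and the function names are constructed for illustration, and the registrable domain is assumed to be the last two labels.

```python
# Added example: flag newly observed domains that equal a company hostname
# with the dot(s) before the registered domain left out.
# Assumption: the registrable domain is the last two labels (e.g. corporation.com).
# Suffixes such as co.uk need the Public Suffix List instead.

def _labels(name):
    return name.lower().rstrip(".").split(".")

def registrable(name):
    """Last two labels of a domain name, normalized to lower case."""
    return ".".join(_labels(name)[-2:])

def dot_omission_candidates(hostname):
    """Domains a user reaches by omitting the dot(s) in front of the registered name."""
    labels = _labels(hostname)
    if len(labels) < 3:              # no subdomain, so there is no dot to omit
        return []
    sub, registered, suffix = labels[:-2], labels[-2], labels[-1]
    # Merge the trailing k subdomain labels into the registered label.
    return ["".join(sub[-k:]) + registered + "." + suffix
            for k in range(1, len(sub) + 1)]

def find_lookalikes(observed_domains, company_hostnames):
    """Return (observed name, matched candidate, imitated hostnames) for each hit."""
    watch = {}
    for host in company_hostnames:
        for cand in dot_omission_candidates(host):
            watch.setdefault(cand, set()).add(host)
    hits = []
    for name in observed_domains:
        reg = registrable(name)
        if reg in watch:
            hits.append((name, reg, sorted(watch[reg])))
    return hits

# Constructed inventory, using the article's generic company name.
COMPANY_HOSTNAMES = ["enroll.corporation.com", "benefits.hr.corporation.com",
                     "corporation.com"]
# Constructed feed of newly observed domains (e.g. from a registration feed).
NEWLY_OBSERVED = ["enrollcorporation.com", "www.hrcorporation.com",
                  "corporation-news.example", "enroll.corporation.com",
                  "BenefitsHRcorporation.com."]

if __name__ == "__main__":
    for observed, candidate, imitated in find_lookalikes(NEWLY_OBSERVED,
                                                         COMPANY_HOSTNAMES):
        print(f"{observed}: matches {candidate}, imitates {', '.join(imitated)}")
```

Running the watchlist ahead of predictable events such as open enrollment gives the lead time the takeaway above calls for.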