Fake HR department or benefits administrator claiming the target missed open enrollment and must click an emergency re-enrollment link within 24–48 hours or health insurance will be terminated — credential-harvest attack; real open enrollment is managed through authenticated employer HR portals, never cold email emergency enrollment links.

Fake HR department or benefits administrator (impersonating Aetna, Anthem, UnitedHealthcare, CIGNA, Kaiser Permanente, or generic "HR Benefits") claiming the target missed the annual open enrollment window and offering an emergency re-enrollment link that must be clicked within 24–48 hours to restore coverage or health insurance will be terminated — credential-harvest attack exploiting healthcare anxiety. Real open enrollment changes are managed through authenticated employer HR portals under IRS Section 125 and ERISA regulations; cold emails offering a "special emergency enrollment link because you missed open enrollment — click within 24 hours or lose coverage" are credential-harvest attacks that exploit the critical importance of health insurance. The missed open enrollment / emergency enrollment window / click within 24 hours or lose coverage pretext targets the combination of procedural complexity and health insurance anxiety. Distinct from benefits-enrollment-confirmation-phish (generic benefit confirmation pretext) — this targets the HR benefits missed open enrollment / emergency enrollment deadline / lose coverage vocabulary. Detection: missed open enrollment + emergency enrollment link + click within 24-48 hours + or lose coverage + no List-Unsubscribe + no In-Reply-To + not protected sender. Trash score: +4. Source: GC1-R30; FTC health insurance scam advisory 2025; ERISA Section 125 open enrollment rules; CISA HR impersonation patterns; HHS employee benefits fraud bulletin.