Fake health insurance open enrollment or COBRA continuation phishing — fraudulent email impersonating an employer benefits portal, COBRA administrator, or ACA marketplace claiming the recipient's open enrollment period is ending, their COBRA coverage is expiring, or their health coverage will lapse — directing them to click a link to enroll, verify identity, provide SSN, or update payment information to continue coverage — a credential-harvesting and personal information fraud targeting employees during enrollment periods
fake-health-insurance-open-enrollment-cobra-phish
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
This signal covers phishing emails that impersonate employer benefits portals, COBRA administrators, health insurance marketplaces, or ACA enrollment assisters. The email claims that an employee's open enrollment period is ending, that their COBRA continuation coverage is about to expire, or that their health coverage will lapse, then directs them to click a link to enroll, select a plan, verify their identity, provide their SSN, or update payment information. These attacks precisely time their delivery to coincide with legitimate open enrollment periods.
Key facts:
(1) Health insurance phishing peaks during the ACA open enrollment window (November–January) and during annual employer benefits enrollment (typically October–November); targeted timing dramatically increases click rates compared to off-season phishing.
(2) COBRA continuation fraud specifically targets recently separated employees: attackers obtain employee separation data (from LinkedIn or data broker lists) and send fake COBRA notices within days of separation, when victims are genuinely anxious about health coverage gaps.
(3) The data collected (SSN + health plan enrollment = insurance identity) enables medical identity theft: fraudulently billing health insurance using a victim's identity and member ID to obtain prescriptions, procedures, or fraudulent reimbursements.
(4) Legitimate COBRA administrators (HealthSmart, WEX Health, COBRA Administrators) always send official notices by first-class mail per federal law (ERISA), never solely by email; ACA marketplace enrollment is done at healthcare.gov with no unsolicited outreach.
Warning signs: enrollment deadline urgency from a non-employer/non-insurer domain, SSN or payment info requested via email, COBRA notice delivered only by email.
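The three warning signs above can be checked mechanically against a message. The sketch below is an added example, not Gorganizer's own code; the trusted-domain list, the keyword patterns, the indicator names and the sample messages are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this organisation really uses for benefits mail (placeholders).
TRUSTED_DOMAINS = {"healthcare.gov", "benefits.example.com"}

TOPIC = re.compile(r"\b(open enrollment|cobra|health (coverage|insurance|plan))\b", re.I)
URGENCY = re.compile(r"\b(expir\w+|laps\w+|ending|ends (today|soon)|final notice|"
                     r"deadline|within \d+ (hours|days))\b", re.I)
SENSITIVE = re.compile(r"\b(ssn|social security number|payment (information|info|details)|"
                       r"verify your identity)\b", re.I)

def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def is_trusted(domain):
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def body_text(msg):
    # Plain-text parts only, no transfer decoding: enough for the constructed samples.
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")

def warning_signs(raw):
    """Return the names of the warning signs that this raw message shows."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if not TOPIC.search(text):          # not about enrollment or COBRA at all
        return set()
    untrusted = not is_trusted(sender_domain(msg))
    hits = set()
    if untrusted and URGENCY.search(text):
        hits.add("deadline_urgency_from_untrusted_domain")
    if SENSITIVE.search(text):
        hits.add("ssn_or_payment_requested_by_email")
    # Whether a paper notice was also mailed cannot be known from the email alone.
    if untrusted and re.search(r"\bcobra\b", text, re.I):
        hits.add("cobra_notice_arrived_by_email")
    return hits

# Constructed sample messages, not real mail.
PHISH = ("From: Benefits Team <enroll@benefits-update.example.net>\n"
         "Subject: Final notice: your COBRA coverage is expiring\n\n"
         "Your COBRA coverage will lapse within 48 hours. Confirm your SSN and update payment information.\n")
LEGIT = ("From: HR Benefits <hr@benefits.example.com>\n"
         "Subject: Open enrollment reminder\n\n"
         "Open enrollment ends soon on November 15. Review your plan options in the benefits portal.\n")
```

The returned names are indicators to weigh alongside other evidence, not a verdict on their own.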
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.