Fake HSA/FSA plan administrator claiming unspent Health Savings Account or Flexible Spending Account funds will be forfeited at the rollover deadline unless banking details are submitted or rollover is confirmed via email link — credential-harvest; real HSA/FSA rollover communications come from authenticated plan administrator portals, never cold email banking-detail requests.
hsa-rollover-deadline-phish
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Fake HSA or FSA plan administrator (impersonating Optum Bank, HealthEquity, WEX Health, Further, Lively, or generic "Health Benefits Administrator") claiming the target's Health Savings Account or Flexible Spending Account has unspent funds that will be forfeited at the year-end rollover deadline and requiring them to submit banking details or confirm a rollover transfer via email link before the deadline — credential-harvest attack targeting health benefit account holders.
Real HSA/FSA rollover communications are delivered through authenticated plan administrator portals and employer benefits systems; cold emails claiming "your HSA/FSA unspent funds will be forfeited — click to confirm rollover or submit banking details" are bank-account-takeover attacks. FSA "use-it-or-lose-it" rules create genuine year-end anxiety that attackers exploit.
Distinct from hsa-fsa-benefit-expiry-phish (batch 13 — benefit/card expiry pretext) — this targets the HSA/FSA rollover deadline / unspent funds forfeiture / confirm rollover or submit banking details pretext.
Detection: HSA/FSA/health savings account + unspent funds forfeited + rollover deadline + confirm rollover or banking details vocabulary + no List-Unsubscribe + no In-Reply-To + not protected sender.
Trash score: +4.
Source: GC1-R29; IRS HSA rollover rules (Rev. Proc. 2021-25); FTC health benefit fraud advisory; CFPB FSA account-takeover patterns; DOL health benefit plan phishing guidance.
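The detection rule described above, sketched as an added Python example. This is not Gorganizer's code: the regex patterns, the `PROTECTED_SENDERS` allowlist, the function name and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed patterns: the page names the vocabulary groups, not the regexes.
VOCAB = {
    "account": re.compile(r"\b(hsa|fsa|health savings account|flexible spending account)\b", re.I),
    "forfeit": re.compile(r"\b(unspent|unused)\b.{0,40}\bforfeit", re.I | re.S),
    "deadline": re.compile(r"\brollover\b.{0,40}\bdeadline\b|\bdeadline\b.{0,40}\brollover\b", re.I | re.S),
    "action": re.compile(r"\bconfirm\b.{0,30}\brollover\b|\bbank(ing)? (details|account)\b", re.I | re.S),
}
PROTECTED_SENDERS = {"benefits@employer.example"}  # hypothetical allowlist
SIGNAL_SCORE = 4  # the "+4" trash score stated on the page

# Constructed sample message (not a real email).
SAMPLE_PHISH = (
    'From: "Health Benefits Administrator" <notice@hsa-admin.example>\n'
    "To: user@example.com\n"
    "Subject: Action required: HSA rollover deadline\n"
    "\n"
    "Your unspent funds will be forfeited at the rollover deadline.\n"
    "Confirm rollover or submit your banking details today.\n"
)


def hsa_rollover_signal(raw: str) -> int:
    """Return this signal's trash-score contribution (0 or 4) for one raw message."""
    msg = message_from_string(raw)
    # Header guards: a message with List-Unsubscribe or In-Reply-To does not fire.
    if msg["List-Unsubscribe"] or msg["In-Reply-To"]:
        return 0
    if parseaddr(msg.get("From", ""))[1].lower() in PROTECTED_SENDERS:
        return 0
    parts = [p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"]
    text = "\n".join([msg.get("Subject", "")] + parts)
    # Every vocabulary group must appear; one keyword alone is not enough.
    return SIGNAL_SCORE if all(p.search(text) for p in VOCAB.values()) else 0


if __name__ == "__main__":
    print(hsa_rollover_signal(SAMPLE_PHISH))
```

The return value is only this signal's contribution; as the page states, the trash decision still depends on the other modules and the safety floor.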
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.