BAS Blog

Phishing Isn’t Just Email Anymore

Written by BAS | Feb 19, 2026 4:34:13 PM

Most people think of phishing as suspicious emails asking you to click a link. While email phishing still exists, attackers now use many different communication channels that feel more personal and harder to question. Text messages, voicemails, QR codes, and even fake benefits notices are increasingly common because they look routine and urgent.

For HR and benefits teams, this matters. Payroll data, benefit elections, Social Security numbers, and banking details are highly valuable to attackers. The more realistic the message appears, the more likely someone will respond before stopping to verify it.

Below are common phishing methods employees are encountering today and what to watch for.

Text Messages (Smishing)

Attackers send texts pretending to be HR, payroll, a carrier, or an administrator.

Examples

  • “Your direct deposit failed. Update banking details here.”
  • “Action required: confirm your benefit elections before midnight.”
  • “Secure message from HR: view your W-2.”

These messages often include shortened links or unfamiliar web addresses and create urgency so the recipient acts quickly.

Red flags

  • Unexpected request to log in
  • Link that does not clearly match your company or administrator
  • Urgent deadlines or warnings about suspension

Voicemail and Phone Calls (Vishing)

Fraudsters now leave convincing automated voicemails or call directly, posing as HR staff, IT support, or a benefits carrier.

Examples

  • “This is the benefits department. We detected a change to your coverage. Please call back to confirm.”
  • “Your payroll account has been locked. Press 1 to verify your identity.”

They rely on employees returning the call and volunteering information.

Red flags

  • Requests for passwords, verification codes, or full Social Security numbers
  • Pressure to act immediately
  • Callbacks to unfamiliar numbers

QR Code Scams (Quishing)

QR codes appear harmless because people associate them with menus and quick access. Attackers use them in printed flyers, emails, and mailed notices to bypass traditional link inspection.

Examples

  • Posters about “New wellness program enrollment”
  • Mailers directing you to scan to confirm benefits
  • Flyers left in break rooms for “updated payroll portal access”

Once scanned, the code directs you to a fake login page designed to capture credentials.

Red flags

  • QR codes on unexpected communications
  • Codes asking you to log into payroll or benefits systems
  • Printed notices not previously announced by HR

Fake Benefits and Payroll Notices

Because benefits communications are routine, they are frequently impersonated.

Examples

  • Open enrollment confirmations you never requested
  • COBRA or coverage termination warnings
  • Requests to verify dependents or banking information
  • Messages stating your coverage will end today unless you respond

These messages look legitimate because attackers copy logos, signatures, and formatting from real communications.

Red flags

  • Slightly altered company names or domains
  • Attachments you were not expecting
  • Requests for personal or financial information outside normal processes

How Employees Can Protect Themselves

Before clicking, scanning, replying, or calling back:

  • Pause and verify using known contact information
  • Navigate directly to the official website instead of using provided links
  • Do not share passwords or verification codes with anyone
  • Report suspicious messages to HR or IT immediately

Remember, legitimate HR or benefits administrators will not ask for sensitive information through unexpected messages.

Why Reporting Matters

Even if you did not interact with the message, reporting it helps prevent others from falling victim. Many attacks target multiple employees at once, and early reporting allows organizations to block and warn quickly.
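For the HR or IT team receiving those reports, the link-related red flags listed above (shortened links, addresses that do not match the company or administrator, slightly altered domains) can be checked with a short script. The following is an added example, not part of the original article or any BAS tooling; the host names, shortener list, and distance threshold are assumptions to replace with your own values.

```python
from urllib.parse import urlsplit

# Assumed values, not from the article: substitute your organisation's real
# portal hosts and the link shorteners you want to flag.
OFFICIAL_HOSTS = ("benefits.example.com", "payroll.example.com")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot slightly altered host names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_link(url):
    """Return (verdict, reason) for a link copied from a reported message."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        host = ""
    if not host:
        return ("suspicious", "no host name could be parsed")
    if host in OFFICIAL_HOSTS:
        return ("official", f"{host} is a known portal")
    if host in SHORTENERS:
        return ("suspicious", "shortened link hides the real destination")
    for good in OFFICIAL_HOSTS:
        if good in host:  # real name used as a prefix of another domain
            return ("suspicious", f"{good} is embedded in a different host")
        if edit_distance(host, good) <= 2:  # one or two characters changed
            return ("suspicious", f"{host} is a lookalike of {good}")
    return ("unverified", "not an official portal; go to the known site directly")


if __name__ == "__main__":
    # Constructed sample links, not taken from real messages.
    for link in ("https://benefits.example.com/enroll", "https://bit.ly/3xYzAbc",
                 "https://benefts.example.com/login"):
        print(link, triage_link(link))
```

An "unverified" result is not a clean bill of health; it only means the link matched none of the configured patterns and should still be confirmed through known contact information.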

Phishing attempts now look routine and familiar. Taking a moment to verify before responding remains one of the most effective ways to protect personal and company information.

Benefit Allocation Systems (BAS) provides best-in-class, online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.

MyEnroll360 can integrate with any insurance carrier for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA and many others), and integrate with any payroll system for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and many others).

This article is for informational purposes only and is not intended as legal, tax, or benefits advice. Readers should not rely on this information for taking (or not taking) any action relating to employment, compliance, or benefits. Always consult with a qualified professional before making decisions based on this content.