
Phishing Email Text Scam Targeting Covered California Consumers and Agents

Covered California consumers, past and present, including Certified Insurance Agents, are the target of a phishing email scam. If you receive a suspect email, DO NOT CLICK on any of the links. Covered California does not send emails that contain personal information. They always direct you to access the secure email box of your Covered California account. This does not mean that Covered California has had a data breach.

Phishing and text message scam directed at Covered California consumers and agents.

On May 2, 2024, I received an email, allegedly from Covered California, requesting I update my information for their store front program. The first clue that this was a phishing scam was that I never applied to the Covered California store front program.

Covered California Email Phishing and Text Message Scams

A phishing email scam purportedly comes to you from a trusted source. The fraudsters, impersonating the trusted source, are hoping you will click on an embedded hyperlink for requested information. The link can trigger the downloading of harmful malware that infects your computer. The fraudsters are phishing for victims to catch.

Red Flags of Phishing Email

The body of the email I received was impressive for its use of the Covered California logo and formatting of the information. They had most of my personal information correct. However, there were a couple of clues that indicated that the phishing email came from nefarious actors.

  1. They used the term “Frontstore” in the title. The proper term is “Store Front.”
  2. My first name was wrong. While Julaine is a nice name, my first name is Kevin.
  3. Click was spelled CLCIK in the body of the email.
  4. The sender email was from @icloud.com. Covered California never sends emails from an icloud account.

A Covered California phishing email may have incorrect names. Genuine Covered California email never comes from an iCloud account.

Depending on the device you are using, you can check to see if the sender email is legitimate. I take my cursor and hover over the sender's email address and it showed admin@hbex.ca. That almost seems legitimate, except hbex stands for the website of the California Health Benefits Exchange that is associated with the Board of Directors.

The body of the email may look legitimate with much of the information correct. My first name was incorrect and they misspelled click.

Official emails sent by Covered California will have the extension of @covered.ca.gov.

The hyperlink goes to a dev site that anyone can set up and that is not public facing.

If you like to live on the edge, you can hover your cursor over the suspected link and learn the URL of the hyperlink. When I did that, it showed dev-hbex-ca-gov.pantheonsite.io. The “dev” would indicate a development website that would not necessarily be accessible to the public.

The spoofed sender address may be admin@hbex.ca.gov, to help the scam Covered California email get into your Inbox and not be sent to spam.

Regardless, do not click on any link in the phishing email sent to you purportedly from Covered California.

Emails from Covered California will always have the @covered.ca.gov extension.
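
The sender and link checks described above can also be run against a saved copy of a suspect message without opening any link. The script below is an added example, not part of the original post or any Covered California tooling. The sample message is constructed from the details in this post, the sender local part is a placeholder, and the list of acceptable link domains is an assumption you should extend with the organization's real web domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "covered.ca.gov"  # sender domain the post says official mail uses

# Constructed sample modelled on the message described in this post.
SAMPLE = '''\
From: "admin@hbex.ca.gov" <constructed-sender@icloud.com>
To: agent@example.com
Subject: Frontstore program update
Content-Type: text/plain

Please CLCIK here to update your information:
https://dev-hbex-ca-gov.pantheonsite.io/update
'''

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_message(raw, official=OFFICIAL_DOMAIN, link_allow=(OFFICIAL_DOMAIN,)):
    """Return a list of (code, detail) findings for one raw email."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    if not in_domain(sender_domain, official):
        findings.append(("sender-domain", sender_domain))
    # A display name that shows an address from a different domain than the real one.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower() != sender_domain:
        findings.append(("display-mismatch", f"{shown.group(0)} vs {addr}"))
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            host = (urlparse(url).hostname or "").lower()
            if any(in_domain(host, d) for d in link_allow):
                continue
            findings.append(("link-outside", host))
            # A .ca.gov name spelled with hyphens inside an unrelated host.
            if any(l.replace("-", ".").endswith(".ca.gov") for l in host.split(".")):
                findings.append(("link-lookalike", host))
    return findings
```

The header check only reads what the message claims about itself, so treat an empty result as "no red flags found", not as proof the message is genuine.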

Covered California has reported that consumers are also receiving text messages requesting them to call a phone number and provide personal information. Do not reply to the text message.


Covered California Agent Alert

Yesterday [May 3] we informed our network of an email phishing scam targeting Covered California enrollment partners. Today we have become aware of a similar phishing attempt, this time directed at Covered California consumers through text messages. These messages ask consumers to call a false Covered California phone number and provide personal details. We urge you to advise consumers to be cautious and ignore these misleading text messages.

As a reminder, the email phishing attempts appear to come from admin@hbex.ca.gov and request the recipient click on a secure link to verify or update personal information. Please disregard these emails as they are not real; do not click on any links within the email. Emails from Covered California will always have @covered.ca.gov email addresses. Please confirm the sender’s actual email address is correct before opening messages. Many phishing scams will feature familiar contact names with fake email addresses.

If you need to report suspected or actual security or privacy incidents, please contact Covered California’s Information Security or Privacy Office:

Informationsecurity@covered.ca.gov

PrivacyOfficer@covered.ca.gov


Did Covered California Have A Data Breach?

There are many ways fraudsters can get email addresses and phone numbers without the targeted organization having a data breach. Several of the health plans associated with Covered California have had data breaches. It is just a matter of sorting through the data to connect individual information with an organization like Covered California.

A sign that the information being used is not complete is that my first name is incorrect in the body of the phishing email. The fraudsters were able to identify me as a Covered California Certified Insurance Agent. They then concocted the ruse of the “Frontstore” program to send me an email hoping I would click on the link.

Covered California has been very security conscious. They never send personally identifiable information in email or text messages. If there is a hyperlink in a Covered California email, it is usually to a published press release. They never ask you to click on a link to update your information.

Unfortunately, we can expect that the fraudsters will not stop sending out text messages and phishing emails. They will refine their operations based on their success or failure. If their site or server gets shut down, they will just move their internet operations.

