Threat Alert: OSHA-Themed Phishing Lures Deliver Malware

• Cybercriminals have launched a series of phishing attacks impersonating the United States Occupational Safety and Health Administration (OSHA).
• While the sender for these emails is OSHA GOV, the sending address does not match a valid US government email address. 
• These OSHA-branded lures distribute a PDF attachment containing a malicious, embedded URL that leads to malware installation.
• These OSHA lures include messaging related to health and safety, as well as the potential for onsite inspections and fines; cybercriminals frequently abuse tactics like this to increase the chances of recipients interacting with the lure. 

Key Actions (at Work and at Home)

• Remain alert to phishing indicators. Mismatches between sending addresses and an organization’s name are always warning signs.  
• Remember cybercriminals take advantage of strong emotions. Emails warning of potential fines or surprise inspections can be extremely stressful. Keep in mind cybercriminals seek to capitalize on moments of anxiety and the difficulty in thinking clearly in such situations. 
• Report ANY suspicious emails using the Phish Alarm button Remember: Our organization occasionally sends phishing simulations.