
What is Phishing?

Scammers use various techniques to lure individuals into providing sensitive information they can use for fraudulent activity. Phishers often pose as legitimate companies or individuals and reach out to you in a variety of ways, such as emails, text messages, phone calls and social media.

Phishers can be very compelling with believable stories and may use personal details obtained from the internet to ‘reel in’ your information, such as:

  • Username
  • Password
  • Social Security number
  • Account number
  • Security questions and answers

Don't get hooked!

HealthEquity is working around the clock to keep our security practices up-to-date, but you are the first line of defense when it comes to keeping yourself off the hook. Here are a few things that you can do to create your own ‘no phishing’ zone:

  • Log in to your account: As soon as your account is open, log in to My.HealthEquity.com and create a secure username and password.
  • Use unique passwords: Create a strong password unique to your HealthEquity account. Be creative! Make it difficult to guess even for people who know a lot about you. Better yet, use words or syllables not found in any dictionary. The longer the password, the stronger it tends to be.
  • Don’t save passwords in your browser: While saving passwords is very convenient, it makes it much easier for an attacker to access your account if your computer is compromised.
  • Don't click on email links that you do not recognize: Some emails from HealthEquity include a link to log in to your member portal. My.HealthEquity.com is our official secure login page. A link in a HealthEquity email may direct you to a specific page in the member portal, such as My.HealthEquity.com/Member/Expenses. If you do not recognize the link, do not click on it or provide any personal information.
  • Learn to identify phish bait: Understand what to look for to uncover an email scam. Here are some common giveaways:
    • Subject line or content is 'urgent' or requires 'immediate action.' Fraudsters want you to act without thinking.
    • Sender name looks odd or unfamiliar
    • Sender name does not match sender email address.
    • The domain name in the link does not match where it claims to be sending you.
    • The greeting is not personalized with your name. Why trust someone who doesn’t know your name?
    • Misspellings, strange wording (including UK spellings) and grammatical errors
    • Links that look modified or unusual (e.g. healthequ1ty.com)
    • Attachments: Never open an email attachment you didn’t request. It may contain viruses or malware.
  • Look for secure site indicators in any link: Fake login sites may lack a security certificate, which most browsers indicate with a padlock icon or an 's' added to the URL (e.g. https://www...). However, some phishing web pages also use HTTPS, so these indicators do not necessarily mean you’re not getting phished.
  • Enable email notifications to alert you when information changes on your account.
  • Review your transaction history frequently and report any suspicious activity immediately.
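
The link giveaways listed above (lookalike domains such as healthequ1ty.com, link text that does not match the destination, and HTTPS alone not proving legitimacy) can be checked mechanically. The following is an added example, not HealthEquity's own code; the function names and the character-swap table are assumptions made for illustration, and an empty result only means none of these particular giveaways was found.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "healthequity.com"  # the page names My.HealthEquity.com as the login host
# Assumption: a small table of character swaps often seen in lookalike domains.
SWAPS = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e", "5": "s"})
BRAND = OFFICIAL_DOMAIN.split(".")[0].translate(SWAPS)

def hostname(url):
    """Lowercase hostname of a URL or bare host/path string ('' if none)."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def is_official(host):
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def check_link(href, link_text=""):
    """Return the giveaways found in one email link; [] means none were found."""
    found, parts = [], urlsplit(href.strip())
    host = hostname(href)
    if not host:
        return ["no hostname in link"]
    if parts.scheme != "https":
        found.append("not HTTPS")
    if "@" in parts.netloc:  # text before '@' is not the destination host
        found.append("'@' in link hides the real host")
    if not is_official(host):
        if BRAND in host.translate(SWAPS):  # brand name appears, but on another domain
            found.append("lookalike domain: " + host)
        else:
            found.append("unrecognized domain: " + host)
    text = link_text.strip()
    if text and " " not in text and "." in text and hostname(text) != host:
        found.append("link text shows %s but link goes to %s" % (hostname(text), host))
    return found

# Constructed sample links (not taken from real messages).
SAMPLES = [
    ("https://My.HealthEquity.com/Member/Expenses", "My.HealthEquity.com"),
    ("https://my.healthequ1ty.com/login", ""),  # HTTPS, yet still a lookalike
    ("https://healthequity.com.example.net/", "My.HealthEquity.com"),
    ("http://example.net/login", "Click here"),
]
if __name__ == "__main__":
    for href, text in SAMPLES:
        print(href, "->", check_link(href, text) or "no giveaways found")
```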

Report an attack

If you feel you have received an email from a scammer posing as HealthEquity:

  • Preserve the entire email in its original form, if possible, and send it to phishing@healthequity.com
  • If you provided sensitive HealthEquity information to a suspected scammer, call HealthEquity Member Services immediately at 866.346.5800. We’re available 24/7 to assist you.
  • If it is confirmed phishing, report the email to the Federal Trade Commission by sending it to spam@uce.gov.

83% of global 2019 survey respondents have experienced a phishing attack.


One in 10 URLs are malicious.

Symantec 2019 ISTR, https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-2019-en.pdf

50% of phishing sites are now using HTTPS encryption.


Email scams cost organizations $1.2 billion in 2018.

FBI's Internet Crime Report, https://pdf.ic3.gov/2018_IC3Report.pdf

The number of phishing websites rose 46% in 2018.