FMLA Articles

Employee FMLA requests could hide malware


Key to remember: Cybercriminals are taking advantage of FMLA requests sent via email to launch cyberattacks.

Applies to: Employers, particularly those who are covered by the FMLA.

Impact to customers: Employers need to be careful when receiving emails with suspicious attachments that reference the FMLA.

Possible impact to JJK products/services: This information will be in the Leave Manager news feed.

While it may be second nature for company leave administrators to open attachments from employees that appear to be requests for leave under the Family and Medical Leave Act (FMLA), those administrators need to be certain that the email and attachment do not harbor malware. In the earlier days of the pandemic, cybercriminals were sending out suspicious emails to employers that appeared to be from the U.S. Department of Labor regarding the Families First Coronavirus Response Act (FFCRA). Now they are posing as employees asking for leave.

In one example attack, an email launched banking malware designed to steal users’ financial data. A suspicious attached document could also include a COVID-19 reference, as the FFCRA remains effective until December 31. Employees could also take FMLA leave if they have COVID-19, so the requests might seem sincere.

Such attacks have been on the rise as businesses have been reopening and employees have been returning to work. When the pandemic first hit, the number of cyberattacks dropped as businesses, who are often the victim, closed their doors. Now the attacks are on the rise again. Employees, including leave administrators, are often a weak link in the cybersecurity chain.

If you are the point person for employee leave at your company, in addition to not using the same password for multiple logins, to help keep your company safe from cyberattacks of this kind, observe the following steps:

  • If an email is not expected, don’t automatically open it; dig deeper, contact the sender directly to verify its source. 
  • Carefully review the names of any attachments or links, as suspicious ones will often contain mistakes even though they look very similar to recognizable sources. 
  • Hover over any attachments or links to help identify the source. 
  • Avoid opening attachments or clicking links from unexpected emails or emails from unusual sources even if the emails appear to be from someone you recognize. This is particularly true of emails that ask you to act quickly. 
  • Have a reasonable level of suspicion of messages that have random links and/or attachments. 
  • If an email asks you to log into an account or service, log into the account directly through a browser instead of clicking a link or attachment in an email. 
  • Report any suspicious emails to your IT department. 

Attacks may also come in the form of text messages or other messaging service, and employees might use such platforms to request leave. Phishing and smishing continue to be the leading cause of breaches. Phishing is the practice of sending emails that appear to be from a reputable source in order to induce recipients to reveal personal information or to gain access to a system. Smishing is a phishing attack using messaging instead of email. These can all be used to launch ransomware, which is an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them.

This article was written by Darlene M. Clabault, SHRM-CP, PHR, CLMS, of J. J. Keller & Associates, Inc. The content of these news items, in whole or in part, MAY NOT be copied into any other uses without consulting the originator of the content.


The J. J. Keller LEAVE MANAGER service is your business resource for tracking employee leave and ensuring compliance with the latest Federal and State FMLA and leave requirements.