It’s a crucial time of the year for the 24 million Americans who rely on health insurance purchased through the public marketplace.
Open enrollment is the season — from Nov. 1 to Jan. 15 — when Americans to choose and lock in a health insurance plan for the following year. For anyone looking to buy health care coverage for 2026, the next few weeks are crucial. Dec. 15 is the deadline for coverage that takes effect on Jan. 1.
But that importance (and urgency) is also what makes it a time of high risk when online scammers may try to exploit you. Consumer attention and anxiety around open enrollment are frequently exploited by sophisticated cybercriminals, leading to identity theft, financial loss and interruption of medical care.
While open enrollment is necessary to keep your coverage going into next year, you need to be vigilant against complex scams that target Medicare beneficiaries and Marketplace enrollees through impersonation, high-pressure sales and benefit fraud.
A few key defensive strategies — paired with some tech tools and services — can help protect you, your personal data and your finances.
Here’s what a cybersecurity expert and a healthcare expert say you can do to keep yourself safe during open enrollment season.
Don’t miss any of our unbiased tech content and lab-based reviews. Add CNET as a preferred Google source.
Why open enrollment is a prime target for fraudsters
1. Urgency and confusion
The urgency of open enrollment season is built into the structure of the program. There is a deadline, after all.
«Any of these periods where there’s something on the line, if you don’t act, there’s urgency,» says Josh Kamdjou, CEO and co-founder of AI email security company Sublime Security. «It’s very natural for a fraudster to try and take advantage of that.»
This is especially true of open enrollment, because the stakes are so high. «A lot of people are vulnerable to wanting to make sure their health care is enrolled,» says Sharon Auma-Ebanyat, research director for the healthcare industry at Info-Tech Research Group.
There can also be some natural confusion due to the complexity of health coverage in the US. There’s Medicare, Medicare Advantage, Medicaid and various Marketplace tiers. This makes consumers susceptible to «simplistic» offers that might come from scammers promising to make it all easy.
2. High volume of legitimate contact
The official process for open enrollment, even without any bad actors, involves a lot of legitimate communication from government agencies and healthcare providers.
This creates an opening for scammers using phishing techniques like fake calls, emails or texts. Because consumers are already expecting a lot of calls or messages, scammers can try to blend into the chaos.
3. Target demographics
Generally speaking, «most attacks of this kind are indiscriminate,» Kamdjou says. «These are very much untargeted, mass spray-and-pray phishing» attempts.
That said, some demographics might be more vulnerable to scams than others.
Older Americans who may not be as tech savvy, for example, might be more prone to answer a fraudulent call or message, Auma-Ebanyat says.
Lower-income Americans might also be targeted during this time. That’s because, especially for those with Medicaid coverage, «that enrollment process is a bit unstable» from month to month, Auma-Ebanyat says. Scammers look for those gaps and target them, preying on people with a real sense of urgency or a desperate need for care, she says.
Anatomy of open enrollment scams
I asked our experts to pull out the most common scam types to show how fraudsters operate and what tactics they rely on.
1. Phishing/Vishing
The Threat: Unsolicited calls, texts or emails claiming to be from Medicare, HealthCare.gov or a known insurer such as Blue Cross Blue Shield. Scammers demand immediate action, claiming the beneficiary needs a «new card,» that their «coverage is expiring,» or they must «re-verify» their Social Security number or Medicare number.
«Caller ID can lie,» Auma-Ebanyat says, so don’t trust it.
Government agencies usually do not call out of the blue asking for personal information or payment.
2. False benefits and medical supply schemes (Medicare)
«Free» services: Offering free gifts, health screenings, genetic testing or medical supplies in exchange for a Medicare ID number or other sensitive personal information. «Don’t click any ads and freebies,» says Auma-Ebanyat.
Fake discount plans: Selling «medical discount plans» that charge a monthly fee but offer no real insurance or legitimate access to participating providers.
Protecting yourself: Essential defense strategies
These practical steps can help you stay ahead of scammers and safeguard your information during enrollment season.
1. Guard your personal information
Never share your Medicare ID, Social Security number, bank information or credit card info with an unsolicited caller, emailer or visitor.
2. Verify unsolicited contact
Scammers use caller ID spoofing to make calls appear legitimate. If someone calls claiming to be from a government agency or plan, hang up. Call the official number found on the back of your insurance card or use the official government numbers found on any «.gov» website.
«Never trust caller IDs,» says Auma-Ebanyat. «Any time you feel pressured to do anything, always pause … and verify.»
- The official Medicare contact number is: 1-800-MEDICARE (1-800-633-4227)
- The official health insurance Marketplace contact number is: 1-800-318-2596
3. Use official resources only
Only access enrollment portals via the secure, official government websites (HealthCare.gov or Medicare.gov).
Always check for «https://» protocol and the «.gov» domain.
Seek free, trusted help through the official Marketplace Call Center or your State Health Insurance Assistance Program (SHIP). Never pay for enrollment help.
4. Recognize red flags
Any demand to «act immediately» or face losing coverage is a major red flag. Legitimate enrollment processes allow time for review.
«You should never just give out information on the fly,» says Auma-Ebanyat.
Be wary of brokers offering expensive sign-up gifts, cash or free screenings in exchange for your Medicare ID.
5. Be wary of QR codes
A new type of open enrollment scam in recent years has involved the use of QR codes, rather than malicious links, in phishing emails, according to Kamdjou.
Avoid scanning QR codes related to open enrollment. As Kamdjou notes, Medicare.gov probably isn’t going to send you a QR code. «It’s used as a way to bypass security solutions,» he says.
6. Monitor and report
Check your Explanation of Benefits (EOB) statements regularly for unauthorized charges or services you didn’t receive. Immediately report suspected scams to 1-800-MEDICARE or the Federal Trade Commission (FTC).
7. Don’t be too hard on yourself
Even if you do everything right, there’s still a chance you could fall for a scam.
«When it comes to scamming, it’s more of a play on psychology than anything,» which means everyone is susceptible, says Auma-Ebanyat.
«Don’t take it personally; it happens to the best of us,» Kamdjou says. Instead, learn from your mistakes to better protect yourself next time.
8. Watch out for fraud from legitimate broker and agents
The broker or agent you use for your ACA or Medicare enrollment could be a bad actor. Look out for misconduct behaviors such as:
Misrepresenting income (ACA): Rogue agents or web brokers encourage or prompt applicants to purposely misstate household income to qualify for higher subsidies, which is fraudulent.
Unauthorized enrollment: Switching an individual’s health plan without their explicit consent, often to earn higher commissions. This is known as «plan-switching» or «slamming».
Charging for free services: This is when navigators or certified application counselors, who are legally required to provide help for free, illegally charge fees for enrollment assistance.
Consider ID theft or credit-monitoring service
Beyond the basic online security hygiene (strong passwords, verifying all contact, pausing before giving out personal information), you might want to consider ID protection and theft services to guard against healthcare fraud.
The services below have a big range of features, costs and fees. CNET tests and recommends the best identity theft protection services, but here’s a breakdown of some common features.
- Credit monitoring and alerts: The three major credit bureaus (Equifax, Experian and TransUnion) can track your credit report and send you alerts for any key changes, like a big new credit line or loan on your record.
- Dark web monitoring: Scammers, once they steal your information, often try to sell it on the dark web. Dark web monitoring services can alert you if your personal information ends up there, and provide recovery support if that does happen.
- Public records monitoring: Some identity monitoring services include the ability to monitor public records (like court filings or property deeds) to alert you if your information appears somewhere that it’s not supposed to be, indicating potential identity theft.
- Credit freezes/locks: If you do find yourself in the midst of a scam, or you accidentally gave away sensitive information, you can call your banks and credit card companies to «freeze» your accounts, which will prevent scammers from accessing your funds.
- Financial account alerts: Many banks and financial institutions can notify you of unusual activity or large transactions, which might tip you off to potentially fraudulent activity.
- Multi-factor authentication: Enabling two-step authentication on your online accounts is an excellent way to protect against hackers. Even if they’re able to steal a password, it’s much harder to access your account if it requires a verification code sent to your phone number.
- Use a password manager service: A password manager service helps you generate and store strong passwords, which can protect you from scammers trying to access your passwords or your accounts. CNET recommends Bitwarden and a few others.
- Identity restoration services: Some identity theft monitoring and protection products also offer «restoration» services. The best ones offer white glove restoration, which assigns a fraud specialist to your case to do the heavy lifting to restore your identity, according to CNET experts.
- Consider antivirus software: A good antivirus software on your computer can filter out some attempts by hackers to send you fraudulent communications or access your sensitive information.