Phishing Attacks in the Insurance Industry
Mitigating risk is an essential component of the insurance industry, the sector that provides individuals and businesses policies that cover health, life, and property. Yet when it comes to their own cyber security, many insurance companies, overconfident in their protection, are running unnecessary risks.
In 2016, the consulting firm Accenture found that while 4 out of 5 insurers surveyed expressed confidence in their ability to thwart attacks, 1 in 3 targeted attacks on insurance companies resulted in a security breach.
See Infosec IQ in action
Why Target the Insurance Industry?
It is perhaps because of this false sense of security that the industry is now being targeted more aggressively. In spite of their confidence, the truth is many insurance companies and their subsidiary offices use outdated software, have weak internal security measures, and no standard protocols for dealing with breaches.
But what they have in terms of valuable information could be considered the mother lode. This is because not only do insurance companies have personal information and possibly health data on all their customers, but it’s likely they have credit card or bank account numbers for receiving payments; this info can then be used to steal money, make fraudulent claims, be sold on the black market, or all of the above.
In 2015, the breach of Anthem Insurance, exposing the information of 80 million customers, was generally considered a wake up call. The National Association of Insurance Commissioners (“NAIC”) issued 12 principal guidelines for effective regulatory guidance, and many companies have begun to ramp up their efforts. Still, many lag behind and attacks continue to increase.
How is the Insurance Industry Targeted?
Like most industries, insurance companies are targeted both generally through standard phishing attempts, and, increasingly, more focused attacks, often referred to as “spear phishing.” This refers to a tactic where hackers focus on a particular insurance company or branch, and, perhaps, even specific individuals within.
If the target is a C-level executive, it is sometimes referred to as “whaling” – or, if the hacker is impersonating said exec, it’s known as a “fake president” scam. Whatever you call it, it involves making the recipient of a phishing message believe it’s from someone trustworthy and fall for the bait. A current, popular scam involves a fake president asking someone in HR to forward employee W-2 information; believing the request to be real, many comply.
Attacks on insurance are evolving in sophisticated and dangerous ways. In May 2017, an area of DocuSign, an important legal service used by insurers and others, was hacked. Spammers sent a list of email addresses in their database a Word doc with embedded malware. Although DocuSign says it was a “separate non-core” system and no known serious breaches occurred, it shows the levels these criminals are going to in order to deceive and gain access to systems or data.
Infosec IQ’s PhishSim program can create simulated Word document attachment emails for you to send to your co-workers
Education/Awareness Is Key
One of the crucial factors determining the safety of any industry or institution is the ability of personnel to be able to spot a potential phishing email before it’s too late. And, if someone did accidentally click on the link, knowing what steps to take to limit the damage and notify the appropriate department heads.
The most sensible and efficient way to get everyone in your company on board and up to speed is through a two-pronged approach: education and real-world simulations.To this end, InfoSec Institute has created a special platform called Infosec IQ that has apps covering each of these areas.
The first is called AwareEd, and is a program designed to automatically enroll and monitor employees/learners in a security awareness education program; the second is called PhishSim, which is designed to send series of pretend phishing emails to your staff.
Infosec IQ is completely configurable and customizable to your organization’s needs. There are special modules for management as well as new hires or telecommuters. These include interactive modules and exercises that cover everything from malware to social engineering scams to password security. You can create and upload your own videos/tests as well that can be fully integrated into the system.
Administrators can choose a set of employees and send them an invitation to enroll via email. Their progress can be tracked on the dashboard; if they get distracted, reminders will be sent for them to finish the course. Those that complete all the modules can be given some sort of recognition to increase morale or participation.
Education and awareness are crucial, but it’s also essential to see how your staff reacts in a “real world” situation – this can be put to the test with the PhishSim. With this program, you can create a phony phishing email (or choose from dozens of templates) and send them out in bursts (called batteries) over a period of time (called campaigns).
In creating a battery or campaign, it’s a good idea to simulate a wide range of phishing emails – ones that look like communications from a senior staff member or CEO as well as ones that offer “Free Pizza.” Some of these can be paired with data entry templates, requesting usernames and passwords.
If any recipient clicks on the links and/or fills out the form, instead of your company being hacked and information stolen, they are redirected to a web page telling them they’ve goofed (the web page and its message are also completely customizable).
Infosec IQ also has a Quarantine section, where your workers can forward suspicious emails they receive, which can be analyzed by IT or security professionals.
Lower your risk and strengthen the resistance to phishing attacks within your insurance company by joining Infosec IQ today. We have a special offer that allows you unlimited PhishSIM emails and AwareED courses for 30 days.
Sources:
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
http://www.piawest.com/blogpost/1199781/282874/Phishing-Insurance--Some-Help?tag=Insurance+Industry
In this Series
- Phishing Attacks in the Insurance Industry
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
