Phishing Attacks in the Insurance Industry

Stephen Moramarco
October 20, 2017 by
Stephen Moramarco

Mitigating risk is an essential component of the insurance industry, the sector that provides individuals and businesses policies that cover health, life, and property. Yet when it comes to their own cyber security, many insurance companies, overconfident in their protection, are running unnecessary risks.

In 2016, the consulting firm Accenture found that while 4 out of 5 insurers surveyed expressed confidence in their ability to thwart attacks, 1 in 3 targeted attacks on insurance companies resulted in a security breach.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Why Target the Insurance Industry?

It is perhaps because of this false sense of security that the industry is now being targeted more aggressively. In spite of their confidence, the truth is many insurance companies and their subsidiary offices use outdated software, have weak internal security measures, and no standard protocols for dealing with breaches.

But what they have in terms of valuable information could be considered the mother lode. This is because not only do insurance companies have personal information and possibly health data on all their customers, but it’s likely they have credit card or bank account numbers for receiving payments; this info can then be used to steal money, make fraudulent claims, be sold on the black market, or all of the above.

In 2015, the breach of Anthem Insurance, exposing the information of 80 million customers, was generally considered a wake up call. The National Association of Insurance Commissioners (“NAIC”) issued 12 principal guidelines for effective regulatory guidance, and many companies have begun to ramp up their efforts. Still, many lag behind and attacks continue to increase.

How is the Insurance Industry Targeted?

Like most industries, insurance companies are targeted both generally through standard phishing attempts, and, increasingly, more focused attacks, often referred to as “spear phishing.” This refers to a tactic where hackers focus on a particular insurance company or branch, and, perhaps, even specific individuals within.

If the target is a C-level executive, it is sometimes referred to as “whaling” – or, if the hacker is impersonating said exec, it’s known as a “fake president” scam. Whatever you call it, it involves making the recipient of a phishing message believe it’s from someone trustworthy and fall for the bait. A current, popular scam involves a fake president asking someone in HR to forward employee W-2 information; believing the request to be real, many comply.

Attacks on insurance are evolving in sophisticated and dangerous ways. In May 2017, an area of DocuSign, an important legal service used by insurers and others, was hacked. Spammers sent a list of email addresses in their database a Word doc with embedded malware. Although DocuSign says it was a “separate non-core” system and no known serious breaches occurred, it shows the levels these criminals are going to in order to deceive and gain access to systems or data.

Infosec IQ’s PhishSim program can create simulated Word document attachment emails for you to send to your co-workers

Education/Awareness Is Key

One of the crucial factors determining the safety of any industry or institution is the ability of personnel to be able to spot a potential phishing email before it’s too late. And, if someone did accidentally click on the link, knowing what steps to take to limit the damage and notify the appropriate department heads.

The most sensible and efficient way to get everyone in your company on board and up to speed is through a two-pronged approach: education and real-world simulations.To this end, InfoSec Institute has created a special platform called Infosec IQ that has apps covering each of these areas.

The first is called AwareEd, and is a program designed to automatically enroll and monitor employees/learners in a security awareness education program; the second is called PhishSim, which is designed to send series of pretend phishing emails to your staff.

Infosec IQ is completely configurable and customizable to your organization’s needs. There are special modules for management as well as new hires or telecommuters. These include interactive modules and exercises that cover everything from malware to social engineering scams to password security. You can create and upload your own videos/tests as well that can be fully integrated into the system.

Administrators can choose a set of employees and send them an invitation to enroll via email. Their progress can be tracked on the dashboard; if they get distracted, reminders will be sent for them to finish the course. Those that complete all the modules can be given some sort of recognition to increase morale or participation.

Education and awareness are crucial, but it’s also essential to see how your staff reacts in a “real world” situation – this can be put to the test with the PhishSim. With this program, you can create a phony phishing email (or choose from dozens of templates) and send them out in bursts (called batteries) over a period of time (called campaigns).

In creating a battery or campaign, it’s a good idea to simulate a wide range of phishing emails – ones that look like communications from a senior staff member or CEO as well as ones that offer “Free Pizza.” Some of these can be paired with data entry templates, requesting usernames and passwords.

If any recipient clicks on the links and/or fills out the form, instead of your company being hacked and information stolen, they are redirected to a web page telling them they’ve goofed (the web page and its message are also completely customizable).

Infosec IQ also has a Quarantine section, where your workers can forward suspicious emails they receive, which can be analyzed by IT or security professionals.

Lower your risk and strengthen the resistance to phishing attacks within your insurance company by joining Infosec IQ today. We have a special offer that allows you unlimited PhishSIM emails and AwareED courses for 30 days.


Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Stephen Moramarco
Stephen Moramarco

Stephen Moramarco is a freelance writer and consultant who lives in Los Angeles. He has written articles and worked with clients all over the world, including SecureGroup, LMG Security, Konvert Marketing, and Iorad.