The Rising Threat of Phishing and Social Engineering


Insurance agencies have seen a dramatic rise in phishing and social engineering attacks in recent years.

According to a recent survey, the percentage of agencies experiencing email phishing and social engineering attacks has risen from 32% to over 55% in just the past two years. And the frequency of attacks has grown as well, with many agencies reporting attempted breaches on a near-daily basis.

This increase in attacks is likely due to the high-value data that insurance agencies maintain. With access to sensitive customer information, financial records, and claims data, insurance agencies have become a prime target for cybercriminals looking to profit from stolen data. In particular, healthcare and financial information is in high demand on the dark web, and insurance agencies hold a trove of this data ripe for the taking.

In addition, many agencies have relatively immature cybersecurity programs compared to other industries. Lacking resources and awareness around social engineering, insurance workforces have proven vulnerable to well-crafted phishing emails and other attack vectors. With hackers realizing the opportunity, they have ramped up efforts to penetrate insurance networks through these techniques.

Without greater investment in training and awareness, insurance agencies will likely continue to struggle with this rising threat. As phishing and social engineering attacks proliferate, agencies must prioritize building a culture of cybersecurity and resilience throughout their workforce. Identifying these threats as a top risk is the first step toward better protecting sensitive data.

How Phishing And Social Engineering Work

Phishing and other forms of social engineering rely on psychological manipulation and deception to trick users into taking actions that can compromise security. Phishing emails often appear to come from a legitimate source and will urge the user to click on a link or provide sensitive information like login credentials. The emails are carefully crafted to create a sense of urgency or importance to get the user to bypass normal security precautions.

Some common phishing techniques include:

  • Spoofing a legitimate email address or website in the sender info or link text. This makes the email appear to come from a trusted source.
  • Threatening dire consequences if the user does not act, such as account suspension. This pressures the user to click without thinking.
  • Promising a benefit if the user provides info, like a coupon or gift card. This incentivizes the user to lower defenses.
  • Impersonating leadership or IT teams within the company to request sensitive data from employees. This exploits familiarity and authority.
  • Directing users to fake login pages to harvest passwords and usernames. The spoofed sites look identical to the real ones.

Other social engineering attacks can come via phone, SMS text messages, or in person. For example, an attacker may call posing as tech support and ask for remote access or passwords to “fix an issue”. Or they may pretend to be a vendor and email a fake invoice to initiate a funds transfer. Social engineering exploits natural human tendencies to comply with authority, reciprocate, or act without verifying first.

Why Insurance Agencies Are Vulnerable

Insurance agencies handle highly sensitive customer data including personal information, financial records, and medical history. This valuable data makes the insurance industry a prime target for cybercriminals using phishing and social engineering tactics.

Many insurance agencies also have outdated security awareness and training. Employees at these agencies may not be well-versed in spotting sophisticated phishing emails or identifying social engineering attacks. Hackers exploit this knowledge gap, counting on employees to fall for tricks like opening infected email attachments or providing login credentials.

Additionally, the customer service nature of insurance agencies means employees are used to helping people. This makes them vulnerable to social engineering attacks that prey on their inclination to be helpful. A cybercriminal may pose as an IT contractor, executive, or even customer in need, manipulating staff into handing over valuable data and account access.

Agencies need to prioritize cybersecurity training to protect against ever-evolving phishing and social engineering threats targeting their workforce.

Impacts And Damages From Successful Attacks

A successful phishing or social engineering attack can have devastating consequences for an insurance agency. Perhaps the most damaging impact is a potential data breach that exposes sensitive customer information. Personally identifiable information, health records, and financial data in the hands of criminals can lead to identity theft, financial fraud, and untold harm to customers.

These types of data breaches damage an agency’s reputation and erode customer trust. Insurance customers provide some of their most private information and expect it will be protected. A breach destroys that trust, harming the agency’s brand and leading customers to switch providers.

Phishing emails are also a common vector for ransomware infiltration into an agency’s systems. Ransomware encrypts data and computer systems until a ransom is paid, disrupting operations in the meantime.

Ransomware attacks cost an average of $133,000 according to research from cybersecurity firm Sophos.

Beyond the ransom, there are costs for forensics, restoring systems, lost productivity, and reputational harm.

Ultimately, a successful phishing scam or social engineering attack results in business interruption and costly recovery efforts. The impacts of data breaches, identity theft, ransomware, and fraud mean insurance agencies must remain vigilant against email and social engineering threats. Proactive education, training, and cybersecurity defenses are essential.

Best Practices To Defend Against Phishing

Phishing remains a persistent threat, but insurance agencies can protect themselves through the right digital security practices. Here are some key areas on which agencies should focus:

  • Employee training and simulated phishing testing: Agency staff are the first line of defense when it comes to identifying suspicious emails. Conducting regular security training so employees can better spot phishing emails is crucial. Simulated phishing attacks sent internally also reinforce this knowledge.
  • Email security filters and multi-factor authentication: Technical controls like spam filters and DMARC authentication help automatically detect and block many phishing attempts before they reach employees’ inboxes. Enabling multi-factor authentication adds another layer of protection should passwords become compromised.
  • Policies for verifying suspicious requests: Educate staff on policies for verifying any suspicious money transfer or data requests received by email or phone. Require verification either in-person or through a secondary channel.
  • Ongoing security awareness: Phishing scams evolve constantly, so keep employees informed through newsletters, lunch-and-learns, posters, and other reminders on how to recognize the latest phishing techniques and report suspicious emails. A vigilant security culture is key.
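The sender spoofing, lookalike domains and fake login links listed under the common techniques above are exactly the signals that the email security filters recommended here look for before a message reaches an inbox. The following is an added example, not code from the original TechTip or from any vendor product, showing a small heuristic triage pass over two constructed messages: one crafted to look like an internal IT request, one legitimate carrier statement. The trusted domains, the brand label, and both messages are assumptions made up for the example; a real deployment would use the agency's own domains and feed messages from its mail gateway.

```python
"""Heuristic phishing triage over inbound mail (constructed example).

Flags the signals described in the article: a display name that claims a
trusted organization, a lookalike sender domain, a Reply-To that diverts
replies elsewhere, a missing DMARC pass, link text that does not match the
real link target, and urgency language in the subject.
"""
import difflib
import re
from email import message_from_string
from email.policy import default as email_policy
from email.utils import parseaddr

# Assumed trusted domains for a hypothetical agency and its carrier.
TRUSTED_DOMAINS = {"example-agency.com", "carrier.example"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "action required")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
URL_IN_TEXT_RE = re.compile(r'(?:https?://)?([\w.-]+\.[a-z]{2,})', re.IGNORECASE)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url: str) -> str:
    m = re.match(r'(?:https?://)?([^/:?#]+)', url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_trusted_host(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(domain: str) -> bool:
    """Close to a trusted domain (e.g. an extra word or letter) but not one."""
    if is_trusted_host(domain):
        return False
    return any(difflib.SequenceMatcher(None, domain, t).ratio() >= 0.8
               for t in TRUSTED_DOMAINS)


def analyze(raw: str) -> list[str]:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=email_policy)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display name borrows a trusted brand while the address is external.
    norm_name = re.sub(r"[^a-z0-9]", "", name.lower())
    brand_labels = [re.sub(r"[^a-z0-9]", "", t.split(".")[0]) for t in TRUSTED_DOMAINS]
    if not is_trusted_host(from_dom) and any(b in norm_name for b in brand_labels):
        findings.append("display name claims a trusted organization but sender is external")

    # 2. Sender domain is a near miss of a trusted domain.
    if is_lookalike(from_dom):
        findings.append(f"lookalike sender domain {from_dom}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append("reply-to domain differs from sender domain")

    # 4. The receiving gateway did not record a DMARC pass for this message.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "dmarc=pass" not in auth:
        findings.append("no DMARC pass in Authentication-Results")

    # 5. Visible link text shows one host while the href points at another,
    #    or a trusted domain is embedded inside an untrusted host.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    for href, text in ANCHOR_RE.findall(body):
        target = host_of(href)
        shown = URL_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and shown.group(1).lower() != target:
            findings.append(f"link text shows {shown.group(1)} but points to {target}")
        if not is_trusted_host(target) and any(t in target for t in TRUSTED_DOMAINS):
            findings.append(f"trusted domain embedded in untrusted host {target}")

    # 6. Pressure language in the subject line.
    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))

    return findings


def triage(raw: str) -> tuple[str, list[str]]:
    """Map the findings to a simple gateway action."""
    findings = analyze(raw)
    verdict = "quarantine" if len(findings) >= 2 else ("review" if findings else "deliver")
    return verdict, findings


# Constructed sample messages (not real mail).
PHISH = """From: "Example Agency IT Support" <helpdesk@example-agency-support.com>
Reply-To: collect@mailbox.test
To: staff@example-agency.com
Subject: URGENT: your account will be suspended
Authentication-Results: mx.example-agency.com; spf=pass; dmarc=none
Content-Type: text/html; charset="utf-8"

<p>Sign in within 24 hours:
<a href="https://login.example-agency.com.evil.test/auth">https://login.example-agency.com</a></p>
"""

LEGIT = """From: "Carrier Billing" <billing@carrier.example>
To: staff@example-agency.com
Subject: March commission statement is available
Authentication-Results: mx.example-agency.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html; charset="utf-8"

<p>Your statement is ready at
<a href="https://portal.carrier.example/statements">portal.carrier.example</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        verdict, reasons = triage(raw)
        print(f"{label}: {verdict}")
        for r in reasons:
            print("  -", r)
```

The constructed phishing message trips every check and is quarantined, while the carrier statement produces no findings and is delivered. None of these heuristics is decisive on its own (a partner domain can legitimately lack DMARC, and a newsletter can use urgent wording), which is why the verdict is driven by the count of independent signals rather than any single one, and why a "review" outcome still belongs in front of a human.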

By taking proactive measures focused on training, technical controls and secure policies, insurance agencies can shield both their business and client data from devastating phishing attacks.

Stay relentless! 🛡️
