As if cybercriminals, spam, virus attacks and spyware werent bad enough, theres a new technology threat fast gaining ground that targets just about everyone but could result in damage to business reputations, lawsuits and potential violations of federal privacy regulations for insurance agents and carriers, experts warn.

“Phishing” involves a trap laid for unwary computer users who received spoofed (fake) e-mails or visit fraudulent Web sites and are fooled into divulging personal financial data such as credit card numbers, account user names and passwords, Social Security numbers, etc., according to the Anti-Phishing Working Group, based in Menlo Park, Calif. The APWG describes itself as “the global counter-phishing organization of stakeholders” whose members include private companies, government and law enforcement agencies, and sponsors from the security technology vendor community.

The success of phishing efforts depends on the victims trust in the name of the institution or company that seems to be making the request. “By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them,” says APWG.

While banks and other financial services firms seem to be a primary target for phishers, “the potential for an insurance-type attack is there,” states Dan Hubbard, senior director of security and research for Websense Inc., a San Diego-based Internet security company. He points to the possibility of a “fraudulent insurance scam” that could have an agency or carriers customers revealing sensitive information.

Such intrusions could cause problems with government regulationssuch as Sarbanes-Oxley and the Health Insurance Portability and Accountability Actwhich require insurance companies and agencies to keep consumer financial and health information private, says Hubbard. “Customer identification information is very important and security is very important for regulated industries where information about people could be compromised via [phishing] attacks,” he explains.

The newest trend, says Hubbard, is for phishers to circumvent encryption and other computer security measures by intercepting vital information from unsuspecting users within an organization before it can be encrypted. The phishers may use malicious code to plant keylogging software on a users computer in order to capture every keystroke, thus capturing passwords and other confidential information. Once that happens to a companys or agents systems, “you lose one of your most important controls,” he adds.

“The real issue is brand control,” states David Jevans, chairman of the APWG. Carriers and agents have “very little control” over phishers use of their brand names. “You may not even know its happening,” he says.

For example, an insured may receive a “special offer” that appears to come from his insurer, asking him to come to the insurers Web site (actually a bogus site) to fill out personal information, says Jevans. In such a case, the companys brand is being used to collect information that could later be used for fraud, such as identity theft.

“Theres going to be lawsuits, even if the company doesnt know [the phishing attack is] happening,” Jevans says. “If it does happen and you find out about it, you have a responsibility to do something about it.

“I would imagine it would be a fiduciary responsibility to have this stuff taken offline. That might be easy with an Internet provider based in the U.S., but its going to be pretty darn difficult on a hacked server sitting in Korea,” he adds.

“Where is the liability?” asks Ann Purr, second vice-president of Atlanta-based LOMA, who formed LOMAs Council of Chief Information Security Officers in the insurance industry. “If somehow our data gets compromised, where did it happen and how do we protect ourselves?

“Its a customer issue; thats what I hear insurance companies saying,” she says. “Were dealing with customer service and trying to give them excellent service. We know people may receive messages that seem to be from your company but are not.” At that point, opening an executable file or sharing confidential information could cause significant problems for insureds, she notes.

“People know they should be careful, but this looks like something legitimate,” says Purr. “Think about it: Why should my bank want my account number or Social Security number? They should already have it. But then, how many times have people asked you for that information, just to verify your identity?”

Purr expresses concern about “what other people could do to our good names and our good reputation.” To prevent such problems, she advises “good business practices, including good security measures.” She notes that agents, as well as carriers, could be subject to a phishing scam, “so education and awareness are critical.”

She adds, however, that “no matter what kind of policies you put in place, theyre only as good as the people who implement them. If theyre not protecting their workspace, we need to make them aware.”

Meanwhile, phishing activity continues to increase by 10% to 30% per month, says Jevans. Phishing messages constitute about 1% or less of all spam, “but some people see about 5%,” he adds.

“There are less than 40 organized groups of phishers worldwide, we believe,” he continues. “There are always 17-year-old kids trying to get money for college, but [these groups consist of] professional, organized people employing sophisticated, advanced technology.” These 40 phishing groups, he notes, generate “80% to 90% of all the phishing thats happening.”

Catching the individuals involved in phishing, however, is not easy. “Its super-difficult,” says Jevans. “The hacking community has zombie machines running all over the world,” with people unaware their machines are being used to propagate phishing schemes.

“Phishing attacks are becoming more sophisticated,” warns Hubbard. “The attackers are evolving at a faster pace than the people who are trying to solve the problem.”

In order to reduce phishing, says Jevans, “e-mail authentication has to happen. That means checking that the domain that sent an e-mail is actually the domain it claims to be.” Such a strategy may discourage phishers from claiming they represent a bank or other institution, because the e-mail recipient can verify whether or not an e-mail came from that organizations Internet domain, he explains.

“Theres no real silver bullet technology that you can buy that solves the problem,” states Hubbard, who advises organizations to use a combination of security technology, education and awareness. “If you believe your brand is valuable, its something you should investigate,” he notes. “Most [phishers] will target the weakest links out there.”


Reproduced from National Underwriter Edition, April 29, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.