As if cybercriminals, spam, virus attacks and spyware werent bad enough, theres a new technology threat fast gaining ground that targets just about everyone but could result in damage to business reputations, lawsuits and potential violations of federal privacy regulations for insurance agents and carriers, experts warn.
“Phishing” involves a trap laid for unwary computer users who received spoofed (fake) e-mails or visit fraudulent Web sites and are fooled into divulging personal financial data such as credit card numbers, account user names and passwords, Social Security numbers, etc., according to the Anti-Phishing Working Group, based in Menlo Park, Calif. The APWG describes itself as “the global counter-phishing organization of stakeholders” whose members include private companies, government and law enforcement agencies, and sponsors from the security technology vendor community.
The success of phishing efforts depends on the victims trust in the name of the institution or company that seems to be making the request. “By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them,” says APWG.
While banks and other financial services firms seem to be a primary target for phishers, “the potential for an insurance-type attack is there,” states Dan Hubbard, senior director of security and research for Websense Inc., a San Diego-based Internet security company. He points to the possibility of a “fraudulent insurance scam” that could have an agency or carriers customers revealing sensitive information.
Such intrusions could cause problems with government regulationssuch as Sarbanes-Oxley and the Health Insurance Portability and Accountability Actwhich require insurance companies and agencies to keep consumer financial and health information private, says Hubbard. “Customer identification information is very important and security is very important for regulated industries where information about people could be compromised via [phishing] attacks,” he explains.
The newest trend, says Hubbard, is for phishers to circumvent encryption and other computer security measures by intercepting vital information from unsuspecting users within an organization before it can be encrypted. The phishers may use malicious code to plant keylogging software on a users computer in order to capture every keystroke, thus capturing passwords and other confidential information. Once that happens to a companys or agents systems, “you lose one of your most important controls,” he adds.
“The real issue is brand control,” states David Jevans, chairman of the APWG. Carriers and agents have “very little control” over phishers use of their brand names. “You may not even know its happening,” he says.
For example, an insured may receive a “special offer” that appears to come from his insurer, asking him to come to the insurers Web site (actually a bogus site) to fill out personal information, says Jevans. In such a case, the companys brand is being used to collect information that could later be used for fraud, such as identity theft.
“Theres going to be lawsuits, even if the company doesnt know [the phishing attack is] happening,” Jevans says. “If it does happen and you find out about it, you have a responsibility to do something about it.
“I would imagine it would be a fiduciary responsibility to have this stuff taken offline. That might be easy with an Internet provider based in the U.S., but its going to be pretty darn difficult on a hacked server sitting in Korea,” he adds.
“Where is the liability?” asks Ann Purr, second vice-president of Atlanta-based LOMA, who formed LOMAs Council of Chief Information Security Officers in the insurance industry. “If somehow our data gets compromised, where did it happen and how do we protect ourselves?