Insurance and the New Ransomware Attack: How to Make Employees Your First Line of Defense

It is possible to reduce the chances of becoming a phishing victim by safeguarding your employees and vendors and making them aware of the danger.


Targets run the gamut from government and educational institutions to finance and healthcare providers and everything in between. In fact, any organization that holds personal and financial data on its clientele is at risk, which makes insurance companies especially attractive to would-be hackers. A successful attack can be devastating, both reputationally and financially: not just the investment required to restore systems, but also the legal compensation for the class action suit that generally follows.

The most a company can provide to policyholders who have had their private information posted online is standard identity theft protection. That means if someone tries to leverage the exposed content to access bank accounts, the attempt will either be stopped or the protection will reimburse any lost funds. But this is protection after the fact. It’s helpful, but not fully restorative. After an auto accident, motorists appreciate getting the dents removed and the engine fixed, but they would have preferred any action that could have helped avoid the accident in the first place.

Insurance organizations should also focus on preventative measures. To combat would-be scammers and thieves, forward-thinking companies are taking steps to protect their policyholders and personnel before a cyber attack strikes. The first step in this process is determining how hackers are gaining access to IT systems. Servers, unpatched software, and brute-force credential attacks will receive renewed focus, and such standard security reviews should certainly be carried out. But these are not the primary methods hackers are using to get in these days. At many firms, the easiest means to deliver a ransomware payload is a phishing email with a malicious link.

Why phishing? Phishing emails have mostly preyed on the greedy and the vulnerable. A Nigerian prince wants to transfer millions into my bank account? Great! FedEx has a package for me? I didn’t order anything, but I don’t want to miss out! Such clumsy, transparent scams still victimize thousands of people every year.

Today’s more sophisticated phishing attacks are succeeding due to the voluminous amount of personal identifying information available about everyone online and the incorporation of artificial intelligence, which is revolutionizing and reshaping the phishing threat landscape.

Here is what an old phishing attack looks like:

[Image: example of an old-style phishing email]

Your personnel, having been trained to detect emails like this, will likely just move them directly to the Trash. But what about an email like this?

[Image: example of a personalized phishing email]

How could it not be authentic? It uses a nickname for the recipient that a stranger wouldn’t know. It includes a familiar photo and references to the person’s family or friends. A penetration test revealed that nearly 5 percent of employees would be convinced this was a real email and would click on a link—and once that happens, the hackers have won.

The capabilities of AI have allowed even novice cybercriminals to launch highly convincing, personalized scams with ease.

No wonder such phishing attacks are up more than 55 percent.

How do they know your personal information? In most cases we willingly surrendered our personal data. As internet access became pervasive, we were eager to take advantage of its many conveniences: shopping online, paying bills online, downloading apps to save money on groceries, or making a reservation at a restaurant. All that was asked for in return was a few personal details to register for an account: your home address, your phone number, your email address, and your date of birth.

Perhaps the entities originally collecting these personal details had no motivation other than to provide better service. But as they built a database of names and addresses, they realized that if they also had the names and addresses of other people, they could market their products or services to them. So, lists were sold or exchanged, and data brokers began appearing online, offering home addresses and other once-private information to anyone willing to pay for them – no questions asked.

As of 2023, there are more than 5,000 data broker companies worldwide. These brokers use secret algorithms to build profiles on every American, without their knowledge.

What is public can be private again. What if hackers sought that personal content about your personnel, but couldn’t find it – or at least could not find enough to implement a successful attack? If that happened, they would likely look elsewhere for their next victim.

Since AI feeds on information, this attack vector can be interrupted by cutting off the pipeline of personal information about your employees online. A corporate account that monitors and eliminates the types of personal information that fuel attacks can cost just a few dollars per employee per year. These services not only lower the volume of available content, they can also replace authentic information (home address, cell phone number) with alternatives that cannot be traced back to their user.

In addition to reducing the likelihood of ransomware and phishing, there is another benefit to online privacy protection, particularly for your front-line employees and public-facing personnel. When rates go up, policies are canceled, and claims are denied, another form of risk is created. People get angry a lot faster these days and are more likely to act upon that anger when it is directed at a specific target. Keeping the home addresses and other private content of your personnel off the internet can also enhance their personal safety against threats, harassment, and even violence.

Obviously, it is also important to continue educating your employees on these new and more convincing forms of phishing emails and why they should verify any suspicious communication before clicking on a link that will infect a work computer.

Finally, stop treating the danger of ransomware as an IT issue. This is now a C-suite issue that should command corporate attention toward asset protection and risk management.

There’s not much anyone can do about those who would weaponize publicly available private information for revenge or profit. However, it is possible to reduce the chances of becoming a phishing victim by safeguarding your employees and vendors and making them aware of the danger.

Ron Zayas // Ron Zayas is an online privacy expert, speaker, author, and CEO of IronWall360, an Incogni company. IronWall360 provides online privacy protection to both the public and private sector. For more insight into online privacy laws, proactive strategies, and best online data practices, visit ironwall360.com. Connect with Ron at ron.z@360civic.com or LinkedIn.
