10 Nov 2020
Cybersecurity for Agents and Brokers: Avoiding Phishing Scams
By Rafael Pelaez, Chief Information Security Officer, Pan-American Life Insurance Group
Estimated read time: 4 minutes, 21 seconds
Cybersecurity has always been important, but now, it’s an urgent priority. We are all conducting more business online now—and, by no small coincidence, so are cybercriminals.
At PALIG, we’ve escalated our cybersecurity practices and will continue to do so. Because you interact directly with current and future policyholders on a daily basis, agents and brokers also play a critical role in protecting our mutual clients’ personal information.
Increasingly common cybercrimes include online impersonations, social network fraud, cyberbullying, cyber extortion, identity theft, and unauthorized access to institutional systems.
Some of the main threats that we are seeing today are ransomware and theft of sensitive data, including protected health information (PHI) and personally identifiable information (PII).
To achieve this, bad actors exploit the weakest link, people, through social engineering techniques including phishing (email), vishing (phone call), and smishing (text) scams.
As we all undertake our ongoing digital transformation, cybercriminals are developing new methods of attack, many times trying to exploit vulnerabilities in updated processes or cloud environments. Needless to say, it’s important for all of us to stay up-to-date.
In addition to communication initiatives that we offer to PALIG colleagues, we are launching a cybersecurity blog series designed for you, our agents and brokers. We will periodically update you regarding the threats that we are seeing and, just as importantly, provide you with strategies for reducing your risk profile.
For our first blog in this series, we have chosen to tackle email phishing scams. Our Information Security team has determined that phishing is one of the attack vectors that you are most likely to encounter while conducting business online. Unfortunately, phishing scams are becoming more sophisticated and convincing by the day. Don’t be a victim—be vigilant and ready.
Phishing Scams Have Become More Dangerous
Not too long ago, phishing emails were relatively easy to spot due to their poor grammar and spelling, as well as their odd content. However, these days, some phishing emails look dangerously authentic. They may look professional and may appear to be related to some of your legitimate business activities.
In a nutshell, phishers use proven social engineering tactics to trick you into opening an attachment or clicking on a link. Once you do so, the cybercriminals often download a malicious file onto your PC or system, or otherwise access your credentials.
How to Identify Phishing Emails
The best way to thwart phishing attempts is to combine strong technical controls (like anti-malware and antivirus software) with intentional behavioral changes. As a rule of thumb, assume all outside emails are suspicious, especially from unknown sources.
Never accept such emails at face value. Examine them carefully for their appearance and their content. In addition:
- Keep your emotions under control. Phishers deliberately try to elicit fear and curiosity to compel their victims to open attachments or click a bad link.
- Look for grammar errors, typos, inconsistent capitalization, etc.
- Pay close attention to the sender’s domain name. Phishers sometimes modify or shorten a trusted domain name slightly, so it appears legitimate at a quick glance.
- Examine embedded links by HOVERING (not clicking) your mouse over the hyperlinks. This may reveal the true URL. If you question a link but aren’t sure, do not click it. Instead, contact the sender separately and verify its legitimacy.
- Remember, reputable companies will never ask you for your password or your personal information.
- Be aware of unsolicited emails or texts that leverage current events such as politics, sports, and viral videos. Right now, COVID-19 is a popular topic for phishers, who may go so far as to pose as the CDC or other health authorities.
- Include an external email banner that clearly flags emails coming from outside your organization.
- Make sure that you have a strong spam filter in place to block much of the spam and the less sophisticated phishing attempts.
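Two of the checks above, a sender domain that closely resembles a trusted one and a link whose visible text disagrees with its real target, can be automated. The code below is an added example, not code from PALIG or the original post; the trusted-domain list, the sample sender and the sample HTML body are constructed assumptions.

```python
# Added example, not from the original post: automates two of the checks above
# (lookalike sender domain, link text vs. real target) on constructed input.
import difflib
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"palig.com"}  # assumed: domains you normally correspond with
# Constructed sample: sender domain swaps "l" for "1"; link text shows a trusted URL.
SAMPLE_SENDER = "Claims Desk <claims@pa1ig.com>"
SAMPLE_BODY = """<html><body><p>Your password has expired. Reset it here:</p>
<a href="http://login.pa1ig-verify.example/reset">https://portal.palig.com/reset</a>
<p>Questions? <a href="https://portal.palig.com/help">Contact us</a></p></body></html>"""

class _LinkParser(HTMLParser):  # collects (href, visible text) for each <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def sender_domain(from_header):
    """Domain part of a From header such as 'Name <user@host>'."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, cutoff=0.8):
    # Returns the trusted domain this one resembles without equalling, else None.
    if domain in trusted:
        return None
    close = difflib.get_close_matches(domain, trusted, n=1, cutoff=cutoff)
    return close[0] if close else None

def _host(u):  # host named by a URL or bare domain; None for ordinary words
    if " " in u or "." not in u:
        return None
    return urlparse(u if "://" in u else "http://" + u).hostname

def mismatched_links(html):
    """Links whose visible text names a different host than the real href."""
    parser = _LinkParser()
    parser.feed(html)
    return [(t, h) for h, t in parser.links if _host(t) and _host(t) != _host(h)]
```

Any non-empty result from either check is a cue to stop and verify with the sender through a separate channel, exactly as the hover-and-confirm advice above recommends.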
Be on Guard against Spear-Phishing Emails
While phishing campaigns are general scam attempts sent to random email addresses, spear-phishing emails are targeted at specific individuals or employees of particular organizations. They are highly specific and personalized, which makes them appear more genuine.
Many organizations have suffered data breaches as a result of spear-phishing campaigns. Attackers gained unauthorized access to the organizations’ systems when one or more recipients unknowingly clicked a malicious link.
How do you identify spear-phishing emails? Look for these red flags:
- Emails stating your password has been stolen or needs to be changed.
- Emails marked URGENT that direct you to click on a link.
- Emails from unknown senders.
- Emails asking you to transfer money.
- Emails with encrypted attachments.
Should you receive such an email, don’t let your alarm or curiosity get the best of you. That’s exactly what spear-phishers want. Instead, every time you check your email, be mindful of the potential threat. In time, good cybersecurity habits will become second nature.
We Are in This Together
In addition to your individual cybersecurity, it’s our shared responsibility to protect our policyholders’ valuable information. Because you—along with our colleagues—serve on the frontlines with the public, you are also our first line of defense. Our policyholders have entrusted us with their personal data. Let’s work together to earn that trust every day.
About the author: Rafael Pelaez is PALIG’s Vice President and Chief Information Security Officer. In his role, he is responsible for leading our information security strategy to make way for innovative new efforts such as cloud integration and migration as well as establishing balance between security measures and business growth. Rafael has over 20 years of dedicated experience in cybersecurity. He served as a leader for E&Y’s Risk Management & Cyber Security practice. Prior to his tenure at E&Y, he held notable leadership roles at Pfizer, Accenture, Carrefour Group and Schneider Electric.