Phishing Threatens Agents, Carriers, Insureds

Damaged reputations, legal problems may be the result


As if cybercriminals, spam, virus attacks and spyware weren't bad enough, there's a new technology threat fast gaining ground that targets just about everyone but could result in damage to business reputations, lawsuits and potential violations of federal privacy regulations for insurance agents and carriers, experts warn.

"Phishing" involves a trap laid for unwary computer users who receive spoofed (fake) e-mails or visit fraudulent Web sites and are fooled into divulging personal financial data such as credit card numbers, account user names and passwords, social security numbers, etc., according to the Anti-Phishing Working Group, based in Menlo Park, Calif. The APWG describes itself as "the global counter-phishing organization of stakeholders" whose members include private companies, government and law enforcement agencies, and sponsors from the security technology vendor community.

The success of phishing efforts depends on the victim's trust in the name of the institution or company that seems to be making the request. "By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them," said APWG.

While banks and other financial services firms seem to be a primary target for phishers, "the potential for an insurance-type attack is there," stated Dan Hubbard, senior director of security and research for Websense Inc., a San Diego-based Internet security company. He pointed to the possibility of a "fraudulent insurance scam" that could have an agency or carrier's customers revealing sensitive information.

Such intrusions could cause problems with government regulations, such as Sarbanes-Oxley and HIPAA, which require insurance companies and agencies to keep consumer financial and health information private, said Mr. Hubbard. "Customer identification information is very important and security is very important for regulated industries where information about people could be compromised via [phishing] attacks," he explained.

The newest trend, said Mr. Hubbard, is for phishers to circumvent encryption and other computer security measures by intercepting vital information from unsuspecting users within an organization before it can be encrypted. The phishers may use malicious code to plant keylogging software on a user's computer in order to capture every keystroke, thus capturing passwords and other confidential information. Once that happens to a company's or agent's systems, "you lose one of your most important controls," he added.

"The real issue is brand control," stated David Jevans, chairman of the APWG. Carriers and agents have "very little control" over phishers' use of their brand names. "You may not even know it's happening," he said.

For example, an insured may receive a "special offer" that appears to come from his insurance company, asking him to come to the insurer's Web site (actually a bogus site) to fill out personal information, said Mr. Jevans. In such a case, the company's brand is being used to collect information that could later be used for fraud, such as identity theft.

"There are going to be lawsuits, even if the company doesn't know [the phishing attack is] happening," Mr. Jevans asserted. "If it does happen and you find out about it, you have a responsibility to do something about it," he added. "I would imagine it would be a fiduciary responsibility to have this stuff taken offline. That might be easy with an Internet provider based in the U.S., but it's going to be pretty darn difficult on a hacked server sitting in Korea."

Meanwhile, phishing activity continues to increase 10-to-30 percent per month, said Mr. Jevans. Phishing messages constitute approximately 1 percent or less of all spam, "but some people see about 5 percent," he added.

"There are less than 40 organized groups of phishers worldwide, we believe," he continued. "There are always 17-year-old kids trying to get money for college, but [these groups consist of] professional, organized people employing sophisticated, advanced technology." These 40 phishing groups, he noted, generate "80 percent to 90 percent of all the phishing that's happening."

Catching the individuals involved in phishing, however, is not easy. "It's super-difficult," said Mr. Jevans. "The hacking community has zombie machines running all over the world," with people unaware that their machines are being used to propagate phishing schemes.

"Phishing attacks are becoming more sophisticated," warned Mr. Hubbard. "The attackers are evolving at a faster pace than the people who are trying to solve the problem."

In order to reduce phishing, said Mr. Jevans, "e-mail authentication has to happen. That means checking that the domain that sent an e-mail is actually the domain it claims to be." Such a strategy may discourage phishers from claiming they represent a bank or other institution, because the e-mail recipient can verify whether or not an e-mail came from that organization's Internet domain, he explained.
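The domain check described above can be sketched on the receiving side as follows. This is an added example, not part of the original article; it goes beyond the article by assuming the receiving gateway records SPF and DKIM results in an Authentication-Results header, which the article does not name. The gateway name `mx.recipient.example`, all other `.example` domains and the sample messages are constructed, and the subdomain match is a simplification of organizational-domain alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; every domain is a reserved .example placeholder.
LEGIT = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bounce.insurer.example; dkim=pass header.d=insurer.example
From: "Insurer Service" <offers@insurer.example>
Subject: Policy renewal

body
"""
SPOOFED = LEGIT.replace(
    "spf=pass smtp.mailfrom=bounce.insurer.example; dkim=pass header.d=insurer.example",
    "spf=pass smtp.mailfrom=mailer.bulk-host.example; dkim=none")
# Sender-supplied header claiming a pass; it was not stamped by our gateway.
FORGED = LEGIT.replace("mx.recipient.example", "mx.attacker.example")

def from_domain(msg):
    """Domain the message claims to come from (the visible From: header)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def authenticated_domains(msg, trusted_authserv):
    """Domains with an SPF or DKIM pass, per headers written by our own gateway."""
    passed = set()
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # anyone can type this header; trust only our own gateway's
        for clause in results.split(";"):
            ok = re.match(r"\s*(spf|dkim)=pass\b", clause, re.I)
            dom = re.search(r"\b(?:smtp\.mailfrom|header\.d)=(\S+)", clause, re.I)
            if ok and dom:
                passed.add(dom.group(1).rpartition("@")[2].lower())
    return passed

def aligned(raw, trusted_authserv="mx.recipient.example"):
    """True if an authenticated domain equals, or is a subdomain of, From:."""
    msg = message_from_string(raw)
    claimed = from_domain(msg)
    return bool(claimed) and any(
        d == claimed or d.endswith("." + claimed)
        for d in authenticated_domains(msg, trusted_authserv))

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("spoofed", SPOOFED), ("forged", FORGED)]:
        print(name, "aligned" if aligned(raw) else "NOT aligned")
```

The spoofed sample passes SPF for the bulk sender's own domain yet fails the check, because nothing authenticated matches the brand shown in From:.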

"There's no real silver bullet technology that you can buy that solves the problem," stated Mr. Hubbard. He advised organizations to use a combination of security technology, education and awareness. "If you believe your brand is valuable, it's something you should investigate," he noted. "Most [phishers] will target the weakest links out there."


Reproduced from National Underwriter Edition, February 18, 2005. Copyright 2005 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.

