Phishing attacks are one of the top reasons insurance agencies get hacked.
Phishing refers to the method of sending fraudulent emails to encourage recipients to reveal confidential information, such as login names, passwords, credit card and social security numbers.
These emails can be very convincing, using reputable company names, logos, spoofed email sender properties, fraudulent addresses, and seemingly legitimate links. Let’s discuss how agency owners and managers can help protect their organization from phishing.
Let’s go over some best practices.
Phishing Best Practices
Never provide your password over the phone or in response to an unsolicited internet request.
Employees should be trained to not respond to any email requesting personal or confidential information. Instead, they should go directly to the website using their browser, and login to their account, to determine if the applicable company is requesting information or validation.
Most files can easily be shared through services like Dropbox instead of being emailed, which is a much more secure way to exchange files.
Check URLs to make sure they are not suspicious. Look for URL misspellings (like bankofamorica.com) and suspicious domains (like microsoft.repairaccount.com, where the brand name is only a subdomain of an unrelated site).
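The two checks just described (a registered domain that is a near-miss of a brand you know, and a brand name used as a subdomain of an unrelated domain) can be automated. The following is an added example for illustration, not code from the original article; the list of known domains and the edit-distance threshold are assumptions, and the domain splitting assumes two-label registered domains like example.com.

```python
from urllib.parse import urlparse

# Constructed allow-list of domains the agency actually deals with (assumption,
# not from the original article); a real deployment maintains its own list.
KNOWN_DOMAINS = {"bankofamerica.com", "microsoft.com", "dropbox.com"}
MAX_EDITS = 2  # a name this close to a known brand is treated as a misspelling


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(url):
    """Return (hostname, registered_domain).

    Assumes a two-label registered domain (example.com); country-code suffixes
    such as .co.uk would need a public-suffix list to split correctly.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    registered = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return host, registered


def check_url(url):
    """Classify a URL as 'ok', 'suspicious' or 'unknown', with a reason."""
    host, registered = split_host(url)
    if registered in KNOWN_DOMAINS:
        return "ok", f"{registered} is a known domain"
    name = registered.split(".")[0]
    subdomain_labels = host.split(".")[:-2]
    for known in KNOWN_DOMAINS:
        known_name = known.split(".")[0]
        # microsoft.repairaccount.com: brand sits left of an unrelated registered domain
        if known_name in subdomain_labels:
            return "suspicious", f"brand '{known_name}' used as a subdomain of {registered}"
        # bankofamorica.com: registered name is a near-miss of a known brand;
        # distance 0 means the same name under a different top-level domain
        distance = edit_distance(name, known_name)
        if distance <= MAX_EDITS:
            return "suspicious", f"{registered} is {distance} edit(s) away from {known}"
    return "unknown", f"{registered} is not a known domain; verify before visiting"


if __name__ == "__main__":
    # Constructed sample links of the kind found in phishing emails.
    for link in ["https://www.bankofamerica.com/login",
                 "http://bankofamorica.com/secure",
                 "https://microsoft.repairaccount.com/reset",
                 "https://example.org/"]:
        print(link, "->", check_url(link))
```

The check only answers "does this look like something we know?"; an "unknown" verdict is not a clean bill of health, which matches the article's advice to go directly to the real site through your browser rather than trusting the link.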
Check attachments before downloading.
Never download the following attachments: ISO, EXE, ZIP, RAR, R09, GZ, TAR, ARC, DMG.
Be wary of downloading doc, docx, xls, xlsx, ppt, and pptx files. They can contain small programs that wreak havoc on your system. Don’t open any document without ensuring it is from a legitimate source.
There are many common and convincing fraudulent document types including invoices, resumes, and receipts. These phishing emails are sent in the millions, so don’t be surprised if one arrives relating to your actual bank, payment service vendor or large client.
Phishing is a numbers game: when 2 million emails are sent, the attackers know that even 1/10th of 1% is 2,000 recipients who actually do business with the impersonated company.
In addition, never download a file with a file format you do not recognize unless you have confirmed who is sending it and why.
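The attachment rules above (a never-download list, Office formats that need sender confirmation, and unrecognized formats that need verification) translate directly into a triage policy. This is an added example, not code from the original article; the allow-list of acceptable formats is an assumption, since the article lists only the blocked and review-required types.

```python
import re

# Types the article says never to download; RAR split volumes such as .r09
# are matched by the pattern below rather than listed one by one.
BLOCKED = {"iso", "exe", "zip", "rar", "gz", "tar", "arc", "dmg"}
SPLIT_ARCHIVE = re.compile(r"^r\d{2}$")  # .r00 .. .r99
# Office formats the article says to open only after confirming the sender.
REVIEW = {"doc", "docx", "xls", "xlsx", "ppt", "pptx"}
# Constructed allow-list (assumption, not from the article): formats the
# agency has decided are acceptable without extra verification.
ALLOWED = {"pdf", "txt", "jpg", "jpeg", "png"}


def extensions(filename):
    """All dotted suffixes, lower-cased, so 'invoice.pdf.exe' yields ['pdf', 'exe']."""
    name = filename.strip().lower().rsplit("/", 1)[-1]
    return [part for part in name.split(".")[1:] if part]


def classify_attachment(filename):
    """Return 'block', 'review', 'allow' or 'unknown' for one attachment name."""
    exts = extensions(filename)
    if not exts:
        return "unknown"  # no extension at all: treat as an unrecognized format
    # A blocked suffix anywhere in the chain blocks the file, which catches
    # double extensions such as 'statement.pdf.exe' and 'data.tar.gz'.
    if any(ext in BLOCKED or SPLIT_ARCHIVE.match(ext) for ext in exts):
        return "block"
    final = exts[-1]
    if final in REVIEW:
        return "review"
    if final in ALLOWED:
        return "allow"
    return "unknown"


def triage(attachments):
    """Group attachment names by verdict so a reviewer sees what needs attention."""
    report = {"block": [], "review": [], "allow": [], "unknown": []}
    for name in attachments:
        report[classify_attachment(name)].append(name)
    return report


if __name__ == "__main__":
    # Constructed sample attachment names of the kinds the article mentions.
    sample = ["Invoice_2291.pdf.exe", "resume.docx", "receipt.pdf",
              "backup.r09", "quote.xyz", "README"]
    for verdict, names in triage(sample).items():
        print(f"{verdict:8}", names)
```

The "review" and "unknown" verdicts are where the article's human step applies: the file is not opened until someone has confirmed who sent it and why, ideally by contacting the sender through a channel other than the email itself.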
Recognize Common Phishing Attempts
- Emails saying they’ve noticed some suspicious activity or log-in attempts. They will provide a URL that leads to a fake login page, and these login pages can look just like the real thing.
- Emails stating there is a problem with your account or your payment information. They will ask you to log in to fix the issue.
- Validation emails, asking you to confirm some personal information.
- A fake invoice with a link asking you to click through to make a payment.
- A payment notification, often with a link to see the status.
- Notification that you can register for a government refund.
- Coupons or other free offers.
Spoofed phishing emails may look like they originated from your own agency, perhaps even your CEO. Beware, be cautious, be diligent, and provide ongoing training to protect your insurance agency and employees from phishing!