Encrypted Phishing Email

We received an interesting phishing email attack this weekend – something I had never seen before.  One of the property managers at our building sent a number of us at NCIGF an encrypted email with the subject line: “New Message from your email contact  9801210”.  The body of the email contained an encrypted email message with a link to click to get the message – very standard stuff.  Looking at the link, it went to a microsoft.com domain that prompted you to enter your credentials.  The good news is that no one here did that, primarily thanks to the quarterly cyber training and monthly phishing tests.  Presumably, the phishing attack was either an attempt to harvest credentials (username and password) or – and this is the theory I find more plausible – the encrypted email, once decrypted, contained some kind of malware/virus payload.  We don’t know for sure because by the time we started doing analysis, the initial “open message” link redirected to “page not found”.

We reached out to the sender this morning and they confirmed their email had been compromised over the weekend.

I’ve never seen a legitimately encrypted email be used as a vector for phishing.  While we do communicate to the building manager via email from time to time, we’ve never had cause to send PII.  No one in the office was expecting documents or messages from the building that would necessitate encryption.  This is a clever attack because it hijacks the notion that encryption=safe.  That said, if you receive an encrypted email from someone out of the blue, it’s always a good policy to be skeptical.  Reach out to the sender by phone (not email!) and verify that they sent it.

I’ve included a screenshot of the email in question with names redacted to protect the guilty.


NAIC Chief Endorses Web of Trust

I recently received a report from an international insurance regulatory meeting in which U.S. insurance commissioners were participating.  The urgency and assertiveness of our regulators hit me like a ton of bricks.

NAIC president, Eric Cioppa—the Maine director of insurance– opined that cybersecurity regulation cannot be prescriptive, but instead must be principles based because it is too hard for the supervisors to keep pace with industry.  First, cybersecurity engagement must come from the very top of the company.  A culture that prioritizes cybersecurity is critical due to the weakest link phenomenon.  Second, an insurer must focus on total preparedness for when a breach occurs.  Without engaging in table topping, a breach could be devastating to the company.  The supervisors are not looking to second guess a company’s program, but are trying to focus on broad cybersecurity themes.

As we continue to push forward in implementing the Web of Trust, it’s not for nothing to understand how U.S. regulators are approaching the same problems at an industry level and to recognize that it’s not all that different from the work we have been doing and are prepared to do more of.  Given that our members’ claims-paying function is an extension of the insurance industry, what regulators think on the topic should very much matter to us. 

In my view the reasoning transfers to NCIGF’s role in making certain that our members are at the most effective level of cyber security; f regulators can require carriers to “open their kimonos” as part of their consumer protection mission when a company is in business, we should be doing the same on security, also for the purpose of protecting policyholders and claimants. Our goals are even more narrow than the regulator’s.

Beyond the cybersecurity piece, the report should provide a flavor for the scope of discussions at the IAIS and the active role U.S. regulators are playing in it.  This is a global version of the NAIC (and as Keith Bell reminds us, the NAIC actually created the IAIS).  I point this out because while some of our colleagues continue to digest the “international” aspect of insurance regulation and its application to the U.S., this report gives a tiny peek into its tangibility, importance and durability.