Social Engineering, Phishing, and Technical Support Scams

Overview

The Financial Services and Insurance Industry continues to be targeted by financially motivated organized crime. Cybercriminals and bad actors continue to attack and target companies with social engineering, phishing, and scam attempts. They continue to leverage current events, social media, and the remote work environment to their advantage. Because of this, employees and financial professionals are often the target of such cyber-attacks and fraud.

Phishing and Smishing

Phishing Email and Text Messages

Emails and texts are useful communication tools, but are often exploited by attackers to steal sensitive information through social engineering, most commonly through phishing (emails) and smishing (texts). Targeted (or spear) phishing emails from a compromised email address continue to be the largest threat to Penn Mutual. Interacting with scammers can lead to identity theft, financial loss, and data corruption through leaked sensitive information—causing long-term issues to Penn Mutual and yourself.

Tips to Keep You Safe:

Be Cautious with Emails. Phishing emails from compromised accounts are a major threat. Scammers use familiar email addresses to gain trust. Be skeptical of unexpected emails, even if from known contacts.

Watch for Email Account Compromise (EAC). If an email account is hacked, the criminal can send phishing emails to all of its contacts. These emails are extra tricky because they may appear to come from a trusted source, like a colleague, vendor, client, etc.

Beware of Fake Document Sharing Links. Phishing emails may mimic legitimate services like Google Docs, Box, and Amazon WorkDocs, urging you to click a link to access documents. Always verify the source before clicking, otherwise your device or network may become compromised.

Stay Alert to Smishing. Phishing can also happen through SMS or text messages (smishing). These messages may seem to come from a trusted contact or Company leader. Be cautious of any unexpected text asking you to click a link, provide sensitive information, purchase gift cards, or process financial transactions.

Did You Know? Because caller ID and phone number verification systems are unreliable, people are more inclined to trust a text. This makes smishing an incredibly popular and successful way to attack.

Stolen Credentials and Credential Harvesting

Many bad actors often aim to steal your login credentials through phishing threats. If a cybercriminal obtains your username and password, they can access our systems, networks, and any confidential information you can access.

Tips to Keep Your Credentials Safe:

Never share your passwords.
Don't reuse your Company passwords for other accounts.
Use strong, unique passwords for every account.
Enable multi-factor authentication (MFA) when possible for extra online account security.

How to Protect Yourself and Our Company—Be Vigilant!

Financial service companies continue to be one of the largest targets for cybercriminals. We must ALL be vigilant against all attempts at all times.

Verification

Verification is the first step to protect against social engineering. Scammers often use familiar names or organizations to trick you, making emails or calls seem trustworthy. They can compromise email accounts or fake caller IDs (spoofing), known as Email Account Compromise (EAC) and Business Email Compromise (BEC). Always verify any unexpected requests by calling the sender using the phone number on file or from an official website.

Protection and Other Precautions

Protecting our systems and data is essential, and your role is crucial in this effort. Here are some ways you can help:

Avoid Unknown Links and QR Codes. Don't click on links or scan quick response (QR) codes from unknown sources, even if they seem legitimate. They could lead to fake websites or download harmful software. Never assume an email is safe just because you recognize the sender or email address.

Be Cautious with Login Credentials. Only enter your login details if you're certain the email is safe.

Do Not Download Unauthorized Software. Only download files, software, or applications from trusted sources. All software and applications must be approved before installation on Company devices to prevent malware risks—even if they're free.

Handle Email Attachments with Care. Only open attachments if you're expecting them or have verified their source. If you're unsure, double-check with the sender.

Report Suspicious Emails. Forward suspicious emails to [email protected] or use the "Phish Alarm" button in Outlook if you're a Company employee.

Employees

All Company employees, including consultants, interns, co-ops, and temporary workers, are held accountable to best practices in place to protect our systems and data when handling suspicious emails (whether simulated or real), including: clicking on a hyperlink; opening an attachment; and/or revealing user credentials. This includes real and simulated emails. If an employee gives up their Company login credentials, they will be terminated. If any of these actions are taken in response to a simulated phishing email, an accountability plan is in place to help the employee learn and improve their behaviors related to suspicious emails.

Corporate Employees

First Instance: Employee must attend phishing prevention training by the assigned deadline. The employee's leader will be notified of the required training.

Second Instance: Employee must attend additional phishing prevention training and will receive a written warning from their leader/HR.

Third Instance: Employee will receive an additional written warning and their eligible participation in the Company bonus that year will be reduced by 25%.

Fourth Instance: If it occurs within 12 months of the first instance, the employee's eligible participation in the Company's bonus will be reduced by 50%. The employee will be ineligible for a merit increase and will be rated as "development needed" in their review.

Additional Instance(s): The Chief Human Resource Officer (CHRO) and the employee's leader will evaluate the facts and circumstances, which may result in additional discipline, including termination based on performance.

Consultants, Interns, Co-ops, and Temporary Status

First Instance: Individual must attend phishing prevention training with their leader.

Second Instance: If this occurs within 12 months of the first instance, the individual will be terminated based on performance.

Did You Know? In 2023, over 100,000 phishing emails were sent to Penn Mutual employees and financial professionals, aiming to steal credentials like usernames and passwords. When in doubt, verify before you click or respond!

Tech Support Scams

Technical Support Scams

Technical support fraud happens when a criminal pretends to be a support representative to trick people into giving up their information or money. They may claim to help with issues like a compromised email, bank account, or software license renewal. These scams can occur via phone, email, pop-up ad, web page, or text message. Typically, you'll get a message saying your device has a virus or error and be directed to a website for technical assistance.

Never allow anyone remote access to your Company-issued device, as this could lead to data theft by a bad actor. Cybercriminals often pretend to offer free tech support from companies you know, such as Penn Mutual, HTK, Apple, Microsoft, Comcast, etc., as a way to gain your trust.

Remember:

Financial professionals using personal devices should contact a trusted vendor for technical help. Never respond to unsolicited offers for support.

Employees should contact the Solution Center at [email protected] or (800) 523-4860 for all of their technical assistance needs.

Social Media Security

Social Media

Social media can expose your personal and our Company information to cybercriminals. It's important to protect your information, privacy, and online reputation.

Tips to Stay Safe on Social Media:

Use Strong Passwords. Create complex passwords for your social media accounts. Don't use your Company-issued email or passwords for your business or personal social media accounts.

Review Privacy Settings. Regularly update your privacy settings to control who can see your posts, photos, and personal information. Share content only with trusted friends or connections and avoid posting sensitive information publicly.

Enable Multi-Factor Authentication (MFA). Turn on MFA for an extra layer of security. This requires a second form of verification, like a code sent to your phone, in addition to your password.

Think Before Sharing. Consider the consequences of what you post. Avoid sharing personal details like your home address, phone number, or financial information. Don't share anything that could help someone guess your password or security questions.

Be Selective with Connections. Only accept friend or connection requests from people you know and can verify. Be cautious of fake profiles and potential scams.

Staying safe on social media requires constant awareness and caution. Always watch for suspicious behavior and be mindful of what you share.

MFA is required for remote access to Company-managed networks. This applies to individuals working from home or any location outside of a Company office.

Always be vigilant. Verify the sender's identity before clicking links or sharing information to protect yourself and Penn Mutual from cyber threats.