ICICI Lombard General Insurance is one of India’s leading private sector general insurance companies. The Company provides an array of comprehensive and well-diversified non-life insurance products and risk management solutions to secure customers and their family against unexpected and untoward events. It has a strong, diversified and seamless distribution channel both online and offline to serve the needs of its individual, corporate, MSMEs and government customers.
The insured company is a global pharmaceutical conglomerate. Operating in multiple countries with a workforce of ~ 15,000 individuals from diverse nationalities, this case study highlights insurer’s efforts to combat insured company’s phishing threats with the aid of a dedicated yearlong simulation exercise.
The insured company’s employees fell victim to a recent phishing attack, during which threat actors gained access to several emails, particularly those associated with invoices. Exploiting this access, the threat actors orchestrated a series of payment frauds that resulted in financial losses amounting to approximately INR 1 Crore.
The insurer initiated a comprehensive approach to tackle phishing threats within the organization. The initial assessment revealed a high phishing rate of approximately 25%, indicating a lack of employee awareness regarding these threats. To address this, a year-long phishing simulation exercise was devised, comprising two key components: assessing employee awareness through monthly simulations and enhancing their knowledge about phishing threats and vigilance.
In light of the exercise's success, the insurer proposed a forward-looking strategy to ensure the organization's ongoing safety. This included the deployment of an end-to-end email security solution to establish a trust enforcement platform for email recipients and implement measures for identifying look-alike domains. The insurer also recommended conducting periodic phishing simulations to maintain and further enhance cybersecurity resilience.
After a rigorous 12-month exercise, the organization's phishing rate saw a substantial reduction to approximately 6%. The workforce became considerably more adept at identifying and mitigating phishing threats, significantly decreasing the risk of successful phishing attacks.
