If your dealership uses online banking (payroll account transfers, wire transfers, ACH transactions, etc.), you are a target for fraud.
Your dealership has survived the Great Recession. Now you are preparing for battle to protect your dealership in a regulatory and tax environment that grows increasingly hostile. Yet perhaps the biggest risk to your dealership’s financial security does not even come from this country. Russian and Eastern European organized crime syndicates have begun raiding bank accounts of U.S. businesses in a sophisticated and targeted online banking hacking scheme. This threat is real and it is growing.
If your dealership uses online banking (payroll account transfers, wire transfers, ACH transactions, etc.), you are a target.
The new computer attacks are different
In the past, cyber criminals attempted to get a hold of financial and credit card information by sending out mass emails in hopes of tricking individuals and businesses into granting them access. The new attacks target specific businesses, including dealerships. Here's how it works:
- Criminals research the dealership on Google and through other web tools to learn details like names and emails of key managers from the dealer's website. They might even call the dealership and get additional company information from your receptionist.
- Armed with this information, they compose an email to a specific employee that contains enough detailed information to trick them into opening a link to a website. For example, they might email a manager asking them to open a link about a sale going on at a competitor. The link will open a web page that will look real enough to be a competitor's website, and the recipient may keep it open for a minute or so. During that time, malicious software (malware) is loaded onto the person’s computer without their knowledge.
- Once loaded, the malware spreads from computer to computer on your network until it recognizes a user who is making online banking transactions. The malware records keystrokes and sends it back to the hacker. Now the criminal knows the specific keystrokes to make an online banking transaction. Equipped with the correct identification numbers and password, the hacker simply logs into your bank’s online banking site posing as you, and directs an ACH transaction to an offshore account, effectively cleaning out your bank account.
These are not mass emails being sent to get access to a handful of individual bank accounts. These attacks go after more lucrative business accounts, and their targeted nature makes them different. The criminals are spending time doing research on the targeted business to increase their odds of penetration.
Bank and insurance companies may not cover the loss
Who is financially responsible when an attack takes place is currently a disputed area. Banks typically have deemed these attacks to be the fault of the business, arguing it was the computer system of the business that was compromised, not the bank's. There are lawsuits back and forth on the issue, but it is not settled law. Meanwhile, it appears that attempts to get the bank to pay will be a long and possibly fruitless legal battle. This doesn’t change the fact that your account is depleted.
Insurance coverage completely depends on the provisions of each individual policy. This type of risk is relatively new, so specific coverage in your policies is unlikely. Some policies have coverage written broadly enough to protect against the risk, but based on the cases known so far, adequate insurance coverage often is not in place. Many of the businesses that have been hit are simply out the money with no recourse.
Existing controls may not be enough protection
Chances are your information technology (IT) director does a great job maintaining your network and keeping everyone up and running. In our experience, virtually every IT director we have dealt with insists their system is not vulnerable. But in most instances, vulnerabilities exist because dealership IT directors might be wearing multiple hats or need more time and resources to keep up on new security threats and adequately reduce risk from these targeted attacks.
How to protect your dealership
Educate employees
One of the simplest ways to reduce the risk of accidently allowing malware to be opened is to teach your employees to recognize and report suspicious emails and websites. This dramatically reduces the chances of the malware being planted. But this is problematic because the emails can look so authentic.
For example, our team of specialists recently tested a client's vulnerability by sending a fake email that mimicked the type used by criminals to 18 different employees. Seventeen opened the link and kept it open long enough for malware to be deployed. This result is not unusual, reinforcing the critical need for ongoing education on new threats and methods.
Test and strengthen firewalls
Just because the malware was deployed does not mean it will automatically spread. A strong firewall and other protective measures can help prevent the spread of the malware across the network. With this specific threat, the malware must be able to find which computers in your organization are used for online banking transactions. Protective software and other stronger online banking security measures can reduce the effectiveness of the malware.
Talk with your bank and insurance company
Communicate with your bank to make sure enhanced security measures are in place to make it more difficult for malware to operate effectively. Security measures such as multi-factor authentication and ACH white listing (if available from your bank), can be effective. Often the available controls are either bypassed by the user for convenience reasons or are not put in place due to cost. In addition, you should communicate with your insurance company to make sure that these and other similar thefts are covered.
If your dealership uses online banking services, take steps to prevent a potential attack on your business. If you can minimize the risk using your in-house team, get started today. If you need outside help, call on payment fraud protection professionals. These services will be far more valuable as front-end protectors than if called in after the fact to assess damage and reconstruct an attack for potential use in litigation.