Dealerships Are at Growing Risk of the Latest (and Most Devious) Cybercrimes
Cybercrimes have reached a whole new level of insidiousness and sophistication. They are so sophisticated, in fact, that many schemes can make you and your dealership’s employees unknowing participants in the crime, tricking you into handing over money and personal information without your awareness. Every business is a target — that means your dealership, too — and your first line of defense is to acknowledge that fact.
Growing risk of cybercrime against dealerships
Many industries have already been considerably impacted by cybercrimes, but dealerships as a group have not experienced quite those levels of devastating security breaches — yet. According to Verizon’s 2019 Data Breach Investigations Report, retail is the second most-targeted industry segment, behind only banking. Dealerships maintain a good deal of personal information about both employees and customers, which is attractive to fraudsters; just think of the data that flow in and out of your finance and insurance department alone. They also make significant payments via wire transfers or ACH transactions — lucrative targets for cybercriminals. As these crimes become more prevalent, dealerships will inevitably become part of the growing pool of victims.
Cyberattacks can not only rob you of funds and information; they can also damage your reputation and customer trust. Many businesses have been crippled or forced to close up shop after the ravages of cybercrimes, but the good news is that most of these attacks are preventable.
Knowing all you can about online banking scams, malware, and ransomware, as well as what you can do to keep them at bay, can help limit your dealership’s vulnerability.
Online banking scams
Online banking scams are common these days, and they work best when employees are tricked into unwittingly participating in the fraud.
In one type of scam (also known as “phishing”), an email that appears to come from a high-ranking individual within the dealership (such as the owner or general manager) is sent to the controller, office manager, or an employee in accounts payable with online payment capabilities, requesting urgent payment of an invoice. Everything about the email appears legitimate: the address, the sender’s signature, and the supporting attachments with amounts due and payable. In fact, it is sent by the scammer posing as the company executive. The employee processes the payment without giving it a second thought, unknowingly depositing the dealership’s money into a fraudulent account. Usually he or she is eager to accommodate the “urgent” request from a ranking individual and responds dutifully and quickly.
In another method, a scammer impersonates a vendor with whom an employee transacts directly on a regular basis. The imposter-vendor and the employee exchange niceties via email, possibly discussing personal details specific to that employee, then the “vendor” requests payment of an invoice attached to the email. The sham vendor often says the payment is overdue and that the employee needs to process it right away to avoid late fees or disruptions in service. Not wanting to disappoint after such an engaging and friendly conversation, the employee complies.
In most of these scenarios, the victim’s email has previously been hacked or compromised unbeknownst to the dealership. The fraudsters spend a great deal of time studying their victims, learning how they communicate, identifying who performs what functions, and eventually precisely targeting the employees with the ability to perform the wire transfer. They are so well prepared and in possession of so many personal details that it can be difficult to detect the fraud.
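The two scams above share signals that an accounts-payable mailbox can be screened for. The following is an added example, not part of the original article: a small Python triage routine whose domain, executive names, keyword lists, and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration only; substitute your own domain and names.
DEALER_DOMAIN = "example-dealer.test"
EXECUTIVES = {"pat owner", "jordan lee"}
URGENCY = re.compile(r"\b(urgent|right away|immediately|overdue|late fees?|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|ach|invoice|payment|remit)\b", re.I)

def triage(raw):
    """Return the reasons a message should be verified by phone before paying."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []
    # An executive's display name on an address outside the dealership's domain.
    if name.strip().lower() in EXECUTIVES and domain != DEALER_DOMAIN:
        flags.append("executive-name-external-address")
    # Replies silently routed to a different domain than the visible sender.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        flags.append("reply-to-domain-mismatch")
    # Pressure to pay quickly, the common thread in both scams described above.
    if URGENCY.search(text) and PAYMENT.search(text):
        flags.append("urgent-payment-request")
    return flags

# Constructed sample messages (not real mail).
SPOOFED = (
    'From: "Pat Owner" <pat.owner@example-dealer-mail.test>\n'
    "Reply-To: accounts@payments-desk.test\n"
    "Subject: Urgent invoice\n\n"
    "Please wire payment for the attached invoice right away.\n")
COMPROMISED = (
    'From: "Pat Owner" <pat.owner@example-dealer.test>\n'
    "Subject: Invoice 1042\n\n"
    "This one is overdue. Process the ACH today to avoid late fees.\n")
ROUTINE = (
    'From: "Parts Desk" <parts@example-dealer.test>\n'
    "Subject: Monthly statement\n\n"
    "Statement attached for your records.\n")

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("compromised", COMPROMISED), ("routine", ROUTINE)]:
        print(label, triage(raw))
```

The message sent from a genuinely compromised mailbox passes both header checks and is caught only by its content, which is why any flagged payment request should be confirmed by phone using a number already on file.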
Theft of sensitive information via malware
Organized crime groups based primarily in Russia, Eastern Europe, and China are stealing and selling personal financial information (PFI) such as payroll data (name, address, social security number, driver’s license number, and bank account number) and customer credit card details. These thefts started as largely card-present, point-of-sale credit card attacks (e.g., the Target breach in 2014) but have shifted to attacks targeting all PFI types stored on web servers. Typically, the theft is initiated by a spear-phishing message that tricks an employee into clicking on a legitimate-looking link that actually downloads malicious software and allows the hacker unhindered access to your network.
Their methods of trickery keep becoming more underhanded. These days, hackers are creating fake social media profiles, complete with connections and networks that all look authentic. A hacker may stalk an individual in your dealership to get a feel for his or her role and function, professional and personal interests, and other habits. With all this personal information at the hacker’s disposal, he uses his online character to make a connection with your employee. Then he sends a well-crafted email that appeals to that employee, who is lured into clicking on the malicious link. Just like that, the hacker has free rein over your bank accounts, customer data, and other sensitive information. And you won’t know it until the damage has been done.
Paying money to ransom your data
Ransomware is an increasingly popular type of attack used by hackers. Think of it as “digital kidnapping.” Because ransomware is a way for the criminals to get paid quickly, its use has increased exponentially in the past few years.
Ransomware is malware that encrypts virtually all data and files that it can find, both on the local machine and on every network device that it can connect to. This renders the data unusable by your dealership. Recent variants have the ability to attack the entire network, creating a true business interruption event. Some variants can even migrate to your backup storage media and encrypt that data as well.
Typically the hacker requests payment (the ransom) in exchange for decrypting the affected data. This is how the hacker hopes to make his money. Users typically become victims when they click on an attachment or link that appears legitimate but which actually contains the ransomware code.
Many business owners will pay the ransom and keep mum about the crime to protect their reputation, which makes the crime all the more insidious and allows perpetrators to continue their crimes unscathed.
Raiding the cloud via password theft
Migration to the cloud has been the dominant IT trend over the last 18 months, as many businesses move their email, accounting systems, and data backup to the cloud. As a result, hackers have turned to stealing passwords (so-called “credential harvesting”) in order to maliciously access these systems. This can be done by malware that logs keystrokes or by a phishing email that tricks the user into supplying the password on a malicious website. The key to protecting your business from password theft is to implement multifactor authentication (MFA) on all cloud services. Most cloud providers offer, but do not require, MFA, so you must request it after the initial deployment.
Protecting your dealership from cybercrime
Dealerships can implement several best practices to avoid becoming the victim in these scams:
Build a strong defense
- Utilize bank security tools for online cash management, including:
  - Multifactor authentication (MFA)
  - Daily and individual transaction limits
  - Wire call-back features
- Keep current on technical defensive measures such as firewalls, intrusion detection systems, and spam filters.
- Keep the anti-virus software on each device up to date, and run regular scans to keep the devices clean.
- Keep all network servers and PC workstations current with the latest security updates and patches.
- Make better passwords. A strong password is at least 12 alphanumeric characters long.
- Encrypt sensitive data, such as personal financial information.
- Make regular backups of key data and systems and store them in a secure, off-site location.
- USBs and other external devices can be infected by viruses and malware. Use your security software to scan them.
- Remove administrative privileges on workstations and laptops from the general user population.
- Engage a specialist to perform periodic vulnerability or penetration tests to determine if your system is susceptible to attacks and validate that controls are functioning as intended.
Communication and training
- Educate employees about electronic payment scams and other attacks and call on them for heightened awareness.
- Be on the lookout for “urgent” requests for payment or sudden changes in business processes, such as a vendor requesting payment outside of the normal protocols.
- Instill in your people a skepticism of online connections.
- Consider cyber liability insurance, understand policy definitions and exceptions, and ensure adequate coverage to keep your dealership afloat in the aftermath of an attack.
How we can help
CLA’s dealership professionals join forces with our firm’s information security consultants to develop best practices for electronic transfer policies and procedures. Our IT security consultants are trained and equipped with the most advanced software and tools to perform assessments on your system, root out vulnerabilities, and shore up security.
Cybercriminals are more insidious and sophisticated than ever. Knowing all you can about online banking scams, malware schemes, and ransomware — and what you can do to keep them at bay — can help limit your dealership’s vulnerability.