We’ve all heard about international crime organizations targeting businesses.
But auto dealerships are also are being attacked. Hackers are targeting auto dealers, along with other service businesses, with sophisticated and targeted email scams designed to trick unwitting employees into performing actions that make business networks vulnerable.
A few years ago, computer hackers used relatively unsophisticated schemes to try to access information and money. Remember the emails from the dethroned princes in Nigeria? Today’s schemes are more sophisticated.
Dozens of auto dealerships across the country (that we know of; the figure may be in the hundreds) have already fallen victim to hackers who have successfully managed to access the following information:
- Bank account numbers, routing numbers and login credentials.
- Customer bank account numbers and routing numbers.
- Customer credit card numbers, addresses, social security numbers and credit scores.
Employees who work in the accounting and F&I departments are most at risk for being targeted by sophisticated email scams.
Here is a sampling of actual incidents:
A controller received an email from someone, whom he thought was the dealer, requesting a $30,000 wire transfer. After a few emails back and forth, the controller complied with the request. Unfortunately, the bank was not able to retrieve the $30,000.
A virus was downloaded in an email attachment on the F&I manager’s computer. The virus tracked every website visited and every keystroke made.
Hackers were able to use the information to login into credit bureau sites and extract credit reports for hundreds of customers. This cost the dealership more than $150,000.
An accountant was tricked into visiting what he thought was Bank of America’s website. The accountant was prompted to enter in login information, bank account numbers and other information that enabled hackers to initiate a $400,000 wire transfer. Fortunately, the real Bank of America stopped the transfer before it happened.
Another tactic growing in popularity is to install a virus that encrypts every file on the network. Hackers then demand a ransom to release the files back to the business. Small businesses in the U.S. and Europe have paid up. They didn’t have much of a choice. It’s either pay up or their business is shut down.
Security software and firewalls have a hard time stopping these types of attacks, because they all originate from emails that are sent to employees. These are not random emails. They are targeted attacks on specific dealerships and the individual employees who work there.
According to Symantec, half of all spear phishing attacks (emails to employees that contain viruses, malware and links to fake websites) target small businesses, defined as those up to 250 employees.
To prevent your dealership from being a victim of these types of attacks, follow these recommendations:
- Verbally verify all requests for wire transfers.
- Have cyber-liability insurance. Shockingly, the majority of dealerships do not. If customer records are accessed, costs can run to $1 million or more per incident. A good insurance policy will cover that.
- Train employees. Be sure they know the latest cyberwarfare strategies and how to follow them.
- Keep software patches updated. More than 90% of dealerships do not have a system in place to keep their patches updated on a regular basis. This is like leaving your back door open at night to cyber-thieves.
Every business that has been hacked didn’t think it would happen to them. Take steps now to protect your dealership and your customer data.
Erik Nachbahr is the founder and president of Helion Automotive Technologies, an information technology firm.
