Dealers engage should treat the threat of cyber crime as seriously as any other part of their business, says an FBI agent.
“Dealerships are in control of some important data and protecting that data is critical to both themselves and their customers,” says Supervisory Special Agent Edward Parmelee of the FBI’s Cyber Division.
WardsAuto recently spoke to him about how dealers can protect themselves.
WardsAuto: What are the most pressing cyber threats that dealers face today?
Parmelee: The most pressing threats face everyone, not just dealerships. It’s ransomware viruses, business email compromising, and the Internet of Things, or IoT.
WardsAuto: Describe these.
Parmelee: A business email compromise is a phishing scam where a fake email is sent to elicit a response from the user. The bad actor will do a quick study on the dealership – its business practices, how it transfers money, and (how it works with) vendors.
Say a dealership has a large continuous shipment of auto parts from various vendors. The bad actor will figure out who controls the wire transfers in the dealership and will send a false invoice from a vendor requesting payment. A lot of times, because of the volume of business that these dealerships do, they just pay. The criminals use their account for a very short term and then they close it and move on.
WardsAuto: How can a dealership identify this scam?
Parmelee: A lot of times there are subtle differences that you can see in an invoice, particularly in a “spoofed” email address. Let’s say a name has a double “l” or a double “e.” Instead of using double “l’s” in the email address they’ll use the number “1.”
On a quick glance it looks legit, but there’s that one little difference. Sometimes the language used in the invoice is close to the legitimate one, but with a subtle difference. If you take just a half second to look at what the invoice is asking for it usually will cause someone to pause and say it doesn’t feel right. We advise people to trust the email but verify it, particularly if it appears to be an unusual amount of money – either too much or way too little.
WardsAuto: What is ransomware?
Parmelee: Ransomware is a malware that infects a computer system. The victim would open an email attachment or visit a compromised website that would have the malware in it and it infects their network. It propagates through the network and encrypts the files and/or the system to make them unreadable. The criminal offers the dealership a decryption key in exchange for money, often through bitcoin, a virtual currency.
WardsAuto: Can ransomware come from clicking on a link from a legitimate source by simply surfing the web?
Parmelee: Yes to both. Surfing dodgy websites is never a good practice, especially on an employer’s network. Bad actors send out spam, hoping someone clicks on it.
Your system is infected. You get the “splash screen” that says you’ve been locked out and you have to pay this amount of money in exchange for the decryption key to get your files back. Dealers have two choices: pay the ransom or restore their network from backups.
The FBI does not advocate paying the ransom. We encourage people to have a comprehensive and thorough cyber response plan, first and foremost to have good, current backups to your network that should be done regularly and be kept “air-gapped” from your main network – literally not connected so they cannot be compromised by the malwares. Obviously, if your backups are infected you’re just re-creating the problem.
WardsAuto: How can you keep yourself or an employee from stumbling into ransomware in the first place?
Parmelee: Have a good, current antivirus installed on your network, your firewalls can be tuned to have mitigation techniques in between the Internet and your network.
Your No.1 mitigation strategy is to have your employees trained to recognize suspicious websites and activity via email and to practice good, solid cyber hygiene in their daily routines.
(Dealership customers) sometimes bring in files on some sort of media, like a thumb drive, and they want to plug that into the dealership’s computer so they can pull it up and show the salesperson what they want. I would highly encourage not just blindly plugging it in the system. Run an antivirus against it to ensure the files are not infected. Bottom line, employee education is critical.
WardsAuto: Talk about the risks posed by the Internet of Things.
Parmelee: Internet-connected devices are increasingly used to enhance efficiency and convenience. However, their connection to the Internet increases their ability to be targeted by malicious cyber actors.
These devices are particularly hard to protect as there is a significant difficulty in patching vulnerabilities in these devices, as well as a lack of consumer security awareness, providing cyber actors with opportunities to exploit these devices. Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information or interfere with physical safety.
WardsAuto: Should dealership employees use their own devices at work?
Parmelee: That has the potential to open up problems. Again, I circle back to educating employees to practice good cyber hygiene. Teach them to understand what they’re doing can disastrously affect their dealership’s network.
WardsAuto: What other steps can dealers take to protect their networks?
Parmelee: I would highly encourage all dealerships to conduct regular penetration tests with their network. This test is an attempt to discover vulnerabilities in a network prior to a bad actor getting in through those vulnerabilities and stealing data, infecting the network, holding it for ransom or just destroying it for the sake of destroying it.
Dealers can do the tests with their in-house IT staff or they can hire a third party. I would also encourage them to have a relationship with their local FBI field office, something as simple as a phone call just to introduce themselves and maybe have a quick handshake to have a name and a face they can contact if needed.
They can also review the Department of Homeland Security and Federal Trade Commission websites to educate themselves and employees on mitigation techniques to use in-house.
There’s a ton or resources on those sites to help dealerships help themselves.