In the last 12 months, 43% of Small to Mid-Size Businesses (SMBs) experienced a successful phishing attack, according to a July 2016 report titled IT Security at Small to Mid-Size Businesses (SMBs): 2016 Benchmark Survey. Was your dealership one of them? You may believe it won't ever happen to you, but chances are very good that one of your employees will become phish bait in the next year, and if they do, your dealership could lose thousands of dollars.
Phishing attacks arrive as emails that appear to come from a legitimate entity or person, such as a bank or online payment processor. The message contains a link that takes the victim to a fraudulent website where the user is prompted to enter login information. The cybercriminals then use those credentials to access the dealership's real accounts.
In one dealership I know of, an accounting employee received an email that he thought was from the bank. He clicked on the link and logged into a website that looked exactly like the bank's website. Shortly after, the phishers initiated a $450,000 wire transfer from the dealership's real bank. Fortunately, the bank flagged the activity as suspicious and stopped the transfer from happening.
Spear phishing takes the scam one step further and targets specific individuals within organizations. In auto dealerships, this may be the controller or someone in the accounting office. The employee receives an email that appears to be from a dealer principal or general manager, with a request and instructions on how to wire money to an account.
This happened in another dealership I know of. An employee in the accounting department received an email from someone who he thought was the dealer asking him to initiate a $30,000 wire transfer. The employee exchanged several emails with the person posing as the dealer before complying with the request. The employee never suspected a thing. It was only discovered later that the email was a scam and unfortunately, there was no way to retrieve the funds.
Whaling is spear phishing taken to yet another level, targeting high-level executives within an organization. These attacks are very sophisticated. Phishers research their victims thoroughly, using social media and other sources to gather details about personal history, interests and activities. They also collect the names, job titles and email addresses of colleagues, and that information is then used to craft a personal and believable email.
Phishing emails may also appear to come from your email provider, social networks or delivery companies like FedEx. These emails contain links that bring you to fake login pages that capture your email address and password. Cybercriminals bank on the fact that many people use the same email address and password for more than one account.
Even dealerships with state-of-the-art firewall and security software are vulnerable to phishing. It's difficult to prevent what appears to be a legitimate email from getting through the defenses.
Don't Get Hooked by Phishers!
To prevent your dealership's employees from becoming phish bait, education and training are key. Following these recommendations will help:
1) Require verbal verification for all wire transfer requests.
2) Never click on links in emails, or reply to emails that request personal information. Phishers often use terms like "urgent action required," "your account will be closed," or "your account has been compromised" to get people to react. If you receive an email like this, don't click on the link in the email. Instead, open up your web browser and manually navigate to what you know is the legitimate website. If you're concerned, call the company and ask to speak to a representative.
3) Change passwords. Don't use the same password for more than one online account. Change all your passwords every 90 days. Never share or give login information to anyone.
4) Keep your social media profiles private and don't accept friend or connection requests from people you don't know.
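Recommendation 2 rests on the fact that the text you see in an email link and the place the link actually goes are two different things. The following Python script, added here as an illustration and not part of the original article, shows how an IT person at a dealership could check an email body for that kind of mismatch before anyone clicks. It parses the links out of the HTML, flags any link whose visible text names one domain while the underlying address points at another, flags links that go to a bare IP address, and flags hosts that are not on a short list of sites the dealership actually does business with. The sample email body, the known-good list (example-bank.com) and the reason codes are all constructed for this example; the registered-domain logic is a deliberate simplification that only keeps the last two labels of a hostname.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message): one lookalike link,
# one legitimate link and one link whose host is a bare IP address.
SAMPLE_EMAIL_HTML = """
<p>Urgent action required: your account will be closed.</p>
<p>Please visit <a href="http://secure-login.example-bank.com.evil-host.test/verify">www.example-bank.com</a> to verify your details.</p>
<p>Questions? See <a href="https://www.example-bank.com/help">our help page</a>.</p>
<p>Track your package at <a href="http://198.51.100.7/track">FedEx tracking</a>.</p>
"""

# Hypothetical allowlist: the sites the dealership actually uses. In practice
# this would hold the real bank, payroll and DMS vendor domains.
KNOWN_GOOD = {"example-bank.com"}

# Visible link text that itself looks like a URL or domain name.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (simplification: ignores co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_address(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text, known_good):
    """Return reason codes explaining why one link deserves a second look."""
    reasons = []
    host = urlparse(href).hostname or ""
    if not host:
        return reasons  # relative links and mailto: are out of scope here
    if is_ip_address(host):
        reasons.append("ip-address-host")
    elif registered_domain(host) not in known_good:
        reasons.append("unlisted-host")
    # The visible text names a domain that differs from where the link goes.
    m = DOMAIN_LIKE.match(text)
    if m and registered_domain(m.group(1)) != registered_domain(host):
        reasons.append("lookalike-text")
    return reasons


def suspicious_links(html, known_good=KNOWN_GOOD):
    """Parse an HTML email body and return the links worth questioning."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = check_link(href, text, known_good)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}: {', '.join(reasons)}")
```

Run against the constructed sample, the script reports the lookalike "www.example-bank.com" link (its real host is under evil-host.test) and the IP-address link, and stays silent on the genuine example-bank.com help page. A check like this is no substitute for the manual habit the recommendation describes, but it makes the mismatch visible to the person reviewing a suspicious message.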
The good news is that it just takes some basic awareness and caution to avoid getting hooked. Once you know what to look for, it's easy to stop phishers in their tracks.