Erik Nachbahr, CISSP

Company: Helion Automotive Technologies

Erik Nachbahr, CISSP Blog
Total Posts: 94    

Jan 1, 2020

Accounting Personnel, Don’t Fall for this W-2 Scam

Tax season is nearly here, so it’s time to be on the alert for cyberattacks that target accounting office personnel. The IRS recently issued a warning that specifically mentions W-2 scams.

The last few years have seen a significant rise in this type of phishing scam that begins with an innocent-looking email. A cybercriminal poses as a company executive and emails someone in the accounting office with an urgent request to send them W-2 forms.

W-2 forms contain the sensitive and personal information of your employees, including name, address, social security numbers, income and withholding. Cybercriminals then use this information to commit identity theft and/or to file a tax return claiming a fraudulent refund.

If successful, the result of this scam is that your employees won’t get their tax refunds and they’ll have to enroll in an identity theft monitoring service. You can imagine how this would create some very unhappy employees.

Far worse than that, a successful W-2 scam means that your dealership has officially experienced a data breach. Costs related to remediation of a data breach can run into millions of dollars, depending on how many employees you have. Depending on your state’s consumer privacy laws, a data breach might also leave you open to potential lawsuits.

If you work in an accounting office or if you have authorization to access accounting information, be wary if you receive any emails asking for W-2 forms or any other type of form that contains sensitive information.

These “spoof” emails look like they come from the dealer principal, general manager or another senior executive. The first email might be just a simple, “Hey, are you in today?” However, ultimately you will receive a request for a list of employees and their W-2 statements.

Examples of how these requests are worded include “Kindly send me the individual 2019 W-2 (PDFs) and earnings summary of all our company staff for a quick review.” Or, “I’m analyzing some reports and need a copy of all our W-2s for last year.”

If you receive a request like this from anyone in your organization, principal included, don’t automatically comply with the request. Take the following steps to ensure the request is a valid one.

Step 1: First, don’t click on any links in the email or download any attachments. You might be installing a virus or malware.

Step 2: Don’t reply to the email that was sent to you. Instead, create a new email and double check the email address of the contact who you believe sent the request to you. Write them an email that says you are verifying their request for W-2 forms that contain sensitive customer data.

Step 3: In addition, I would call or text the same person to verify the request, just in case the perpetrator has successfully hacked into that person’s email account.

Trust me, it’s far better to be overly cautious here than to be the direct cause of a data breach.

To prevent this type of scam from happening in your dealership, there are a few policies that I would recommend. These include:

  • Limit the number of people in your dealership who can access or process W-2 forms, as well as other documents that contain sensitive data
  • Consider a policy that doesn’t allow anyone—even principals or senior executives—to request forms that include sensitive information via email
  • Enroll employees in security awareness training, which helps them to identify phishing emails
  • Create a validation process that enables employees to verify the legitimacy of a request that contains sensitive information, or a cash transfer request
  • If you receive a W-2 scam email, forward the email to phishing@irs.gov and put “W2 Scam” in the subject line

If you value your private data and your tax refund, please share this important information with the accounting office personnel in your dealership.

Erik Nachbahr, CISSP

Helion Automotive Technologies

President

Dec 12, 2019

Federal Consumer Data Privacy Act in the Works

Do you think that compliance with the proposed FTC Safeguards Rule, the California Consumer Privacy Act (CCPA) or New York’s SHIELD Act puts an onerous burden on dealers? To put it mildly, you ain’t seen nothin’ yet.

Congress recently introduced The Online Privacy Act, new legislation that establishes a “privacy bill of rights” for consumers and is similar in language to Europe’s General Data Protection Regulation (GDPR).

The motivation behind the new bill is that data-collection and data-sharing industries make billions annually from selling Americans’ personal information and that privacy for online consumers is nearly non-existent.

The new law targets tech companies in particular, but applies to every business that collects, stores and sells consumers’ personal and identifiable information (PII). This includes auto dealerships.

If passed, The Online Privacy Act would be even tougher than California’s CCPA, which goes into effect in January 2020.

In a nutshell, The Online Privacy Act would:

Create user rights

The bill grants every American the right to access, correct or delete their data. It also creates a right of impermanence, which lets customers decide how long companies can keep their data.

Establish a Digital Privacy Agency (DPA)

Currently the Federal Trade Commission broadly regulates privacy, but only employs a few dozen people who are dedicated to enforcing violations. The Online Privacy Act establishes a new federal agency of 1,600 officials who would be empowered to issue new regulations and enforce the new privacy law. As written, the DPA would be about the same size as the Federal Communications Commission (FCC).

Define how companies may use, and not use, customer data

If this legislation is passed, auto dealerships will be required to be transparent about what they do with customers’ data. Auto dealers could not disclose, share or sell user data without receiving explicit consent from customers. The bill minimizes the amount of data companies collect, process and maintain, and bars companies from using data in discriminatory ways.

Additionally, The Online Privacy Act forbids the use of private communications, like email, to target customers with ads.

If your dealership experiences a data breach that exposes your customers’ personal data, you would have 72 hours to alert both your customers and the DPA.

Strengthen enforcement

If your dealership violates any of the rules laid out in the Online Privacy Act, or any of the new regulations created by the DPA, you could be fined as much as $42,530 per incident. It would also allow state attorneys general to bring civil actions and consumers to bring civil suits against your dealership for lack of compliance.

Whether The Online Privacy Act passes into law remains to be seen. Currently there is some debate over details like whether the bill should pre-empt states’ laws or whether individuals should be allowed to sue companies for violations.

However, the legislation has bipartisan support, and both Democrats and Trump have stated they want a consumer data privacy law.

1 Comment

Greg Wells

AllCall Multi-Channel BDC

Dec 12, 2019  

Eric,

This is a serious topic. Thanks for sharing. Hopefully the NADA and OEM's will educate all the dealers. This is way off the radar for many dealerships.

Nov 11, 2019

Not Ready for the CCPA? Take These Steps Before January.

By now California dealers are aware of the California Consumer Privacy Act (CCPA), which takes effect in January, 2020. This law requires businesses to take “reasonable measures” to secure consumers' personal and identifiable information (PII), such as names, addresses, social security numbers, credit card numbers, credit scores and bank account numbers.

The California Attorney General defines “reasonable measures” as compliance with 20 controls established by the Center for Internet Security (CIS). The amount of work required to get a typical dealership compliant is more than 1,200 hours and approximately six months, so if your dealership hasn’t started you’re unlikely to be compliant by the January deadline.

However, there are steps you can take to demonstrate that you’re working towards compliance, if you should need to do so for legal reasons. The first step is to order a GAP analysis.

GAP Analysis/Risk Assessment

A GAP analysis from a qualified vendor will determine the current state of your IT infrastructure, and where it falls short of CCPA requirements.

This process involves security experts who will inventory and assess all of your dealership’s hardware, software and network equipment to find areas of vulnerability.

Upon completion of this step, you’ll receive a remediation plan that identifies the gaps between where your dealership’s IT is now compared with the CIS Controls’ best practices. The remediation plan is basically a list of recommendations that include new hardware, software, policies, procedures and processes.

Depending on the current state of your IT, it’s always possible that no new hardware, policies or procedures are needed. However, in most cases some updates will be necessary.

Since the CCPA wasn’t just written for dealerships, remediation steps won’t be required for all 20 CIS Controls. For example, CIS Control 18 relates to software development best practices, which don’t apply to most dealerships. As for the other controls, it’s important to know there’s some leeway in the interpretation of the CCPA’s “reasonable measures.” What’s reasonable for an auto dealership might not be reasonable for another type of business, and vice versa. This is why it’s important to hire security experts with knowledge of both the CCPA requirements and of the car business.

Once your GAP Analysis and remediation plan are complete, it’s time to start working on the controls. If you’re starting late, a reasonable goal is to complete the first five CIS controls:

Step 1: Inventory and Control of Hardware Assets

This control requires businesses to inventory, track and manage all hardware devices that connect to your network so that only authorized devices are given access.

Step 2: Inventory and Control of Software Assets

This control requires businesses to inventory, track and manage all software on the network so that only authorized software is installed. Additionally, you’re required to maintain an up-to-date list of all authorized software that includes the name, version and install date. Also, install and use a whitelisting tool to ensure that only authorized software can execute.

Step 3: Continuous Vulnerability Management

Information technology (IT) isn’t static. The CCPA requires that all businesses continuously acquire, assess and take action on new information in order to identify vulnerabilities and minimize opportunities for cybercriminals.

Step 4: Controlled Use of Administrative Privileges

To prevent hackers from gaining access to your system, the CCPA requires the use of tools designed to ensure that only authorized individuals have privileges. Additionally, multi-factor authentication and encrypted channels for all administrative account access are required.

Step 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

The default configurations on new hardware devices and software are geared towards ease of deployment, not for security. But many businesses never change these configurations, making it easy for cybercriminals to gain access to your system.

The CCPA requires businesses to develop secure configuration settings using configuration management tools. Once configured, these settings need to be continually monitored to prevent security decay as new vulnerabilities are reported.

These five controls are only a fraction of what needs to be done to protect your customer data, but the good news is they can be accomplished relatively quickly so that you can demonstrate your dealership is making the effort to become compliant.

Oct 10, 2019

Who are Cybercriminals?

Remember the movie “WarGames”? A teenager hacked into a computer and unwittingly almost started a nuclear war. In the late 60s, a famous phone phreak dubbed “Captain Crunch” figured out a way to make long-distance phone calls for free using a toy whistle from a box of Cap’n Crunch cereal.

These examples established an early perception of “hackers” as lone wolves: teenagers in basements, social misfits out for revenge or bored college kids pulling pranks. Their intent was relatively harmless, and they eventually got caught and had to pay consequences.

Unfortunately, this perception still exists today and is one reason why many businesses don’t take the threat of cyberattacks seriously.

To understand how serious the threat of a cyberattack is, you need to understand who’s behind the threat and what their motivations are.

Cybercrime is the world’s fastest growing criminal industry. By 2021, cybercrime will cost the world $6 trillion annually. This is the greatest wealth transfer in history, far more profitable than the entire global trade of illegal drugs.

The motivation for most cybercriminals is money, pure and simple. Cybercrimes are designed to steal money and data that can be sold for money. Once stolen, consumers’ personal and identifiable information (PII) is typically sold on the dark web, purchased by other criminals with plans to exploit that information.

Most “hackers” today are employees of large multi-national crime organizations, some of which are state-sponsored. Around the world, smart and tech-savvy people are being lured by the promise of huge salaries. Entry-level cybercriminals make about $40,000 per year (which is an excellent salary in many countries). But the real payoff comes with experience, with seasoned cybercriminals raking in $1 million to $2 million per year.

These cybercrime organizations and their employees find safe haven in countries that don’t have extradition agreements with the U.S. China and Russia are the two biggest offenders, followed by Iran and North Korea. However, cybercriminals reside in many countries, including the U.K., Germany, Australia, Japan, South Korea, Ukraine, Israel, France and even the U.S.

U.S. Companies Targeted

Who do these cybercriminals like to attack? Companies in the U.S. are the most targeted, followed by companies in China, India and Europe.

Most of the newsworthy attacks we hear about happen to large organizations, such as government agencies, or healthcare, retail, tech and financial institutions.

But that doesn’t mean that auto dealers aren’t at risk. In fact, 43% of cyberattacks target small businesses with fewer than 250 employees. In particular, companies with antiquated information technology (IT) infrastructures are easy to exploit, and Windows is the most targeted platform.

Does this profile sound familiar to you?

In most dealerships I have seen, the IT networks are outdated, with some running the same setup and technology they had five years ago. Many dealers have not made significant upgrades in 10 years. They also entrust the management of IT to people who aren’t qualified—in fact, only a third of dealerships employ a network engineer with computer security certifications and training.

Additionally, I have seen many dealerships still running the Windows 7 operating system on computers that are 4 or 5 years old. As of January 2020, Windows 7 will no longer be supported with updates by Microsoft. If you’re still running Windows 7 in January, your dealership will be highly vulnerable to a cyberattack.

It’s nearly 100% certain that cybercrime syndicates already have a plan in place to exploit organizations that haven’t yet upgraded to Windows 10 when January rolls around. Thousands if not hundreds of thousands of cybercriminals around the world are waiting for this opportunity.

Unfortunately, the problem of cybercrime is only going to get worse and it may never get better. This could be the new normal. Thousands of extremely smart people spend every minute of every day dreaming up new ways to steal your money.

The malware threat is now migrating from PCs and laptops to smartphones and mobile devices. Experts worry that in the near future, cybercrime could take an even darker turn. Got a pacemaker? It could feasibly be switched off by a cybercriminal in another country, unless you send bitcoins.

Connected cars also make us vulnerable to what could be an entirely new form of terrorist attack: causing random cars to crash.

But why worry about things you can’t control? There’s plenty that you can control, starting with taking the threat of a cyberattack seriously, and creating a plan to prevent it.

Sep 9, 2019

The Importance of a Centrally Managed Update System [VIDEO]

In this video blog, Erik Nachbahr explains how software updates can wreak havoc on a dealership's operation and why having a centrally managed update system is vital to avoid that disruption. 

Sep 9, 2019

How to Build a Human Firewall

Cyberattacks are on the rise. In the first six months of 2019, the number of data breaches has increased by 54% compared to the same period last year. As of July, more than 4.1 billion customer records have been exposed in approximately 3,800 publicly disclosed data breaches. If your dealership hasn’t already been targeted, chances are it will be. What can you do to prevent such attacks?

I’ve written previously about how a layered defense is the best approach. This includes:

Policies, procedures and awareness

Physical security: locks on server rooms

Perimeter security: networks

Host security: computers and servers

Application security

Data security

Cyber liability insurance

Human Firewall

In this blog, I’d like to talk about the last line of defense—the Human Firewall. Its importance cannot be overstated. Your dealership can have an impenetrable technology defense, but your employees are the weak link and cybercriminals know it.

Most attacks these days don’t even target computer systems; they target employees. In fact, 91% of successful cyberattacks start with a phishing email. Of the 100+ billion spam emails sent out by cybercriminals every day, it’s estimated that one in 200 make it through spam filters and into email inboxes. That’s approximately 11,500,000 spam emails per day.

To ensure that your employees don’t click on these emails, or fall for other scams, you need to build a human firewall. Here are tips to include in your cybersecurity policy.

Provide Security Awareness Training

In states that have passed consumer privacy laws (such as California, New York and Ohio), this is now a legal requirement. Businesses subject to these laws must provide training to their employees.

In a security awareness training program, baseline testing is first used to assess the percentage of employees in your company that click on phishing links. Then, those employees are enrolled into an online training program. Once enrolled, employees are educated with videos, interactive games and training modules. Monthly phishing tests and benchmark reports allow you to gauge progress.

The training teaches employees how to spot suspicious emails, as well as best practices such as not downloading attachments or clicking links in emails, even if sent from a known source, without first verifying the email is legitimate.

The good news is, security awareness training programs are inexpensive and deliver a high ROI. Prior to security awareness training, in an average business 27% of employees open phishing emails. After 90 days of training, the risk drops to 13% and after one year of training, the risk drops to 2%.

Require Password Changes

Employees should create secure passwords for the applications they use and change them every 90 days. Never use the same password for more than one application, and never share or give login ID or password information to anyone. A password manager can help.

Prohibit Visiting Personal Websites at Work

Your corporate security policy should not allow employees to visit social media sites, online shopping or gaming sites at work. This isn’t about forcing employees to be more productive or spying on them; it's about your network security and financial health. Many phishing scams include links to fake websites, and many social media posts will lead unsuspecting individuals to similar sites. Viruses and malware are often disguised in ‘free’ applications or products for download.

Don’t Allow Personal Devices

If your employees are using their personal laptops and/or cellphones at work, that’s trouble waiting to happen. Unprotected mobile apps and web applications are highly vulnerable to cyberattacks. When plugged into your network, these devices can easily spread viruses and malware.

Require Verbal Verification for All Wire Transfers

It’s OK to email wiring instructions, but every wire transfer should require verbal verification over the phone before the money is sent. It’s a common practice now for cybercriminals to pose as a dealer principal, GM, Controller, salesperson or other managers, and send emails to accounting staff with instructions to wire money into an account. I know of several dealerships that have lost a lot of money this way and once the money is wired, there is no way to get it back. In every scenario we’ve seen, a conversation would have immediately thwarted the attack.

Your employees are the last line of defense protecting your dealership from the increasing threat of cyberattacks. To keep your data, bank accounts and reputation safe, build a human firewall with employee training and new cybersecurity policies.

Aug 8, 2019

How Turnover Can Cost You Sales [VIDEO]

In this video blog, Erik Nachbahr shares how employee turnover, if not handled correctly on the IT side, can cost a dealer sales.

Aug 8, 2019

Consumer Data Privacy Laws are Spreading Nationwide

Is your dealership located in one of these 20 states? If so, pay attention.

The California Consumer Privacy Act (CCPA) may be the first comprehensive data privacy law in the U.S., but it certainly isn’t the last. Since its passage, 19 additional states have introduced and/or passed similar laws, or have amended their current breach notification laws to either expand the definitions of personal information, or to include new reporting requirements.

The purpose of these new privacy laws is to require businesses—which include the majority of auto and heavy truck dealerships—to provide consumers with control over their personal information, including the right to know what data is collected, whether that data is sold and/or shared, the option to opt out of those sales or sharing, and the right to access and/or delete their data.

Some of these new laws aim to expand consumer rights through private right of action, which means that consumers have the right to sue if your business fails to adhere to the standards set forth in these new laws.

As of July 2019, here is a roundup of states with brief summaries of their legislation:

  1. California. The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020. This law was intended to restrict the way personal information is used, stored and shared. Dealerships will be required to notify consumers about their data collection practices and allow consumers to opt out of having their data shared with third parties. The CCPA allows consumers to bring a private right of action (a.k.a. lawsuit) against a dealership if they are a victim of an unauthorized breach of non-encrypted personal information.
  2. Colorado. The Colorado Consumer Protection Act (CCPA) was passed in the spring of 2019. This law makes it easier for the attorney general’s office to pursue deceptive practices. Prosecutors no longer have to prove that a business acted maliciously towards consumers, or that bad practices caused significant harm or impact, before action is taken. The law also increases the maximum penalty a business can be ordered to pay from $2,000 to $20,000.
  3. Hawaii. SB418 is modeled after the CCPA, but has an even broader reach since it does not define a business. The proposed law does not have a private right of action or specify any penalties, and the Office of Consumer Protection is tasked with enforcing the law.
  4. Illinois. SB 1624 requires businesses to notify the Attorney General of breaches involving at least 500 Illinois residents.
  5. Louisiana. Recent changes to the Database Security Breach Notification Law expand the definition of personal information and require notice of a security breach to all affected Louisiana residents within 60 days. Additionally, all businesses must maintain “reasonable security procedures and practices” to protect personal information. When consumer data is no longer retained for business use, reasonable steps must be taken to destroy it.
  6. Maine. Passed in June 2019, An Act to Protect the Privacy of Online Customer Information currently only applies to broadband Internet service providers (ISPs).
  7. Maryland. The Online Consumer Protection Act is modeled after the CCPA but with more expansive consumer rights to opt out of the sharing of any personal information to third parties. However, during the 2019 General Assembly session this bill was postponed indefinitely.
  8. Massachusetts. An Act Relative to Consumer Data Privacy has even stricter standards than the CCPA. Similar to Maryland’s bill, it expands consumers’ rights to opt out of the sharing of information with third parties, and completely prohibits the sharing of information of minors under the age of 18. It also allows a private right of action for any violation of the law. This bill takes effect January 1, 2023.
  9. Mississippi. The Mississippi Consumer Privacy Act was almost a replica of the CCPA, but the bill died in committee in February, 2019.
  10. Nebraska. LB757 requires all businesses that collect Nebraska residents’ personal information to implement and maintain reasonable security procedures and practices, including safeguards for the disposal of personal information.
  11. Nevada. SB 220 is modeled on the CCPA with only a few deviations, but applies only to owners of Internet websites and online commercial providers. The law does not allow private right of action.
  12. New Jersey. A-4902 is similar to CCPA, but focuses more on the disclosure of personally identifiable information (PII) to third parties. Currently the bill applies only to owners and operators of commercial Internet websites and online services.
  13. New Mexico. The Consumer Information Privacy Act is modeled after the CCPA but has a broader scope due to shorter and more general definitions of the terms “business,” “consumer” and “minor.” However, this bill has been postponed indefinitely.
  14. New York. SB-S224 is even broader than CCPA in that the CCPA only allows private right of action for failing to take reasonable measures to secure data. The New York bill expands private right of action to additional violations such as the failure to act on a customer’s request to delete information. This means dealerships could potentially be faced with hundreds of lawsuits from consumers. The law is expected to pass in 2019.
  15. North Dakota. House Bill 1485 is not as strict as the CCPA, but it does prohibit the disclosure of personal information to third parties without written consent from a consumer. However, this bill has been replaced with a legislative management study with findings expected to be reported in 2021.
  16. Ohio. The Data Protection Act differs from the CCPA in that it provides protection against lawsuits for businesses, even in the event of a security breach, as long as the business can provide proof that it took “reasonable measures” to protect consumer data.
  17. Oregon. The Consumer Information Protection Act requires businesses and vendors of businesses to notify all “covered entities,” as well as the Attorney General, within 10 days of discovering a security breach, if the breach involves more than 250 consumers or if the number of individuals affected is unknown.
  18. Rhode Island. The Consumer Privacy Protection Act is modeled after the CCPA, but as of April 2019 the bill is being held for further study.
  19. Texas. Effective January 1, 2020, the Texas Identity Theft Enforcement and Protection Act will require businesses to send breach notifications to affected individuals no later than 60 days after identifying the breach, as well as to the Attorney General, provided that the breach impacts at least 250 Texas residents.
  20. Washington. The Washington Privacy Act is modeled after both the CCPA and the European GDPR, but does not give consumers a private right of action. The bill failed to pass in April but it’s currently in the state senate, where it has a chance to be amended.

In the next few years, expect this list of states to grow longer, along with new legislation that expands the scope of these bills. Don’t assume dead bills will never be resurrected.

It’s also important to note that there’s growing support for federal data privacy legislation. Proponents argue that the current system, with each state having its own data privacy laws, is too confusing. Several bills have been introduced to Congress by lawmakers, but so far none have passed. It’s uncertain whether federal legislation will supersede state laws.

Jun 6, 2019

Resolving Vendor Finger Pointing [VIDEO]

In this video blog, Helion Founder & President Erik Nachbahr shares how dealers can resolve circumstances in which they have vendors blaming other vendors for IT issues. 

Jun 6, 2019

Windows 7 End of Life is Coming

Is your dealership still using the Windows 7 operating system? As of January 2020, Microsoft is discontinuing all support for Windows 7, which means they will no longer be releasing security updates. If you haven't upgraded to Windows 10 by January 14, 2020, your dealership will be highly vulnerable to attacks from cybercriminals.

This event is similar to when Microsoft retired Windows XP in 2014. Within just a few months, cybercriminals developed dangerous exploits such as malware and viruses that specifically targeted businesses running Windows XP.

Unfortunately, upgrading to Windows 10 isn't as simple as installing new software. In most dealerships that I've seen, the computers running Windows 7 are almost as old as Windows 7 itself. In order to upgrade to Windows 10, you'll also have to upgrade your PCs. Older PCs simply do not have the processing speed necessary to run Windows 10, let alone all your other software applications.

When you start upgrading your PCs, a domino effect starts. Because Windows 10 requires more bandwidth, and your new PCs will be sending and receiving larger data packets, it's very likely you'll also have to upgrade your network switches, WiFi routers and possibly servers.

Many dealerships have small IT teams or even a single IT employee. Sometimes that person is a friend or family member of someone who works in the dealership. If this describes your situation, an upgrade of this magnitude could prove to be a nightmare and major disruption to your business. You might want to consider outsourcing or hiring a temporary IT team to help you with this task.

Another reason to upgrade to Windows 10 sooner rather than later is the new consumer privacy and data security laws that take effect in 2020. If your dealership resides in a state that has recently passed one of these laws, continuing to use Windows 7 means that you'll be in violation of these new laws.

If your dealership resides in California, Washington, Alabama, Louisiana, Colorado, Nebraska, Ohio or Massachusetts, make sure you're aware of state requirements. If your state is not among those listed, you're not off the hook. Keep checking, because more state legislatures will pass similar laws soon.

To ensure your dealership is safe from cyberattacks, act quickly. As of January 2020, cybercriminals worldwide will be actively targeting businesses still running Windows 7.
