In this video blog, Erik Nachbahr shares why it is important to protect your dealership from phishing attacks.

Recently I talked to a dealer whose internal information technology (IT) person had quit suddenly after receiving another job offer. The dealer scrambled to find someone else. He hired a small, local IT firm that soon went out of business. Once again, the dealer scrambled to find a solution.

The amount of effort and worry this dealer endured over the course of a year with regards to IT was a huge distraction to his core business. Not only that, but the level of risk his network was exposed to during this time was high. If the dealership had been hacked or suffered some type of outage, their ability to operate as a business would have been seriously impacted.

Does this story sound familiar to you? As a dealer you sell and service vehicles, but your entire business relies on the health of your information technology (IT) infrastructure. Whether you realize it or not, you're a technology company every bit as much as you're an auto dealership.

You probably have a strategy in place for how to sell and service more cars. Do you have an IT strategy to ensure your infrastructure can support those business objectives?

The number of connected devices in your dealership, and the amount of data moving through your network, requires professional grade equipment, large amounts of bandwidth and constant monitoring. Additionally, cybersecurity is a serious issue that requires multiple levels of defense in order to ensure the safety of your customer data and bank account information.

Placing all of this responsibility on the shoulders of a single "IT guy," whether an employee or independent contractor, is dodging bullets.

In technology, the term "resiliency" means having a back-up plan. Examples of resiliency include having two Internet connections with two different carriers, in case one goes down. If one network switch fails, data is routed through another network switch. If your power goes out, you have a generator. Having a resilient IT infrastructure allows you to continue operating in the event of an unforeseen disruption. In short, you're prepared for anything.

This includes having a back-up plan for the person or business that's currently managing your IT.

Unfortunately, many dealers don't have either an IT strategy or resiliency. As a result, they're not leveraging the cloud for email and backups, not keeping systems up to date, not ready for connected cars and they're overpaying for certain technology solutions. Outdated equipment is an all-too-common problem that reduces the productivity of employees, and so are networks that aren't secure against the threat of cyberattacks.

Your business is too important to trust that a single person can take care of all your IT needs. These days, it's critical to take a proactive role in managing the technology side of your business and making sure that you always have a back-up plan.

Erik Nachbahr explains why employees could be endangering dealerships through improper use of computer software.

Do you believe your dealership is safe from phishing attacks? Here are two actual incidents that occurred at dealerships as a result of successful phishing attacks.

One day a salesperson at a Ford dealership received an email. The subject line read: RE: 2015 Ford Focus. The email appeared to be from a customer who was replying to an email that was originally sent from the dealership.

The email read something like this: “Please consider these changes and let me know what you think. If you are agreeable to my suggestions, I am willing to continue with this purchase.”

The email included a link to Dropbox.

Thinking this was a hot lead, the salesperson clicked on the link and was taken to a website that looked like Dropbox. The site prompted him to sign in using his email provider. The salesperson selected Outlook and entered his email address and password. He was unable to sign in, so he emailed the “customer” back to let him know.

As soon as the salesperson emailed the “customer,” the phishers were notified that they had “hooked” someone. Phish on! They immediately retrieved the salesperson’s email credentials and logged into the dealership’s Microsoft hosted exchange server.

In an incredibly unfortunate coincidence, the salesperson was in the process of doing a dealership exchange with a very expensive car from another dealership. Within the last two hours, the dealer that owned the vehicle had emailed wire instructions to the salesperson, which the salesperson had forwarded to the controller.

The phishers immediately hijacked the salesperson's email account and created another email to the controller pretending to be the salesperson. In the email, the salesperson said the bank information he had previously sent was wrong, and asked the controller to please send the wire transfer to a different account number.

The controller obliged and proceeded to wire $251,000 to the new bank account. The money immediately disappeared. The entire incident took under two hours.

If you fall victim to wire fraud due to a phishing attack, that money is gone forever.

In another dealership, a successful phishing attack was launched from Facebook. One day the F&I Manager was browsing Facebook and clicked on a post that downloaded a file onto his computer.

What he didn't realize was that the file installed Keylogger, a type of malware that tracks keystrokes, onto his computer.

Later that day the F&I Manager logged into the dealership's credit bureau, allowing the cyber criminals monitoring him to capture his login credentials. Later that night the criminals pulled credit reports on over 200 customers. Fortunately, the credit bureau identified the suspicious activity and stopped the credit pulls.

The aftermath was painful. An FBI investigation ensued and the dealership was forced to hire security experts to conduct a security audit. In the end the dealership paid out over $150,000 in remediation. That's one expensive Facebook session!

Could This Happen to You?

We all like to think these types of incidents could never happen to us; but the fact is they can and do happen to dealerships all the time.

Phishing attacks are responsible for 91 percent of all security breaches. Phishing is the act of sending emails to individuals with the goal of getting those individuals to either click on a link that takes them to a malicious website, or to download an attachment.

The attacks are designed to steal login credentials so the cyber criminals can gain access to your network, or to install various types of malware, including Ransomware, onto computers or servers.

Remember the old email scams that promised untold riches from Nigerian princes, if only you sent them your name, social security number and bank account number? Today's phishing scams are much more sophisticated. 

These emails often go undetected by firewalls and anti-virus software because the 'reply to' addresses are very similar to the actual email addresses used by employees in your organization or by other companies you do business with.

For example, let's say your email address is JDoe@johndoedealership.com. Cyber criminals will register the domain address johndoedealershiip.com, then create and send emails from the address JDoe@johndoedealershiip.com. At first glance the two addresses look the same, and most employees don't pay close attention to the 'reply to' address.

The most effective way to stop these attacks is to enroll your employees in a security awareness training program. These programs teach employees about the various phishing scams used and how to spot suspicious emails. Security awareness training is inexpensive and proven to reduce the risk of successful phishing attacks from 27 percent to just two percent.

In today's growing cyber economy, it's not a matter of if, but when your dealership will experience a phishing attack. Auto dealers are prime targets for phishers, so take the necessary preventive steps today.

Helion Founder & President Erik Nachbahr shares why a dealership's IT infrastructure is critical to its business in this video blog.

Phishing is the practice of sending targeted emails designed to lure employees into a number of actions, such as entering login credentials, credit card information or downloading documents infected with malware.

Phishing emails appear to come from familiar entities such as a bank, healthcare provider or delivery company. Sometimes they contain threatening messages such as "Urgent! Immediate response required."

Spear phishing is a more targeted form of phishing, where the senders have researched your dealership or you as an individual. Fake invoices that appear to come from a familiar supplier are a common phishing lure. When the attached document is downloaded, your network becomes infected with malware or a virus.

One common type of malware tracks the victims' keystrokes, giving cybercriminals access to login credentials and account numbers, which they can then use to hijack bank accounts and initiate wire transfers.

Whaling goes one step further. In dealerships, principals, GMs and accounting office employees are typically targeted in these sophisticated scams. Phishers may troll their targets for months, using social media and other sources to gather personal history and information, which is then used to craft emails that appear to come from a trusted source or colleague.

The scary thing about phishing is that because these emails are sent directly to employees in your dealership, they can bypass your security firewall and evade your anti-virus software. This leaves your employees as your last line of defense against phishing attacks.

If your employees don't know how to identify phishing emails, your dealership is vulnerable to an attack that could result in serious consequences. In simulated phishing attacks that we've conducted, three to seven percent of dealership employees have given up their credentials when prompted.

The prevalence of phishing attacks is rising. An April 2018 report by Osterman Research found that many companies have been compromised by phishing attacks.

• 28% reported a phishing attack successfully infected systems with malware
• 25% reported that sensitive/confidential info was leaked through email
• 23% reported that user's account credentials were stolen
• 17% reported a phishing email successfully tricked senior executives

Don’t Get Hooked

As devastating as phishing attacks can be, it’s relatively easy to prevent them if you know what to look for. If you're an employee working at a dealership, follow these five simple tips to keep your dealership's data, bank accounts and reputation secure.

Rule #1: Don’t click on links sent to you in emails

Any link in any email is inherently dangerous. If a customer, vendor, supplier—or anyone, for that matter—sends you a link do not click on it unless you were explicitly expecting it and it's from a known source.

If the link is to a website, do not use the link to navigate to that website. Open up your browser and manually navigate to the website by typing its name into the URL bar.

If you do use a link to navigate to a website, look at the URL bar. The URL will tell you if you're on a legitimate website or not. If you see a random URL with a bunch of strange characters in it, close your browser window and navigate to the website manually.

Another thing you might want to consider is switching from Chrome browser to Microsoft Edge. MS Edge is a new browser that was built for Windows 10 and was designed with significant security improvements, such as blocking websites that it detects are phishing sites.

Rule #2:  Check before downloading attachments

Every time you receive an invoice or other document from someone you know, double check the “reply to” email address before downloading the attachment. Phishers will set up email accounts that closely mimic familiar email addresses. So instead of John@xyzsupplier.com the reply email might be John@xxzsupplier.com.

Rule #3: Don’t give away your credentials

The only time you should enter your email address, password, account information or credit card number online is if you navigate directly to a website and login.

NEVER email or message your information to someone. Never enter information on a website that you’ve linked to through an email. Also, never give your information out to someone that calls you. Some phishers will call their victims posting as a representative from Microsoft, a vendor or a bank. If someone asks for personal information over the phone, ask their name and politely tell them you'll call them back. Then call that company's phone number directly.

Rule #4: Require verbal verification for all wire transfers

You can email wiring instructions, but every wire transfer should require verbal verification over the phone before the money is sent. I know of several dealerships that have lost money this way and once the money is wired, there is no way to get it back. In every scenario we’ve seen, a conversation would have immediately thwarted the attack.

Rule #5: Enroll in security awareness training

Employee security awareness training programs send simulated phishing attacks to your employees. If an employee clicks on the link, they are immediately enrolled into an online training program that uses videos, games and other training materials to educate the employee. Over the course of a year, continued security awareness training has been proven to reduce the risk of phishing attacks from 27 percent to two percent. 

Awareness if the first step to prevention. Share these tips with your employees to keep your dealership safe.

New Solution builds a "Human Firewall" that Reduces Risk of Phishing Attacks from 27% to 2%

Timonium, MD –­ January 7, 2019 –­ Helion Automotive Technologies is offering a new security awareness training program for auto dealership employees. The solution is designed to build a "human firewall" that reduces the risk of data breaches from phishing and other social engineering attacks. Cyber-crime is a persistent and growing threat to dealerships, and 91% of successful data breaches start with a phishing attack.

The training program also helps dealers comply with the Federal Trade Commission (FTC) Safeguards Rule to protect consumer personal information. Auto dealerships that provide financing to customers are subject to the rule and are required to provide employees with security awareness training.

"A dealership can have a secure firewall and anti-virus software, but even the best technology can't protect them from sophisticated phishing schemes where humans are the weak link," said Erik Nachbahr, president of Helion Technologies. "Once an employee clicks on an email link and surrenders information, it's easy for cyber criminals to accomplish their objectives."

The consequences of phishing attacks are devastating. Many incidences of dealership employees transferring tens of thousands of dollars to bank accounts have been documented, only to have the money disappear forever. In one case a dealership lost $251,000 in a single transaction.

An additional consequence of a data breach includes harm to a dealership's reputation. Nearly 84% of consumers claimed they would not buy another car from a dealership if their data had been compromised, according to a study by Total Dealer Compliance. Dealers also face the threat of legal and civil lawsuits when their customers' personal data is compromised.

"Dealers are vulnerable to attacks because they tend to have a lot of cash in their bank accounts and conduct a large number of electronic financial transactions. That's very attractive to cyber criminals," said Nachbahr.

Most dealers employ IT staff or use outside IT services that lack awareness when it comes to cyber-crime. Only 30% of dealers employ a network engineer with computer security certifications and training, and 70% of dealers aren't up to date on their anti-virus software, according to Total Dealer Compliance.

"In dealerships IT staff are generally reactive; they respond to employee complaints and keep the network running," said Nachbahr. "They don't have the resources or expertise to proactively seek solutions to cyber-attacks that haven't happened yet."

Phishing attacks rely on email to bait and lure employees into downloading viruses, upload secure information or give out login credentials to dealership systems. Cyber criminals often troll a company for months to learn names, titles and emails of target employees.

To combat the growing threat and consequences of phishing attacks, Helion has partnered with KnowBe4 to bring the world's most popular security awareness training and simulated phishing platform to auto dealers. More than 18,000 organizations worldwide currently use the system, which over time substantially reduces the risk of successful phishing attacks.

Prior to security awareness training, in an average business 27% of employees open phishing emails. After 90 days of training, the risk drops to 13% and after one year of training, the risk drops to 2%.

"Employees are your last line of defense," said Nachbahr. "It's a dealer's responsibility to train them but most dealers aren't aware of the scope of the threat, let alone how to counter it. We searched for a solution to this problem and we're thrilled to offer this training program that will safeguard dealerships' money, customer data and reputations."

Helion's security awareness training program includes:

• Baseline testing using a simulated phishing attack to assess the percentage of employees that click on a phishing link
• Employees that don't pass the baseline test are enrolled in an online training program
• Employees are educated with a library of videos, online games and training modules; gamification makes learning fun and interactive
• Monthly phishing security tests for every employee on the system
• Phish Alert Button provides employees with a safe and easy way to report malicious emails
• Industry Benchmarking allows managers to compare their phish-prone percentage against other dealerships, and track improvements over time
• Advanced Reports allow managers to see which employees need further testing

The cost of the training program is just $15 per employee, per year. Helion has customized the KnowBe4 training system to simulate phishing emails that auto dealerships typically receive; and manages all onboarding, setup, integration, ongoing maintenance and support.

The new service is available February 1st, 2019. To learn more or to enroll in the security awareness training program, stop by booth # 6453W at the NADA Convention and Expo or call Helion Technologies at 443-541-1500. Schedule an appointment at NADA using this link: http://bit.ly/NADA6453W

About Helion Automotive Technologies

Helion Automotive Technologies is the automotive industry's leading managed services provider (MSP), providing auto dealers with faster, more efficient networks and secure data protection. Helion offers IT solutions for every dealership's needs, so that dealers can focus on what matters most: selling more cars. Helion has specialized in IT for over 20 years and works with 700+ auto dealers nationwide. Dealers can request a free assessment of their IT needs at www.heliontechnologies.com.

How confident are you that your dealership can withstand a cyber attack? In my experience, most dealers underestimate the threat of attack and overestimate their ability to withstand an attack.

When looking at your internal information technology (IT) strategy, it's important to understand where cyber attacks originate.

First, identify what in your dealership is valuable to cyber criminals. Assuming money is a primary motivator, they want to accomplish one of the following:

• Obtain routing and bank account numbers
• Access your customer data; social security numbers, credit scores and credit card numbers.
• Hold your data hostage and make you pay ransom to gain access to it

To successfully thwart these objectives, your dealership needs to have three lines of defense in place.

Perimeter

This is the first and most obvious line of defense that most people think of when it comes to security. The perimeter consists of technology solutions designed to keep your data safe.

Ensure that you have an up-to-date firewall, spam filter (aka spam firewall) and an intrusion prevention system. Additionally, make sure your routers are enterprise-grade, as they have better security features.

Desktop

This is where we see a lot of dealerships are making themselves vulnerable. Employees' computers need to be locked down at the desktop level.

Ironically, the way to accomplish this is not at the desktop. You need to have a centralized administrative set-up, so that employees are not allowed to install or de-install their own software. Anti-virus software should also be centrally managed and not installed on individual desktops.

Additionally, install web-filtering software that monitors employee activity and prevents them from accessing dangerous websites. Many cyber attacks occur because employees click on an email link that leads them to malicious websites.

Switching from desktop-based applications to cloud-based applications is also highly recommended. The huge Equifax breach that exposed millions of customer records occurred because of a simple failure to install a software update, also known as a patch. If you're using cloud-based applications such as Office 365, security patches are automatically updated.

Employees

The final and perhaps most importance line of defense is your employees. Over ninety percent of successful data breaches start with phishing attacks, which use emails to lure employees into clicking on something they shouldn't.

Make sure you provide your employees with security awareness training, which is required under the FTC Safeguards Rule. Also put policies and procedures in place designed to increase security, such as:

• Require employees to change passwords every 90 days
• Verbally confirm all wire transfers
• Patch all desktop-based applications weekly, if not daily
• Keep logging records
• Get an IT security audit once a year
• Obtain cyber liability insurance
• Create a cyber incident response plan and response team

The threat of cyber attacks is growing and should not be underestimated. Do you have three lines of defense in place? If not, your dealership is vulnerable.

Microsoft has released Office 2019, the newest version of its desktop suite of applications that most dealership employees use on a daily basis; including Word, Excel, PowerPoint and Outlook for email. Prior versions of Office that your dealership might still be using are Office 2016, Office 2013 and Office 2010. Please don't tell me you're still using Office 2007.

If you're thinking about upgrading to Office 2019, I encourage you to look at another option. If you haven't already, now is the time to migrate to Office 365 Business, which offers cloud-based versions of all the same Office applications, plus additional features.

Considering what you get, Office 365 is actually less expensive than the single license version of Office 2019. The price for Office 365 Business Premium is $12.50 per user per month, which is just $150 per year. The cost for a single license of Office 2019 is $250 and yes, it can feasibly be used for more than one year. But Microsoft also announced that Office 2019 is a one-time release and won't receive any future feature updates.

That means Office 2019 will become outdated pretty quickly. Plus, Office 2019 doesn't offer any of the cool cloud-connected features that Office 365 offers, such as workflow, productivity and collaboration tools.

The fact is, Microsoft is really pushing to get everyone onto the cloud-based version, so the benefits of doing so far outweigh any reasons not to migrate. At this point I can't think of a reason not to switch, unless you work in a cave with no Internet access.

Let's take a look at some of the advantages of switching to Office 365.

Eliminate Licensing and Hardware Headaches

Depending on how many employees you have, on-premise licensing fees can get expensive. In addition to licenses for Office applications, dealerships pay licensing fees for Exchange Servers and Exchange User Client Access Licenses. That doesn't include the cost of hardware and the cost of having to hire someone to maintain all the equipment.

Additionally, someone at the dealership has to be responsible for handling security patches and other software updates on a regular basis.

Perhaps the biggest issue that Office 365 helps you avoid is the usage of unlicensed copies. This happens when someone in a dealership installs Office on six or ten or even dozens of computers, instead of limiting installations to the three or five licenses that come with the package.

Unfortunately, this practice is fairly common. It's also illegal and very costly, if you're caught. In recent years, the Business Software Alliance (BSA) has really cracked down on small and mid-sized businesses, and offers whistle-blowers (usually disgruntled employees) cash rewards for reporting businesses that use unlicensed software.

One dealership I know of got caught using unlicensed copies of Microsoft Office on over 300 computers, and had to pay a fine of $1.5 million. Another dealer purchased a small dealership only to be hit with $50,000 in fines because the new store had unlicensed software installed on its computers.

Paying a small monthly per user license for Office 365 eliminates this risk and makes for easier budgeting.

Greater Team Collaboration and Productivity

Office 365 offers features designed for team collaboration, improving workflow and increasing productivity. With Office 365 everyone has a clear view of task assignments, workloads and timetables so that all team members are in the loop on a project's status.

Additionally, Office 365 has integrated Yammer, an enterprise-level social platform that allows team members to communicate from any location. Office 365 also has Skype for Business, allowing team members to call quick virtual meetings, as opposed to formal in-person meetings, which tend to be lengthy and inhibit productivity.

Increased Mobility and Flexibility

Office 2019 is installed one time on a single PC or Mac. Office 365 allows a single user to sign in from multiple devices, including mobile devices such as smartphones and tablets. This allows team members to easily check email, edit documents and securely access shared information at anytime from anywhere.

Improved Security

Chances that your dealership will experience a cyber attack are growing every year. Applying software updates, also known as patching, is one of the most important security measures you can take to protect your dealership. Yet in my experience, 95% of dealerships aren't doing this on a regular basis.

Perhaps the greatest advantage of Office 365 is that cloud-based applications are instantly updated with every new software and security update.

With Office 2019, employees and even IT staff can ignore software update notifications for days, if not weeks, leaving your network vulnerable to cyber attacks.

If you're a desktop die-hard and prefer to have Office applications on your computers, whether or not you upgrade to Office 2019 depends on the version you're using now. Microsoft is ending support for Office 2010 in October 2020. If you're using Office 2016, be aware that although the standalone version will still function after October 2020, you won't be able to access any additional Office 365 services such as Exchange Online, Sharepoint Online or OneDrive for Business.

If your dealership hasn't already migrated to Office 365, you might want to try it. Start small, with one department. Ensure that every employee gets the necessary training and support to make the transition successful.

Auto dealerships are independent businesses, with careful financial management separating success from failure and limited internal teams delivering results. As with many small companies, it's common for information technology to be a secondary priority rather than its own department. Third-party IT services can step into such situations and provide assistance - the consequences of not having these professionals on hand could be severe.

In today's IT-centric business world, digital threats are everywhere and the advantages of timely tech maintenance and upgrades are many. Therefore, dealerships without full IT departments should consider the benefits of calling upon outside help, before their undermanned tech operations become a liability.

Dedicated IT professionals must tend to serious needs

Dealership IT needs dedicated team members due to the increasing role innovative tech is playing in the modern workplace. From ensuring competitive performance to defending against pressing threats, IT professionals fulfill many important functions today. The following are just a few of the tasks your dealership will need addressed to stay current and effective:

Meet expectations and cut inefficiencies:

Simple business improvement may be the most important IT use case, as the Harvard Business Review recently explained. Independent companies suffer from frighteningly high closure rates, and any edge that can improve customer service and internal productivity is worth taking. From updating analytics systems to improving point-of-sale terminals on the dealership floor, well-maintained IT can boost employee and consumer experiences.

Defend against cyberthreats:

Independent businesses, dealerships included, are targets of opportunity for cybercriminals. If you don't have dedicated IT personnel on your side, your systems may be especially vulnerable to intrusions, data theft and the negative repercussions that follow. According to the latest Verizon Data Breach Investigation Report, small companies made up 58 percent of cyberattack victims in the past year. Fields without security personnel on staff or on call may find themselves under attack by opportunistic data thieves.

Create stable and resilient data reserves:

Intentional breaches aren't the only threat to data, and contracting IT professionals can help dealerships' information reserves in multiple ways. Receipt Bank's Nelson Da Silva suggested to eWeek that companies should ensure their data is safe from loss in a disaster. From a natural event that wipes out servers to human error or a ransomware attack, there are plenty of issues that can damage poorly maintained tech resources - and the data within.

IT is the backbone of modern business.

Help specifically for dealerships

Looking for a third-party IT team to oversee your systems and services doesn't have to be a difficult or costly process. By working with a provider specifically catering to the auto industry, you ensure the experts are familiar with your needs, challenges and potential. Rather than dealing with continued risk and potential inefficiency, you can seek assistance from these teams.

Without the intervention of trained IT personnel from third-party sources, you may find yourself either devoting too much employee time and effort to keeping tech systems running or simply going without needed expertise. Neither option is particularly promising for your dealership, showing the value that comes with a team of experts. Having someone monitoring your systems at all times is a modern advantage for an auto dealer.