The next time a salesperson says cold calls don't work, ask them if they understand how Twitter was hacked. It didn't start with some complex code: it was cold calls.
A 17-year-old from Florida was able to talk their way into enough access to take over the Twitter accounts of Barack Obama and Elon Musk. Your BDC should be able to unload that Caravan.
But that's not why dealers should care about the Twitter attack. Without proper and recurring training, any business can fall victim to a social engineering attack like the one that hit Twitter (technically referred to as a "phone spear phishing attack").
For the hacker, it's as simple as picking an existing vendor and providing the A/P clerk with some misdirection.
Here is an example of a phone spear-phishing attack we used in a penetration test of one dealership's cyber defense:
1 - Using the public-facing code on the dealer's website, we identified [REDACTED] as the vendor the dealer was using for service scheduling.
2 - Acting as the A/R team from [REDACTED], we placed a call to the Service Manager to let them know they could save money by switching to a new electronic payment system.
3 - After giving us a hard time for not letting them know sooner, the Service Manager happily routed our call to A/P.
4 - Once on the phone with A/P, it's a simple pitch: "We've been trying to contact you. What's your email? Sending you a link now. Simply fill out your payment info, and you'll see 5% off your next invoice."
For this test, we didn't start with A/P as the first contact. Beginning with the Service Manager and having them transfer the call increases the chance that Accounting will view the request as legitimate. As far as the A/P Clerk is concerned, the Service Manager wouldn't transfer a call they didn't know was legitimate.
This simple penetration test helps us answer several questions, from "Is the team trained to ask the right questions to help spot fraud?" to "Does the store have minimum network protections to stop users from accessing malicious links?"
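The two questions above translate into a concrete check that an A/P clerk (or a help-desk ticketing system) can apply before touching any vendor payment details. The script below is an added illustration, not dlrSec's tooling or anything from the test described here: it compares a payment-change request against a vendor master record, treats the link's domain and the caller-ID as untrusted, does not accept an internal transfer as verification, and only lets the request proceed after A/P has hung up and called the vendor back on the number already on file. Every vendor name, domain and phone number in it is constructed sample data.

```python
"""Vendor payment-change request triage (added example, not dlrSec's code).

All vendor records and requests below are constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class VendorRecord:
    name: str
    domains: frozenset      # domains the vendor is contractually known to use
    callback_phone: str     # number from the signed contract, never from the caller


@dataclass(frozen=True)
class ChangeRequest:
    vendor_name: str
    caller_phone: str               # caller-ID as displayed (spoofable, untrusted)
    link_url: str                   # link the caller wants A/P to open
    transferred_internally: bool    # routed from another department (e.g. Service)
    callback_verified: bool = False # A/P called the number on file and confirmed


def host_matches(host: str, domains: frozenset) -> bool:
    """True only if host IS a registered vendor domain or a subdomain of one.
    A lookalike such as 'vendor-payments.example' does not match 'vendor.example'."""
    host = host.lower().rstrip(".")
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in domains)


def triage(req: ChangeRequest, vendors: dict) -> tuple:
    """Return ('hold' | 'proceed', [red flags]).

    Proceed requires BOTH an https link on a registered vendor domain AND a
    completed callback to the number on file. Caller-ID and internal transfers
    are recorded as flags only; neither one ever counts as verification.
    """
    vendor = vendors.get(req.vendor_name)
    if vendor is None:
        return "hold", ["vendor not in master record"]

    parsed = urlparse(req.link_url)
    host = parsed.hostname or ""
    link_ok = parsed.scheme == "https" and host_matches(host, vendor.domains)

    flags = []
    if parsed.scheme != "https":
        flags.append("link is not https")
    if not host_matches(host, vendor.domains):
        flags.append(f"link host {host!r} is not a registered domain for {vendor.name}")
    if req.caller_phone != vendor.callback_phone:
        flags.append("caller-ID differs from the number on file")
    if req.transferred_internally:
        flags.append("arrived via internal transfer; the transferring department did not verify the caller")
    if not req.callback_verified:
        flags.append(f"not yet confirmed by calling {vendor.name} back on {vendor.callback_phone}")

    decision = "proceed" if (link_ok and req.callback_verified) else "hold"
    return decision, flags


# Constructed vendor master record (hypothetical vendor and numbers).
VENDORS = {
    "SchedulerCo": VendorRecord("SchedulerCo", frozenset({"schedulerco.example"}), "555-0100"),
}

# The call from the story: transferred by Service, lookalike domain, no callback yet.
PHISHING_CALL = ChangeRequest(
    vendor_name="SchedulerCo",
    caller_phone="555-0199",
    link_url="https://schedulerco-payments.example/update",
    transferred_internally=True,
)

# A legitimate change: registered domain, and A/P has completed the callback.
VERIFIED_REQUEST = ChangeRequest(
    vendor_name="SchedulerCo",
    caller_phone="555-0100",
    link_url="https://billing.schedulerco.example/pay",
    transferred_internally=False,
    callback_verified=True,
)


if __name__ == "__main__":
    for label, req in (("phishing call", PHISHING_CALL), ("verified request", VERIFIED_REQUEST)):
        decision, flags = triage(req, VENDORS)
        print(f"{label}: {decision}")
        for f in flags:
            print("  -", f)
```

The design point is in `triage`: the Service Manager's transfer and a matching caller-ID both show up only as notes, because in the test above the transfer is exactly what made the request look legitimate. The one control that actually breaks the attack is the callback to the contract number, so that is the one gate the clerk cannot skip.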
Social-engineering-based attacks work because they are simple, and we all want to believe the best in people. The only way to protect your business from attacks like the one that befell Twitter is constant training and testing.
For more information about how penetration testing can help you find holes in your cyber defense, contact dlrSec today: email@example.com.