Cyberattacks have increased at an alarming rate. According to the FBI’s Internet Crime Complaint Center, victims of email business fraud lost $5.3 billion from 2013 to 2016[1]. Between January 2015 and December 2016, identified losses increased 2,370 percent. Professional fraudsters use methods like phishing and ransomware to prey on employees, access sensitive data and ultimately tap into your accounts.
Auto dealerships — with large transaction amounts, expensive inventory and a network of third-party vendors — are a prime target for these types of attack. To protect company assets, it’s important to understand the cyber threat landscape and install protective measures. While it may seem like security is only an issue for the IT department, cybersecurity demands an overall review of the business strategy that requires cooperation from senior and junior staff members.
Here are some steps to protect your dealership from fraud:
Recognize a possible attack – A majority of cyberattacks occur through fake emails. According to Dark Reading[2], 91 percent of ransomware attempts come through “phishing” emails directed at employees who are unprepared. For an auto dealership, these emails could come from a multitude of places, such as a hacker pretending to be a senior executive in need of a wire transfer. An employee, aiming to please the boss, may wire the money to the hacker’s account without confirming the legitimacy of the ask. Train employees to recognize the three most common types of email hacks:
- Fake email coming from a company executive or colleague
- Fake invoice from a supplier whose email address has been spoofed
- Fake email from an attorney requesting funds or information about a deal
Employees should also be wary of links and PDFs; clicking on one of these items could install software that freezes the entire company’s software systems. Be extra wary first thing in the morning or at the end of the week, when hackers will try to catch you off your game.
Form partnerships – Unfortunately, training isn’t enough to keep up with the ever-changing type of attacks. Dealership owners should work with partners such as financial institutions, consulting them for the best education practices and other opportunities to keep abreast of emerging threats. Dealerships should also contact their local branch of the FBI for a security company recommendation to conduct an audit of their computer systems.
Establish financial controls – In order to eliminate fraudulent transfers, install an approval process that requires two approvals to initiate and approve financial transactions, create user accounts and change entitlements. You should also limit access to payment systems to only those functions that each employee needs and remove system access and entitlements promptly when an employee leaves the company. Lastly, verify any large transactions with a second communication, such as a phone call, in addition to an email message.
Maintain a vendor approval process – Auto dealers work with a variety of vendors, creating new avenues for attacks on the business. Hackers could either attack the vendor itself or look to pose as one to gain access to your dealership. It’s important to institute procedures to check and verify vendor information, to keep that information up to date and to limit the ways vendors can access your company’s data. Ways to mitigate this risk include:
- Establishing a written procedure for adding a vendor to the system.
- Creating a vendor profile form that verifies the vendor company’s proof of existence by checking product catalogs, federal tax returns, sales tax certificates, recently audited annual reports, city or county business licenses, or 1099 or W-9 tax forms.
- Asking for a W-9 form from each vendor in advance of any payment being issued.
- Verifying any requested changes to vendor names, contacts, addresses or payment information via a separate communications channel — make a phone call, send a letter or have a colleague create a new email message from a different computer to validate any changes.
- Asking the sender for confirmation in the form of old payment instructions and accounts or by printing the new payment instructions on company letterhead.
These steps, among others, will help protect your dealership from cyberattack. While proper cybersecurity isn’t an overnight fix, establishing a fraud prevention strategy as soon as possible could prevent major losses in the future.
About the Author
By Derek Comestro, Dealer Financial Services Market Executive, Bank of America Merrill Lynch
“Bank of America Merrill Lynch” is the marketing name for the global banking and global markets businesses of Bank of America Corporation. Lending, derivatives, and other commercial banking activities are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., Member FDIC. Securities, strategic advisory, and other investment banking activities are performed globally by investment banking affiliates of Bank of America Corporation (“Investment Banking Affiliates”), including, in the United States, Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp., both of which are registered broker-dealers and Members of SIPC, and, in other jurisdictions, by locally registered entities. Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp. are registered as futures commission merchants with the CFTC and are members of the NFA. Investment products offered by Investment Banking Affiliates: Are Not FDIC Insured • May Lose Value • Are Not Bank Guaranteed.
[1] Business E-Mail Account Compromise: The 5 Billion Dollar Scam, May 2017
[2] Dark Reading: 91% Of Cyberattacks Start With A Phishing Email, December 2016