Phishing for Awareness: Why cybersecurity matters for auto dealerships

Nearly 84 percent of consumers said they would not buy another car from a dealership after their data had been compromised … is your dealership protected?

Cybersecurity is becoming an increasing concern for automotive dealers – and here’s why:

Auto dealerships have moved into the cyber realm and become an easy target for phishers (those who attempt to acquire sensitive information by masquerading as a trustworthy entity via electronic communication). Last March, the FBI-DoT-NHTSA issued a joint Public Service Announcement (PSA) indicating the importance that “[auto] consumers and manufacturers maintain awareness of potential cybersecurity threats”.

The Anti-Phishing Working Group (APWG) observed more phishing attacks in the first quarter of 2016 than in any other three-month span since it began tracking in 2004. In fact, the number of phishing websites detected by the APWG increased by 250 percent between October 2015 and March 2016. For auto dealerships, the consequences of such attacks lead not only to financial loss, but also loss of customer confidence and trust.

How does a dealership become a target?

Phishing involves deceitful emails sent by criminals to acquire useful information to be used in malicious ways for financial gain. It works because human beings are so comfortable with sharing information online. The social media phenomenon has made our personal information available globally, and it is information we have volunteered ourselves. This data can be searched, combined and analyzed from anywhere in the world without our knowledge.

To better understand what makes a specific dealership an attractive target, we first must define what information is available within the varying levels of the internet.

1. Surface Web. This is the portion of the World Wide Web that is readily available to the general public and can be discovered by standard search engines. When using a search engine (e.g., Google, Bing) you are only searching within the index that company has compiled, not the entire internet. Using creative search techniques, phishers can compile data from these indexes that may make your specific dealership of interest to them. Examples of information found in the Surface Web include:

  • Company organization chart
  • Technologies used or purchased
  • Charity affiliation
  • Document metadata, such as file sizes, date of document creation, author, etc.
  • IT infrastructure assets
  • Website owner information

2. The Deep Web. This refers to parts of the World Wide Web whose contents are not indexed by standard search engines (e.g., technology forums and user groups, Airbnb, genealogy sites, electoral registers, telephone directories, reunion sites). Examples of information found in the Deep Web include:

  • Sensitive documents and photos
  • Vendor profiles
  • Reputation analysis
  • Disgruntled employees
  • Rogue websites
  • Policy violations

3. The Dark Web. This is classified as any World Wide Web content that requires specific software, configurations or authorization to access. This includes underground and criminal sites and databases. Examples of information found on the Dark Web include:

  • Credentials for sale
  • Deleted websites and posts
  • Fraud detection
  • Cloned websites
  • Risky employees
  • Stolen credit cards

Why are dealerships attractive targets?

Dealerships are attractive targets for phishers because they collect, process, and store customer bank account and routing numbers, credit card numbers, addresses, and social security numbers, among other sensitive information. If this information is not on systems directly accessible to the dealership’s accounting and F&I departments, dealership employees need login credentials to access credit bureau, banking and other loan sites (i.e., vendors). These credentials can be intercepted or stolen from the vendor’s infrastructure and sold on criminal websites and databases (i.e., the Dark Web).

Furthermore, phishers are targeting dealerships because they are able to steal both financial data and personally identifiable information (PII) from them. For example, auto dealerships are taking advantage of more sophisticated customer relationship management (CRM) tools and analytics in an effort to better serve their customers. In using CRM programs to anticipate customer needs, dealerships are merging their customers’ online and offline history in central repositories. These repositories are “double trouble” because both the valuable PII and the financial data in them can be found by phishers.

Phishers are looking for easy – and new – targets. Banks are subject to government regulations and scrutiny regarding their security measures, making them much tougher targets. Similarly, information stolen from larger retailers during recent well-publicized hacks has already been sold on the Dark Web, making them much less profitable targets. To obtain fresh financial data and PII, phishers are now looking to dealerships, which hold the same data as banks and large retailers but whose systems are generally less secure.

Take the necessary steps to remain compliant and safe

Dealerships are subject to the Gramm-Leach-Bliley Act (GLBA) and its Safeguards Rule. Although these requirements have been around for quite some time, the Safeguards Rule requires dealerships to periodically re-evaluate their information security policies and procedures, including physical, administrative and technical safeguards. How can you help prepare your dealership?

  • Conduct an annual open source intelligence gathering (OSINT) review: This review uses the same processes and tools criminals are using to understand what data is being broadcast on the internet by employees, service providers, and executives that could make your dealership a target.
  • Train your employees: Work with an outside firm to execute a simulated phishing campaign, so that your employees learn to recognize these strategies in a simulation before the real attack happens.
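The document metadata listed under the Surface Web, and the annual self-review recommended above, can be checked concretely. The following Python is added here as an illustration and is not part of the original article: it opens the core-properties part that Office files (.docx/.xlsx/.pptx) carry inside their zip container and reports the author, last-editor and date fields a dealership would want stripped before a brochure or price sheet is posted online. The sample document it inspects is constructed inline, and the choice of fields treated as sensitive is my assumption.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used in the docProps/core.xml part of a .docx/.xlsx/.pptx
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Core properties that name a person, a workstation or a date (assumed set); title is left alone
SENSITIVE = {"dc:creator", "cp:lastModifiedBy", "dcterms:created",
             "dcterms:modified", "dc:description", "cp:keywords"}

def exposed_metadata(data: bytes) -> dict:
    """Return the non-empty sensitive core properties found in the document."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return found  # no core-properties part, nothing to report
        root = ET.fromstring(zf.read("docProps/core.xml"))
        for child in root:
            # ElementTree tags look like '{uri}local'; map back to prefix:local
            uri, _, local = child.tag[1:].partition("}")
            prefix = next((p for p, u in NS.items() if u == uri), None)
            name = f"{prefix}:{local}" if prefix else child.tag
            if name in SENSITIVE and (child.text or "").strip():
                found[name] = child.text.strip()
    return found

def build_sample_docx(creator: str, modified_by: str, created: str) -> bytes:
    """Constructed sample: a minimal zip holding only the core-properties part."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:title>Service Specials</dc:title>"
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>"
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx("jane.doe", "FI-WS03", "2016-03-01T09:00:00Z")
    print(exposed_metadata(sample))  # fields to strip before publishing
```

Run it against the files already linked from the dealership website to see what a stranger can read off them; an empty result means the document publishes nothing beyond its visible content.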

Accomplishing an annual open source intelligence gathering and training employees to recognize phishing campaigns is an exercise in due care and is in support of the Safeguards Rule.

For more information on this topic, or to learn how Baker Tilly cybersecurity specialists can help, contact our team.