Auto dealerships have moved into the cyber realm and become an easy target for phishers (those who attempt to acquire sensitive information by masquerading as a trustworthy entity via electronic communication). Last March, the FBI-DoT-NHTSA issued a joint Public Service Announcement (PSA) indicating the importance that “[auto] consumers and manufacturers maintain awareness of potential cybersecurity threats”.
The Anti-Phishing Working Group (APWG) observed more phishing attacks in the first quarter of 2016 than in any other three-month span since it began tracking in 2004. In fact, the number of phishing websites detected by the APWG increased by 250 percent between October 2015 and March 2016. For auto dealerships, the consequences of such attacks lead not only to financial loss, but also loss of customer confidence and trust.
Phishing involves deceitful emails sent by criminals to acquire useful information to be used in malicious ways for financial gain. It works because human beings are so comfortable with sharing information online. The social media phenomenon has made our personal information, information we have volunteered, available globally. This data can be searched, combined and analyzed from anywhere in the world without our knowledge.
To better understand what makes a specific dealership an attractive target, we must first define what information is available within the varying levels of the internet.
1. Surface Web. This is the portion of the World Wide Web that is readily available to the general public and can be discovered by standard search engines. When using search engines (e.g., Google, Bing) you are only searching within databases that have been compiled by that company, not the entire internet. Using creative techniques, phishers can compile data from these databases that may make your specific dealership of interest to them. Examples of information found in the Surface Web include:
2. The Deep Web. This refers to parts of the World Wide Web whose contents are not indexed by standard search engines (e.g., technology forums and user groups, Airbnb, genealogy sites, electoral registers, telephone directories, reunion sites). Examples of information found in the Deep Web include:
3. The Dark Web. This is classified as any World Wide Web content that requires specific software, configurations or authorization to access. This includes underground and criminal sites and databases. Examples of information found on the Dark Web include:
Dealerships are attractive targets for phishers because they collect, process, and store customer bank account and routing numbers, credit card numbers, addresses, and social security numbers, among other sensitive information. If this information is not on systems directly accessible to the dealership’s accounting and F&I departments, dealership employees need login credentials to access credit bureau, banking and other loan sites (i.e., vendors). These credentials can be intercepted or stolen from the vendor’s infrastructure and sold on criminal websites and databases (i.e., the Dark Web).
Furthermore, phishers are targeting dealerships because they are able to steal both financial and personally identifiable information (PII) from them. For example, auto dealerships are taking advantage of more sophisticated customer relationship management (CRM) tools and analytics in an effort to better serve their customers. In using CRM programs to anticipate customer needs, dealerships are merging their customers’ online and offline history in central repositories. These repositories are “double trouble,” as both the valuable PII and the financial data in them can be found by phishers.
Phishers are looking for easy, and new, targets. Banks are subject to government regulations and scrutiny regarding their security measures, making them much tougher targets. Similarly, information stolen from larger retailers during recent well-publicized hacks has already been sold on the Dark Web, making them much less profitable targets. To obtain new financial data and PII, phishers are now looking to dealerships, which hold the same data as banks and large retailers but whose systems are generally less secure.
Dealerships are subject to the Gramm-Leach-Bliley Act (GLBA) and its Safeguards Rule. Although the rule has been in place for quite some time, it still requires dealerships to periodically re-evaluate their information security policies and procedures, including physical, administrative and technical safeguards. How can you help prepare your dealership?
Conducting an annual open source intelligence gathering exercise and training employees to recognize phishing campaigns are exercises in due care that support compliance with the Safeguards Rule.
For more information on this topic, or to learn how Baker Tilly cybersecurity specialists can help, contact our team.