Phishing is the practice of sending targeted emails designed to lure employees into a number of actions, such as entering login credentials, credit card information or downloading documents infected with malware.
Phishing emails appear to come from familiar entities such as a bank, healthcare provider or delivery company. Sometimes they contain threatening messages such as "Urgent! Immediate response required."
Spear phishing is a more targeted form of phishing, where the senders have researched your dealership or you as an individual. Fake invoices that appear to come from a familiar supplier are a common phishing lure. When the attached document is downloaded, your network becomes infected with malware or a virus.
One common type of malware tracks the victims' keystrokes, giving cybercriminals access to login credentials and account numbers, which they can then use to hijack bank accounts and initiate wire transfers.
Whaling goes one step further. In dealerships, principals, GMs and accounting office employees are typically targeted in these sophisticated scams. Phishers may troll their targets for months, using social media and other sources to gather personal history and information, which is then used to craft emails that appear to come from a trusted source or colleague.
The scary thing about phishing is that because these emails are sent directly to employees in your dealership, they can bypass your security firewall and evade your anti-virus software. This leaves your employees as your last line of defense against phishing attacks.
If your employees don't know how to identify phishing emails, your dealership is vulnerable to an attack that could result in serious consequences. In simulated phishing attacks that we've conducted, three to seven percent of dealership employees have given up their credentials when prompted.
The prevalence of phishing attacks is rising. An April 2018 report by Osterman Research found that many companies have been compromised by phishing attacks.
Don’t Get Hooked
As devastating as phishing attacks can be, it’s relatively easy to prevent them if you know what to look for. If you're an employee working at a dealership, follow these five simple tips to keep your dealership's data, bank accounts and reputation secure.
Rule #1: Don’t click on links sent to you in emails
Any link in any email is inherently dangerous. If a customer, vendor, supplier—or anyone, for that matter—sends you a link do not click on it unless you were explicitly expecting it and it's from a known source.
If the link is to a website, do not use the link to navigate to that website. Open up your browser and manually navigate to the website by typing its name into the URL bar.
If you do use a link to navigate to a website, look at the URL bar. The URL will tell you if you're on a legitimate website or not. If you see a random URL with a bunch of strange characters in it, close your browser window and navigate to the website manually.
Another thing you might want to consider is switching from Chrome browser to Microsoft Edge. MS Edge is a new browser that was built for Windows 10 and was designed with significant security improvements, such as blocking websites that it detects are phishing sites.
Rule #2: Check before downloading attachments
Every time you receive an invoice or other document from someone you know, double check the “reply to” email address before downloading the attachment. Phishers will set up email accounts that closely mimic familiar email addresses. So instead of John@xyzsupplier.com the reply email might be John@xxzsupplier.com.
Rule #3: Don’t give away your credentials
The only time you should enter your email address, password, account information or credit card number online is if you navigate directly to a website and login.
NEVER email or message your information to someone. Never enter information on a website that you’ve linked to through an email. Also, never give your information out to someone that calls you. Some phishers will call their victims posting as a representative from Microsoft, a vendor or a bank. If someone asks for personal information over the phone, ask their name and politely tell them you'll call them back. Then call that company's phone number directly.
Rule #4: Require verbal verification for all wire transfers
You can email wiring instructions, but every wire transfer should require verbal verification over the phone before the money is sent. I know of several dealerships that have lost money this way and once the money is wired, there is no way to get it back. In every scenario we’ve seen, a conversation would have immediately thwarted the attack.
Rule #5: Enroll in security awareness training
Employee security awareness training programs send simulated phishing attacks to your employees. If an employee clicks on the link, they are immediately enrolled into an online training program that uses videos, games and other training materials to educate the employee. Over the course of a year, continued security awareness training has been proven to reduce the risk of phishing attacks from 27 percent to two percent.
Awareness if the first step to prevention. Share these tips with your employees to keep your dealership safe.
To learn more about phishing prevention, visit Booth #6453W at the NADA Convention & Expo. Schedule an appointment here http://bit.ly/NADA6453W