Fraudsters are using far more technical crimes to steal from car dealerships and auto lenders these days. And the newest method of choice for them is cyber-crime.
In recent industry reports, cyber-criminals have significantly increased their attacks using wire transfer fraud, high tech data breaches and even introducing malware onto the dealer and lenders systems.
Most recently, Auto News reports that a cyber thief snatched $253,000 by intercepting a wire transfer between an exotic-car retailer and another dealership. And in another recent case, a cybercriminal gained access to a dealership’s finance employee’s computer and downloaded 200 customer credit reports from a credit bureau.
This type of high tech barrage can spell bad news for dealerships that are often not equipped with high-security computer systems and networks. And perhaps that is precisely the reason they are targeted.
The Rise of BEC Scams for Luxury Car Dealers and Lenders
PointPredictive, the AI firm that tracks application and dealer fraud for the auto finance industry, has received reports from lenders that scammers are using BEC (Business Email Compromise Techniques) to perpetrate massive frauds.
Business email compromise typically occurs when a scammer sends a phishing email to somebody within the dealership. When the unsuspecting employee opens the email, it launches malware which embeds itself in the companies servers. That malware gives the scammer a backdoor to gain access to everyone’s emails within the company – often times the CEO or another executive.
Once the scammer has access to those emails they can begin sending requests for wire transfers to be sent to pay invoices to fake companies or even falsely instruct the finance departments to send funds to pay for a luxury car that they may not even be acquiring.
The problem with BEC scams for luxury car dealerships is that they can put a dealership out of business very quickly. In many cases, the emails appear highly legitimate.
In some cases, BEC scammers can instruct employees to do other things that can compromise customer and employee data. In one recent case, scammers instructed the accounting department to send all of the W2’s for employees to the scammers’ email address.
If dealerships were not aware of BEC scams, they should be. The growth in BEC scams makes it one of the fastest-growing financial crimes in the US.
Often Unreported Instances Lead to Lack of Good Statistics on this Crime
According to Auto News, these instances of cyber breaches and BEC scams often go unreported because the dealerships are embarrassed or don’t want to hurt future business with customers.
According to them, 84% of customers would not buy another car from a dealership if their personal data had been compromised from the dealership before.
They also reported that dealerships are notoriously slow to report data breaches – about 208 days on average after the breach occurred. Dealerships often don’t have network engineers or other personnel that know how to spot the telltale signs of a customer or employee data breach.
The penalties for breaches and fraud are hard on a dealership so they will often not report the crime. This means that statistics that track the growth in these types of cybercrimes are often underestimated.
Recommendations from The FBI to Avoid BEC Scams and Wire Fraud
The FBI also published 10 Recommendations to help small businesses including car dealerships stop wire fraud.
- Avoid Free Web Based Email Accounts – They are targets of fraudsters an easily exploited
- Don’t Post Executives Email Addresses Publically – Fraudsters use that information.
- Don’t Post Organizationally Structures Publically – Fraudsters use that for social engineering
- Use Out of Band Authentication for Email Transfers – This can stop the fraud after it is initiated
- Report and deleted all spam and suspicious phishing attempts – They can proliferate on your company email systems.
- Do not Reply, Forward back to Recipient Executive – The fraudsters will use misspelled emails to divert emails. On wire request, hit forward and manually type in the email of the recipient.
- Use Intrusion Detection System – These systems can detect fraudulent email requests by analyzing the originating domains to sure they are not spoofed versions of real emails.
- Do 2 Factor Authentication on All Vendor Location Changes – Fraudsters are merely changing the banking account orders on wire transfers and not setting up new vendors.
- Pick up the Phone – Calling an executive directly to confirm is far more effective than emailing.
- Know the Habits of your Customers – Use common sense an investigate things that look out of the ordinary and out of pattern.
Thanks for reading!