
We've seen many high-profile data breaches in the last decade. Dealers may think they aren't targets for these kinds of data breaches, but this couldn't be further from the truth. Not only that, but the FTC requires that dealers protect the non-public personal information of their customers.

This video was originally published in March 2019.


Data Breaches: Start with Your Employees

When we talk about information leaks, what we're really talking about is data hacks, and those can be intentional or accidental. It's the intentional ones we're really worried about.


The greatest risk is not from outside your dealership, but inside, so if you're wondering how to best prevent data leaks—loss of data—start with your own employees.

Written Safeguards Policy

Begin with a written policy that employees are required to read. Employees should read this document when they are first hired and sign an acknowledgment that they read and understood the policy. This process should be repeated annually. Make sure there's no ambiguity. You take this seriously, so your employees should as well. If you don't have a policy in place already or need help crafting one for your dealership, Mosaic can help.


Safeguards Training

Second, you need training. You should train on the practical implications of your policy:

  • What are employees allowed to do with customer data?

  • What are employees not allowed to do with customer data?

  • What steps should each employee take to protect customer data based on their role at the dealership?

For example, some things employees are not allowed to do:

  • copy it

  • email it

  • take it off the premises

  • use it for anything other than legitimate business purposes


Establish a Safeguards Program

Third, establish safeguards. There's a whole Safeguards Rule about that, but one item to focus on is the data security of your computer network. IT is key.


If you leave a deal jacket lying around, and it gets stolen, then you've lost one identity. If someone gains unauthorized access to your computer network, they could potentially get all of your customer data. We saw something like this happen to a company called Dealerbuilt when their dealer clients' customer data was stolen after it had been kept on unsecured servers.


Do a Network Vulnerability Assessment

Doing a Network Vulnerability Assessment will give you insight into the weak points of your computer network, and under the Revised Safeguards Rule it is required by law. NVAs should be repeated annually and used to identify safeguards that need to be put in place. You should also have hardware and software solutions in place that can detect bad actors.


A Safeguards Solution

A dealer contacted Mosaic concerned about his computer network. We conducted an NVA and installed hardware and software solutions. Within a month I got a call from the IT professional we used to help get them secure. He explained that the dealership was undergoing a data breach right at that moment. The sales manager was using a file transfer protocol to download 100% of the customer base from the DMS. We were able to detect it, catch him red-handed as he was downloading it onto a thumb drive, fire him, and call the cops. Now that is how you prevent data theft.
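The story above describes exactly the signal a monitoring control should fire on: one account pulling the whole customer base out of the DMS to an off-premises destination. What follows is an added example, not Mosaic's tooling and not any DMS vendor's logging. It assumes a hypothetical export-log format, a customer-base size, an allow-list of on-premises destinations and an alert threshold, all constructed here, and it flags any user whose exports in one day exceed a chosen share of the customer base or go to a destination outside the allow-list.

```python
"""Flag bulk customer-record exports in a hypothetical DMS export log (added example)."""
from collections import defaultdict
from datetime import datetime

# Assumption: number of customer records held in the DMS.
CUSTOMER_BASE = 12_000
# Assumption: one user exporting more than this share of the base in a day is abnormal.
ALERT_SHARE = 0.05
# Assumption: destinations that keep the data inside the dealership.
ALLOWED_DESTS = {"printer", "screen"}

# Constructed log lines in a hypothetical format: ISO timestamp, then key=value fields.
SAMPLE_LOG = """\
2019-03-04T09:12:31 user=jsmith action=export dest=printer records=1
2019-03-04T09:40:02 user=jsmith action=export dest=screen records=3
2019-03-04T10:05:55 user=mlee action=login dest=- records=0
2019-03-04T10:07:12 user=mlee action=export dest=ftp://192.0.2.10/out records=4000
2019-03-04T10:08:48 user=mlee action=export dest=ftp://192.0.2.10/out records=4000
2019-03-04T10:10:03 user=mlee action=export dest=ftp://192.0.2.10/out records=4000
2019-03-04T11:30:00 user=agarcia action=export dest=printer records=2
"""


def parse_line(line):
    """Parse one log line into a dict; raises ValueError/KeyError on a malformed line."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {"time": datetime.fromisoformat(ts), "user": rec["user"],
            "action": rec["action"], "dest": rec["dest"], "records": int(rec["records"])}


def exports_by_user_day(log_text):
    """Aggregate exported record counts and destinations per (user, day)."""
    totals = defaultdict(lambda: {"records": 0, "dests": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["action"] != "export":
            continue
        key = (e["user"], e["time"].date().isoformat())
        totals[key]["records"] += e["records"]
        totals[key]["dests"].add(e["dest"])
    return totals


def bulk_export_alerts(log_text, customer_base=CUSTOMER_BASE, alert_share=ALERT_SHARE):
    """Return one alert per (user, day) whose exports look like bulk data theft."""
    alerts = []
    for (user, day), agg in sorted(exports_by_user_day(log_text).items()):
        share = agg["records"] / customer_base
        reasons = []
        if share > alert_share:
            reasons.append(f"{share:.0%} of the customer base exported in one day")
        external = sorted(d for d in agg["dests"] if d not in ALLOWED_DESTS)
        if external:
            reasons.append("off-premises destination: " + ", ".join(external))
        if reasons:
            alerts.append({"user": user, "day": day, "records": agg["records"],
                           "share": round(share, 3), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in bulk_export_alerts(SAMPLE_LOG):
        print(a["user"], a["day"], a["records"], "records:", "; ".join(a["reasons"]))
```

The threshold has to be set per role: a sales manager who legitimately prints a handful of deal records a day should never trip it, while the volume in the story (the entire customer base in a few minutes) is far above any normal share. The destination check is the cheaper signal and fires even when the volume is split into small batches over several days.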


If you want to learn more about protecting your customer data and complying with the Revised FTC Safeguards Rule contact us today!

All phishing attacks can potentially expose your dealership to malware that corrupts its computer network, or mines the data in its DMS without you knowing it. Spear phishing attacks are targeted at a single target, either an individual or an organization, and can be very difficult to detect until it’s too late.

This video was originally published in December 2021.


What is Spear-Phishing?

We’re still phishing, only this time it’s “spear phishing.” Again, I’m talking about phishing with a “ph” – those emails or text messages that try to induce you to surrender your account information or, worse for your dealership, click on a link that results in malware infecting your dealership’s computer network.


Our last episode focused on what I call broadcast phishing – indiscriminate emails or text messages that rely on volume as much as content for their success. But spear phishing is a different animal, and more dangerous. Spear phishing attacks are targeted at a single target, either an individual or an organization, and can be very difficult to detect until it’s too late.


What is an example of a spear-phishing attack?

Let me give you an actual example to illustrate what a spear-phishing attack looks like. A few weeks ago, I was eating dinner in Texas with an actual IT professional, who you’d think would know better. Let’s call him Bob. Bob and his wife had recently bought their first house. The process involved weeks of email traffic between them and their real estate agent and, eventually, a title insurance company.


As closing drew near, Bob got an email that appeared to be from his real estate agent. In it, the agent reminded him of a recent email message wherein the agent informed Bob that he would need to either bring a cashier’s check for the down payment to closing or wire those funds to the title company’s account. The agent then said that the title company preferred a wire transfer, and provided the account information for the wire.


Bob dutifully wired $50,000 – the whole of his liquid savings. Later, he called the title company to confirm their receipt of the money. That’s when he discovered they had no idea what he was talking about and were expecting a cashier’s check at closing.


How could this happen? Remember, we’re talking about spear phishing, where a particular individual or organization is targeted with a convincing attack. It seems a sophisticated hacker accessed the real estate agent’s email account and actually saw the messages between the parties. Thus, the hacker knew Bob’s situation and knew he was expecting instructions concerning the transfer of his down payment. When the fake email instructions came in, he was a sitting duck.


Fortunately for Bob and his wife, he reacted quickly and contacted local law enforcement, the banks involved, and, ultimately, the real estate agency’s insurance company. He recovered all but $4,000 of his down payment money and was able to close. Funny how we consider losing “only” $4,000 a happy ending, isn’t it?


Spear-Phishing Awareness

So what’s the moral of the story? The best weapon against phishing attacks – especially spear-phishing attacks – is awareness. Any email or text message that invites you to click on a link, provide account information, or send money, should be scrutinized carefully. Unless you’re absolutely certain it’s legitimate, contact the sender using a known phone number, and never use a phone number or email address contained in the message itself.


All phishing attacks can potentially expose your dealership to malware that corrupts its computer network, or mines the data in its DMS without you knowing it. That’s why we produce these videos – to increase awareness of the problem – so share them with your employees. Forewarned is forearmed. Keep warning your staff and you’ll arm your dealership against phishing attacks.


If you’d like more tips or need training on how your dealership can prevent phishing and other computer network attacks, contact us today.

Phishing attacks are a kind of social engineering – convincing people to behave in a particular way. And social engineering is by far the greatest threat to the security of computer networks. Social engineering attacks account for 70 – 90% of all computer attacks.

This video was originally published in March 2020.


What is a Phishing Attack?

We’re goin’ phishing. And no, I don’t mean the kind of fishing that involves rods, reels, and bait. I’m talking about phishing with a “ph” – those emails or text messages that try to induce you to surrender your account information or, worse for your dealership, click on a link that results in malware infecting your dealership’s computer network.


Phishing attacks are a kind of social engineering – convincing people to behave in a particular way. And social engineering is far and away the greatest threat to the security of computer networks. Social engineering attacks account for 70 – 90% of all computer attacks. Unpatched software is the next most common threat, at 20% or more. Your IT manager can handle the unpatched software issue, but you can do something about phishing. Let’s discuss how.


How to Recognize a Phishing Email

The first thing you need to do is recognize a phishing attack when it appears in your inbox. Everyone’s heard about the Nigerian Prince email scam, which has been around for well over a decade. Despite being obviously phony, as recently as 2019 Americans reported losing over $700,000 to this scam, and most current phishing attacks are far more sophisticated.

Phishing emails (and text messages) are designed to look like they came from sources you know and trust. I’ve gotten emails from the Bank of America that look like the real thing. Unfortunately for the phisher, I don’t have an account with the Bank of America.


How can you tell a phishing message from the real thing? If any of these features are present, ask your IT manager to check it out or just delete the message:

  • Does it come from a source you don’t know or a company you don’t do business with?

  • Is the greeting impersonal? If the source is legit, it’s unlikely to greet you as “Dear Friend.”

  • Does it ask for account or password information?

  • Are you invited to click on a link?

  • Does it ask you to make a payment?

  • Does it suggest a potential windfall, such as proceeds from a class action lawsuit or a government refund?

  • Does it offer you free stuff or anything else that your gut tells you is too good to be true?

Here’s an example of a phishing attack provided by the Federal Trade Commission (the FTC’s sample Netflix email, which is not reproduced here):


Looks legit, right? Netflix is, after all, a real company, and that is its logo. But let’s look closer.

  • The email has a generic greeting – “Hi Dear.” Sounds, well, fishy.

  • The email invites you to click on a link.

  • The email spells “center” with an “r-e” instead of “e-r” at the end – that’s not common American usage.

  • If you hover your cursor over the Update Account Now link, you’d see that the URL is not connected to Netflix.
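The checklist above, and the walkthrough of the Netflix sample, can be turned into a first-pass triage script that a dealership’s IT manager could run over a reported message. This is an added example, not code from the original video or from Mosaic. The allow-list of known domains, the keyword lists and both sample messages are constructed for illustration; the domain handling is deliberately crude (it keeps the last two labels of a host name). It also generalizes the “hover over the link” step: every link’s domain is compared with the sender’s address domain, which is the automated form of that check.

```python
"""Score an e-mail against the phishing red flags listed above (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the dealership actually does business with.
KNOWN_DOMAINS = {"netflix.com", "ourdealership.example"}

GENERIC_GREETINGS = ("hi dear", "dear friend", "dear customer", "dear user")
CREDENTIAL_WORDS = ("password", "account information", "verify your account",
                    "update your account")
PAYMENT_WORDS = ("wire transfer", "make a payment", "gift card", "invoice attached")
WINDFALL_WORDS = ("refund", "class action", "you have won", "prize", "free gift")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain guess: keep the last two labels of the host name."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def phishing_indicators(raw_message):
    """Return the red flags found in one raw RFC 822 message (empty list = none)."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.rpartition("@")[2])
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    # Lowercase plain text for keyword checks: tags stripped, whitespace collapsed.
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", body)).lower()
    links = _LinkCollector()
    links.feed(body)

    flags = []
    if sender_domain not in KNOWN_DOMAINS:
        flags.append(f"sender domain {sender_domain!r} is not one you do business with")
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if any(w in text for w in CREDENTIAL_WORDS):
        flags.append("asks for account or password information")
    if any(w in text for w in PAYMENT_WORDS):
        flags.append("asks for a payment")
    if any(w in text for w in WINDFALL_WORDS):
        flags.append("promises a windfall or free stuff")
    for href, label in links.links:
        link_domain = registrable_domain(urlparse(href).hostname or "")
        flags.append(f"invites a click: {label!r} -> {href}")
        if link_domain != sender_domain:  # the automated 'hover over the link' check
            flags.append(f"link goes to {link_domain!r}, not the sender's {sender_domain!r}")
    return flags


# Constructed message modelled on the FTC's Netflix sample; not a real e-mail.
SUSPICIOUS = """\
From: Netflix <support@netflix-billing-centre.example>
Subject: Your account is on hold
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Dear,</p>
<p>We could not validate your billing information. Please update your account
within 48 hours or it will be suspended.</p>
<p><a href="http://account-update.example/netflix/login">Update Account Now</a></p>
<p>Help Centre</p></body></html>
"""

# Constructed legitimate internal message for comparison.
LEGIT = """\
From: Sales Desk <sales@ourdealership.example>
Subject: Sales meeting moved
Content-Type: text/plain; charset=utf-8

Hi Bob, the Thursday sales meeting has moved to 3 pm.
"""

if __name__ == "__main__":
    for flag in phishing_indicators(SUSPICIOUS):
        print("-", flag)
    print("flags on the legitimate message:", phishing_indicators(LEGIT))
```

Run stand-alone, the script lists five flags on the constructed Netflix-style message (unknown sender domain, generic greeting, a request to update the account, a link, and a link domain that differs from the sender's) and none on the internal message. Keyword lists like these catch the easy cases; the link-domain comparison is the check that keeps working when the wording is polished.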

What should you do if you suspect a phishing attack?

  • The first thing to do is bring it to the attention of your dealership’s IT manager. But not all dealerships have an in-house IT professional, so you may need to noodle this out on your own.

  • Ask yourself whether you have an account with the company or know the person who contacted you. If the answer is yes and you suspect a phishing attack, contact the company or person and ask if the message is real. But don’t use a number or email address contained in the message.

  • If the answer is no, delete the message. Do not respond to it, do not divulge any personal, account, or password information, and do NOT click on any links! Doing that could result in malware being installed on your dealership’s network.

Social engineering attacks such as phishing are the biggest piece of the computer attack pie, and they’re the piece you can prevent. Stay alert, stay suspicious, and when in doubt – throw it out.


If you’d like more tips on how your dealership can prevent phishing and other computer network attacks, or if you need to train your employees to identify and avoid phishing attacks, contact Mosaic Compliance Service today.


