Understanding Business Email Compromise — the $43 Billion Scam


In today’s digital world, email is the backbone of business communication. However, it’s also a prime target for a growing threat known as Business Email Compromise (BEC). This is a type of cyberattack in which criminals use email to impersonate trusted figures within an organization, such as executives, employees or vendors. Their goal is to trick the company into transferring money to them. Once they silently gain access to an employee’s email account, they gather information on organizational roles, approval chains and vendors to create a more realistic scam and maximize the impact of their fraud. How big a problem is this? In May 2022, the FBI called it a $43 billion scam!

In the Real World

Let’s look at two real-world examples of BEC attacks on dealerships from this year alone:

1. Attackers compromised an accounts payable (AP) employee’s mailbox and observed monthly vendor invoices. They impersonated one of these vendors using a look-alike email domain and gave new account payment instructions to the AP employee. They also created a spoofed email address for the employee’s supervisor and proactively gave approval for the change. All communications were via email; no one at the dealership called the vendor to verify the change. The fraud was detected when the real vendor sent a past-due invoice.

2. An attacker gained access to a dealer employee’s email inbox and used the same password to access the payroll processor. The payroll processor’s Multifactor Authentication (MFA) system used a code sent to email. With the password, MFA code and even the employee’s SSN (found in other emails), the attacker was able to change the employee’s direct deposit account. The fraud was only detected when the employee realized they weren’t being paid.

In both cases, two things were common: communications were solely via email, and email security was weak. Most attacks begin as a phishing email, which prompts a user to enter their credentials (including MFA) at a fake login page. With these values, the attacker is able to immediately log in as the original user. Once they have an account login, they can also establish their own MFA codes, allowing them to log in while the original user has no idea this happened.

5 Tips to Protect Your Dealership

So, how can your dealership reduce the risk of falling prey to BEC attacks? We need to address people, processes and technology:

1. Payment Account Change Verification: Establish clear internal rules that require careful verification before any accounts are changed or funds transferred. Require your team to validate the request through a secondary communication, such as a phone call using a number obtained outside of email (e.g., a directory or vendor invoice).

2. Defense with MFA: Activate MFA for all email accounts to add an extra layer of security, making it significantly harder for attackers to gain unauthorized access. Although MFA can be defeated, it greatly raises the bar for the attacker.

3. Login Protections: Set up strict email login rules. For example, you can restrict logins from certain locations and control how often users are prompted for MFA. Talk to your IT department or provider about whether these higher levels of email security have been enabled, and whether suspicious logins are being monitored.

4. Warning Banners: Set up your email system to show the user a warning banner if an email originated outside the company, or if it is the first time the sender has emailed them, which is useful in detecting spoofs.

5. Security Awareness Training and Vigilance: Regularly educate your team about BEC and phishing threats. Train them to recognize common tactics used by scammers and emphasize the importance of correctly handling suspicious emails. This will empower your team to monitor for suspicious activity and address it in a timely manner.
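The banner checks from tip 4, plus a look-alike domain check matching the first real-world case, are sketched below as an added example; it is not code from the article or from any mail product. The domains, the seen-sender list and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; a real deployment would load these.
ORG_DOMAIN = "dealer.example"
KNOWN_DOMAINS = {"dealer.example", "acmeparts.example"}  # own + vendor domains
SEEN_SENDERS = {"billing@acmeparts.example"}             # prior correspondents

# Constructed sample messages ("rn" imitates "m" in the vendor domain).
SPOOFED_VENDOR = ("From: Acme Billing <billing@acrneparts.example>\n"
                  "Subject: Updated bank details\n\nPlease use the new account.")
REAL_VENDOR = ("From: Acme Billing <billing@acmeparts.example>\n"
               "Subject: March invoice\n\nInvoice attached.")


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the known domain that `domain` closely imitates, or None."""
    for known in KNOWN_DOMAINS:
        if domain != known and edit_distance(domain, known) <= 2:
            return known
    return None


def banners_for(raw_message):
    """Return the warning banners to show for one raw email message."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    domain = addr.rpartition("@")[2]
    banners = []
    if domain != ORG_DOMAIN:
        banners.append("EXTERNAL")
    if addr not in SEEN_SENDERS:
        banners.append("FIRST_TIME_SENDER")
    target = lookalike_of(domain)
    if target:
        banners.append("LOOKALIKE_OF:" + target)
    return banners
```

The look-alike check compares against domains the organization already trusts because an attacker-registered domain is a valid domain in its own right; only its similarity to a known one gives it away.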

BEC and payment fraud are genuine threats to dealerships today. By following the suggestions above, you can significantly reduce your risk and protect your organization. Take time to reflect on your own organization and consider what additional training, policies and tools your business could implement to better protect your information and your customers’ information.
