Understanding Business Email Compromise — the $43 Billion Scam

BEC and payment fraud are genuine threats to dealerships today. By following these suggestions, you can significantly reduce your risk.

In today’s digital world, email is the backbone of business communication. However, it’s also a prime target for a growing threat known as Business Email Compromise (BEC). This is a type of cyberattack in which criminals use email to impersonate trusted figures within an organization, such as executives, employees or vendors. Their goal is to defraud the company into transferring money to the criminal. Once they silently gain access to an employee’s email account, they gather information on organizational roles, approval chains and vendors to create a more realistic scam and maximize the impact of their fraud. How big of a problem is this? In May 2022, the FBI called it a $43 billion scam!

In the Real World

Let’s look at two real-world examples of BEC attacks on dealerships from this year alone:

1. Attackers compromised an accounts payable (AP) employee’s mailbox and observed monthly vendor invoices. They impersonated one of these vendors using a look-alike email domain and gave new account payment instructions to the AP employee. They also created a spoof email address for the employee’s supervisor and proactively gave approval for the change. All communications were via email; no one at the dealership called the vendor to verify the change. The fraud was detected when the real vendor sent a past-due invoice.

2. An attacker gained access to a dealer employee’s email inbox and used the same password to access the payroll processor. The payroll processor’s Multifactor Authentication (MFA) system used a code sent to email. With the password, MFA code and even the employee’s SSN (found in other emails), the attacker was able to change the employee’s direct deposit account. The fraud was only detected when the employee realized they weren’t being paid.

In both cases, two aspects remained common — communications were solely via email and email security was weak. Most attacks begin as a phishing email, which prompts a user to enter their credentials (including MFA) at a fake login page. With these values, the attacker is able to immediately log in as the original user. Once they have an account login, they can also establish their own MFA codes, allowing them to log in while the original user has no idea this happened.
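One way to monitor for the pattern just described, a new MFA method being registered shortly after a sign-in from a location not seen before for that user. This is an added example, not part of the original article; the event schema, field names and the 30-minute window are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sign-in/audit events. The field names are a hypothetical schema,
# not any particular mail provider's log format. "ZZ" is a placeholder country.
EVENTS = [
    {"time": "2024-03-04T08:01:00", "user": "ap.clerk", "type": "login", "country": "US"},
    {"time": "2024-03-05T08:03:00", "user": "ap.clerk", "type": "login", "country": "US"},
    {"time": "2024-03-05T14:40:00", "user": "ap.clerk", "type": "login", "country": "ZZ"},
    {"time": "2024-03-05T14:44:00", "user": "ap.clerk", "type": "mfa_method_added", "country": "ZZ"},
    {"time": "2024-03-06T09:00:00", "user": "sales.mgr", "type": "login", "country": "US"},
    {"time": "2024-03-06T09:10:00", "user": "sales.mgr", "type": "mfa_method_added", "country": "US"},
]

def suspicious_mfa_changes(events, window=timedelta(minutes=30)):
    """Return (user, time) for MFA methods added soon after a new-location login."""
    seen = {}          # user -> countries this user has signed in from so far
    new_location = {}  # user -> time of the latest login from an unseen country
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["type"] == "login":
            countries = seen.setdefault(user, set())
            # The first login on record is the baseline, not an anomaly.
            if countries and ev["country"] not in countries:
                new_location[user] = when
            countries.add(ev["country"])
        elif ev["type"] == "mfa_method_added":
            first_seen = new_location.get(user)
            if first_seen is not None and when - first_seen <= window:
                alerts.append((user, ev["time"]))
    return alerts
```
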

5 Tips to Protect Your Dealership

So, how can your dealership reduce the risk of falling prey to BEC attacks? We need to address people, processes and technology:

1. Payment Account Change Verification: Establish clear internal rules that require careful verification before any accounts are changed or funds transferred. Require your team to validate the request through a secondary communication, such as a phone call using a number obtained outside of email (e.g., a directory or vendor invoice).

2. Defense with MFA: Activate MFA for all email accounts to add an extra layer of security, making it significantly harder for attackers to gain unauthorized access. Although MFA can be defeated, it greatly raises the bar for the attacker.

3. Login Protections: Set up strict email login rules. For example, one could restrict logins from certain locations and even set how often users are prompted for MFA. Talk to your IT department or provider about whether these higher levels of email security have been enabled, and whether suspicious logins are being monitored.

4. Warning Banners: Set up your email system with warning banners that are shown to the user if an email originated outside the company, or if it is the first time someone has sent them an email, which is useful in detecting spoofs.

5. Security Awareness Training and Vigilance: Regularly educate your team about BEC and phishing threats. Train them to recognize common tactics used by scammers and emphasize the importance of correctly handling suspicious emails. This will empower your team to monitor for suspicious activity and address it in a timely manner.
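The banner logic from tip 4, extended with a check for the look-alike domains seen in the first real-world case, as an added example that is not part of the original article. The domains, addresses, confusable-character list and distance threshold are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample data: the organisation's domain, domains it already trades
# with, and addresses this mailbox has received mail from before.
ORG_DOMAIN = "dealership.example"
KNOWN_DOMAINS = {"dealership.example", "acmeparts.example"}
KNOWN_SENDERS = {"billing@acmeparts.example", "supervisor@dealership.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(domain: str) -> str:
    """Fold a few visually confusable sequences, e.g. 'rn' reads as 'm'."""
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        domain = domain.replace(src, dst)
    return domain

def lookalike_of(domain: str, known=KNOWN_DOMAINS, max_dist: int = 2):
    """Return the known domain this one imitates, or None."""
    if domain in known:
        return None
    for good in sorted(known):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= max_dist:
            return good
    return None

def banners(from_header: str) -> list[str]:
    """Decide which warning banners to show for a message's From header."""
    addr = parseaddr(from_header)[1].lower()
    domain = addr.rpartition("@")[2]
    out = []
    if domain != ORG_DOMAIN:
        out.append("EXTERNAL: this message came from outside the company")
    if addr not in KNOWN_SENDERS:
        out.append("FIRST CONTACT: you have not received mail from this address before")
    target = lookalike_of(domain)
    if target:
        out.append(f"LOOK-ALIKE: sender domain resembles {target}")
    return out
```
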

BEC and payment fraud are genuine threats to dealerships today. By following the suggestions above, you can significantly reduce your risk and protect your organization. Take time to reflect on your own organization and consider what additional trainings, policies and tools your business could implement to better protect your and your customers’ information.
