Understanding Business Email Compromise — the $43 Billion Scam

BEC and payment fraud are genuine threats to dealerships today. By following these suggestions, you can significantly reduce your risk.

In today’s digital world, email is the backbone of business communication. It is also a prime target for a growing threat known as Business Email Compromise (BEC), a type of attack in which criminals impersonate trusted figures, such as executives, employees or vendors, over email in order to trick the company into sending money to an account the criminal controls. Once they silently gain access to an employee’s mailbox, they study organizational roles, approval chains and vendor relationships so that the eventual request looks routine and the payout is as large as possible. How big a problem is this? In May 2022, the FBI called it “the $43 billion scam”.

In the Real World

Let’s look at two real-world examples of BEC attacks on dealerships from this year alone:

1. Attackers compromised an accounts payable (AP) employee’s mailbox and watched the monthly vendor invoices arrive. They then impersonated one of those vendors from a look-alike email domain and sent the AP employee new payment account instructions. They also created a spoofed email address for the employee’s supervisor and used it to send approval for the change before anyone asked for it. All communication was by email; no one at the dealership called the vendor to verify the change. The fraud was detected only when the real vendor sent a past-due invoice.

2. An attacker gained access to a dealership employee’s email inbox and found that the same password also worked at the payroll processor. The payroll processor’s multifactor authentication (MFA) sent its code to email, i.e. to the mailbox the attacker already controlled. With the password, the MFA code and even the employee’s SSN (found in other emails), the attacker changed the employee’s direct deposit account. The fraud was detected only when the employee noticed they weren’t being paid.

In both cases, two things were common: communications were solely via email, and email security was weak. Most such attacks begin with a phishing email that leads the user to a fake login page, where they enter their credentials and, if prompted, their MFA code. The attacker passes those values straight to the real service and is immediately logged in as the user. Once inside the account, the attacker can register their own MFA method, so they can keep logging in while the original user has no idea anything happened.
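The first incident above turned on a look-alike vendor domain and a spoofed supervisor address, and the warning-banner tip later on this page depends on telling external and first-time senders apart. The check below is an added example of my own, not code from this article or from any dealership product: it screens an inbound message for a look-alike of a trusted domain (both homoglyph swaps such as “rn” for “m” and one- or two-character edits), a known display name on the wrong address, a first-time external sender, and payment-change language, then turns those signals into a hold/banner/deliver decision. The dealership domain, vendor list, staff list and sample messages are all constructed for illustration.

```python
# Added example, not code from the article: screen inbound mail for the BEC
# signals in the incidents above. Reference data and samples are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional, Set

INTERNAL_DOMAIN = "example-dealer.com"                          # assumed dealership domain
KNOWN_VENDOR_DOMAINS = {"acmeparts.com", "citydetailing.net"}   # assumed vendor master list
INTERNAL_STAFF = {"pat morgan": "pat.morgan@example-dealer.com"}  # display name -> real address
PAYMENT_LANGUAGE = re.compile(
    r"\b(bank|routing|account number|wire|ach|remit|direct deposit|payment instructions?)\b")
# Substitutions that make a forged domain read like the real one at a glance.
SINGLE_CHAR_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MULTI_CHAR_SWAPS = (("rn", "m"), ("vv", "w"))


@dataclass
class Message:
    from_name: str
    from_addr: str
    body: str


def normalize(domain: str) -> str:
    """Collapse common homoglyph tricks so a look-alike compares equal to its target."""
    d = domain.lower().translate(SINGLE_CHAR_SWAPS)
    for fake, real in MULTI_CHAR_SWAPS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 usually means a dropped letter or a swapped TLD."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, or None if it is not a near miss."""
    domain = domain.lower()
    trusted = KNOWN_VENDOR_DOMAINS | {INTERNAL_DOMAIN}
    if domain in trusted:
        return None
    for real in trusted:
        if normalize(domain) == normalize(real) or edit_distance(domain, real) <= 2:
            return real
    return None


def assess(msg: Message, seen_senders: Set[str]) -> List[str]:
    """Return the reasons this message should carry a banner or be held for verification."""
    reasons = []
    sender = msg.from_addr.lower()
    domain = sender.rsplit("@", 1)[-1]
    # External-sender and first-contact warnings (the banner control from the tips).
    if domain != INTERNAL_DOMAIN:
        reasons.append("external-sender")
        if sender not in seen_senders:
            reasons.append("first-contact")
    # Incident 1: a look-alike of a vendor domain, or of the dealership's own domain.
    target = lookalike_of(domain)
    if target:
        reasons.append(f"lookalike-domain:{target}")
    # Incident 1: the spoofed supervisor, i.e. a known display name on the wrong address.
    expected = INTERNAL_STAFF.get(msg.from_name.strip().lower())
    if expected and expected != sender:
        reasons.append(f"display-name-spoof:{expected}")
    # Payment-detail language is what turns the signals above into an AP risk.
    if PAYMENT_LANGUAGE.search(msg.body.lower()):
        reasons.append("payment-change-language")
    return reasons


def verdict(reasons: List[str]) -> str:
    """hold = phone the counterparty on a known number first; banner = deliver with a warning."""
    if any(r.startswith(("lookalike-domain:", "display-name-spoof:")) for r in reasons):
        return "hold"
    if "payment-change-language" in reasons and "first-contact" in reasons:
        return "hold"
    return "banner" if "external-sender" in reasons else "deliver"


# Constructed sample traffic: a routine invoice, the two forged messages from
# incident 1, and an ordinary internal request.
SEEN_SENDERS = {"billing@acmeparts.com", "pat.morgan@example-dealer.com"}
SAMPLES = [
    Message("Acme Parts Billing", "billing@acmeparts.com",
            "Attached is invoice 4471 for February. Thank you."),
    Message("Acme Parts Billing", "billing@acrneparts.com",
            "Our bank has changed; please use the new routing number in the attached letter."),
    Message("Pat Morgan", "pat.morgan@example-dealer.co",
            "Approved, go ahead and update their bank details."),
    Message("Pat Morgan", "pat.morgan@example-dealer.com",
            "Can you pull the February AP aging report for me?"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        r = assess(m, SEEN_SENDERS)
        print(f"{verdict(r):7} {m.from_addr:32} {r}")
```

The point of the `verdict` step is that no single signal is decisive: a genuine vendor is an external sender every month, and first-contact mail is normal. It is the combination of a near-miss domain or a familiar name on a foreign address with payment-change wording that should stop the message until someone has phoned a number taken from a prior invoice.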

5 Tips to Protect Your Dealership

So, how can your dealership reduce the risk of falling prey to BEC attacks? We need to address people, processes and technology:

1. Payment Account Change Verification: Establish clear internal rules that require verification before any payment account is changed or funds are transferred. Require your team to validate the request through a second channel, such as a phone call to a number obtained outside of email (e.g., your vendor directory or a previously paid invoice), never a number supplied in the request itself.

2. Defense with MFA: Activate MFA for all email accounts to add an extra layer of security, making it significantly harder for attackers to gain unauthorized access. Although MFA can be defeated, it greatly raises the bar for the attacker.

3. Login Protections: Set up strict email login rules. For example, logins can be restricted to the locations you expect staff to work from, and you can control how often users are re-prompted for MFA. Ask your IT department or provider whether these higher levels of email security have been enabled, and whether suspicious logins, such as sign-ins from unexpected countries or new MFA methods being registered on an account, are being monitored for.

4. Warning Banners: Set up your email system to show a warning banner when a message originated outside the company, or when it is the first time a sender has emailed that user. Both are useful for catching spoofed and look-alike addresses that otherwise pass at a glance.

5. Security Awareness Training and Vigilance: Regularly educate your team about BEC and phishing. Train them to recognize the common tactics scammers use, and make clear that suspicious emails should be reported, not acted on. This empowers your team to spot suspicious activity and address it promptly.
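To show what “monitoring for suspicious logins” in tip 3 can look like in practice, here is an added example of my own, not from the article: it replays a mailbox sign-in log in order and raises alerts for the takeover pattern in the second incident, namely a login from a country the business does not operate in, two countries within a few hours of each other, and an MFA method registered shortly after such a login. The log format, field names, countries, IP addresses and events are all constructed; real providers export different schemas, so the parsing would need to be adapted.

```python
# Added example, not code from the article: watch a mailbox provider's sign-in
# log for the account-takeover pattern in incident 2 and the "suspicious logins"
# monitoring suggested in tip 3. The log format and every event below are
# constructed; real providers export richer records under different field names.
import json
from datetime import datetime, timedelta
from typing import Dict, List

ALLOWED_COUNTRIES = {"US"}          # assumption: staff only sign in from the US
TRAVEL_WINDOW = timedelta(hours=6)  # two countries inside this window is not a real trip
MFA_CHANGE_WINDOW = timedelta(hours=24)

# Constructed log: an AP clerk's account taken over from abroad, with a new MFA
# method registered minutes later, and a sales manager's ordinary phone enrolment.
SAMPLE_LOG = """\
{"ts": "2024-03-04T13:02:10Z", "user": "ap.clerk@example-dealer.com", "event": "signin", "result": "success", "country": "US", "ip": "198.51.100.7"}
{"ts": "2024-03-04T13:41:55Z", "user": "ap.clerk@example-dealer.com", "event": "signin", "result": "success", "country": "NG", "ip": "203.0.113.20"}
{"ts": "2024-03-04T13:44:02Z", "user": "ap.clerk@example-dealer.com", "event": "mfa_method_added", "result": "success", "country": "NG", "ip": "203.0.113.20", "detail": "Authenticator app"}
{"ts": "2024-03-04T15:10:30Z", "user": "sales.mgr@example-dealer.com", "event": "signin", "result": "success", "country": "US", "ip": "198.51.100.9"}
{"ts": "2024-03-05T09:00:00Z", "user": "sales.mgr@example-dealer.com", "event": "mfa_method_added", "result": "success", "country": "US", "ip": "198.51.100.9", "detail": "Phone"}
"""


def parse_ts(value: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def make_alert(ev: dict, rule: str, detail: str) -> dict:
    return {"ts": ev["ts"].isoformat(), "user": ev["user"], "rule": rule, "detail": detail}


def analyze(log_text: str) -> List[dict]:
    """Replay the log in order and return the alerts a SOC or IT provider should see."""
    alerts: List[dict] = []
    signins: Dict[str, List[dict]] = {}  # user -> successful sign-ins seen so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = parse_ts(ev["ts"])
        history = signins.setdefault(ev["user"], [])

        if ev["event"] == "signin" and ev["result"] == "success":
            ev["flagged"] = False
            # Tip 3: logins from outside the locations the business operates in.
            if ev["country"] not in ALLOWED_COUNTRIES:
                alerts.append(make_alert(ev, "unusual-country",
                                         f"sign-in from {ev['country']} ({ev['ip']})"))
                ev["flagged"] = True
            # Impossible travel: a different country within a few hours of another sign-in.
            for prev in history:
                gap = ev["ts"] - prev["ts"]
                if prev["country"] != ev["country"] and gap <= TRAVEL_WINDOW:
                    alerts.append(make_alert(ev, "impossible-travel",
                                             f"{prev['country']} then {ev['country']} within {gap}"))
                    ev["flagged"] = True
                    break
            history.append(ev)

        elif ev["event"] == "mfa_method_added":
            # The attacker's next move after a stolen login: register their own MFA method.
            tainted = [p for p in history
                       if p["flagged"] and ev["ts"] - p["ts"] <= MFA_CHANGE_WINDOW]
            if tainted:
                alerts.append(make_alert(ev, "mfa-change-after-suspicious-signin",
                                         f"{ev.get('detail', 'method')} registered from {ev['ip']}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['ts']}  {a['user']:30}  {a['rule']:36}  {a['detail']}")
```

Run as written, the script produces three alerts, all for the AP clerk, and none for the sales manager whose phone enrolment followed an ordinary domestic login. The MFA-registration rule is the one worth keeping even if the country allowlist is too strict for your staff: a new authenticator appearing within a day of any flagged sign-in is exactly the step that let the attackers in the incidents above keep their access.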

BEC and payment fraud are genuine threats to dealerships today. By following the suggestions above, you can significantly reduce your risk and protect your organization. Take time to reflect on your own organization and consider what additional trainings, policies and tools your business could implement to better protect you and your customers’ information.
