In today’s digital world, email is the backbone of business communication. However, it’s also a prime target for a growing threat known as Business Email Compromise (BEC). This is a type of cyberattack where criminals impersonate trusted figures within an organization, such as executives, employees or vendors via email. Their goal is to defraud the company into transferring money to the criminal. Once they silently gain access to an employee’s email account, they gather information on organizational roles, approval chains and vendors to create a more realistic scam and maximize the impact of their fraud. How big of a problem is this? In May 2022, the FBI called it a $43 billion scam!
In the Real World
Let’s look at two real-world examples of BEC attacks on dealerships from this year alone:
1. Attackers compromised an accounts payable (AP) employee’s mailbox and observed monthly vendor invoices. They impersonated one of these vendors using a look-alike email domain and gave new account payment instructions to the AP employee. They also created a spoof email address for the employee’s supervisor and proactively gave approval for the change. All communications were via email; no one at the dealership called the vendor to verify the change. The fraud was detected when the real vendor sent a past-due invoice.
2. An attacker gained access to a dealer employee’s email inbox and used the same password to access the payroll processor. The payroll processor’s Multifactor Authentication (MFA) system used a code sent to email. With the password, MFA code and even the employee’s SSN (found in other emails), the attacker was able to change the employee’s direct deposit account. The fraud was only detected when the employee realized they weren’t being paid.
In both cases, two aspects remained common — communications were solely via email and email security was weak. Most attacks begin as a phishing email, which prompts a user to enter their credentials (including MFA) at a fake login page. With these values, the attacker is able to immediately log in as the original user. Once they have an account login, they can also establish their own MFA codes, allowing them to log in while the original user has no idea this happened.
5 Tips to Protect Your Dealership
So, how can your dealership reduce the risk of falling prey to BEC attacks? We need to address people, processes and technology:
1. Payment Account Change Verification: Establish clear internal rules that require careful verification before any accounts are changed or funds transferred. Require your team to validate the request through a secondary communication, such as a phone call using a number obtained outside of email (e.g., a directory or vendor invoice).
2. Defense with MFA: Activate MFA for all email accounts to add an extra layer of security, making it significantly harder for attackers to gain unauthorized access. Although MFA can be defeated, it greatly raises the bar for the attacker.
3. Login Protections: Set up strict email login rules. For example, one could restrict logins from certain locations and even how often to prompt for MFA. Talk to your IT department or provider about whether these higher levels of email security have been enabled, and whether suspicious logins are being monitored for.
4. Warning Banners: Set up your email system with warning banners that are shown to the user if an email originated outside the company, or if it is the first time someone has sent them an email, which is useful in detecting spoofs.
5. Security Awareness Training and Vigilance: Regularly educate your team about BEC and phishing threats. Train them to recognize common tactics used by scammers and emphasize the importance of correctly handling suspicious emails. This will empower your team to monitor for suspicious activity and address it in a timely manner.
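Tip 4 and the first case above, as an added Python example that is not from the original article: given a message's From header, it decides which warning banners to show, flagging external senders, first-time correspondents, and domains that imitate the dealership's own domain or a known vendor's domain (the look-alike vendor domain and spoofed supervisor address from the first case). The domain names and sender list are constructed sample data.

```python
from email.utils import parseaddr
from typing import List, Optional, Set

# Constructed sample data: the dealership's own domain and its known vendors.
ORG_DOMAIN = "example-dealer.test"
KNOWN_VENDORS = {"parts-supplier.test", "glass-vendor.test"}
PROTECTED = KNOWN_VENDORS | {ORG_DOMAIN}
# Digit-for-letter swaps often used to build look-alike domains.
HOMOGLYPHS = str.maketrans("0135", "oles")


def normalize(domain: str) -> str:
    """Fold common visual substitutions so 'dea1er' reads as 'dealer' and 'rn' as 'm'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the protected domain this sender domain imitates, or None."""
    if domain in PROTECTED:
        return None  # the genuine domain is never a look-alike of itself
    folded = normalize(domain)
    for real in sorted(PROTECTED):
        if folded == real or edit_distance(folded, real) <= 2:
            return real
    return None


def banner_for(from_header: str, seen_senders: Set[str]) -> List[str]:
    """Warnings to prepend to a message, given its From header and the
    addresses this mailbox has corresponded with before."""
    addr = parseaddr(from_header)[1].lower()
    domain = addr.rpartition("@")[2]
    warnings = []
    if domain != ORG_DOMAIN:
        warnings.append("EXTERNAL SENDER")
    if addr not in seen_senders:
        warnings.append("FIRST CONTACT")
    target = lookalike_of(domain)
    if target:
        warnings.append(f"LOOK-ALIKE OF {target}")
    return warnings
```

A real deployment would take the seen-sender set from the mailbox's sent history and treat any LOOK-ALIKE hit as a reason to apply the out-of-band verification in tip 1.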
BEC and payment fraud are genuine threats to dealerships today. By following the suggestions above, you can significantly reduce your risk and protect your organization. Take time to reflect on your own organization and consider what additional trainings, policies and tools your business could implement to better protect you and your customers’ information.