Pub. 17 2018-2019 Issue 1

N E W J E R S E Y C O A L I T I O N O F A U T O M O T I V E R E T A I L E R S I S S U E N O . 2 , 2 0 1 8 34 new jersey auto retailer P hishing attacks are becoming more prevalent at auto dealerships with one dealership recently falling vic- tim to an attack that resulted in a loss of $251,000. If you believe this can’t happen at your dealership, think again. In phishing simulation tests conducted by Helion Technologies, we have found 3-7 percent of dealership employees are willing to give up their credentials when prompted. Phishing is the practice of sending emails, purporting to be from a legitimate company, in order to lure a person to reveal personal information, such as passwords and credit card numbers. Phishing emails may appear to come from your email provider, bank, de- livery company or other seemingly legitimate source. The emails contain links that bring you to fake login pages where thieves capture your email and password information. Spear phishing is a more targeted formof phishing, where the send- ers have researched you as an individual or business. For example, fake invoices are the most common type of phishing lure. If you receive an invoice from someone that you know, double check the “reply to” email address before downloading the attachment. You could be downloading a malware or virus onto your computer! Whaling goes one step further, focusing on an individual within an organization. These attacks are very sophisticated. Phishers do a lot of research on their victims, using social media and other sources of information to gather personal history and information, which is then used to craft an email that appears to come from someone that the victim knows. Phishing attacks are launched by groups of sophisticated, trans-na- tional criminals. These are not kids sitting in their parents’ basements. These groups are well-funded and reinvest their profits to build world-class infrastructures and hire world-class program- mers. Their only goal is to get your money. Anatomy of an Attack Recently, a salesperson at a dealership received an email. The subject line read: RE: 2015 Ford Focus and looked as if a customer was replying to an email originally sent from the dealership. The email read something like this: “Please consider these changes and let me know what you think. If you are agreeable to my suggestions, I am willing to continue with this purchase.” The email included a link that appeared to go to the Dropbox website. The salesperson clicked on the link and was taken to a website that looked like Dropbox. The site prompted him to sign in using his email provider. The salesperson selected Outlook and entered his email address and password. He was unable to sign in, so he emailed the “customer” to let him know. As soon as the salesperson emailed the “customer,” the phishers were notified that they had “hooked” someone. They immediately retrieved the salesperson’s email credentials and logged into the dealership’s Microsoft hosted exchange server. In an incredibly unfortunate coincidence, the salespersonwas in the process of selling a very expensive car. Within the last two hours, the dealer that owned the vehicle emailed wire instructions to the salesperson, and the salesperson forwarded it to the Controller. The phishers immediately created another email to the Controller pretending to be the salesperson. In the email, the salesperson said the bank information he previously sent was wrong and 4 Simple Rules to Prevent Phishing Attacks BY ERIK NACHBAHR