Automobile dealerships are increasingly under attack by hackers that use social engineering to trick an employee into divulging confidential information or performing a particular computer action. Such information or computer action is used to gain access to the business’s computer system. Once the computer system is compromised, the hacker can use the computer system for his or her own benefit. It is important to educate your dealership’s employees about social engineering, so that your dealership doesn't become a victim.
Pretexting is the act of creating and using an elaborate lie to get a target to divulge information or perform actions that would be unlikely in ordinary circumstances. A pretext often involves prior research about the target, the business, and the business's procedures. This information can be used by the hacker for impersonation, and to establish legitimacy and trust in the mind of the target.
Pretexting is often performed using a phone call. Once trust is established, the hacker may ask the target for specific confidential information, like a logon ID and the associated password - or the hacker may ask the target to perform a specific computer action, like resetting a password. The hacker can then use that information or action to gain access to the target’s computer system.Phishing
Phishing is another common social engineering technique that uses email to “phish” for victims. Phishing emails can incorporate pretexting. The email may appear to come from a legitimate source or the subject line may be something that will immediately grab the target's attention. The name of the sender will be forged; likely with the name of someone the target knows and trusts. The text will say something like “Check This Out!” with a link for the target to click. Clicking on the link will result in the installation of malware on the target’s computer. The malware could be a key-stroke logger that captures logon IDs and passwords or ransomware that encrypts the data on the computer and won’t decrypt until a ransom is paid, or some other type of malware that steals information or damages the computer and the computer network.
Another example would be an email that appears to come from the dealership’s bank, requesting "verification" of information and warning that the employee’s paycheck will not be issued until the information is provided. The email usually contains a link to a fraudulent web page that appears to be legitimate, even containing bank logos and content, and has a form requesting all kinds of information - everything from a home address to an ATM card's PIN, to the employee’s dealership login ID and password.
Everyone in your dealership needs to be aware of social engineering – what it is, and how to defend against it.
Recognize that social engineering plays on people’s natural tendency to trust others and to want to help them - but strangers on the phone or strange email should be verified before being trusted. One can still be trusting and helpful without divulging confidential information.
On the phone, if in doubt, ask for the caller’s phone number. Social engineers may not have the skill to manipulate phone numbers - and they do not want to give you their actual phone number. Most will probably hang up at this point. If they give you a phone number, call back and see who answers. Legitimate callers will appreciate the fact that you are careful.
Educating everyone at the dealership is critical to defending against social engineering. Dealership employees should be taught to look for signs of social engineering. Social engineering can be detected and defended against with thorough verification and education.
RouteOne has a variety of complimentary compliance tools to help you better protect your dealership! Through RouteOne’s complimentary compliance tools, your dealership can:
All of these compliance tools come at no additional cost to your dealership! For more information on these tools, click here, or contact your RouteOne Business Development Manager.