Car dealerships have everything that hackers and scam artists love and need to focus on cyber-security therefore. You deal with high-value items and handle large amounts of money. Car dealers deal with people’s banks directly and process stacks of personal information that could be used for identity theft. You process payment information like debit and credit cards and cars are a favorite way to blow through stolen money or ruin the life of someone whose identity has been stolen. To a hacker, a car dealership looks like a playground which means that it’s your job as the honest professionals trying to run a business to protect yourself, your customers, and your staff members from the inevitable attacks.
Cyber-Security and Social Engineering
However, having a strong firewall, encryption, and virus-scanning software isn’t enough anymore to stop the really determined cyber-criminals. The new name of the game is social engineering, using deception and false human connection to lure staff members into making a critical mistake. Sometimes, the scam isn’t even to get malware onto your computer, but rather to steal information directly from the employee themselves, tricking them into giving away important personal or account information about a customer or performing an action that they shouldn’t. In order to keep your employees safe, it’s vital that they are fully trained in data protection on every possible level.
1) Protect Line-of-Sight
Start by explaining that hackers aren’t the only criminals. People can and will come in under false pretenses, hoping to get a look at someone else’s account information. Guests claiming to be the spouses, friends, and family members of your customers may ask to check on information, then try to get a look at something else while the account is up on the staff member’s screen. There are several reasons why someone might want a peek at another person’s car dealership information including looking for financial information, an identity to steal, or stalking.
Because you can’t know who is scamming right off the bat, you are obliged to be helpful and go along with any reasonable requests but be very careful about line of sight. Never show someone another customer’s information and if your office door isn’t closed, don’t turn your monitor around at all just in case someone sees something from across the hall. Be aware of windows, people walking behind you, and reflective surfaces. Yes, scammers and stalkers get that devious to steal personal information; they are a cyber-security threat.
2) Never Answer Personal Questions
People will come in person, call you on the phone, and send you emails asking for information about accounts, cars, services, and customers. Naturally, the vast majority of these contacts will be business-as-usual but every staff member needs to be on their guard for the one call in two hundred that is loaded and dangerous. To be ready even if you don’t see a scam call coming, never ever give out personal information on customers or your fellow employees.
While most dealership staff understand that you can’t give out financial information, it may seem overcautious to reserve anything that might be found out from a business card, but be careful. If you have not triple-confirmed that the person on the other end of the line has legal permission to know what they’re asking, don’t share.
Hackers could be fishing for the answers to banking security questions or for tidbits of information to complete an identity theft. Scammers will be looking for phone numbers and email addresses to harass along with details that will ‘prove’ that they’re not scammers when asked. Finally, never forget that your customers’ personal lives are unknown and stalkers exist. If a customer has an ex-romantic partner or even just an overly pushy mother who wants their personal information, you don’t want your staff to have betrayed customer privacy.
Protect Personal Information
Personal Information Includes
- Names – If the caller doesn’t know, don’t tell them
- Phone Numbers
- Name of Bank
- Size of Loan
- Model and Color of Vehicle
- Anything you learned while making small talk
- Screen Names and Passwords
- Date of their last or next maintenance appointment
As a dealership, you process the vast majority of someone’s personal life, sometimes in a matter of hours, in order to help them find and finance new vehicles. From credit scores to background checks to personal banking account numbers, you have everything the hackers want and your staff needs to be on their toes to defend it and make sure that they are not vulnerable to Cyber-Security threats. They are responsible for handling reams of customer personal information and protecting the financial interests of every client who comes through your doors. This means keeping account information safe, even from people who claim to be the friends and family of your customers. Last time we talked about line of sight on staff computer screens and the reasons why personal data is so vital to protect. Let’s pick up on access to employee computers.
3) No Customer Access to Employee Computers
There are two kinds of computers in a dealership, those set aside for customers to manage their finances and buy insurance on, and those that employees use to sell cars and manage customer accounts. If it can possibly be helped, do not let customers use employee computers. These have software, data access, and possibly saved log-in information that could give customers access to information and actions they should not have.
Worse than accidentally letting a customer access your control software is the fact that not all hackers live in Russia. There are plenty right here in the states and they will absolutely take an opportunity to ‘phish themselves’ on your machine, quickly pop in a malware-riddled USB device, or find a way to email themselves data on your system. If a customer is allowed to use an employee computer, watch them very closely and do not, under any circumstances, allow outside data devices to be plugged into a dealership computer.
4) Never Open Email Attachments
Speaking of phishing, the current leading form of hacking and social engineering all tied into one. Phishing occurs when a hacker sends a false email with an infected attachment. The email either appears to be from a friend or coworker or it can pose as a message from a concerned “customer”. There are many different phishing strategies ranging from convincing the victim that the attachment is an important work document to thinking it’s a funny cat picture. The only thing in common is that the hacker must convince a staff member to click their infected link in order to spread the malware.
A lot has been done to try and prevent hacking but the best possible cyber-security measure is surprisingly simple. Simply never open an email attachment. Yes, you will need to send documents back and forth with banks, clients, and business partners, but you don’t need to do it by downloading documents locally. Instead, get hooked up with an online document manager (like Google Drive) that allows contacts to upload documents onto the cloud which staff members can read safely without downloading anything onto the local network. This keeps the network safe from phishing and your employees safe from embarrassment.
5) Two Forms of Confirmation
Finally, it’s important to remember that changes made to a dealership account by a dealership staff member can have enormous (cyber-security) consequences. Changing the status of someone’s lease account, starting a customer on a new service, or even just changing a customer’s registered contact information can wreak havoc if a mistake is made. Of course, it’s not always a mistake to blame.
First, it is possible that someone calling in the name of a customer is trying to make changes that will harm your customer. Second, there is a pro-phishing technique known as whaling in which hackers pose as a highly placed boss in order to get lower ranked employees to make hasty actions like transferring money or sharing business information. Third, mistakes happen, especially if two customers have similar names.
The solution to this is to always receive at least two forms of confirmation before making any major changes. If you get a message from your boss asking for a customer’s account information, call or ask them in person to confirm to make sure it’s not whaling. If a customer calls to change their information or arrange for a new service, send them an email to make sure that you’re talking to the same person who answers the registered email address. Always double-check with a second channel of communication.
A Better Mousetrap
A car dealership has everything that hackers, scammers, and even personal stalkers want, but this doesn’t mean you have to feel like a criminal target. Instead, see all the personal information your dealership handles as the cheese to a very large and complex mousetrap. The better trained your staff is for cyber-security threats, the more frustrated hackers and scammers will become as not a single attempt, even on your new hires, yields personal information or a malware victim. If you’re fast and get good at the cyber-security routine, you might even be able to turn a few would-be criminals over to the authorities. For more tips on cybersecurity and car-security, contact us today.