Michigan Auto Dealerships Are at Risk of Cyber Attacks During the COVID-19 Crisis—Here’s How to Combat Against the Threats

Monday, April 20, 2020

Auto dealerships are, unfortunately, a favorite target of cyber criminals because they collect, process, and store large quantities of sensitive customer data across their various technology networks.

In December, 2019, Automotive News reported that, “On an average day, 153 viruses and 84 malicious spam emails are blocked by technology on a dealership’s network.” However, not all attacks can be stopped, and auto dealerships are among the growing number of companies suffering losses from cybercrimes. Cybersecurity Ventures, a leading researcher in the field, forecasts that the worldwide annual cybercrime damages will reach $6 trillion by 2021.

The COVID-19 crisis has exacerbated the problems and increased the risks of cyber attacks for auto dealerships. Throughout much of the country, dealerships have been forced to close their showrooms because of stay-at-home orders, but have been allowed to keep their service departments open. In Michigan, Governor Gretchen Whitmer issued Executive Order 2020-21, which went into effect on March 24 and required Michigan dealerships to close their showrooms and stop all sales, but allowed essential repair and maintenance services to continue.

On April 9, Governor Whitmer issued Executive Order 2020-42, which extended her previous stay-at-home directive until April 30, but opened the door for dealerships to begin selling cars again, albeit remotely. Executive Order 2020-42 provides that, “Workers at motor vehicle dealerships who are necessary to facilitate remote and electronic sales or leases, or to deliver motor vehicles to customers, provided that showrooms remain closed to in-person traffic.”

The fact that Michigan dealerships can ramp up sales again is great news for an industry already suffering from the economic downturn. But trying to sell cars through a network of salespeople working from home poses a number of potential security and privacy risks.

As sales teams shift to remote-working environments, it is imperative for dealerships to review security processes and procedures related to remote access of their dealer management systems. Cybercriminals are not only aware of, but also actively targeting workers who are remotely accessing confidential and sensitive information.

Recent news reports and industry experts have highlighted the fact that cybercriminals are leveraging the confusion and chaos around COVID-19 to mount cyberattacks. According to a study conducted by Check Point Software Technologies Ltd., coronavirus-themed domain registrations are 50% more likely to be from malicious actors. One specific example involves websites that impersonate the COVID-19 tracking map maintained by Johns Hopkins University. These malicious websites are embedded with malware that allows hackers to steal user credentials (e.g., employee ID/passwords) or download additional malware to the employee’s system that could further infect a corporate server.

The risks are real, and the threats are growing daily as the fear of the virus intensifies. From phishing attacks to dangers stemming from employees conducting work using personal electronic devices, dealerships must be more vigilant than ever to guard against a breach. Notably, many dealerships don’t have cybersecurity privacy policies in place for remote-working employees. However, to the extent they want to sell vehicles while Michigan is on lockdown, dealerships have no choice but to have their salespeople work from home. There are a number of steps dealerships can take to help mitigate the risks of falling victim to a cyber attack.

Phishing Attacks

A “phishing” attack involves an attempt by a cyber criminal to obtain sensitive information, such as usernames, passwords and credit card details, through a fraudulent email. The email may direct a recipient to enter personal information at a fake website that mimics a legitimate site, or it may include an attachment that downloads malicious software onto the recipient’s computer.

Before the COVID-19 crisis, phishing attacks posed a real risk to dealerships. For example, Automotive News reported that in January, 2020, the Arrigo Automotive Group in West Palm Beach, Florida, suffered approximately $500,000 in losses due to its computer system being crippled as a result of an employee opening a phishing email that appeared to come from a coworker. The COVID-19 crisis has only heightened the risk of such attacks, particularly for those working from home.

Last month, the U.S. Secret Service issued guidance around coronavirus-related phishing scams. “Cybercriminals are exploiting the coronavirus through the wide distribution of mass emails posing as legitimate medical and or health organizations,” according to the guidance.

“In one particular instance, victims have received an email purporting to be from a medical/health organization that included attachments supposedly containing pertinent information regarding the coronavirus. This led to either unsuspecting victims opening the attachment, causing malware to infect their system, or prompting the victim to enter their email login credentials to access the information resulting in harvested login credentials.”

For instance, one reported phishing lure involved savvy criminals impersonating the World Health Organization (WHO) to trap remote employees. By preying on the urgency of the current COVID-19 crisis, the criminals have been successful at luring remote employees into clicking on a link, which results in malicious software being downloaded to the employee’s computer.

To help ward off threats, dealerships should develop and implement processes to help notify and train employees to be on the look-out for such phishing attacks, and remind employees to:

  • Be cautious about any coronavirus-themed email that seeks personal information such as passwords or Social Security numbers. Government agencies and companies do not send emails requesting private and confidential information. The safest response is no response. Remind employees that, to the extent they receive a suspicious email, they can validate the email’s authenticity by calling the government agency or alleged corporation sending the email.
  • Always verify the email address before downloading or clicking on a hyperlink. For instance, remind employees they can inspect a hyperlink by hovering the mouse pointer over the link to see where it leads. Most times it will be obvious whether the web address is legitimate or not.
  • Always look for the tell-tale signs of spelling and/or grammatical mistakes within the email. Most phishing emails are created haphazardly and include spelling, punctuation, and grammatical errors.
  • Look for generic greetings like “Dear sir or madam” or “Dear ”. Phishing emails are usually sent out in bulk and will not include an employee’s actual name.
  • Don’t feel pressured to act on an email that insists upon immediate action. Phishing emails try to persuade you to take action without fully considering potential risks.
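Several of the checks in the list above can also be run automatically against incoming mail before it reaches an employee. The following Python code is an added example, not part of the original article; the indicator names, keyword patterns, and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample message; every domain uses the reserved .example TLD.
SAMPLE = '''From: "Health Agency" <updates@health-agency-alerts.example>
Reply-To: collect@mailbox.example
Content-Type: text/html

<p>Dear sir or madam, act immediately: confirm your password at
<a href="http://login.portal.example/ha">https://www.health-agency.example/safety</a></p>
'''
TEXT_RULES = {  # assumed keyword patterns, illustrative rather than exhaustive
    "generic_greeting": r"dear\s+(sir or madam|customer|user)\b",
    "pressure_to_act": r"\b(immediately|urgent|act now)\b",
    "asks_for_private_data": r"\b(passwords?|social security)\b",
}

class Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self, html):
        super().__init__()
        self.links, self.href, self.text = [], None, ""
        self.feed(html)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data if self.href is not None else ""
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, self.text.strip()))
            self.href = None

def host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def phishing_indicators(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()
    found = {name for name, rx in TEXT_RULES.items() if re.search(rx, body, re.I)}
    sender, reply = (parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
                     for h in ("From", "Reply-To"))
    if reply and reply != sender:  # replies would go to a different domain
        found.add("reply_to_domain_differs")
    for href, text in Links(body).links:  # shown text vs. what hovering reveals
        if re.match(r"(https?://|www\.)", text, re.I) and host(text) != host(href):
            found.add("link_text_differs_from_target")
    return sorted(found)
```

A message that trips several indicators at once is a reasonable candidate for quarantine or a warning banner; any single indicator on its own also appears in legitimate mail.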

Risks Related to Use of Personal Devices

Remotely working employees may be accessing and transmitting sensitive data from unsecured networks, which are more vulnerable to attack. As a result, dealerships are at greater risk of exposure, along with liability stemming from state, federal, and/or international privacy and data notification laws should sensitive data be exposed. Risks are compounded to the extent employees use personal devices to conduct company business. But there are steps that can, and should be, taken to minimize the risk.

For instance, remote employees may attempt to download or use tools on a work-based computer. But allowing employees such unfettered permissions is ill-advised given the volume and variety of malicious software available. Bad actors need just one unsuspecting employee to provide backdoor access to a dealership network. Dealerships should devise policies that define which software remote employees are permitted to download and install on a remote computer.

Dealerships should also employ security systems that allow remote employees secure access to sensitive corporate data, information, or remote applications. For instance, dealerships should, at a minimum, employ a virtual private network (VPN) to secure data and communications between a remote employee’s computer and the dealership’s network. Alternatively, a dealership could employ a zero-trust network (ZTN), which may include multi-factor authentication or push notification authentication to approve or deny access.

While VPNs are still widely used to provide network security for remote employees, it has been reported that ZTNs are a much safer approach because they treat everyone equally as untrusted. Given the current crisis, and the possibility of a greater remote workforce in the future, providing zero trust for all remote employees is advisable since it takes just one mistake by a remote employee to provide a malicious actor access to your system.

Conclusion

With more employees working remotely, it is critical that dealerships be more vigilant than ever in the development and enforcement of cybersecurity and data privacy policies. Dealerships should communicate and reinforce cybersecurity policies clearly and frequently—and conduct remote training as necessary—to encourage adherence to them. Doing so will help guard against a costly data breach.