

Click on this link to a KPMG management workshop paper on prevention of cyber fraud in car dealerships


TRADITIONAL forms of fraud are bad enough. An employee with their fingers in the till is both costly and damaging to any business. But old school forms of theft and embezzlement pale in comparison to the destruction that can be wrought by a computer hacker.

A typical car dealership is a big enough business to make a hacker’s efforts worthwhile, particularly when the sensitivity of some of the information kept in its archives is considered.

Think about the details that live in the dealership management system (DMS) and customer relationship management (CRM) application. Hackers will seek to target any or all of the following information and use it to perpetrate frauds on either the dealer or their customers.

  • Repair order data including customer’s name, address, phone and credit card numbers
  • Login details for PCs and mobile devices that allow access to customer information such as credit reports, credit card numbers, copies of driver’s licenses, vehicle insurance information and tax file numbers
  • Customer bank account and BSB numbers
  • Dealership bank account and BSB numbers
  • Access to copiers and scanners that may contain hundreds of thousands of stored digital documents, and
  • Login details to the DMS to mine data including employee payroll information, tax file numbers, bank account details, addresses, phone numbers and email addresses.

Nor does a business’s IT system have to be actually penetrated to lose valuable information. A technique known as ‘phishing’ usually takes the form of an email that appears to come from a legitimate entity or person, such as a bank or supplier.

The message contains a link that takes the victim to a fraudulent website, one that might look exactly like your bank’s site, for example, where the user is prompted to provide login information, which is then used by the hackers to access the dealership’s real bank account.

A method known as ‘spear phishing’ takes the scam one step further by targeting specific individuals within an organisation. In dealerships, typically this is the controller or someone in accounts.

The employee receives an email that appears to be from the dealer principal or general manager, with a request and instructions on how to wire money to an account.

Typically this is accompanied by a confidential email saying a private deal is being completed and that no-one else should be notified or consulted.

Steve Bragg is currently director Motor Industry Services for KPMG, but before that was chief financial officer for a large trucking distributor and retailer. He has plenty of experience in detecting and combating fraud, cyber or otherwise.

“Recently one of my clients was attacked using a spear phishing technique,” Mr Bragg told GoAutoNews Premium.

“The attack started with the accounts payable clerk receiving an email from a major supplier to update the bank details. The email came from the supplier’s email address and looked legitimate.

“The accounts payable clerk updated the banking details in their DMS on the same day after calling the number on the email to confirm the changes. Sixty days later, the supplier chased the dealership for payment.

“After investigation and discussions with the supplier the dealership’s administration team identified that the bank account changes were not legitimate or initiated by the supplier.

“Two months of payments amounting to thousands of dollars went to an account in Australia set up by a ‘mule’ which then immediately transferred the money to Russian bank accounts,” Mr Bragg said.

The matter was referred to the Australian Federal Police and none of the money has been recovered.

Those who perpetrated this fraud identified dealership accounting staff on LinkedIn or other social media using a simple Google search. They then identified a major supplier in the dealership staff’s connections on social media.

The final step was cloning the email of that supplier and providing the Australian bank account details of their local intermediary. The crooks also changed the contact number on the email so that when the accounts payable clerk called to confirm the changes they spoke to the hacker’s associate.

According to Steve Bragg, early detection and prevention of these attacks is key in protecting a business.

“Along with the basics, such as not clicking on links in emails from people you don’t know, there is a series of procedures and checks that can vastly reduce a business’s susceptibility to fraud,” Mr Bragg said.




By Daniel Cotterill
