‘We have a dealership getting hit roughly every other week:’ Thomas


For all the benefits the Internet has brought to dealerships and the car shopping experience, it is important to acknowledge the world of threats that has also developed in this digital universe.

While most dealers will have some form of physical security in place, many experts suggest a high percentage of Canada’s automotive retailers are not taking the online security threats as seriously as they should.

Sean Thomas is the lead solutions architect at A&R Solutions and boasts over 20 years of IT experience. As A&R’s resident expert on servers, recovery, email systems and security, he has an amazing perspective on the host of serious digital disasters that could be lurking in an innocent-looking email attachment or hyperlink.

Canadian AutoWorld recently sat down with Thomas to discuss some of the new schemes hackers and thieves are using to attack dealerships.

I have heard wire-transfer fraud is a growing threat for car dealerships. Can you explain the process?
A hacker will email the controller as the dealer asking for a wire transfer to some location. They have either registered a domain name to get an email that looks, at first glance, to be exactly like the dealer’s real email – it might have an extra letter in it or be a .co instead of .com.

The thief will have exactly the same email signature as the dealer and will have used the company website or LinkedIn to find out who the controller is. They have it all set up, the grammar is correct and they’re not getting greedy.

Many are asking for around $10,000 to be wired to an account to pay for a new purchase or something and the controller won’t even think twice about it.
Some dealers might request half a dozen wire transfers a day so the controller likely won’t be surprised at the request.

What are some of the red flags for wire transfer fraud?
We’ve seen some instances where they request a transfer for $100,000 and the red flag goes up right away. Other obvious signs for the controller would be if the transfer were going to an odd place like an account in Asia or something similar.

Another red flag could be a small thing that seems slightly out of sorts.

We had one the other day where the email to the controller called her by her full name. The two had known each other for decades and the dealer had always used a shorter version of her name.

There are some controllers who feel almost scared to call the dealer and confirm the payment. Picking up the phone and asking a quick question could save everyone a major headache and thousands of dollars.

How often is this kind of fraud happening?
We’re seeing this scam at dealerships a couple of times a month. The thieves are doing their homework and making these scams look very real. And I can see this type of scheme going further.

If they have an email that looks exactly like the dealer’s, why not email the sales staff and say you want them to gas up a vehicle, put a plate on it, leave it at the dealer’s house and put the keys on the tire? Who’s going to say no to that?

Say it’s a dealership group with 25 stores. No one is saying no to a request like that from the dealer principal.

The thief just has to wait down the street, watch them drop the car off and leave, then he can jump in and take off. It will likely take a few days before anyone figures out what happened and by that time it’s been stripped or put on a cargo container.

This is where I think we are going to see people abuse dealerships. It’s with this little stuff.

I have heard from dealers that some people have been stealing deal jackets right from inside the dealership.
That is definitely an up-and-coming threat. A deal jacket has everything you would want on that person. It contains all the information to open a credit card, a bank account; it has the customer’s credit rating, address, where they work. It contains everything.

Deal jackets are left on desks and dealers don’t really have cameras inside the building. A smart and sly thief could slip into an F&I office, grab two deal jackets and get out quietly.

Rumour has it that a stolen deal jacket can be sold on the black market for anywhere from $5,000 to $10,000. This is identity theft at a whole new level and some dealers can be sloppy.

Give us a snapshot of the current ransomware situation at the dealer level.
We have a dealership getting hit roughly every other week. They encrypt all the files on that computer and the network that computer has access to. The dealer has to pay a ransom to unlock those files.

We’ve worked with two recent dealerships that paid the ransom – one got their files back and the other didn’t; the latter lost about a decade’s worth of files.
Ransomware gets worse by the day. It is ever evolving and many are ahead of the anti-virus companies. You see major companies getting hit constantly and car dealers are low-hanging fruit.

For the dealers you know who have been victims of ransomware, how much money are the hackers demanding?
It’s usually $1,000 to $1,500 per computer. Most dealers will only pay for the people whose files are the most important like a controller, manager or accountant as opposed to the entire sales force.

For the most part, salespeople live on the web, anyway. Their email should be hosted with Microsoft or Google and the CRM and DMS are within the larger systems already.
They really shouldn’t have a lot of documents saved locally.

The ransoms have to be paid in bitcoin, which is a digital currency that can be very hard to get. The value has ballooned tremendously this year making it even harder to accumulate. (1 bitcoin was worth over $5,000 Canadian dollars as of press time).

What does a dealer do if they lose all their files?
Start again.

The problem with ransomware is that it encrypts one computer, but if the computer has access to drives, it encrypts all of those, too. That’s where it can get really bad. If you have a dealer principal or a controller who has access to all of those drives, it can encrypt everything.

The only thing you can really do is back up your files regularly; they are your last and final resort.

What are the best practices for saving back-up files?
If you store them on a network device, you have to set it up so that when it backs up, it does it behind the scenes, so to speak. If you back up directly to it, ransomware will see that and your backups will be toast.

Those backups also have to be offsite to the cloud. If your computer is hit, we can restore it from the cloud easily.

Are there a few key areas to focus on to improve security?
Training is key but the high turnover in sales departments doesn’t help. Dealers are constantly training people and warning them about the dangers of an attack like this.
Most times, these emails look legit and like they came from somebody you know.

Hackers are starting to realize that they can go after dealerships because many are not relying on a proper IT company or have developed a great in-house IT department. This is a vital department and should not be done by the owner’s nephew or the parts manager. Dealerships are low-hanging fruit and odds are they are going to pay because they are cash-heavy small businesses and they rely on their files so deeply.

We have some clients who spend a ton of money on IT and they will likely never fall victim because they have layer after layer of security. For those who don’t dedicate the resources, it might not be a matter of if they get hit, but when and how bad it is.