"I don't think it's a matter of not being breached," Linda Robertson, executive director of the Association of Dealership Compliance Officers, said of the threat to dealerships. "I think it's a matter of when."
Iannarelli, of Scottsdale, Ariz., said one risk for dealerships is business email compromise, where someone hacks into an email system and watches exchanges, including the flow of money, perhaps also sending fake money-wiring instructions.
Dealership employees have received fraudulent emails that appear to come from someone at the dealership asking them to buy a gift card, or from someone claiming to be the controller or CFO and requesting that the employee wire money, said Nachbahr, a certified information systems security professional.
In other attacks, a dealership employee may click on an email link or attachment, and a sophisticated ransomware attack can then lock up a dealership's computer operations for days or weeks, experts said.
In some cases, criminals will pretend to be a customer and ask a dealership employee to look at a file, such as one about a car they want to buy, and ask the employee to log in using Dropbox with their dealership username and password, Nachbahr said.
"It requires no hacking, really. You just stand up a fake website. So then dealership employees will go in, they will enter the credentials," Nachbahr said. "Then the cyber criminals will actually log in to their email boxes and set up a bunch of rules to forward all of their email."
Once they have access to an employee's email, they scour for personal information such as credit card or bank-account numbers.