All Ears Podcast | Fighting cybercrime and fraud at dealerships

Rick Lowe, Senior Vice President, and Aaron Lee, Senior Director, both in Ally’s Property & Casualty Insurance division, share how the shift to digital platforms has created vulnerabilities that cybercriminals are exploiting. They also discuss how dealers can protect themselves from these attacks.

Advertisement: It's time to take your dealership from zero to 100. From dedicated underwriter, and account executive teams to comprehensive training courses, Ally has the resources needed to take your business to the next level. Contact your local account executive today.

Steve Schmith, Automotive News: Hi, everyone and welcome to episode two of the All Ears Podcast, a 10-part series sponsored by Ally and produced by the Automotive News Content Studio. My name is Steve Schmith with Automotive News. I'll be your host over the course of this series where we'll delve into a number of topics that are reshaping the automotive industry. In each episode, we'll also hear from some of Ally's best thought leaders who will share their perspectives and offer their insights on how dealers and others in automotive retailing can navigate transformational changes underway in the business of making, selling and servicing vehicles. Our objective is to provide actionable insights that you can use immediately to run your business and offer perspectives to help inform your future business decisions. In this episode, we're speaking with Rick Lowe, senior vice president, and Aaron Lee, senior director, in Ally's property and casualty insurance division. Our topic is cybercrime and fraud and how automotive retailers and financial institutions' shift to digital platforms has created vulnerabilities cyber criminals are increasingly exploiting. What's the latest and what are some of the tips and best practices dealers and financial institutions ought to consider in their efforts to protect their customers and their businesses? We've caught up with Ally's Rick Lowe and Aaron Lee. Aaron and Rick, thanks for joining me today on the All Ears podcast. How are you?

Aaron Lee, Ally: Doing great, Steve. Thank you.

Rick Lowe, Ally: Very good. Thank you.

SS: Thank you both for taking time out of your schedules and joining us today. We have a very important topic of conversation, and that is the topic of cybercrime and fraud, particularly important as dealers continue to move towards digital platforms in response to COVID in serving customers and customers growing desire to do business on digital platforms. Aaron, let's start with you. In March, the FBI released its annual Internet Crime Complaint Center, and it showed a record number of cybercrime complaints in America in 2020, a 69 percent increase from the prior year. The FBI cited the pandemic had created new opportunities for criminals to try and take advantage of the growing reliance of technology. I'm curious, did we see that kind of increase within auto dealerships and the financial companies they work with?

AL: Yeah, thanks, Steve. The pandemic certainly introduced cybersecurity challenges to many organizations, particularly those that were not already positioned to have a remote workforce. Alongside protecting their own organization and employees, dealerships had to posture for also working with consumers who were also becoming increasingly digital and dependent on technology. Also with the indiscriminate or broad nature of most cybercrime, they're typically casting a pretty wide net, it's certainly reasonable to say that dealerships were included in that those numbers of the impact by this change.

SS: Rick, another thing that emerged from the FBI was a focus on phishing schemes and compromises to business email systems. Can we start with perhaps you explaining to our listeners what phishing schemes are?

RL: Sure, so a phish is designed to get you to click on a link or reveal confidential informations. So some of the characteristics of a phish would be it's going to include bait, if you will. So the content will be tempting. It'll be about pay or it'll be vacation related. Along with that will come an urgent call to action. So, "You must click on this link by 5:00 p.m. today, otherwise you'll lose PTO or vacation." So that link obviously is the way in for the cyber criminal and goes elsewhere.

SS: So being aware of what to look for is one way that dealerships can keep an eye out for these types of phishing schemes. Beyond those key words that dealerships can look for, are there other criminal tactics that they should be aware of? And what can dealers do to be more, more vigilant against these phishing schemes and these efforts to compromise business email?

RL: Yeah, so I think the other tactics may involve things like spearfishing, which is a different type of phishing that's attempting to get confidential information. So that's going to appear to come from a trusted or known source and it's going to ask you for business or personal confidential information. So we mentioned that education is the key to combating this. If you are the dealership or the company, you need to make sure that all of your employees are educated from the very first day of employment and they need to test for understanding and repeatedly have that training throughout the year.

SS: Aaron, it appears that another area that has revealed itself as something that is an area of fraud as a result of the pandemic is this notion of fraudulent information on credit and loan applications. What can dealerships' F&I teams do to protect themselves from criminal tactics like credit washing and creating synthetic identities?

AL: Yeah, thanks for the question. And for those that may be listening and are unfamiliar with some of these terms, I think it may have been touched on in a prior podcast, but I'll just give a real brief overview of what we're talking about. So you mentioned two things credit washing and synthetic identities. Credit washing is where an individual will go and dispute information or a negative report on their credit report in order to have it temporarily removed while it's being investigated, therefore, artificially raising their credit score with the with the idea that they can then qualify for better terms on a loan, whereas synthetic identities, these are created identities. They're made to look like real customers by using a blend of information, some that's real and some that's false, such as Social Security numbers, addresses and things like that. So both of these things, credit washing and synthetic identity fraud are inherently hard to combat, and they often run several layers deep. So due to the complexity, it really takes a technology-focused and multifaceted approach to attempt to prevent and detect this type of fraud. Since these are evolving problems, one suggestion is to regularly work with industry peers and law enforcement to ensure you're following modern best practices in defending against these threats, and as with all of these evolving threats, education is a key factor and best practice.

SS: Rick, I think we all know that dealerships have moved to more online sales and digital retailing. There are new companies out there that do this exclusively. Do you think the dealerships and the companies that they work with have figured out the I.T. systems, the procedures to successfully and safely handle these remote sales and deliveries? Do you think that they have a handle on how they prevent fraud in those areas?

RL: Yeah, thanks, Steve. Definitely, the industry has experienced several months of working with customers remotely, and I'm always impressed with how dealerships modify, you know, overcome the obstacles and work in the environment and are still successful. So I definitely think dealerships have been successful with online sales as far as the safety and handling practices before the pandemic. Customers have started to move towards digital services and remote options when that was available, so I really see the pandemic as being a force multiplier, if you will, and smart dealerships and providers, they've had it on their roadmap for a while now, and the pandemic really served to accelerate that timeline. So it's critical that the dealerships evolve and adjust their security posture accordingly, no matter the environment, because even working remotely or when they're back in the office is going to be critical. And I think your insurance provider, that would be a great source to assess your current state and review best practices.

SS: Thanks for listening. We'll be right back with more.

Advertisement: Want to run laps around your previous business goals? Ally has the resources and tools to help your dealership succeed. With dedicated underwriter and account executive teams, customized F&I solutions and comprehensive training courses Ally can help your business crush every lap. Ready to get started? Contact your local Ally account executive today.

SS: So we're 14, 15 months into this, to your point, dealerships had to move on this in response to COVID. We're doing this better. Dealerships, you know, you learn your practice, you do these things better. Are their tips, best practices, they things they can do now, things that they could be watching out for similar to the advice you gave or the tips you gave around the phishing and the email compromise, are there things to watch out for when it comes to this area of fraud and risk that would be insightful for our listeners?

RL: Yeah, I think there's some things that seem relatively simple, but not everyone does. So when you're through with work and you have a work laptop, specifically, it's a good practice to entirely shut down that work laptop and not leave that open or connect it to the business Internet.

SS: Aaron, let's turn to you for this area of increasing cyber crime, and that is ransom demands. We've had one recently when it came to a major pipeline in the United States. There have been some high profile attacks in the OEM space around Honda and the US operations for Hyundai and Kia. Are these ransom demands a serious threat to dealerships? And what does a dealership need to think about or do to prepare for an event like this?

AL: Yeah, Steve. Ransomware is certainly a serious threat to dealerships and a growing one. Many groups have commoditized their ransomware, and turned it into a service offering. The barrier to entry for this is low to cyber criminals. So that means that these these criminals can essentially rent ransomware for little to no cost, which ultimately increases the reach of that ransomware. Obviously, this type of attack can cause costly downtime, reputational harm and ongoing legal and regulatory costs. Protecting against ransomware requires a comprehensive and dynamic approach to cybersecurity as a whole and includes having a strong incident response plan. It's really important that dealers have a plan for how they're going to handle something before it happens, as opposed to trying to figure out what they're going to do in the midst of it. Even with robust protection measures, dealers still experience cyber attacks such as ransomware. And this is where a cyber insurance policy or incident response retainer is helpful for helping them navigate these things after a ransomware event if one does occur.

SS: Rick, cybersecurity at dealerships. How much of an issue is outdated hardware and software? And where can dealers turn to get some sort of assessment of the systems that they have in place now and what it might need to to get to a point that offers better protection, better monitoring, etc.?

RL: Sure. Thank you. Security researchers and most importantly, cyber criminals, they're always looking for and constantly finding new vulnerabilities in hardware and software. So having an outdated system that really widens your vulnerability or your organization's attack surface. So patching your computer system is critical. And what I mean by patching is that's when you make changes to the computer program or its supporting data, and that's really designed to update, fix or improve it. And that would include fixing any security vulnerabilities or bugs. And certainly that's a never ending process. It's not just a point in time effort. However, patching your computer alone would still leave you vulnerable to possible threats introduced. So I would recommend that dealers have an outside party assess their security. That outside party would review internal technology. They'd ascertain the effectiveness of their current vulnerability management programs and whether there's a need for a patch or possibly an entirely new system. So for dealers that purchase something like cyber insurance coverage through Ally, a security assessment like this is included as a service.

SS: Aaron, let's close with a point of view around employees who are increasingly working remotely. They are working from home. They are meeting customers in places other than the dealership lot to deliver and complete the transaction. How much of a vulnerability, how much risk is there in employees using personal phones, computers, tablets to do this work? Any special concerns in terms of data security and what should dealers be aware of and what should they be doing to prevent those types of problems?

AL: Yeah, Steve, when it comes to increased exposure from employees using personal equipment to conduct business activities, it certainly opens up a lot more cybersecurity risks for the organization or for the dealership. When the pandemic hit, a lot of organizations faced increased cybersecurity challenges involved with this remote work. Again, having a situation where they suddenly have to figure out how to do things with everybody at home. And this included, obviously, dealerships across the country. To stay secure in a remote environment, organizations should consider extending the traditional protection offered inside the office to their remote workers. So that means giving them a way to plug into and access the company network, while they're remote or at home using a dealership computer that's been vetted through I.T. and has all those patches and things that Rick was talking about, as opposed to having employees working on their personal devices and computers. This is an area where organizations are combining the technology solutions with security awareness. So another piece of it, again, comes back to education, making sure that employees are aware of what type of risks are being opened up by using personal devices. If dealers are just getting started in this type of initiative, it's really smart to work with industry peers and law enforcement for, again, more resources on best practices in transitioning that.

SS: Aaron and Rick, thank you for joining me today on the All Ears podcast. Very insightful and great tips and best practices that dealers ought to be thinking about and implementing as they continue to thwart cybercrime and fraud and continue to protect consumers and their employees. Thank you for joining us.

AL: Thanks so much for having us, Steve.

RL: Our pleasure, Steve. Thank you.

SS: That's a wrap on the second episode of the All Ears podcast. Stay tuned for future episodes in this series designed to help those working in automotive retailing navigate the road ahead. On behalf of Ally and the Automotive News Content Studio, thanks for joining us.