You want to balance your inventories. You have twenty more new vehicles than you need. Another dealer says he wants them. You do the deal, he picks up the vehicles, and you do not get paid. The dealer says he sent you a wire transfer for three-quarters of a million dollars, but you never received it. Your floorplan source is demanding the vehicles be paid off. What went wrong?
If you are like one of two Midwest dealers involved in a recent lawsuit, you may be the unfortunate victim of a cybercrime. In a Midwest lawsuit, a dealer arranged through its inventory manager to sell twenty Ford Explorers to another Ford dealer. After the arrangements were made through email, and the vehicles were shipped, the buying dealer received emails about payment from a slightly different email address that began with a simple message: “Due to some tax related procedures, we will prefer a wire transfer, let me know when you need wiring instructions?”
Unfortunately, those payment emails were sent by a Nigerian fraudster who hacked into and took up residence in the selling dealer’s computer system. He provided wire instructions to his account, the money was wired by the buyer to the real bank account set up by the fraudster, and then the account was immediately emptied.
Both dealers were victims. However, the federal judge considering the case had to choose a winner and a loser, and he ruled that the buying dealer must pay the selling dealer $735,225.40, meaning the buying dealer has lost nearly three-quarters of a million dollars.
This case has important lessons for all dealers.
Motor vehicle dealers engage in large dollar transactions, and they are targets of hacking. The FBI has reported that from 2013-2016, known losses for a cyber crime called Business E-mail Compromise (BEC) totaled over $5 billion worldwide. The scam is carried out when a fraudster utilizes social engineering or hacking techniques to compromise business e-mail accounts and swindle unsuspecting employees into making fraudulent wire transfers. These criminals appear to indiscriminately target companies—big or small—and use money mules to clean the account before anyone can discover what transpired.
How does this scam work? The scam artist’s goal is to hack your e-mail account and either take control or use a spoof account to deceive your vendors, sellers, or employees into wiring funds to an account controlled by the criminal. To access an e-mail account, the criminal can utilize numerous techniques.
- Man in the Middle in which the fraudster intercepts communications, and steals credentials or other sensitive information;
- Spoofing: in which the fraudster creates a fake, albeit similar, e-mail account to impersonate and fool victims;
- Phishing: which involves the perpetrator sending an e-mail with a link to a recognizable—but fake—website, prompting the recipient to enter his or her credentials, or an attachment containing a malware program.
If your e-mail is compromised through hacking, sophisticated con artists can lay dormant for weeks, evaluating the company’s vendors, accounting systems, employee communication styles and travel schedules. They end up looking like you, writing like you, and joking like you. They may impersonate the dealer and send employees “urgent” wire transfer requests or wait for a deal to develop and hijack the conversation to redirect payment. They may even inject themselves between you and your bank to intercept credentials and redirect, or create additional, wire transfers.
The aftermath of the crime is generally a mess. The seller blames the buyer, the buyer blames the bank, the bank blames both, and insurance companies rely on complicated policy exclusions to avoid paying losses.
Unfortunately, this scam is not going away soon. The FBI reported that between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses. And this scam can affect individuals’ lives, including the hacking of realty transactions and court settlements. Title companies and lawyers have been victimized so frequently that many will not accept emailed wire instructions without verifying them by phone.
So what do you do?
No technique or technology is secure, but creating a layered wall around your business can help prevent and deter scammers.
Make sure your computer protections are state of the art and constantly updated. Scammer techniques are constantly updated, and their abilities are augmented by rapidly changing technologies. You can only keep up by requiring your computer vendor to maintain state of the art protections and by following directions for implementation and use.
Employee awareness training is a crucial aspect of any cyber security umbrella. Employees must know of crimes like BEC and the related infiltration techniques. They must understand that a company that is a victim of a cybercrime can be crippled or destroyed, leading to the loss of jobs.
Regularly monitor employee use of protections. Have your computer vendor develop protocols to protect against hackers. These are not difficult. One can find suggestions throughout the internet such as do not share passwords, do not write down passwords, do not click on links in emails from unknown senders, etc. One can implement those suggestions. But how often do you go, or have someone go, desk to desk to see if employees are paying attention. The first time you do, you will be horrified to see how many passwords are written on stickies or on blotters, how often passwords are shared, and how susceptible you are to employees clicking on phishing links. This must be handled like any other management challenge – set standards, train, monitor, and discipline for violations.
Be especially careful of wire transfer scams. If you are selling, establish immediately the method by which you will be paid. In each email you send or document you create, use a message warning against fraud, such as: “Because of the possibility of fraud, only accept payment directions such as wire transfer instructions if you personally verify the information by a telephone call to our publicly advertised phone number.” If you are the buyer, never accept payment directions, such as wire transfer information, without calling a known person at the seller using the publicly advertised phone number.