Pub. 3 2024-2025 Issue 1

attacks, scammers trick employees into providing sensitive information, making fraudulent payments or opening email attachments that contain malware. Criminals can then enter a system and gain access to sensitive data or impersonate another member of an organization.

Regularly review your online user entitlements to make sure rights are legitimate and appropriate. Not all users need access to everything, particularly personally identifiable information such as your customers’ Social Security numbers.

Accounts payable and treasury teams are primary marks for BEC since they manage and approve outgoing payments. Other attackers target legitimate, outsourced service providers or vendors to get into an organization’s systems, or pose as a new vendor to obtain fraudulent payments. Synthetic fraud based on false identity is an increasing threat as well.

Be Alert to Synthetic Fraud

Synthetic fraud is on the rise at auto dealerships, up 38% in 2023.¹ Criminals use stolen or “synthetic” identities to facilitate vehicle theft by securing approval for a loan in someone else’s name. Synthetic fraud combines information available for purchase with stolen or falsified documents to “prove” an identity.

Don’t let today’s decisions lead to surprising repercussions.

RECOGNIZE COMMON RISKS QUICKLY

Auto dealers identified email phishing, including BEC, as the most prevalent cyber threat in 2023.¹ Other top threats dealers experienced in 2023 included (in descending order):

1. Ransomware.
2. Infection by PC viruses and malware.
3. Theft of business data.
4. Criminals enter email and systems using stolen or weak passwords.

Regardless of the method, it’s important to uncover and remedy a problem as quickly as possible. Fraud doesn’t always trigger immediate alarm bells, but the longer it’s left undetected, the higher the risk it presents.
A recent survey showed that organizations identified 31% of reported fraud incidents within one to four weeks, while 22% took a month or more to discover.³ Early detection is important, but preventing fraud and cybercrimes from happening in the first place is ideal.

All major dealer management systems provide a daily reconciliation module, which is an effective tool to catch fraud faster. As an example, it recently took a dealer 45 days to identify a fraudulent attack, which could have been found in 10 minutes if they had reconciled their account.

SHORE UP YOUR DEFENSES

Auto dealers, like all businesses that handle consumer financial data, must comply with the Federal Trade Commission’s Safeguards Rule, which took effect in 2023. Your defensive actions should align with the security measures you’ve already taken for compliance with the Safeguards Rule. Consider people, processes and technology to create a comprehensive plan.

People are your first line of defense. Make employee education a top priority. Train all staff to recognize the latest social engineering schemes and follow these security basics:

• Don’t open suspicious emails or unexpected email attachments.
• Be cautious when sharing personal or dealership information online.
• Conduct online business via secure networks and internet connections only.
• Verify any suspicious requests that purportedly come from staff, vendors, suppliers or other business partners.
• Design financial process tasks to maintain strict segregation of duties: the staff member who initiates a task should never be the same one who approves it.

Processes to safeguard company finances are another critical defensive measure. Start with the payment methods you choose. When possible, replace checks with a more secure medium, including credit cards, ACH and Real-Time Payments (RTP®). And always store checks safely, even canceled checks.

Fast action is important if your dealership undergoes a significant cyberattack.

THE GENERATOR
