No, your employees aren’t allowing attackers past your defenses on purpose, but attackers have gravitated toward social engineering as their “way in”, knowing that many businesses trust things inside their firewalls. By social engineering, we are referring to emails, phone calls, social messaging, insecure passwords, rogue USB thumb drives, etc.: basically anything a normal employee might access while connected to the dealership network. That makes these attacks hard to detect and protect against, especially as it is normal for employees to use these tools WITH EXTRA PERMISSIONS. Here are some of the most common attack methods being used today:
1) Phishing/Smishing/Vishing/Spear Phishing/Whaling: These are all attacks that use messaging as their delivery method. Phishing refers to sending a generic email that seems to be legit, asking you to click on a link or open an attachment, which opens the back door to the attackers. Smishing is the same, but using social messaging (Facebook, text messages, Twitter, etc.), while vishing refers to fraudulent phone calls, often claiming to be from the government or a bank. Spear phishing attacks are targeted phishing attacks that are less generic and more specific: usually the attacker has done some reconnaissance to gain inside knowledge of a person or company, and crafts the email to look even more authentic by calling the person by name, mentioning the dealership name, or referring to another employee…all info which can be found on the dealership’s website. Whaling is another form of spear phishing, but is targeted at senior management of companies (i.e. the big fish), as there tends to be more to gain by attacking them.
How to protect yourself: a good healthy level of common sense and paranoia is key. If it looks or sounds funny, it probably is. Follow up on suspect emails by calling the “sender” to see if they really did message you, check for spelling/grammar mistakes, ask for more proof that the sender is really who they claim to be, and consider whether they are asking for something out of the ordinary.
2) External Media/USB drives: So you are walking through the dealership lot and notice a USB thumb drive on the ground. Of course, wanting to find the owner, you plug it into your computer to see if there is anything on it to identify the person, right? Well, just like CDs and DVDs in the past, Windows likes to use autorun to automatically launch a program when you insert the USB key into your computer…and a malware app can load in the background without you knowing. Maybe you’ve disabled autorun on your computer, and that’s good. However, there is a file on the USB drive that looks enticing, maybe called “Payroll2021.xlsx” or “[insert competitor name]SalesLeads.xlsx”. Who wouldn’t be tempted to take a peek, right?
How to protect yourself: as above, a good healthy level of paranoia is a bonus here. Ask yourself: would someone actually copy sensitive data like that to a USB key and just leave it lying around? Like a fish, they are luring you with attractive bait…don’t bite.
3) Insecure Passwords: We all know it’s hard to remember passwords, especially ones that are complex. So we write them down (maybe under the keyboard), or we use ones that are easy to remember (e.g. “Spring2021”), or we use ones with personal info in them (your birthday or anniversary, etc.) that can be found on your social media (Facebook, etc.). Attackers use simple programs (that are freely available, by the way) to test/crack passwords using lists of actual passwords that have been collected in breaches. One website that checks passwords to see if they have been compromised currently has over 11.6 BILLION passwords in its list. So you think yours is really secure??
How to protect yourself: use a complex password, of course. Think more like “passphrases” that deliberately use poor spelling (e.g. “sUp3rsT@r-S@lesgUy”) or link multiple unrelated items together (e.g. “gOat1776Twinkie”). Easy(er) for you to remember but almost uncrackable by the bad guys.
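
As an added illustration (not part of the original article), here is the kind of screening an IT administrator could run when a password is set, to catch the weak choices described in item 3: passwords found on a breach list, season-plus-year patterns like “Spring2021”, and personal info. The sample list, the function names and the SHA-1 storage format are assumptions made for this example.

```python
import hashlib
import re

# Constructed sample standing in for a breached-password list (assumption:
# the list is stored as SHA-1 hashes rather than plaintext).
SAMPLE_BREACHED = ["password", "123456", "qwerty", "letmein", "spring2021"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_BREACHED}

# Character swaps that cracking wordlists routinely account for.
LEET = str.maketrans("013457@$!", "oleastasi")

# Season or month name followed by a 2- or 4-digit year, e.g. "Spring2021".
SEASON_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter|january|february|march|april|may|june|"
    r"july|august|september|october|november|december)\W*(19|20)?\d{2}\W*$"
)


def candidate_forms(password):
    """Password as typed, lowercased, and with character swaps undone."""
    lowered = password.lower()
    return {password, lowered, lowered.translate(LEET)}


def screen_password(password, personal_info=()):
    """Return the reasons to reject a password; an empty list means none found."""
    reasons = []
    forms = candidate_forms(password)
    if any(hashlib.sha1(f.encode()).hexdigest() in BREACHED_SHA1 for f in forms):
        reasons.append("breached")
    if any(SEASON_YEAR.match(f) for f in forms):
        reasons.append("season-or-month-plus-year")
    # Personal info: names as substrings, dates compared digit-for-digit.
    pw_digits = re.sub(r"\D", "", password)
    for item in personal_info:
        word = item.lower()
        item_digits = re.sub(r"\D", "", item)
        if (word.isalpha() and word in password.lower()) or (
            len(item_digits) >= 4 and item_digits in pw_digits
        ):
            reasons.append("personal-info")
            break
    return reasons
```

An empty result only means none of these checks fired; it is not a guarantee of strength.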
Naturally, there are other types of attacks, and they can’t ALL be listed in a single article, but these 3 are probably the “Top Performers” as attack vectors these days. Fix all 3 and you are well on your way to not becoming the weak link in the IT Security chain. Stay safe!