Helion tests 125 dealership employees with ‘spear phishing’ cyber scam


Helion Automotive Technologies has a new data security warning for auto dealerships because in recent weeks spear phishing hackers have been busy planting malware inside of social media posts designed to lure employees of organizations to click on the post.

Dealership employees are ideal targets for spear phishers looking to grab Personally Identifiable Information (PII) and bank account information, according to Helion.

"This is the same spear phishing scheme that hackers have been using successfully in targeted email messages for several years now," Helion president and chief executive officer Erik Nachbahr said in a news release. "The problem is that although most employees have been told and know not to click on emails from people they don't know, they don't think twice when it comes to clicking on a message or offer in their Facebook . They are more trusting in a social media environment."

If employees take the bait of hackers and click on infected links, malware can be downloaded onto the employee's computer compromising the entire organization's network, the information technology solutions for auto dealers said.

Helion recently conducted a phishing test at an auto dealership by sending emails to 125 employees where three employees took the bait. When prompted by the website the email drove them to, they entered both their usernames and passwords.

If the attack were in fact real, the consequences could cost a dealership thousands, Helion said.

"That test was a good sample that revealed auto dealerships are very vulnerable to this type of attack and need to do a better job at educating their employees," Nachbahr said.

Nachbahr’s tips for preventing a spear phishing attack:

  • Instruct employees to never click on links in social media posts and messages from their computers or personal devices while at work
  • Require employees to change their network login passwords every 90 days
  • Encourage employees to keep social media profiles private and don't accept friend or connection requests from people they don't know
  • If employees receive a phone call, email message or social media message from a banking institution, vendor or other entity that asks for personal information, do not give this information verbally or via email, but the institution directly
  • Get cyber liability insurance, which covers costs associated with a data security breach and loss of data
  • Regularly apply software updates to Microsoft Windows, Internet Explorer and all software applications on every PC

Today's top headlines