In this article, we’re goin’ phishing.
And no, I don’t mean the kind of fishing that involves rods, reel, and bait. I’m talking about phishing with a “ph” – those emails or text messages that try to induce you to surrender your account information or, worse for your agency, click on a link that results in malware infecting your computer network.
Phishing attacks are a kind of social engineering – convincing people to behave in a particular way. Social engineering is far and away the greatest threat to the security of computer networks. These types of attacks account for 70-90% of all computer attacks. Unpatched software is the next most common threat, at 20% or more. Your IT manager can handle the unpatched software issue, but you can do something about phishing.
The first thing you need to do is recognize a phishing attack when it appears in your inbox. Everyone’s heard about the Nigerian Prince email scam, which has been around for well over a decade. Despite being obviously phony, as recently as 2019, Americans reported losing over $700,000 to this scam, and most current phishing attacks are far more sophisticated.
Phishing emails and text messages are designed to look like they came from sources you know and trust. I’ve gotten emails from Bank of America that look like the real thing. Unfortunately for the phisher, I don’t have an account with Bank of America.
Once I received an email informing me that there was a problem with my recent wire transfer, and that email arrived the day after I had wired a vendor $50,000. I didn’t fall for it, but the coincidence lowered my guard. I called the vendor to confirm receipt of the wired funds and deleted the email, but it was close.
How can you tell a phishing message from the real thing? If any of these features are present, ask your IT manager to check it out or just delete the message:
- Does it come from a source you don’t know, or a company you don’t do business with?
- Is the greeting impersonal? If the source is legit, it’s unlikely to greet you as “Dear Friend.”
- Does it ask for account or password information?
- Are you invited to click on a link?
- Does it ask you to make a payment?
- Does it suggest a potential windfall, such as proceeds from a class action lawsuit or a government refund?
- Does it offer you free stuff, or anything else that your gut tells you is too good to be true?
Here’s an example of a phishing attack provided by the Federal Trade Commission:
Looks legit, right? Netflix is, after all, a real company, and that is its logo. But let’s look closer:
- The email has a generic greeting – “Hi Dear.” Sounds, well, fishy.
- The email invites you to click on a link.
- The email spells “center” as “centre” (r-e instead of e-r at the end) – that’s not common American usage.
- If you hovered your cursor over the Update Account Now link, you’d see that the URL is not connected to Netflix.
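The last check above, hovering over a link to see where it really goes, can be automated for a whole message. The script below is an added example, not part of the article or the FTC material: it pulls every link out of an HTML e-mail body and flags any whose destination domain is not one the claimed brand actually uses. The e-mail text and the `example.net` destination are constructed for this example, and the trusted-domain table is an assumption you would maintain yourself.

```python
# Added example (not from the article): flag links in an HTML e-mail whose
# destination domain does not belong to the brand the message claims to be from.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand -> domains that brand legitimately uses (assumed for this example).
TRUSTED_DOMAINS = {"netflix": {"netflix.com"}}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(url):
    """Last two labels of the host, e.g. 'www.netflix.com' -> 'netflix.com'.
    Simplification: does not handle multi-part suffixes such as .co.uk."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def suspicious_links(html, claimed_brand):
    """Return the hrefs whose domain is not one the claimed brand uses."""
    parser = LinkCollector()
    parser.feed(html)
    allowed = TRUSTED_DOMAINS.get(claimed_brand.lower(), set())
    return [href for href, _ in parser.links
            if registered_domain(href) not in allowed]

# Constructed sample body echoing the article's tells: generic greeting,
# "centre" spelling, and a branded link that leads somewhere else.
SAMPLE_EMAIL = """<html><body><p>Hi Dear,</p>
<p>We could not validate your billing information. Please visit our
<a href="http://netflix-billing-centre.example.net/update">Update Account Now</a>
page or the <a href="https://www.netflix.com/">Netflix Help Centre</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href in suspicious_links(SAMPLE_EMAIL, "Netflix"):
        print("suspicious link:", href)
```

The genuine `www.netflix.com` link passes while the look-alike host is reported, because the check keys on the registered domain rather than on the brand name appearing somewhere in the URL.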
What should you do if you suspect a phishing attack?
The first thing to do is bring it to the attention of your agency’s IT manager. But not all agencies have an in-house IT professional, so you may need to noodle this out on your own.
Ask yourself whether you have an account with the company or know the person who contacted you. If the answer is yes, and you suspect a phishing attack, contact the company or person and ask if the message is real. But don’t use a phone number or email address contained in the message.
If the answer is no, delete the message. Do not respond to it, do not divulge any personal, account, or password information, and do not click on any links. Doing that could result in malware being installed on your business’ network.
Phishing is a more complex topic than this article lets on. There are “broadcast phishing” attacks that take a volume approach, sending the same message to as many victims as possible. There are “spear-phishing” attacks that are more sophisticated and target a particular person or job description. Then there are “whale-phishing” attacks that are more sophisticated still and target high-level executives with convincing information that would only be of interest to someone in such a high position.
So why should an agent care about phishing? The first reason is simple prudence: Phishing attacks can damage any person or business; agents and agencies are not exempt.
But a second reason is particularly germane to F&I agencies. The Safeguards Rule requires service providers to identify risks to consumers’ Nonpublic Personal Information (NPI) and create safeguards to protect that NPI. Most agencies probably collect and store a great deal of consumer NPI in the form of contracts, remittance reports, and the like. Phishing attacks could result in that NPI being compromised or corrupted.
In other words, being alert to phishing attacks and preventing them is not just a good idea. For agents, it’s a legal obligation.
Social engineering attacks such as phishing are the biggest piece of the computer attack pie, and they’re the piece you can prevent. Stay alert, stay suspicious, and when in doubt, throw it out.
James Ganther is president of Mosaic Compliance Services and co-founder of Automotive Compliance Education, a compliance training and industry certification company.