Is your dealership safe from hackers and bad actors?
There’s a well-known phrase among experts in the cybersecurity industry. Maybe you’ve heard it? It goes something like: Hackers don’t hack. They log in.
The situation can be as simple as a dealership employee downloading software after clicking on the wrong link on a website. Or the employee receives an email, usually a type of phishing or social engineering attack, such as a Business Email Compromise (BEC).
“Those are the two main attacks and we see them happening all the time,” said Loïc Calvez, Co-Founder and CEO of ALCiT, an Ontario-based Managed Security Services Provider (MSSP).
In the second example, he said, the employee opens the email and may have been tricked into revealing their login details or bypassing security measures. The outcome is a story cybersecurity experts know all too well: colleagues ask the employee why she or he keeps sending them marketing emails asking them to click on a link. “Is that really you?” they ask.
“If you’re at that stage (the hacker) has been in your mailbox for weeks and that’s when they decided to ‘burn’ (it),” Calvez told Canadian auto dealer. “There’s no one going into the mainframe and trying to change the lights. Hackers are either given a login credential or there’s a weak password, a leaked password, a password that’s somewhere else… and they just log in.”
He said it takes an average of over 180 days between the moment the actual cyberattack happens and the moment it gets discovered, with the most common example being a BEC. That is in line with the findings of the IBM Cost of a Data Breach 2024 report, which shows the global average is 194 days to identify the issue and another 64 days to contain it. This is why Calvez advises selecting strong passwords.
“Your first name, your daughter’s name, your car brand’s name, your dealership’s name are not good passwords. Even if you put a number one in the exclamation mark at the end, that’s still a really weak password. We crack those in about five minutes,” he said.
Identity security
Anne-Marie Kelly, Head of Fraud at Paays Financial Technologies, has been in financial crime prevention and detection for 30 years. She said the fact that conversations around passwords are still ongoing tells her they are still dealing with old school fraud.
“Cyber is still happening, but the criminals are using technology to perpetrate the same old crimes that I was talking about 25 years ago,” she told Canadian auto dealer. The difference now might be that she’s hearing from dealers a lot about controlling identity access management.
In the past there may have been one username and password, or a few usernames and passwords to log into a specific portal(s) or DMS. Now there is a shift in the dealership perspective, and from vendors offering solutions for access, towards creating unique usernames and passwords for the people who are allowed to get into these different systems.
“Whether that’s access to inventory, whether that’s access to employee information, whatever access that is, having more control around identity access management certainly has been a topic of conversation,” said Kelly.
She said the event that occurred last summer, in which a major DMS software provider for dealerships experienced an outage stemming from back-to-back cyberattacks, raised awareness that it’s a “me too” situation — this too can happen in the automotive sector.
In the month that followed the outage, cyberattacks against dealerships rose to nearly 232 per cent, according to The State of Cybersecurity 2024 report. The data, compiled by Proton Dealership IT and Cybersecurity, which was acquired by Reynolds a few years ago, shows cyberattacks remain well above the levels observed prior to that major incident.
The report also notes that attacks are being targeted at dealerships “every single day.” How well those dealerships are protected can make a difference in whether they fall prey to a full-fledged ransomware event that shuts them down for days or weeks, or whether the issue is “a 15-20-minute problem for one user.”
“(The CDK incident) did happen and there were big ramifications because of that event,” said Kelly. “The sector needs to do better as far as cybersecurity and as far as identity goes, and identity meaning identifying identity verification.”
Common red flags
Due to limited detection mechanisms, regular users often miss early warning signs of cybersecurity threats, said Seyed Hejazi, a member of MNP’s Digital Services team in Toronto, Ontario, who has nearly two decades of cybersecurity and information technology experience.
He told Canadian auto dealer that in ransomware attacks, issues like blocked systems, inaccessible servers, or service disruptions may only become apparent when it’s too late.
“A dealership may be at risk if it does not have a formal vulnerability management program (including vulnerability scanning and timely patching), lacks an Incident Response Plan, operates with flat networks that allow broad access across all areas, or does not maintain a comprehensive cyber security program,” said Hejazi.
He added that BEC and ransomware attacks continue to be widespread threats, noting that social engineering remains the most effective type of attack. It often results in BEC or ransomware incidents, and both types of attacks can result in significant financial losses and damage the organization’s reputation.
“Additionally, there has been an observed increase in the deployment of AI-based tools to facilitate more sophisticated and successful social engineering campaigns across various industries,” said Hejazi.
The impact isn’t only direct; it is also indirect, coming through consumers. A 2025 Connected Car Cyber Safety & Security Index released by RunSafe Security found that, of the 2,000 connected car owners surveyed across the U.S., U.K., and Germany, 70 per cent would consider buying older, less connected vehicles to reduce cyber risks.
Another 85 per cent would be more concerned about cybersecurity risks if outside companies included AI features in their vehicles, and 37 per cent would move to a different brand if their preferred vehicle were vulnerable to cyberattacks.
All of which goes to show that AI security and cyber attacks are not just on the minds of businesses but consumers as well.
How dealers can take action
The importance of education and training should not be understated. Corey Bloom, Partner and Eastern Canada Leader with MNP’s Forensics and Litigation Support Services team in Montreal, Quebec, said it is critical that employees, and in particular salespeople, understand how important their role is in protecting the dealership.
“It is vital that they receive recurring anti-fraud/cyber security training so they can recognize red flags, escalate issues where needed, and attempt to avoid phishing, social engineering, and other cyber security threats,” she said.
Bloom also advised that dealers consider getting help internally and consult externally when needed. She said legal counsel can often help the dealer connect with investigators, forensic accountants and cyber security professionals.
Whatever decision is taken, remember how simple it is for hackers to gain access. After all, most don’t hack. They log in.




