Actual examples of phishing emails sent to F&I agency personnel include links designed to give the sender access to saved messages and the ability to send requests for funds.  Photos courtesy Central States Family of Companies

Actual examples of phishing emails sent to F&I agency personnel include links designed to give the sender access to saved messages and the ability to send requests for funds. Photos courtesy Central States Family of Companies

OMAHA, Neb. — Hackers are targeting F&I agencies, says Jeff Wanning, senior vice president of operations for the Central States Family of Companies, including four CSO-affiliated agencies in the past three weeks.

“We’re a little bit alarmed,” Wanning said. “I realize they may or not be targeting agencies specifically, but agents need to be aware of how to protect themselves.”

In several cases, the hack was initiated with an apparently official email request for “validation” of the recipient’s Microsoft Outlook account. If an agent or agency staff member were to click on the link within, the person behind the initial message could begin using their accounts to scan old messages for valuable data and send new messages to request funds.

“The first email we got actually made sense. They knew the vernacular. Up until the time they mentioned Hong Kong, we thought it was legit,” Wanning said, suggesting that agents invest whatever resources are needed to train staff against clicking on phishing messages. He said CSO relies on KnowBe4, one of several companies offering online training. “We require each of our employees to go through the 25-minute training module and the test at the end, and every month, the system sends fake scam emails, and we track who clicks on them.”

John Braganini of Great Lakes Companies confirmed his agency was among those affected by the recent wave of hacks. He said an IT expert found the Portage, Mich.-based company’s database was not compromised, possibly indicating a third party, such as Facebook, was the source of the breach.

“It looks like someone got into my contact directory and had been sending out emails, supposedly from me. They put my name into an email and sent an invoice to about 20,000 people,” Braganini said.

About the author
Tariq Kamal

Tariq Kamal

Associate Publisher

Tariq Kamal is the associate publisher of Bobit Business Media's Dealer Group.

View Bio
0 Comments