It only takes one phishing scam to sink your collision repair shop. Collision Industry Conference attendees experienced a simulation of a phishing attack and its consequences during the presentation “From Threat to Safety: Navigating Data Vulnerability and Mitigation Practices” on April 30 in Richmond, Virginia.
StoredTech’s Aleks Pavlinik, chief information security officer, and Allan Polak, director of growth and development, created the fictional Lucky Bob’s Shop to illustrate the data privacy concerns collision repair shops must remain cognizant of. They cautioned that 60% of small businesses close within six months of a successful cyberattack and 90% of successful cyberattacks come from phishing.
“There are some things you can do to prepare [for a breach], but what we really want to do is prevent it from happening,” Polak said.
In the simulation, Lucky Bob clicked a link and provided information as requested by one of his tool vendors. The email looked legitimate, but there was one extra letter in the address. Pavlinik warned that typos in phishing attempts are becoming less common as more advanced technology gives hackers more dangerous spoofing capabilities. They can also use AI to craft more realistic emails.
“What they’re doing now is using non-synthetic characters to simulate the alphabet. To you, it looks correct,” he said. “It’s pretty scary out there.”
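As an added illustration (not part of the presentation or StoredTech's tooling), here is a small Python check a shop's mail filter or help desk could run on a sender address to flag the two tricks described above: a vendor domain that is one letter off, and a domain built from lookalike characters. The vendor domains and the confusable-character table are constructed placeholders, and the table is deliberately partial.

```python
"""Flag sender domains that impersonate a known vendor: a one-letter edit
(the 'extra letter' case) or lookalike Unicode characters."""
import unicodedata

# Constructed example of a shop's approved vendor domains (placeholders).
TRUSTED_VENDOR_DOMAINS = {"luckytools.example", "paintsupply.example"}

# Partial, hand-written table of characters that render like Latin letters.
# Real confusable data (Unicode TR39) is far larger; this is illustrative.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0131": "i", "\u0142": "l", "\u1ecd": "o",
}

def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII letters a reader would *see*."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one insertion covers the 'extra letter' trick."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Extract the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def classify_sender(address: str, trusted=TRUSTED_VENDOR_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an email sender."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    seen = skeleton(domain)
    for good in trusted:
        # Same visible letters but different code points, or within one edit.
        if seen == good or edit_distance(seen, good) <= 1:
            return "lookalike"
    return "unknown"
```

A "lookalike" result is a reason to stop and phone the vendor on a number you already have, which is exactly the slow-down habit the presenters recommend.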
All of Bob’s company documents were encrypted into ciphertext, leaving the electronic files as seemingly random text. Employees were locked out of company systems, phones got disconnected, and hackers threatened to destroy or leak customer data unless Bob paid a $50,000 ransom. Polak and Pavlinik asked the audience whether they would pay. Most attendees said they would not, but the outcome was much the same either way.
If you fall victim to a phishing scam, the loss of data, recovery costs, insurance company claim contests, loss of revenue, reputation damage, and loss of customer, vendor, and employee trust will happen regardless of a ransom payment. Paying the ransom does not guarantee file access and strengthens the position for the insurance company to contest your claim.
“There is no good option here. Most of the implications are the same,” Polak said. “How do we tell the IRS we paid $50,000? What line item is that?”
Recommended cybersecurity measures include performing all mandatory scheduled software updates for computers and firewalls, having strong multi-factor authentication, comprehensive employee training, VPNs, and token theft protection. Pavlinik said he moved StoredTech completely away from passwords in favor of FIDO keys, physical devices that use public key cryptography for authentication. Biometrics is another option.
“Passwords are a dead, failed technology because we’re human and humans are not good at remembering things,” he said.
Even multi-factor authentication is not as safe as it seems, as the going rate for gaining access to a personal phone is about $5,000, Pavlinik said. If attackers don’t have access to your phone, they might call and ask for the authenticator number.
“Most people will comply. Social engineering attacks bypass technical security,” he said. “Humans are always the weakest link.”
Employee education and vigilance are crucial to avoiding phishing attempts. The presenters stressed the importance of encouraging employees to slow down and take their time, because phishing attempts rely on an urgent call to action to get a response.
“Telling our teams to slow down is very important because they’re always working fast to solve issues for customers,” said Brian Burbridge, senior vice president, strategic accounts at Caliber Collision.
Mitigation strategies can reduce the chances of a successful attack. Zero Trust Architecture reduces it by 40%-90%, strong multi-factor authentication 99.2%, anti-virus and extended detection and response 99%, 24/7 managed SOC 85%, token theft monitoring and protection 80%, sign-in protection 99.9%, security awareness training 80%, and updating software and hardware including firewalls 80%.
The presenters emphasized that no single strategy offers 100% protection from phishing attacks; cybersecurity is like an onion, and you need layers on layers on layers to fully secure your business.
The presentation ended with a QR code to scan for more information. It was a fake that notified the 22 audience members who scanned it that they could’ve compromised their personal device had it been real.