Many automotive businesses are adapting to these challenging times by changing their working practices so they can cater for existing customers in innovative ways, and in some cases enter new markets. Repair and maintenance businesses, for instance, may be using remote diagnostics software to respond to social distancing.
In retail, with showrooms closed to protect both the public and the dealership employees, distance selling is being maximised by those businesses that already used this as a distribution channel. Smaller dealerships who previously relied on face-to-face interaction are increasingly adopting this model too. However, these changes to working practices mean there are different risk exposures.
Customers are rightly cautious as buying a car is a significant purchase, meaning many people will be uncomfortable making such a purchase without the usual reassurances of physical interaction. With customers having access to social media, review sites and other means of expressing their opinions, if anything goes wrong then the fallout is likely to be considerable. This creates a significant risk of lasting reputational harm, which could seriously impact on future sales.
What are the potential risks?
Aside from possible allegations of mis-selling by a customer, there are a number of risks that could cause issues.
Dealers will hold increasing amounts of personal information on customers, both in relation to marketing and transactions. Since the introduction of GDPR, the rights and freedoms of individuals have been clearly set out, and businesses have a responsibility to protect data.
Examples of data loss could include:
- Lost or stolen devices such as laptops
- Compromised databases which allow unauthorised access to systems
- Human error such as accidentally emailing marketing or other databases, or mistakes such as forwarding, selecting reply all or pre-populating the wrong email address.
If data is lost then the business could be exposed to severe penalties from the Information Commissioner’s Office, litigation from claimants and a damaged reputation.
Denial-of-service attack (DoS attack)
This is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its users by temporarily or indefinitely disrupting the services of a host connected to the Internet. It is common for hackers to target businesses who are dependent on online sales, bringing their systems, and potentially their business, to a halt.
Ransomware is one of the most common forms of cyber-crime in the UK, and is a form of malware in which rogue software code effectively holds a user's computer hostage until a "ransom" fee is paid. Typically ransomware attacks are the result of clicking on an infected email attachment or visiting hacked or malicious websites.
Push payment fraud
Online trading potentially exposes businesses to the actions of opportunist criminals, organised crime gangs and money launderers. We have seen several instances of sophisticated scams being deployed in the distance selling market, including push payment fraud. This is where fraudsters deceive employees at a business into sending a payment under false pretences to a bank account controlled by the fraudster. As payments are made using real-time payment, the victims cannot reverse a payment once they realise they have been deceived.
These approaches are not new. There are various examples of cyber criminals posing as suppliers and asking for amended payment details to be processed. More commonly, customers are duped into paying the wrong businesses. In these unfortunate instances, it is often the business that bears the brunt of the customer’s frustration, as questions may be raised as to whether this could have been prevented, leading to potential reputational damage.
What can you do to help protect your business?
- Take your time - fraudsters will often try to rush you into sending money or revealing details.
- Listen to your instincts and have the confidence to say no – if it doesn’t feel right then it probably isn’t.
- Always verify all payment requests verbally in a separate phone call before sending any money.
- Speak to your insurance broker - cyber and crime insurance policies can provide indemnity for costs and awards for lost data, business interruption, lost money and lost assets. They will also provide support and access to a suite of specialists such as forensic IT investigators, system remediation support, legal and PR support. They can also provide support for clients to prevent a lasting reputational issue including ongoing credit monitoring.
The regulations around distance selling are different to traditional sales, recognising the risks and differences in interaction. These are clearly explained in this helpful FAQ shared by the Motor Ombudsman.
For more information, please get in touch with the Gallagher Automotive Team.