As a universal communication medium for businesses today, email remains one of the primary vectors for cyber attacks. In 2023 alone, the number of business email compromise attacks increased by 55%. And while every organisation across every vertical is at risk of experiencing advanced email attacks, there are certain industries that, for various reasons, periodically become the go-to target for threat actors.
The automotive industry is one of those, especially for business email compromise (BEC) and vendor email compromise (VEC). In these attacks, cyber criminals impersonate trusted identities—whether internal executives or external vendors—and manipulate their targets into completing fraudulent transactions or divulging sensitive information. What makes these attacks so dangerous is that they rely on social engineering tactics, making them look like authentic emails that easily evade traditional security solutions.
The latest research from Abnormal Security shows that BEC attacks against automotive businesses increased by a staggering 70.5% between September 2023 and February 2024. More concerning still, the frequency of these attacks was higher in the first quarter of 2024, which potentially indicates a worrying trend for the rest of the year. VEC attacks were similarly elevated during the same six-month period, with 63% of Abnormal Security customers in the automotive industry experiencing at least one VEC attack. In fact, the rate of VEC attacks was significantly higher in the automotive industry than in other critical industries like the energy sector, finance, and hospitality.
It’s evident that automotive businesses are a key target for advanced email attacks. But what makes this sector so attractive? For one, the industry generally sees high-value transactions for vehicle parts and inventory, making it a lucrative target for cyber criminals. Some may recall the email attack that targeted auto parts supplier Toyota Boshoku a few years ago, where threat actors used an email scam to manipulate an employee into changing bank account information for a wire transfer, resulting in a loss of US$37m. There’s also the fact that automotive companies rely on a complex supply chain of third parties and vendor ecosystems, which provides substantial scope for threat actors to impersonate a variety of trusted vendors in their attacks.
So, how can automotive organisations steer clear of this growing threat?
A layered approach to email security
Ensuring the strongest protection against advanced email attacks requires a layered security strategy, and there are a few important defences that every organisation, regardless of industry, should apply.
The first is security awareness training for end users. Employees are a key line of defence and need to be able to identify the hallmarks of an email attack. Things like urgent requests for sensitive information, poor spelling and grammar, or malicious links are all red flags for which employees should be vigilant. Organisations must prioritise regular training sessions that cover the mechanics of email attacks and emphasise the importance of vigilance. Simulated phishing exercises can be particularly effective, providing employees with practical experience in identifying and responding to deceptive emails. It’s also critical to have clear processes in place that can ensure users are actively reporting these kinds of suspicious emails.
While fostering a culture of security awareness is key, it should be a starting point rather than a silver bullet, especially because modern email threats are becoming increasingly difficult to spot. Today’s cyber criminals are savvy and have adapted their tactics to evade detection by the human eye as well as by traditional email security tools. By using social engineering, they can write seemingly legitimate emails that omit the traditional indicators of compromise. These emails are often text-based, sent from trusted (or spoofed) domains, and even personalised to their target to manipulate them into taking an action, like wiring funds or divulging credentials or other sensitive information.
For example, in a recent BEC attack a threat actor posed as the president of a truck dealership and sent phishing emails to the company’s accounts department. The attacker went to great lengths to disguise the email, such as creating a fraudulent email thread, changing the display name, and using a trusted and established domain. As the attack didn’t have any obvious indicators of compromise, it wasn’t flagged by the email security system or noticed by employees.
The proliferation of generative AI applications like ChatGPT (and its malicious counterparts like WormGPT and FraudGPT) has given threat actors an even greater advantage, offering them a tool that enables them to craft convincing social engineering attacks at higher volumes than ever before.
This growing sophistication of email attacks means that awareness training should also be supplemented with technology-based detection. Solutions that leverage AI and machine learning, for example, can detect malicious intent by learning the typical user behaviours in an email environment and then flagging deviations indicative of suspicious activity. This means that even if an email appears to be authentic, with no threat signatures present, AI can detect subtle discrepancies in behaviour that could signal a potential attack.
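The behavioural detection described above, as an added example that is not code from the article or from Abnormal Security: a small rule set that compares each inbound message against a learned baseline of who sends from where, and scores the tactics this article mentions (a known display name arriving from an unfamiliar address, a look-alike of the company's or a trusted vendor's domain, a Reply-To that steers replies elsewhere, and a request to change payment details to bank identifiers never seen for that sender). The baseline, the messages and the scoring weights are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Dict, List, Optional, Set

INTERNAL_DOMAIN = "example-trucks.com"

# Constructed baseline standing in for what a learned model has observed:
# display name (lower-cased) -> addresses that identity has actually used.
KNOWN_SENDERS: Dict[str, Set[str]] = {
    "jane doe": {"jane.doe@example-trucks.com"},   # dealership president
    "acme parts ar": {"ar@acme-parts.example"},    # established vendor
}
# Vendor domain -> bank identifiers seen on its past invoices (constructed).
KNOWN_VENDOR_BANKS: Dict[str, Set[str]] = {
    "acme-parts.example": {"GB29NWBK60161331926819"},
}
PROTECTED_DOMAINS = {INTERNAL_DOMAIN, *KNOWN_VENDOR_BANKS}

PAYMENT_CHANGE = re.compile(
    r"\b(updated?|new|changed?)\b.{0,40}?\b(bank|account|iban|routing|wire)\b",
    re.I | re.S)
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|before (?:close|eod))\b", re.I)
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


@dataclass
class Message:
    from_header: str            # raw From: header, e.g. 'Jane Doe <jane@x.example>'
    subject: str
    body: str
    reply_to: Optional[str] = None


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm(label: str) -> str:
    """Collapse common homoglyph/typo substitutions before comparing labels."""
    for a, b in (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("-", "")):
        label = label.replace(a, b)
    return label


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(domain: str, protected: str) -> bool:
    """True when `domain` is not `protected` but its first label is a near-copy."""
    if domain == protected:
        return False
    a, b = domain.split(".")[0], protected.split(".")[0]
    return _norm(a) == _norm(b) or _levenshtein(a, b) == 1


def analyse(msg: Message) -> Verdict:
    v = Verdict()
    display, addr = parseaddr(msg.from_header)
    addr, dom = addr.lower(), _domain(addr)
    reply_dom = _domain(parseaddr(msg.reply_to)[1]) if msg.reply_to else dom

    # 1. A known identity's display name arriving from an address it never used.
    known = KNOWN_SENDERS.get(display.strip().lower())
    if known is not None and addr not in known:
        v.add(50, f"display name '{display}' used from unfamiliar address {addr}")
    # 2. Sender domain is a look-alike of the company or of a trusted vendor.
    for p in PROTECTED_DOMAINS:
        if looks_like(dom, p):
            v.add(30, f"sender domain {dom} resembles {p}")
    # 3. Replies are steered to a different domain than the visible sender.
    if reply_dom != dom:
        v.add(20, f"Reply-To domain {reply_dom} differs from From domain {dom}")
    # 4. Payment-change language, weighted up if the bank details are new for this sender.
    text = f"{msg.subject}\n{msg.body}"
    if PAYMENT_CHANGE.search(text):
        v.add(20, "requests a change to payment details")
        unseen = set(IBAN.findall(text)) - KNOWN_VENDOR_BANKS.get(dom, set())
        if unseen:
            v.add(20, f"bank identifier not previously seen for {dom}: {sorted(unseen)}")
    if URGENCY.search(text):
        v.add(10, "urgency cue")
    return v


def is_suspicious(msg: Message, threshold: int = 50) -> bool:
    return analyse(msg).score >= threshold


# Constructed samples: a routine vendor invoice, an executive impersonation
# (right name, look-alike domain) and a vendor impersonation.
ROUTINE = Message("Acme Parts AR <ar@acme-parts.example>", "Invoice 4471",
                  "Invoice attached; remit to GB29NWBK60161331926819 as usual.")
EXEC_BEC = Message("Jane Doe <jane.doe@example-trucks.co>", "Wire today",
                   "Urgent - please process the wire to our updated account "
                   "details today. IBAN DE89370400440532013000.")
VENDOR_VEC = Message("Acme Parts AR <ar@acrne-parts.example>", "Remittance update",
                     "Our bank account has changed; new IBAN GB94BARC10201530093459 "
                     "for all future payments.", reply_to="billing@acrne-parts.example")

if __name__ == "__main__":
    for m in (ROUTINE, EXEC_BEC, VENDOR_VEC):
        v = analyse(m)
        print(f"{m.subject!r}: score={v.score} flagged={is_suspicious(m)}")
        for r in v.reasons:
            print("   -", r)
```

The routine invoice scores zero because every feature is checked against what the sender has done before, not against keywords alone; the two impersonations are caught mainly by the identity-versus-address mismatch and the look-alike domain, which is the kind of subtle discrepancy a learned baseline exposes even when the text itself reads as legitimate.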
Lastly, foundational security measures like password management and multi-factor authentication are important for minimising damage in instances where an attacker does gain access to an email account. The reality is that even the best security tools and the most robust training are unlikely to stop every single attack, so being able to prevent criminals from launching further attacks once they are inside the corporate network is key. Ideally, organisations implement a tool that can highlight potentially compromised accounts and then automatically launch remediation actions like logging the user out of an active session or forcing a password reset.
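The account-compromise response described above, as an added example that is not code from the article or from Abnormal Security: a function that reads a user's recent sign-in and mailbox audit events, derives compromise indicators against a per-user baseline, and maps them onto the remediation actions the text names (signing out active sessions, forcing a password reset). The baseline, the events and the action names are constructed; a real deployment would map each action onto the identity provider's and mail platform's own APIs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

INTERNAL_DOMAIN = "example-trucks.com"


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str                      # "signin" | "inbox_rule" | "mfa_method_added"
    detail: Dict[str, str] = field(default_factory=dict)


# Constructed baseline of where, and from which devices, each user normally signs in.
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "alice@example-trucks.com": {"countries": {"GB"}, "devices": {"dev-a1"}},
    "bob@example-trucks.com":   {"countries": {"GB"}, "devices": {"dev-b7"}},
}


def indicators(user: str, events: List[Event], window=timedelta(hours=24)) -> List[str]:
    """Return the compromise indicators seen for `user` in the window ending at their last event."""
    mine = sorted((e for e in events if e.user == user), key=lambda e: e.ts)
    if not mine:
        return []
    base = BASELINE.get(user, {"countries": set(), "devices": set()})
    start = mine[-1].ts - window
    found: List[str] = []
    for e in mine:
        if e.ts < start:
            continue
        if e.kind == "signin":
            if e.detail.get("country") not in base["countries"]:
                found.append("signin_from_new_country")
            if e.detail.get("device") not in base["devices"]:
                found.append("signin_from_new_device")
        elif e.kind == "inbox_rule":
            # Forwarding outside the company, or silently deleting mail, is the
            # classic way a hijacked mailbox is kept useful after the break-in.
            fwd = e.detail.get("forward_to", "")
            if fwd and fwd.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
                found.append("external_forwarding_rule")
            if e.detail.get("action") == "delete":
                found.append("rule_hides_mail")
        elif e.kind == "mfa_method_added":
            found.append("new_mfa_method")
    return sorted(set(found))


def recommend(user: str, events: List[Event]) -> Tuple[List[str], List[str]]:
    """Map indicators to actions: revoke sessions and force a reset when a
    persistence signal (forwarding rule, new MFA method) follows an anomalous
    sign-in; a lone anomaly only opens an analyst review."""
    ind = indicators(user, events)
    anomalous_signin = {"signin_from_new_country", "signin_from_new_device"} & set(ind)
    persistence = {"external_forwarding_rule", "rule_hides_mail", "new_mfa_method"} & set(ind)
    actions: List[str] = []
    if persistence and anomalous_signin:
        actions += ["revoke_all_sessions", "force_password_reset"]
        if persistence & {"external_forwarding_rule", "rule_hides_mail"}:
            actions.append("disable_suspicious_inbox_rules")
        if "new_mfa_method" in persistence:
            actions.append("review_mfa_methods")
    elif anomalous_signin or persistence:
        actions.append("open_analyst_review")
    return ind, actions


T0 = datetime(2024, 3, 1, 9, 0)
EVENTS = [  # constructed audit trail: alice is taken over, bob is fine
    Event(T0, "alice@example-trucks.com", "signin", {"country": "GB", "device": "dev-a1"}),
    Event(T0 + timedelta(minutes=40), "alice@example-trucks.com", "signin",
          {"country": "NG", "device": "dev-x9"}),
    Event(T0 + timedelta(minutes=45), "alice@example-trucks.com", "inbox_rule",
          {"forward_to": "drop@outside.example", "action": "delete"}),
    Event(T0 + timedelta(minutes=50), "alice@example-trucks.com", "mfa_method_added",
          {"method": "sms"}),
    Event(T0 + timedelta(hours=1), "bob@example-trucks.com", "signin",
          {"country": "GB", "device": "dev-b7"}),
]

if __name__ == "__main__":
    for u in ("alice@example-trucks.com", "bob@example-trucks.com"):
        ind, actions = recommend(u, EVENTS)
        print(u, "indicators:", ind, "actions:", actions)
```

Requiring an anomalous sign-in and a persistence signal together before the automatic session revocation keeps a single new-device login from locking out a legitimate traveller, while still acting within minutes once the pattern that follows a real takeover appears.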
Regulatory implications and compliance considerations
Organisations in the automotive industry should also design their cyber strategies with compliance in mind, ensuring adherence to regulations that protect sensitive information and maintain customer trust. Specific regulatory frameworks, such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the US, impose heavy penalties for data breaches, making compliance essential for legal adherence and critical for operational continuity.
In addition to national and international regulations, automotive companies must also consider industry-specific standards like the Automotive Industry Action Group (AIAG) cyber security guidelines, which provide frameworks for protecting against and responding to cyber threats. These guidelines stress the importance of securing communications within the supply chain to safeguard intellectual property and personal data.
Defending against the new generation of email threats
Email remains one of the greatest threat vectors in today’s organisations, largely due to its human vulnerabilities. People place an immense amount of trust in their digital communications and cyber criminals know this, which is why socially engineered attacks like BEC and VEC remain among the leading cybercrimes.
Every organisation in the auto industry—and across every other vertical—should ensure they have the right tools and training in place to not only mitigate current threats but also ensure they are prepared to stay ahead of future threats as the attack landscape continues to evolve.
About the author: Mick Leach is Field CISO at Abnormal Security