How Cyber Criminals Are Accelerating Attacks on The Automotive Industry: Expert Analysis


The automotive industry has maintained an air of stability around its market for many years.

True, worldwide car sales dipped significantly in 2020 due to COVID-19. However, the sector has since rebounded, with Statista reporting that from 2022 to 2023, global car sales grew from about 67.3 million units to around 75.3 million.

Market projections by Spherical Insights & Consulting show that, by 2033, the automotive industry will be worth around $7 trillion.

However, it faces a problem that is blighting nearly every industry: cyber attacks.

In this piece, we explore the automotive industry threat landscape, the types of attack to expect in the sector, and the defenses experts recommend.

Key Takeaways

  • The automotive industry is facing a surge in BEC and VEC attacks, with a 70% increase in BEC attacks.
  • The average BEC attack cost over $137K in 2023, plus major indirect costs like reputational damage.
  • The automotive sector is a prime target due to complex supply chains, high-value transactions, valuable data, and increasing vehicle connectivity.
  • The most common impacts of cyber attacks on the automotive industry are service and business disruption (42%) and data and privacy breaches (22%).
  • Experts recommend a multi-layered approach combining multi-factor authentication, anomalous account behavior detection, vendor security guidelines, ongoing employee awareness and training programs, and AI-driven email protection solutions.

Major Cyber Threats Facing the Automotive Sector

As the criminally lucrative threat landscape matures, threat actors are settling on specific forms of attack for specific sectors, what we may call industry-tailored attacks.

Attackers may prefer insider attacks on sectors with valuable intellectual property or sensitive data, like defense and finance. The automotive industry is different: a new report from Abnormal Security has found that Business Email Compromise (BEC) and Vendor Email Compromise (VEC) are the major attack vectors in the industry.

Per findings in the Abnormal Security report, the automotive industry experienced a surge in BEC attacks, with a 70.5% increase in just five months between September 2023 and February 2024.

This translates to an average of 1.7 BEC attacks per week, a rise from the previous six-month period, which saw only one attack per week.

The first quarter of 2024 saw a high level of activity, suggesting an alarming trend for the remainder of the year.

These can be costly — one attack cost a Toyota parts supplier $37 million.

Meanwhile, data from cybersecurity firm Arctic Wolf reveals BEC-related attacks doubled in the first half of 2023, following a 29% increase from 2021 to 2022. BEC engagements also accounted for 29.7% of all Arctic Wolf incident response operations in 2023.

VEC attacks targeting automotive organizations also saw a significant surge between September 2023 and February 2024. According to Abnormal Security, 63% of their customers in the automotive industry experienced at least one VEC attack during this period.

This rate was higher than the incidents observed in the energy/infrastructure (54%), hospitality (50%), and finance (35%) sectors within the same timeframe.

Figure A: Auto-Industry BEC Attacks per Week (Abnormal Security)

Automotive Industry as the Perfect Target

Why is the automotive industry such an attractive target for BEC and VEC attacks? The answer lies in the nature of the industry itself, Patrick Harr, CEO at SlashNext, an email security platform, told Techopedia.

He said:

“The automotive industry is a prime target for BEC and VEC attacks due to its complex supply chains, high-value transactions and vast vendor ecosystems.

 

“Threat actors exploit the trust and urgency in these business relationships, using sophisticated social engineering tactics to trick employees into disclosing sensitive information or initiating fraudulent payments.”

In a statement to Techopedia, Josh Amishav, Founder and CEO at Breachsense, a data breach and dark web monitoring solution, cited large financial transactions as the main reason why attacks are increasingly targeting the automotive sector.

He noted:

“The automotive industry is a particularly attractive target for BEC and VEC attacks due to the large financial transactions normally sent for parts, inventory, and vehicles.”

He also highlighted the industry’s complex supply chains as a vulnerability.

“Due to the intricate supply chain that most automotive companies have, with multiple third parties involved, there are numerous potential points of attack for criminals to impersonate vendors or partners to initiate fraudulent transactions,” Amishav stated.

Another factor that makes the automotive industry a prime target is the value of the data it holds.

According to Fortra’s global automotive cybersecurity report, data stored by automotive companies, such as personal customer information and proprietary design and manufacturing details, is highly valuable to cybercriminals.

In addition, rapid digitization and the rise of Electric Vehicle (EV) infrastructure have revolutionized the automotive sector. More than ever, vehicles now integrate advanced connectivity, automation, and driver assistance systems, and their attack surface expands accordingly.

The Cost of Cyber Attacks in the Automotive Industry

The cost of falling victim to cyber attacks in the automotive industry is staggering. According to data from the Internet Crime Complaint Center, the average cost of a successful BEC attack in 2023 alone was reported to exceed $137,000 per attack, but this figure merely scratches the surface once we factor in the other damage this type of attack leaves in its wake.

A report by Upstream Security paints a grim picture, estimating that 37% of all cyber activities happening on the dark web in 2024 target multiple original equipment manufacturers (OEMs).

Looking beyond the immediate monetary loss, a study Statista published last March laid out cyber attacks on the automotive industry by impact. Service and business disruption, such as production delays or halts, is the most common outcome, occurring in 42% of cyber incidents. Data and privacy breaches follow, accounting for 22% of the total impact. Fraud and vehicle theft are also typical outcomes of cybercrime in this sector.

Cyber attacks on Automotive Sector by Impact (Statista)

There are also indirect costs to consider, such as the damage to a company’s reputation, the loss of customer trust, and the potential for regulatory fines and penalties. These intangible costs can have long-lasting effects on a company’s bottom line and market position.

How the Automotive Industry can Defend Against BEC/VEC Attacks

Addressing the rising threat of BEC and VEC attacks plaguing the automotive sector, Dror Liwer, Co-founder at cybersecurity firm Coro, outlined a two-pronged strategy to Techopedia.

He said: “The best defense against these attacks is made up of two parts: strengthening identity security by using multifactor authentication (MFA) and anomalous account behavior detection tools, and ensuring vendors follow proper security guidelines as well.”

Liwer emphasized that technological controls alone are insufficient and called for employee training.

“Having an active employee awareness, education, and simulation program in place that teaches employees how to identify a suspicious message. Conducting a once-a-year training class won’t cut it – the program must be ongoing to keep employee awareness top of mind.”

Emphasizing the human-centric nature of BEC attacks, Matt Kiely, Principal Security Researcher at Huntress Labs, advocates a multi-layered approach combining security awareness training, technical controls, and vigilant employee practices.

“Security awareness training can be an effective preventive measure,” Kiely states, advocating regular cybersecurity education to help employees recognize BEC tactics. However, he cautions that “prevention alone isn’t going to stop BEC attacks.”

Kiely provides specific guidance for employees who receive suspicious emails:

“If someone is requesting a change of payment or financial information, make a call to that vendor directly to verify its legitimacy. Don’t enter any sensitive information on a page you got to by clicking a link in an email – manually navigate instead.

“Carefully examine URLs, email addresses, and spelling, and don’t click links or open attachments in unsolicited emails, especially if it’s asking you to update/verify accounts or pressuring you to act quickly.”
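The checks Kiely lists, sketched as an inbound-mail triage rule. This is an added example, not code from the article or from any vendor quoted in it; the vendor domain list, keyword patterns and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: vendor domains on file with procurement (constructed values).
KNOWN_VENDOR_DOMAINS = {"acme-autoparts.example", "brakeworks.example"}
_MONEY = r"\b(?:bank|account|payment|remittance|wire)\b"
_CHANGE = r"\b(?:change|changed|update|updated|new)\b"
PAYMENT_CHANGE = re.compile(f"{_MONEY}.{{0,40}}{_CHANGE}|{_CHANGE}.{{0,40}}{_MONEY}", re.I | re.S)
URGENCY = re.compile(r"\b(?:urgent|immediately|asap|overdue)\b", re.I)

# Constructed sample messages, not real traffic.
GENUINE = ("From: Acme Billing <billing@acme-autoparts.example>\n"
           "Subject: Invoice 1042\n\nInvoice 1042 is attached. Terms are as agreed.\n")
SUSPECT = ("From: Acme Billing <billing@acrne-autoparts.example>\n"
           "Reply-To: ap-desk@freemail.example\nSubject: Remittance details\n\n"
           "Our bank account has changed. Please update payment details immediately.\n")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss vendor domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_email):
    """Return the reasons a message should be held for call-back verification."""
    msg = message_from_string(raw_email)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    body, reasons = msg.get_payload(), []
    if sender not in KNOWN_VENDOR_DOMAINS:
        for known in sorted(KNOWN_VENDOR_DOMAINS):
            if 0 < edit_distance(sender, known) <= 2:
                reasons.append(f"lookalike-domain:{sender}~{known}")
    if reply_to and reply_to != sender:
        reasons.append(f"reply-to-mismatch:{reply_to}")
    if PAYMENT_CHANGE.search(body):
        reasons.append("payment-change-request")
    if URGENCY.search(body):
        reasons.append("urgency-language")
    return reasons
```

A non-empty result means the message is held until someone confirms the request by calling the vendor on a number already on file.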

Harr of SlashNext advocates for AI-driven email protection solutions rather than relying on traditional email security systems.

He said:

“These very targeted and sophisticated attacks are simply missed by basic email defenses, including older SEG technologies or relying on employee training alone.

“Implementing AI protection for email is even more important with the weaponization of generative AI platforms (like WormGPT) by threat actors to create, launch and iterate BEC attacks with near-perfect language, personalization and speed.”

The Bottom Line

The automotive industry has enjoyed a fair share of growth amid economic uncertainties. So, it’s not a coincidence that it has become a magnet for cybercriminals launching BEC and VEC attacks.

In the face of this ugly development, what really matters is how organizations are adapting their security measures.

While secure email gateways and other traditional security tools can comb through your emails for malicious links, relying solely on them is an invitation for doomsday.

As the experts advise, tackling the human factor remains key to defending against email-based attacks like BEC and VEC.

Franklin Okeke
Technology Journalist

Franklin Okeke is an author and tech journalist with over seven years of IT experience. Coming from a software development background, his writing spans cybersecurity, AI, cloud computing, IoT, and software development. In addition to pursuing a Master's degree in Cybersecurity & Human Factors from Bournemouth University, Franklin has two published books and four academic papers to his name. His writing has been featured in tech publications such as TechRepublic, The Register, Computing, TechInformed, Moonlock and other top technology publications. When he is not reading or writing, Franklin trains at a boxing gym and plays the piano.