TIMONIUM, Md. — Helion Automotive Technologies has issued an urgent data security warning for auto dealers: Hackers are now planting malware inside of social media posts.

If an employee takes the bait and clicks on the social media post (e.g. Facebook and Twitter messages and public postings), according to the firm, the malware is downloaded onto the employee’s computer and may compromise the entire organization’s network. Security software and firewalls cannot prevent this type of attack, according to Erik Nachbahr, president and CEO of Helion and an Auto Dealer Today contributor.

“This is the same spear phishing scheme that hackers have been using successfully in targeted email messages for several years now,” Nachbahr said. “The problem is that although most employees have been told and know not to click on emails from people they don’t know, they don’t think twice when it comes to clicking on a message or offer in their Facebook feed. They are more trusting in a social media environment.”

Spear phishing is a type of attack that involves identifying specific people for attack, studying their social media posts to learn their interests and activities, and then creating a message or offer that appeals to them.

Nachbahr cited the example of a recent breach at the Pentagon. It was caused when the wife of an employee clicked on a Twitter link that promised a great deal for a family-friendly vacation. She had previously been exchanging messages with friends over what they should do with their children over the summer. Although the wife was at home at the time, the hackers accessed the Pentagon employee’s computer via a shared home network, and once the employee was back at the Pentagon, accessed the network from his computer.

Auto dealership employees are ideal targets for spear phishers looking to steal personally identifiable information (PII) and bank account numbers.

Helion recently conducted a phishing test at an auto dealership by sending emails to 125 employees. Three employees clicked on the emails and were taken to a website where they entered their user names and passwords when prompted. If this was a real attack and customer information was compromised, the consequences for that dealership may have been thousands of dollars paid out in credit monitoring for customers, investigations and lawsuits.

“That test was a good sample that revealed auto dealerships are very vulnerable to this type of attack and need to do a better job at educating their employees,” said Nachbahr.

To help prevent this type of attack, Nachbahr recommends counseling employees against clicking on links in social media posts and messages from their computers or personal devices while at work or at home, require them to change their network login passwords every 90 days, keep social media profiles private, and don’t accept friend or connection requests from people they don’t know.

Every auto dealership should have cyber liability insurance, Nachbahr added, and dealers should install software updates, also known as patches, to Microsoft Windows, Internet Explorer and all software applications on every PC on a regular basis.