Ransomware gets the headlines, but for a dealership the quieter, costlier threat is often business email compromise — BEC — aimed squarely at the Finance & Insurance office and the accounting desk. There's no malware, no encryption, no dramatic ransom note. Just a convincing email, a redirected payment, and money that's gone before anyone notices.
The FBI's Internet Crime Complaint Center consistently ranks BEC among the costliest categories of cyber crime, with billions of dollars in reported losses every year. Dealerships are an attractive target for a simple reason: F&I and accounting offices move large sums of money, on deadlines, through email.
Why the F&I Office Is a Bullseye
Think about what flows through a dealership's finance operation on any given day: lender funding payments, floorplan financing, vendor invoices, customer deposits and payoffs, payroll. Many of those transactions are initiated, confirmed, or amended over email. The dollar amounts are large and the cadence is predictable — attackers can study a compromised mailbox and time their move to the funding cycle.
Add the working reality of an F&I office — busy, deadline-driven, under pressure to close deals — and you have the exact conditions BEC attackers exploit: high transaction value plus time pressure.
The Six F&I BEC Playbooks
Attacks against dealership finance functions cluster into six recognisable patterns:
Lender funding redirect
Attackers impersonate a captive or indirect lender and email the F&I office 'updated' remittance instructions. The next funding payment lands in the attacker's account.
Vendor invoice fraud
A real vendor relationship is hijacked. Attackers send a genuine-looking invoice with new bank details, often after monitoring a compromised mailbox to copy the vendor's tone and format.
Floorplan payment diversion
Attackers target the large, regular floorplan financing payments, posing as the floorplan provider with revised account details.
Executive impersonation (CEO fraud)
A spoofed or compromised dealer-principal or GM email instructs the controller to make an urgent payment 'before the bank closes' — pressure plus authority.
Customer deposit interception
Attackers insert themselves into a customer's vehicle-purchase email thread and redirect a deposit or payoff to a fraudulent account.
Payroll diversion
Posing as an employee, attackers email HR or accounting to change direct-deposit details just before a pay run.
How a Real Attack Unfolds
The dangerous BEC attacks aren't the obvious ones. A typical serious incident starts weeks before any money moves: an attacker phishes a set of credentials — often from the F&I manager or controller — and quietly logs into the mailbox. They don't act. They read. They learn the lenders, the vendors, the tone, the approval chain, the funding schedule. Frequently they also create an inbox rule that forwards or deletes replies from the real lender or vendor, so nothing arriving in the mailbox gives the game away.
Then, at the right moment, they strike — sending revised remittance instructions that look exactly like the real thing, often from a lookalike domain or, worse, from the genuine compromised mailbox. The payment goes out. By the time the real lender asks where their money is, the funds have been moved through several accounts. Recovery depends on the receiving bank being alerted within hours of the transfer; after a few days the money is usually gone for good.
The Red Flags Every F&I and Accounting Staffer Should Know
- Any email requesting a change to bank account or remittance details
- A new payee or vendor introduced entirely over email
- Urgency or secrecy — "wire today", "don't call, I'm in a meeting"
- A reply-to address that differs subtly from the sender address, or a familiar display name sitting on an unfamiliar address
- Lookalike domains (rn for m, .co for .com, extra hyphens)
- An invoice or instruction that arrives slightly early or out of the usual cycle
- Grammar or formatting that's slightly off for that sender
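Two of the red flags above, a mismatched Reply-To and a lookalike domain, can be checked mechanically before a human ever reads the message. The script below is an added example, not tooling from the original page: it parses a raw RFC 5322 message, compares the From and Reply-To domains, and tests each against the domains you already have on file for the lookalike tricks listed (rn for m, .co for .com, inserted hyphens, a one-character edit). The known-domain list, the homoglyph table, and the sample message are constructed for illustration.

```python
"""Header-level red-flag checks for an inbound payment-instruction email.

Added example, not from the original page. Compares From and Reply-To
domains and tests each against domains already on file for lookalikes.
KNOWN_DOMAINS and SAMPLE are constructed illustration data.
"""
import difflib
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Optional

# Lender/vendor domains already on file (constructed example data).
KNOWN_DOMAINS = {"acmemotorcredit.com", "dealerparts-supply.com"}

# Glyph swaps commonly used in lookalike domains, applied in this order.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def _domain(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _registrable(domain: str) -> tuple:
    """Split 'mail.acme.com' into ('acme', 'com'); empty tuple if malformed."""
    labels = domain.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else ()


def _normalise(label: str) -> str:
    """Collapse homoglyphs and hyphens so visually similar labels compare equal."""
    label = label.replace("-", "")
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def lookalike_of(domain: str, known: set = KNOWN_DOMAINS) -> Optional[str]:
    """Return the on-file domain that `domain` imitates, or None if it is
    the same registrable domain as one on file or not close to anything."""
    if domain in known:
        return None
    parts = _registrable(domain)
    if not parts:
        return None
    sld, _tld = parts
    for candidate in known:
        kparts = _registrable(candidate)
        if not kparts:
            continue
        if parts == kparts:
            return None  # e.g. mail.acmemotorcredit.com is the real domain, not a lookalike
        ksld, _ktld = kparts
        # Same name once glyph swaps/hyphens are undone (covers TLD swaps too).
        if _normalise(sld) == _normalise(ksld):
            return candidate
        # A one-character edit of a long name; too loose for very short names.
        if difflib.SequenceMatcher(None, sld, ksld).ratio() >= 0.9:
            return candidate
    return None


def check_message(raw: str, known: set = KNOWN_DOMAINS) -> list:
    """Return human-readable red flags found in the message headers."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = _domain(str(msg.get("From", "")))
    reply_dom = _domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for header, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        target = lookalike_of(dom, known) if dom else None
        if target:
            flags.append(f"{header} domain {dom} is a lookalike of {target}")
    return flags


# Constructed sample: display name and From look genuine, the Reply-To does not.
SAMPLE = """\
From: Funding Desk <funding@acmemotorcredit.com>
Reply-To: Funding Desk <funding@acrnemotorcredit.co>
To: fi-manager@example-dealer.com
Subject: Updated remittance instructions for today's funding
Content-Type: text/plain

Please use the new account details attached for all funding from today.
"""

if __name__ == "__main__":
    for flag in check_message(SAMPLE):
        print("RED FLAG:", flag)
```

On the sample message the check reports two flags: the Reply-To domain differs from the From domain, and that Reply-To domain is a lookalike of acmemotorcredit.com. The similarity ratio is deliberately conservative so short, legitimately similar domains are not flagged; treat any hit as a prompt for the out-of-band phone call, not as proof of fraud.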
The Controls That Stop F&I BEC
BEC is beaten with a combination of technology and process. No single control is enough — but the stack below stops the overwhelming majority of attempts:
- Out-of-band verification: confirm every payment-detail change by phone to a known number
- Advanced email security with impersonation and lookalike-domain detection, plus DMARC enforcement on your own domains so mail spoofing your exact domain is rejected by receivers that check it
- External-sender banner warnings on all inbound mail
- MFA enforced on every F&I, accounting, and executive mailbox, with the legacy authentication protocols that bypass MFA disabled
- Mailbox-rule monitoring to catch attacker-created forwarding and auto-delete rules, alongside a tenant-level block on automatic forwarding to external domains
- A documented payment-approval process with dual authorisation above a threshold
- Targeted BEC training for F&I, accounting, and management staff
- A confirmed cyber-insurance social-engineering-fraud endorsement
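Mailbox-rule monitoring is the one control in the list that is usually automated rather than trained, so here is what the check looks like in practice. The script below is an added example, not tooling from the original page. It assumes inbox rules exported in the shape Microsoft Graph returns from GET /users/{id}/mailFolders/inbox/messageRules (displayName, isEnabled, conditions, actions) and flags the patterns BEC actors leave behind after taking over a mailbox: forwarding or redirecting to an address outside the dealership, deleting or burying finance-related mail so the victim never sees the real lender's replies, and empty or one-character rule names. The organisation domains, finance keywords, and the three sample rules are constructed for illustration.

```python
"""Triage exported inbox rules for attacker-created forwarding and hiding.

Added example, not from the original page. Assumes rule objects shaped like
Microsoft Graph messageRule resources (displayName, isEnabled, conditions,
actions). ORG_DOMAINS, FINANCE_TERMS and SAMPLE_RULES are constructed data.
"""

ORG_DOMAINS = {"example-dealer.com"}  # assumption: the dealership's own mail domains
FINANCE_TERMS = ("invoice", "wire", "remit", "payment", "funding", "floorplan")
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
KEYWORD_FIELDS = ("subjectContains", "bodyContains", "bodyOrSubjectContains")


def _addresses(recipients) -> list:
    """Flatten Graph recipient objects to lower-cased addresses."""
    return [
        (r.get("emailAddress") or {}).get("address", "").lower()
        for r in recipients or []
    ]


def _targets_finance_mail(conditions: dict) -> bool:
    """True if any keyword condition mentions a payment-related term."""
    keywords = [kw.lower() for field in KEYWORD_FIELDS for kw in conditions.get(field) or []]
    return any(term in kw for kw in keywords for term in FINANCE_TERMS)


def suspicious_findings(rule: dict, org_domains: set = ORG_DOMAINS) -> list:
    """Return the reasons a single rule looks attacker-created (empty if none)."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    name = (rule.get("displayName") or "").strip()
    findings = []

    # 1. Mail leaving the organisation via forward/redirect.
    for action in FORWARD_ACTIONS:
        for addr in _addresses(actions.get(action)):
            if addr.rpartition("@")[2] not in org_domains:
                findings.append(f"{action} sends mail to external address {addr}")

    # 2. Finance-related mail deleted or buried so the victim never sees replies.
    finance = _targets_finance_mail(conditions)
    if finance and actions.get("delete"):
        findings.append("deletes finance-related mail")
    if finance and actions.get("markAsRead") and actions.get("moveToFolder"):
        findings.append("marks finance-related mail read and moves it out of the inbox")

    # 3. Rule names chosen to avoid drawing attention in the rules list.
    if len(name) <= 1:
        findings.append(f"rule name {name!r} is empty or a single character")
    return findings


def triage(rules: list, org_domains: set = ORG_DOMAINS) -> dict:
    """Map rule id -> findings for every enabled rule with at least one finding."""
    report = {}
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        findings = suspicious_findings(rule, org_domains)
        if findings:
            report[rule["id"]] = findings
    return report


# Constructed sample export: one attacker rule, one legitimate rule, one disabled rule.
SAMPLE_RULES = [
    {
        "id": "rule-1", "displayName": ".", "isEnabled": True,
        "conditions": {"subjectContains": ["funding", "remittance"]},
        "actions": {
            "forwardAsAttachmentTo": [{"emailAddress": {"address": "drop@mail-relay.example"}}],
            "delete": True,
            "stopProcessingRules": True,
        },
    },
    {
        "id": "rule-2", "displayName": "Floorplan statements", "isEnabled": True,
        "conditions": {"senderContains": ["statements@acmemotorcredit.com"]},
        "actions": {"moveToFolder": "folder-id-floorplan"},
    },
    {
        "id": "rule-3", "displayName": "", "isEnabled": False,
        "actions": {"delete": True},
    },
]

if __name__ == "__main__":
    for rule_id, findings in triage(SAMPLE_RULES).items():
        print(rule_id)
        for finding in findings:
            print("  -", finding)
```

Run against the sample export, only rule-1 is reported, with three findings; the legitimate filing rule is silent and the disabled rule is skipped. In a live tenant you would feed it the output of the Graph call above or of Get-InboxRule in Exchange Online PowerShell for each finance and executive mailbox, run it on a schedule, and alert on any rule not present in the previous run. Mailbox-level forwarding set outside the rules engine (the mailbox's forwarding address property) needs its own check, since it never appears in the inbox rules list.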
The single highest-value control is the cheapest: an out-of-band verification rule. Any change to payment details, and any brand-new payee, must be confirmed by a phone call to a number you already had on file — never a number from the email requesting the change. This one habit stops BEC even when the attacker's email is technically flawless.
It also belongs in your FTC Safeguards Rule WISP — payment-fraud controls and staff training are part of a defensible written information security program.
The Bottom Line
F&I BEC fraud is a deception attack, not a malware attack — which means antivirus and firewalls never see it. It's stopped by layered email security, mailbox monitoring, MFA, a hard payment-verification process, and trained staff. For a dealership moving six and seven figures through email every week, that stack isn't optional — it's the cost of doing business safely.
Related reading: the full BEC guide, lessons from the CDK ransomware attack, and cybersecurity for auto dealerships.
Frequently Asked Questions
What is F&I BEC fraud?
Business email compromise (BEC) targeting a dealership's Finance & Insurance (F&I) or accounting office. Attackers impersonate lenders, vendors, or executives over email to redirect payments — lender funding, vendor invoices, or floorplan payments — into accounts they control. It relies on deception, not malware, so traditional antivirus never sees it.
Why are dealerships a prime BEC target?
Dealerships move large sums daily — lender funding, floorplan financing, vendor payments, customer deposits — through email-driven processes. F&I offices are busy and deadline-driven. That combination of high transaction value and time pressure is exactly what BEC attackers look for.
How much can a single F&I BEC attack cost?
BEC losses are among the highest of any cyber crime. The FBI's IC3 records billions in BEC losses annually, with individual incidents frequently in the tens or hundreds of thousands of dollars. A single redirected lender-funding payment can exceed six figures.
Does cyber insurance cover BEC losses?
Sometimes — but BEC is often subject to sub-limits or specific 'social engineering fraud' endorsements that must be added separately. Many dealerships discover after a loss that their policy caps BEC reimbursement well below the amount stolen. Review your policy with your broker before you need it.
What's the single most effective control against F&I BEC?
An out-of-band verification step: any change to payment details or any new payee must be confirmed by a phone call to a known, pre-existing number — never a number from the email itself. This one process control stops the majority of BEC attempts even when the technical defences miss.
Protect Your F&I Office From BEC
Free 30-minute assessment. We'll review your dealership's email security and payment-verification process for BEC exposure.