
Amber Poirier, Product Marketing Specialist

The Hidden Weakness in Dealership Security: Why Email Is the Biggest Risk

When dealerships think about cybersecurity, the focus is usually on firewalls, antivirus software, or protecting the dealer management system (DMS). Email, however, often gets a pass: it is familiar, essential, and assumed to be low risk.

Under the FTC Safeguards Rule and GLBA requirements, email is anything but low risk. It’s one of the most common ways customer data is exposed, and one of the most overlooked areas of dealership security.

Between sales inquiries, lender communications, vendor messages, and internal coordination, email touches nearly every part of dealership operations. That makes it both a powerful tool and a hidden vulnerability.

Why Email Is a Prime Target in Dealerships

Dealerships are especially vulnerable to email-based threats because of how heavily email is used across departments.

Common dealership email risks include:

  • Phishing emails posing as lenders, OEMs, or vendors
  • Compromised credentials reused across systems
  • Attachments containing malware or malicious links
  • Sensitive customer information sent or received without encryption

Attackers don’t need to breach a firewall if they can convince someone to click a link or open a file.

The Role of Human Behavior

Email attacks succeed because they exploit normal business behavior.

Sales teams move quickly. F&I handles high volumes of sensitive data. Accounting processes invoices and payments. Service departments communicate constantly with vendors and customers.

Under pressure, it’s easy for:

  • A phishing email to look legitimate
  • A link to be clicked without verification
  • Credentials to be entered on a spoofed page
  • Sensitive information to be shared unintentionally

Email security isn’t just a technical issue; it’s a workflow issue. That’s why tools alone aren’t enough without consistent security awareness training and clear processes.

Email Security Under the FTC Safeguards Rule

Under the FTC Safeguards Rule and GLBA, dealerships are required to protect nonpublic personal information wherever it exists—including in email.

Auditors increasingly look for:

  • Controls around email access and authentication
  • Evidence of phishing awareness and employee training
  • Protection of sensitive data sent electronically
  • Documentation showing safeguards are enforced

In many dealership environments, email is where sensitive customer data lives longest, and where it’s least controlled. That makes email security a direct factor in whether safeguards are defensible in practice, not just written into a policy.

Common Email Security Gaps That Put Dealerships at Risk

Despite growing awareness, many dealerships still rely on basic protections that leave gaps.

Common gaps include:

  • Single-factor authentication
  • Inconsistent phishing training
  • Limited visibility into suspicious activity
  • Manual handling of sensitive attachments
  • No standardized process for secure document sharing

These gaps are often unintentional, but they create opportunity for attackers.

Strengthening Email Security to Support FTC Safeguards Compliance

Effective email security combines technology with disciplined workflows.

From an IT perspective, dealerships should ensure:

  • Multi-factor authentication is enforced
  • Email filtering and threat detection are active
  • Account access is role-based
  • Monitoring and logging are in place

From a workflow standpoint, dealerships benefit from:

  • Reducing sensitive data shared directly via email
  • Using secure document workflows instead of attachments
  • Automating document routing and storage
  • Limiting unnecessary access to customer information

When email is used as a notification tool, not a document delivery system, risk is significantly reduced.

Why Small Changes Make a Big Difference

Dealerships don’t need to overhaul their entire environment to improve email security.

Small, targeted improvements can:

  • Reduce phishing success rates
  • Limit the impact of compromised accounts
  • Improve audit outcomes
  • Protect customer trust

Often, the biggest gains come from tightening controls around the most common workflows.

Turning a Hidden Weakness Into a Managed Risk

Email will always be part of dealership operations. The goal isn’t to eliminate it; it’s to control how it’s used.

By strengthening email security, enforcing access controls, and shifting sensitive workflows out of inboxes and into secure systems, dealerships can reduce one of their most overlooked risks.

If you’re preparing for an FTC Safeguards review or want a clearer picture of where email fits into your overall security posture, a quick conversation can go a long way. Let’s make sure this critical risk is actually managed, not just assumed.

The question isn’t whether your dealership uses email.

It’s whether email is being treated as the critical security boundary it truly is.