Shared Mailboxes and “Everyone Logs In” Habits: How Attackers Use Them in Dealerships

Dealerships move fast. When the line is stacked in the service drive and the phones won’t stop, “make it easy” becomes the rule.

That’s how shared mailboxes and shared logins happen.

  • The service BDC shares an inbox because multiple people cover appointments
  • The parts counter uses one login because turnover is constant
  • The warranty team shares credentials because “it’s easier”
  • Accounting has a shared email for vendor invoices and statements
  • Sales has a shared address for leads or delivery coordination

On the surface, it feels like teamwork.

To an attacker, it looks like a wide-open door with no camera and no fingerprints.

This post breaks down how attackers exploit shared mailboxes and “everyone logs in” habits, why it drives cyber insurance and compliance headaches, and what to do instead without slowing the store down.

Note: This is general information, not legal advice.

First, a quick definition (because the terms get mixed up)

Dealerships often use “shared mailbox” to mean a few different things:

  • Shared mailbox (Microsoft 365/Google): An inbox multiple users can access, usually without a separate password if configured correctly.
  • Shared user account: A single username/password used by multiple people (“service@”, “accounting@”, “parts@” as a login).
  • Forwarding distribution list: Emails get forwarded to multiple people’s inboxes.

From a security standpoint, the biggest danger is the shared user account and any setup where people routinely share passwords or bypass MFA.

Why attackers love shared mailboxes and shared logins

Attackers do not need to “hack the whole dealership.” They need one foothold that lets them blend in.

Shared access gives them four advantages.

1) No accountability (and no clean investigation)

When five people log in as the same user, you lose the ability to answer basic questions:

  • Who approved the login prompt?
  • Who opened the attachment?
  • Who changed the mailbox rule?
  • Who sent the message to a lender?

That makes investigations slower and makes it harder to prove what happened to insurers, counsel, OEMs, and regulators.

2) MFA gets weakened or bypassed

In many stores, the shared account ends up configured with:

  • MFA turned off “because it’s annoying”
  • MFA tied to one person’s phone (and everyone approves prompts)
  • A password that never changes because changing it breaks everyone

That’s a gift to attackers. If they steal the password once, they keep access longer.

3) Shared inboxes are perfect for payment fraud and lender impersonation

The most damaging dealership incidents often involve email-based fraud:

  • fake vendor payment changes
  • payroll redirect requests
  • fake wiring instructions
  • lender “stip update” traps
  • fake doc requests that harvest IDs and contracts

Shared mailboxes tend to receive exactly those messages (invoices, statements, funding requests), which makes them high-value targets.

4) Attackers can hide inside the workflow

Once inside a shared mailbox, attackers commonly:

  • Create mailbox rules that forward or delete messages (so nobody sees them)
  • Use the shared inbox to reply to customers or vendors because it looks legitimate
  • Watch conversations and jump in at the right time (for example: right before a vendor payment goes out)

Because multiple people touch the mailbox, it’s easy for the store to miss subtle changes until money or data walks out the door.

Dealership examples of “how it goes wrong”

Here are real patterns we see in dealer environments.

Service BDC shared inbox

A phish lands in the shared inbox. One person clicks. Credentials get captured. Now the attacker has access to:

  • customer appointment info
  • communication threads
  • password reset emails for other tools

Then they set a rule to auto-delete “security alert” emails so nobody notices.

Accounting vendor invoices mailbox

An attacker gets into an AP-related inbox and monitors vendor payment threads. When the timing is right, they send:
“New bank details attached, please update for next payment.”

If your process allows bank changes from email without verification, that can turn into a direct cash loss.

“Everyone logs into service@”

One password, used on a shared PC in the service lane. A browser gets compromised or credentials get reused. The attacker logs in from outside, creates a forwarding rule, and now has a constant feed of customer communications and attachments.

No one can tell which employee “caused it,” so the dealership loses time and trust internally.

What underwriters and compliance teams hate about shared accounts

You don’t need to name brands to understand the underwriting mindset. Shared accounts create:

  • weak authentication and poor MFA enforcement
  • lack of auditability and accountability
  • higher fraud exposure (invoices and payments)
  • uncertainty in the event timeline during a claim

Even if you have good tools, shared logins undermine your ability to prove controls are working.

The goal: keep the shared inbox, remove the shared password

Dealerships do need shared workflows. The fix is not “take away shared inboxes.” The fix is “stop sharing credentials.”

Here’s the clean approach that works in real stores.

The better way (dealership-friendly fixes)

1) Use a true shared mailbox with individual user access

Instead of logging in as “accounting@” or “service@,” configure the mailbox so:

  • each person accesses it using their own named account
  • MFA stays on for their account
  • permissions are role-based (read, send-as, send-on-behalf)
  • you can remove access instantly during offboarding

This keeps coverage and convenience, while restoring accountability.

2) Turn off legacy authentication and stop “app passwords”

If your environment still allows older login methods, attackers can bypass stronger controls. Lock this down so MFA and modern auth are enforced.

3) Lock down mailbox forwarding and suspicious inbox rules

A common attacker move is to set forwarding rules or delete rules. Tighten controls so:

  • forwarding outside the organization is restricted
  • rule creation is monitored and alerted
  • high-risk sign-ins trigger alerts
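One way to review inbox rules for these patterns, shown as an added example that is not part of the original post. The rule export format, field names, domains and keyword lists are assumptions constructed for illustration; map them to whatever your mail platform actually exports.

```python
# Added example: review an export of inbox rules for external forwarding
# and alert-hiding rules. All field names and sample rules are constructed.
INTERNAL_DOMAINS = {"exampledealer.test"}         # assumption: the store's mail domain(s)
HIDING_FOLDERS = {"deleted items", "junk email"}  # assumption: folders nobody reads
ALERT_WORDS = ("security alert", "sign-in", "password", "verification")

RULES = [  # constructed sample export, one dict per inbox rule
    {"mailbox": "service@exampledealer.test", "name": "Appointments",
     "forward_to": [], "delete": False, "move_to": "Appointments",
     "subject_contains": ["appointment"]},
    {"mailbox": "service@exampledealer.test", "name": ".",
     "forward_to": [], "delete": True, "move_to": None,
     "subject_contains": ["Security alert"]},
    {"mailbox": "ap@exampledealer.test", "name": "backup",
     "forward_to": ["collector@mail.example"], "delete": False,
     "move_to": None, "subject_contains": []},
    {"mailbox": "ap@exampledealer.test", "name": "Statements to controller",
     "forward_to": ["controller@exampledealer.test"], "delete": False,
     "move_to": None, "subject_contains": ["statement"]},
]

def is_external(address):
    """True when the address is outside the organization's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def audit_rule(rule):
    """Return the reasons a rule needs human review (empty list if none)."""
    reasons = []
    external = [a for a in rule["forward_to"] if is_external(a)]
    if external:
        reasons.append("forwards outside the organization: " + ", ".join(external))
    hides = rule["delete"] or (rule["move_to"] or "").lower() in HIDING_FOLDERS
    words = [w.lower() for w in rule["subject_contains"]]
    if hides and not words:
        reasons.append("hides every incoming message")
    elif hides and any(k in w for w in words for k in ALERT_WORDS):
        reasons.append("hides security or account notifications")
    return reasons

def audit(rules):
    """Return (mailbox, rule name, reasons) for every rule that was flagged."""
    return [(r["mailbox"], r["name"], why) for r in rules if (why := audit_rule(r))]

if __name__ == "__main__":
    for mailbox, name, why in audit(RULES):
        print(f"{mailbox}  rule {name!r}: {'; '.join(why)}")
```

Routine sorting rules and internal forwards pass through unflagged, so the output is a short list for a person to confirm with the mailbox owners.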

4) Conditional access that matches dealership reality

Dealers have predictable patterns:

  • users should not be logging in from random countries
  • shared kiosks should not have access to email admin functions
  • high-risk logins should require step-up authentication

Set policies that reflect how your store actually works.

5) Payment-change controls that don’t rely on email

For AP and payroll, enforce a hard rule:

  • no bank detail changes from email alone
  • call-back verification using known numbers on file
  • require dual approval for vendor changes and payments above a threshold

This is a process control that saves dealerships even when a mailbox gets compromised.

6) Make shared devices “low trust”

If the lane has shared PCs, treat them as higher risk:

  • no email access on shared service lane PCs if possible
  • no saved passwords in browsers
  • standard locked-down workstation build
  • automatic session timeouts

A fast “GM/Controller” checklist

If you want to spot the biggest risk quickly, answer these:

  • Do we have any shared user accounts for email (one password many people use)?
  • Is MFA enforced on every person who can access customer or payment emails?
  • Can we list who has access to the AP/vendor inbox and remove access same day?
  • Are external forwarding rules blocked or at least monitored?
  • Do we verify bank and payment changes by phone using known numbers?
  • Are shared lane PCs prevented from storing passwords and accessing sensitive inboxes?

If you can’t answer these confidently, you have an easy win.
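A starting point for the first two checklist questions, shown as an added example that is not part of the original post: a heuristic that flags accounts used from several devices in one day, with every MFA prompt approved on a single phone or with no MFA at all. The CSV columns, device names, threshold and sample rows are assumptions constructed for illustration.

```python
# Added example: find likely shared logins in a sign-in export.
# Column names, threshold and sample rows are constructed, not real data.
import csv
import io
from collections import defaultdict

SIGNINS = """time,account,device,mfa_device
2024-03-04T07:02:11,service@exampledealer.test,LANE-PC-1,phone-A
2024-03-04T07:40:52,service@exampledealer.test,LANE-PC-2,phone-A
2024-03-04T09:15:03,service@exampledealer.test,BDC-PC-4,phone-A
2024-03-04T13:26:47,service@exampledealer.test,ADVISOR-LT-7,phone-A
2024-03-04T08:01:30,jsmith@exampledealer.test,BDC-PC-4,phone-B
2024-03-04T12:44:09,jsmith@exampledealer.test,BDC-PC-4,phone-B
2024-03-04T08:10:00,parts@exampledealer.test,PARTS-PC-1,
2024-03-04T10:05:00,parts@exampledealer.test,PARTS-PC-2,
"""

DEVICE_THRESHOLD = 3  # assumption: distinct devices per account per day; tune per store

def find_shared_logins(csv_text, threshold=DEVICE_THRESHOLD):
    """Return (account, day, reasons) for accounts that look shared or lack MFA."""
    per_day = defaultdict(lambda: {"devices": set(), "mfa": set(), "no_mfa": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = per_day[(row["account"], row["time"][:10])]
        entry["devices"].add(row["device"])
        if row["mfa_device"]:
            entry["mfa"].add(row["mfa_device"])
        else:
            entry["no_mfa"] += 1  # empty column: sign-in completed without MFA

    findings = []
    for (account, day), e in sorted(per_day.items()):
        reasons = []
        if len(e["devices"]) >= threshold:
            reasons.append(f"used from {len(e['devices'])} devices in one day")
            if len(e["mfa"]) == 1:
                reasons.append("every MFA prompt approved on the same device")
        if e["no_mfa"]:
            reasons.append(f"{e['no_mfa']} sign-ins without MFA")
        if reasons:
            findings.append((account, day, reasons))
    return findings

if __name__ == "__main__":
    for account, day, reasons in find_shared_logins(SIGNINS):
        print(f"{day} {account}: {'; '.join(reasons)}")
```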

Shared Mailbox and Shared Login Gap Assessment

If shared inboxes are part of how your store operates, the goal is not to eliminate them. The goal is to make them safe.

Book a Shared Mailbox and Shared Login Gap Assessment and we’ll:

  • identify every shared mailbox and shared account in your environment
  • map who has access, how they authenticate, and where MFA is weak
  • lock down forwarding, inbox rules, and high-risk login paths
  • redesign shared workflows so you keep speed without sacrificing accountability
  • deliver a prioritized fix plan that supports cyber insurance and Safeguards readiness