Maritime Cybersecurity: Business E-Mail Compromise, a Cautionary Tale

Mainbrace | March 2018 (No.1)

Kate B. Belmont

Once upon a time, a shipping company in a land far, far away fell victim to a sophisticated, yet common, e-mail scam that resulted in the loss of more than a million dollars. Due to a slight manipulation of a legitimate e-mail address, in the stroke of a key this company transferred millions of dollars into the account of a cyber-criminal. The story you are about to read is true, and should serve as a cautionary tale to all players in the maritime industry who rely on e-mail communications to conduct business and transfer funds on a regular basis.

A Cyber-Criminal Strikes Again

One day, in the not-so-distant past, a shipping company received an e-mail communication in the regular course of business from what appeared to be their counterparty, requesting the payment of an invoice. This particular e-mail communication, sent from what appeared to be their counterparty, requested that payment be made to a different account than previously advised. The e-mail communication also provided a cell phone number for the shipping company to use to confirm that the new account information was indeed correct. The shipping company subsequently exchanged a few e-mails to confirm and verify the payment and account information. The shipping company also took an additional step, and proceeded to call the alleged counterparty, using the cell phone number provided in the e-mail exchange. After confirming the new account information, the shipping company paid the invoice as instructed, transferring more than one million dollars into a cyber-criminal’s account in the United States.

It Happens All the Time

This story might be familiar to many. As is common in the maritime industry, many transactions are completed by e-mail communications, and due to the growing threat of cyber-crime, many companies throughout the world become victims of hacks, data breaches, and the frequent and sophisticated e-mail scam known as a Business E-Mail Compromise (“BEC”). The Federal Bureau of Investigation (“FBI”) defines a BEC as “a sophisticated scam targeting businesses working with foreign suppliers and companies that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” (See fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud.) It is this type of cyber scam that poses a legitimate and recurring threat to companies worldwide, resulting in the loss of millions of dollars in ordinary transactions, most often unrecoverable. In May 2017, the FBI released a report noting that BEC scams worldwide had resulted in a loss of more than five billion dollars between 2013 and 2016. (See ic3.gov/media/2017/170504.aspx.) Between June 2016 and December 2016 alone, the FBI reported more than $300 million in U.S. financial recipient exposed loss. The number of victims and the risk exposure are growing exponentially.

The Scheme of the E-Mail Scam

How a BEC scam works is simple. A party will receive an e-mail communication from an e-mail address that appears to be from a familiar, trusted counterparty. In this e-mail communication, the alleged counterparty usually asks that payment of an invoice be made to a different account. Upon further review, however, the e-mail address is not from the familiar, trusted counterparty, and is usually slightly modified and may be spelled incorrectly with a single letter misplaced, manipulated, or added. Without realizing this, payment is transferred into the account of a cyber-criminal.

In the story noted above, this is exactly what happened. A shipping company received an e-mail communication from an address that appeared to be its counterparty, but the e-mail address was slightly modified with a single letter having been altered. Without realizing this attempt at subterfuge, the shipping company also used the cell phone number that was provided, spoke directly with a cyber-criminal, and subsequently processed payment to an account in the United States. At this point, most stories involving a BEC scam end similarly—with the realization that a company has been scammed and there has been a loss of hundreds of thousands, or even millions, of dollars that cannot be recovered. However, this particular story has a different ending.

Targeting the Maritime Industry

This particular shipping company was quickly notified by its actual counterparty after realizing that funds were transferred to a different account. After an initial investigation, it was determined that the shipping company had been the victim of a cyber scam. Within 72 hours, the shipping company notified its attorneys in the United States to alert them of the scam in an attempt to recover the lost funds. Due to its quick actions and immediate outreach to counsel with specialty in cybersecurity and personal contacts in the FBI, the shipping company was able to recover its fraudulently transferred funds. More than one million dollars was recovered and returned within 30 days.

While the cyber scam that triggered these events may appear simple and common, there were a few additional components that make it extraordinary. It should be noted that in this instance, funds were transferred from an account abroad to an account in the United States, which is rare. Most BEC scams involve fraudulent transfers from accounts based in the United States to accounts abroad. To achieve the transfer of funds from a foreign account to an account in the United States, the cyber-criminal recruited a willing participant to open an account at a local bank. In this instance, a local resident responded to a “work from home” online scheme, and unknowingly and unwittingly became an accomplice in this BEC scam by opening an account at a local bank to facilitate the transfer of funds. Lastly, it was also determined that the cyber-criminal who had initiated the scam was in fact targeting the maritime industry. The domain registration e-mail address associated with the fraudulent e-mail address was determined to be the owner of more than 100 domain names with slight misspellings, most of which were related to the maritime industry. This was a calculated and targeted attack on the maritime industry as a whole, which will continue.

Fight for Your Happily Ever After

This story had a happy ending, with the shipping company recovering its lost funds, but most BEC scams do not end that way. To avoid becoming a victim of cyber-crime and to mitigate loss, this tale proves instructive. When doing business through e-mail communications, e-mail addresses must be verified and scrutinized critically. Know with whom you are doing business. If you receive an e-mail communication that alters material terms, such as payment information and processes, verify the instructions with your trusted counterparty. Lastly, if you suspect you have been the victim of a BEC scam, you must act quickly. Make the call—notify your cybersecurity attorneys as soon as possible. A few hours can make the difference between a total loss and recovering most of your fraudulently transferred funds. Cyber-crime does not discriminate, and cyber-criminals create sophisticated, yet detectable, scams that can drastically affect your business. For additional information on how to best protect your company from cyber-attacks and to mitigate loss, please contact a member of our Cyber Risk Management Team.
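The two controls this article recommends, scrutinizing the sender's address (the single-letter change described under "The Scheme of the E-Mail Scam") and verifying any change to payment instructions with the counterparty you already know rather than through a number supplied in the e-mail itself, can both be applied before an invoice is released for payment. The Python script below is an added example written for this page; it is not code from the article or from the author's firm. The counterparty name, domain, account identifier and phone numbers in it are constructed sample data. It goes slightly beyond the article's single-letter case: a sender domain is flagged when it is one edit (a substituted, added, dropped or swapped letter) away from a domain on file, and common look-alike character pairs such as "rn" for "m" are folded before comparing.

```python
"""Screening an incoming invoice e-mail for Business E-Mail Compromise (BEC)
indicators. All counterparty names, domains, accounts and phone numbers are
constructed sample data, not values from the article."""
from dataclasses import dataclass


@dataclass
class Counterparty:
    name: str
    domains: set        # sender domains verified out of band and kept on file
    account: str        # bank account on file for this counterparty
    phones: set         # phone numbers from our own records, never from an e-mail


@dataclass
class Finding:
    severity: str       # "ok", "warn" or "block"
    reason: str


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one unit per inserted, dropped or
    substituted character, or per swap of two adjacent characters. A value of 1
    is the 'single letter misplaced, manipulated, or added' case."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


# Character pairs that read alike in common fonts. Folding both sides before
# measuring distance catches 'rn' for 'm' style swaps, which are two edits apart.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def fold(domain: str) -> str:
    for src, dst in HOMOGLYPHS:
        domain = domain.replace(src, dst)
    return domain


def sender_domain(address: str) -> str:
    # Take the part after the last '@' so a display name or quoted local part
    # cannot hide the real domain; compare case-insensitively.
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address, counterparties):
    """Return (counterparty or None, Finding) for the sending address."""
    domain = sender_domain(address)
    for cp in counterparties:
        if domain in cp.domains:
            return cp, Finding("ok", f"{domain} is on file for {cp.name}")
    for cp in counterparties:
        for known in cp.domains:
            if osa_distance(fold(domain), fold(known)) <= 1:
                return cp, Finding("block", f"{domain} is a look-alike of {known} ({cp.name})")
    return None, Finding("warn", f"{domain} matches no counterparty on file")


def check_payment_change(cp, requested_account, phone_in_email):
    """Flag a request to pay an account other than the one on file, and refuse to
    treat a phone number supplied inside the e-mail as a verification channel."""
    if requested_account == cp.account:
        return [Finding("ok", "requested account matches the account on file")]
    findings = [Finding("block", "requested account differs from the account on file; "
                                 "confirm with the counterparty using a contact from our own records")]
    if phone_in_email and phone_in_email not in cp.phones:
        findings.append(Finding("block", "confirmation number in the e-mail is not on file; do not call it to verify"))
    return findings


def screen_invoice_email(sender, requested_account, phone_in_email, counterparties):
    """Return ("ok" | "warn" | "block", [reasons]) for one invoice e-mail."""
    cp, finding = classify_sender(sender, counterparties)
    findings = [finding]
    if cp is not None and finding.severity == "ok":
        findings += check_payment_change(cp, requested_account, phone_in_email)
    if any(f.severity == "block" for f in findings):
        worst = "block"
    elif any(f.severity == "warn" for f in findings):
        worst = "warn"
    else:
        worst = "ok"
    return worst, [f.reason for f in findings]


# Constructed sample vendor record used in the walk-through below.
COUNTERPARTIES = [
    Counterparty("Oceanic Bunkers Ltd", {"oceanicbunkers.example"},
                 "ACCT-ON-FILE-0001", {"+1-555-0100"}),
]

if __name__ == "__main__":
    cases = [
        ("ap@oceanicbunkers.example", "ACCT-ON-FILE-0001", None),        # routine invoice
        ("ap@oceanicbunker.example", "ACCT-NEW-9999", "+1-555-0199"),    # one letter dropped
        ("ap@oceanicbunkers.example", "ACCT-NEW-9999", "+1-555-0199"),   # genuine domain, new account
    ]
    for case in cases:
        print(case[0], screen_invoice_email(*case, COUNTERPARTIES))
```

The second case reproduces the article's scenario: the domain is one letter short, so the e-mail is blocked before the account change is even considered. The third case is the harder one, where the counterparty's real mailbox has been compromised; the domain check passes, but the changed account and the unfamiliar confirmation number still stop the payment until someone calls a number already held in the vendor record.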