Shipping companies should come forward if they are hit by IT fraud, so that others can learn from their mistakes.

Unfortunately, the topic remains taboo, and many companies are afraid to share their experiences, an IT security expert tells ShippingWatch.

"It's gotten a little better, and some companies have begun to share their experiences, especially in relation to smaller fraud incidents," explains Henrik Larsen, head of IT security organization DKCert.

"But it's very difficult to get them to come forth, as it's seen as embarrassing. As such, we don't really have an overview of how widespread it is, even though everything indicates that the scope is increasing," he tells ShippingWatch.

According to police estimates, Danish companies are defrauded of a couple of hundred million kroner by IT criminals every year. This also applies to shipping companies, where large sums often change hand in relation to ship operations.

ShippingWatch reported Monday how ship owner Thorco Projects was last year tricked into transferring around USD 85,000 to a hacker who posed as one of the company's business partners in a series of false emails.

The company declined to comment on the case, which only became known because it is described in a series of publicly available court documents.

However, it is clear that Thorco Projects is far from the only shipping company hit by attempts at fraud by cyber criminals who either hack into companies' email systems or create false email addresses for the purpose of luring companies to transfer money into their accounts.

ShippingWatch will in the coming days describe a series of attempted fraud on Danish shipping companies in recent years.

Shipping is vulnerable

There are several versions in play of the trick of using false emails to defraud companies.

Most famous are the so-called CEO emails, in which an employee in bookkeeping is asked to transfer money to a company's chief executive in a false email, that subsequently turns out to have been sent by a criminal.

There are also more sophisticated versions, such as the one used against Thorco Projects. Here a hacker gained access to the business partner's email system and was thus able to enter the companies' correspondence and send emails from the real domain.

ShippingWatch is also aware of a case in which a hacker intercepted a legitimate invoice sent to a US-based shipping company and changed the account to that of the hacker.

It could be individuals perpetrating the fraud, though the methods are also used by organized crime. In recent years experts have also noted a rise in the number of emails written in perfect Danish and which thus seem to originate in Denmark.

This fraud hits virtually all sectors, but the shipping sector could be particularly vulnerable, as many ship owners do not have the proper protocols in place despite often handling large sums of money.

"There are not as such any sectors dodging this, but the success rate might be higher in the shipping sector, as it has not necessarily kept up with digital developments. The sectors that are often hit the hardest are the ones where employees are perhaps not trained to be critical toward technology," explains Jens Monrad, senior analyst at FireEye, which works in strategic intelligence and analysis of cyber attacks.

Use encryption

The shipping companies can protect themselves against fraud by using a series of fairly simple tools.

Larsen of DKCert recommends that companies use signed and encrypted emails when messages concern money.

"We can recommend using signed emails. This helps in part because the sender will have to know the password for a certificate stored on one's computer. It's also a good idea to encrypt sensitive emails so that traffic can't be monitored during transmission," he says, noting that everyone can in principle access an email correspondence unless precautions are taken.

"It is of course a bit more difficult, as it takes some extra work. But it's a good idea to use these tools when exchanging confidential information, for instance about payments," he says.

FireEye senior analyst Monrad also calls on shipping companies to tighten security.

"It should no longer be enough to activate a transfer on the basis of just an email. Companies cannot live with this in the current threat scenario," he tells ShippingWatch.

This article is part of a series in which ShippingWatch takes a closer look at how scammers are trying to defraud shipping companies through the use of false emails.

English Edit: Daniel Logan Berg-Munch