Cyber Security - Be Aware of Payment Scams

A common scam is for a hacker to pose as a payee in an email trail. The hacker will use a very similar email to a known contact and will ask for a payment to be diverted to a different account to that normally used. We look at a recent case.

Background

In respect of hire payment due under the subject fixture, Charterers received the following email, purportedly originating from the accounts department of Owners of the subject vessel:

“Reference to our previous email, we received a notification from our bank that our Account has been subjected to some tight scrutiny by the Income Tax Dept. and at this moment, we are unable to operate our previous Account, due to which, we cannot use the funds that you will transfer until the scrutiny is released.

Therefore, this might require a change of account for receiving the value of our invoice. On your confirmation that payment has not yet been sent we will forward you our company’s subsidiary bank details with a revised invoice.”

The email had seemingly come from the account of the Owners, Charterers duly made payment of two hire payments into, what they believed to be, Owners’ alternative bank account and evidenced, via swift confirmations, that this had been done.

It soon became evident that Charterers had fallen victim to a fraudulent diversion of hire payment. On closer inspection, it transpired the email address had been changed by one letter (for example mrbloggs@steamtank had been changed to mrbloggs@steamtenk – note the change from “tank” to “tenk” – this went unnoticed by Charterers). Two hire payments due to Owners under the fixture totalling over US$100,000 remained unpaid.

Under the terms of the recap, incorporating a SHELLTIME 4 form charterparty, Charterers were obliged to “ARRANGE TIMELY HIRE PAYMENT”. In circumstances where Charterers were in default of this obligation, Owners were entitled, pursuant to clause 9 (a) of SHELLTIME 4, to withdraw the vessel from service if the default was not corrected within 3 days of Owners giving notice to Charterers that payment of hire was late (the “Anti-Technicality Clause”).

Discussions between the parties failed to reach an amicable conclusion and Owners withdrew the vessel and accepted Charterers’ repudiation of the charterparty.

Lessons Learnt

• The email received, purportedly from Owners, originated from an account very similar to the Owners’ legitimate accounts department. Always check the email address carefully – any changes to the normal address should be treated as suspicious.
• In all prior correspondence originating from Owners’ accounts department, the email was personally signed off. In the email received from the fraudsters the email was simply signed off as ‘Accounts Department’. This is a clue that something is different – be suspicious in these circumstances.
• In circumstances where a bank account has been provided for in the charterparty/fixture recap, treat this as the main account into which payment of hire/freight should be made.
• Do not reply to the email account from which the instruction to make payment into a different account was received. Always use an email address that has been verified as legitimate.
• Never call the telephone numbers provided for in the suspicious email. Always use a telephone number that has been verified as legitimate.

Golden Rule

If you receive an email asking you to pay funds due to a different account telephone your counterpart DO NOT email them – the malware viruses will create automatic email responses that will appear genuine.

Contractual Arrangements

Talk to the other party about what may happen in the event of a cybercrime issue prior to contracting and agree what will happen (and evidence this in the contract) in the event that such an incident may arise.

Where the contract remains silent, charterers bear the risk of paying twice where they have been the target of fraud. Where charterers fail to adhere to hire/freight payment obligations, owners may be justified in withdrawing the vessel from charterers’ service where the contract provides that they are able to do so.

Cyber Security

North’s Loss Prevention Department has launched a dedicated Cyber Risks area on our website, where you can find a number of related articles and LP Briefings.  The new Cyber Risks area can be accessed in the Signals Online section of our website or by following the below link:

 /our-services/loss-prevention/signals-online/cyber-risks/

We would like to thank Mr Allen Marks of Campbell Johnston Clark for his contribution in writing this article.