E-Fraud

North has recently been notified of a number of cases concerning the fraudulent misdirection of payments due under or in relation to charter parties and other shipping contracts. As this suggests a worrying and rising trend, the following guidance is issued to alert Members, brokers and other concerned parties to this problem, including providing some practical suggestions on how to manage and avoid the risks involved.

The Scenario

A common scenario is that an unauthorised third party obtains access to the email system of a party involved in the brokerage correspondence chain. This could be owners, charterers or brokers. The unauthorised third party then seeks to misdirect payment elsewhere – sometimes using the “hacked” party’s email address and sometimes, using an email address which is very similar to a legitimate address.

The consequences of this fraud can be substantial losses of revenue, an obligation to pay again, damage to commercial relationships and the potential for expensive litigation.

Who Bears the Loss?

There is no simple answer to this question. It depends on the terms of the contract in question and the circumstances of the case.

Often the paying party will bear the losses unless they can establish that the payment as directed amounted to a good discharge of their obligation to pay under the contract, or resulted due to the actionable fault of their counterparty, or another party involved in the transaction.  

This can become a complicated issue when messages to redirect payment come via the brokerage channel, as questions arise as to whether or not the payer could treat such messages as being made with the authority of the genuine beneficiary under the contract.

Protecting the Transaction

Ideally the parties should include the details of beneficiaries and bank accounts in the contract itself, rather than leaving the provision of banking details for payments until afterwards.

Exchanging payment details after the contractual stage gives fraudsters an opportunity.

If they can insert themselves into correspondence it allows them to misdirect payments, usually by substituting fake invoices for genuine ones.

If the beneficiary and bank account details are agreed at the outset, along with a formalised process for substituting the beneficiary and bank account if variations are required, there is less room for error or doubt, provided the payer is diligent in double checking to ensure payments (or variations) are being made in accordance with the contract.

Any request via the brokerage channel to redirect payments, especially if contradictory invoices are circulated, should be treated with caution. It is good practice to double check these requests by telephone with the brokers and/or the contractual counterparty. They may also be confirmed in writing by alternative means, such as fax or telex.  

Going outside the brokerage channel email chain in this way is important as more sophisticated fraudsters can go to elaborate lengths to avoid the abuse of the email system being easily detected by the innocent parties.

This can include using deceptively similar email addresses to those legitimately used and altering the protocols on the email system to which unauthorised access has been obtained to block certain in-coming emails.

Make Yourself a Hard Target

Prevention is better than cure. Good IT security is the key defence to protecting the financial interests of everybody involved in shipping transactions.

This should include simple practices such as:

• regular changing of passwords;
• not sharing passwords or sensitive transactional information with others not involved;
• avoiding opening suspicious attachments to emails that could contain viruses designed to obtain unauthorised access to email systems; and
• periodic review and upgrading of IT security hardware and software.

In the case of any suspected unauthorised access, IT security and email protocols should be checked promptly by qualified technicians and appropriate action taken to mitigate against the risk of further attempts or incidents.

The fraudsters are out there – take steps to ensure that you are a hard target.