Earlier this year, the FBI released a report showing that a record $10 billion had been stolen from Americans via online fraud in 2022. In May, Microsoft reported increased cyber-threat activity from a Chinese-sponsored “threat actor” it called Volt Typhoon, targeting critical military and transportation infrastructure—including maritime infrastructure.
More recently, Inland Rivers, Ports and Terminals reported that “the maritime transportation sector has seen a very sudden rise in the number of phishing emails making it through security filters.”
In all these attacks, phishing remains the most popular point of entry for threat actors. Phishing is not new; it refers to fraudulent emails in which threat actors use various tricks and psychological pressure to get recipients to open them, giving the attackers further access to systems. The FBI’s Internet Crime Complaint Center (known as IC3) reported that in 2022, phishing was by far the most common complaint, at 300,497. The next most common complaint, personal data breaches, numbered 58,859.
Most companies have filters in place to screen out spam along with unknown, unwanted or obviously suspicious emails. To get around these defenses, hackers obtain real credentials. “Part of the problem is that many of the phishing emails are coming from known addresses that have been compromised through credential harvesting techniques,” according to IRPT. Today’s phishing hackers can spoof the addresses of your boss, someone senior in your organization or family members. If you are a business, a seemingly legitimate email from a client, partner or business associate could be a spoof. Simply refusing to open emails from people you don’t recognize is not enough.
Spoofers who know something about your company or organization can refer to real events to create a sense of urgency. Citing the Coast Guard in a warning email, IRPT notes that recent phishing emails targeting maritime transportation entities used “bid-themed” appeals urging action on a pending bid. Any email that urges immediate action, especially if it requires you to give out your own information or passwords, even if it’s seemingly from someone you know, should be treated with caution and confirmed with a phone call if necessary.
Screened-out phishing emails should also be examined by qualified personnel for clues to their origins and reported to the proper authorities.
Cyber experts remind us that no matter how technology evolves, human behavior remains the ultimate vulnerability. Regular training in how to respond to emails is already part of most maritime companies’ safety training. As we spend more of our lives online, the need for that training and awareness will, sadly, be with us for the foreseeable future.