Hacker hijacks email, steals $100,000 charter deposit

Jul 23, 2018 by Dorie Cox

By Dorie Cox

A client who enjoyed his previous Mediterranean charter wanted to do it again. He had the captain’s phone number and called to book the 50m-plus yacht. To get started, he requested a contract and soon received it by email. With personal details filled in, he hit reply and emailed it back.

He and the “captain” emailed back and forth with details about where the family would visit and what they were most excited to do. Finally, with everything set, the charter client was ready to secure his dates with a deposit. He sent a wire transfer to the details on the contract, more than $100,000.

Then, all emails stopped.

After not hearing back from the captain, the charterer called him. “What happened? I haven’t heard from you?”

“It was the first indication that this money had not been received by anyone legitimate,” said Graeme Lord, president and owner of Fairport Yacht Support.

Fairport offers management support for the vessel and was one of the first to learn something was wrong.

The client’s money never arrived at the charter company. His deposit was gone.

A hacker had intercepted the email communications, posed as the yacht captain, and altered the email and wire transfer information, Lord said.

“What was going on in the background was the hacker read all the client’s previous emails and figured out he had chartered this boat before,” Lord said.

Way back to the first phone call and email of the contract, the real yacht captain never heard back from the charterer again. At that point, the communication had transferred to the hacker. The yacht captain assumed the client had decided not to charter.

This was a man-in-the middle cyber theft, said Corey Ranslem, CEO at International Maritime Security Associates.

“Those are attacks where someone inserts themself into communication between two parties and takes over the identification of one of those parties,” he said. “It’s a pretty popular one. The hacker profiles you, gets to know you, what you do, where you are, and tries to gain access to your network through phishing or other cyber penetrations.”

Lord worked with the U.S. Secret Service to unravel the situation. The money left the country when it was wired, and this branch of the U.S. government is the one to investigate across international borders in incidents of financial and computer-based crimes. They learned that the hacker had studied the emails and social media accounts to better play his role, learning details about the great experience the charterer had previously and the ports visited. The hacker even learned the names of the charterer’s children.

Questions remain on exactly how the hacker committed this crime. The Secret Service did discover that the phone number and the wire transfer account information had been changed before the contract made it to the client, and that when the money was finally sent, it went to a bank in Hong Kong, Lord said.

Now Lord is on a mission to warn others in the yacht industry about such dangers. He has spoken at several maritime events in an effort to raise awareness of the problem.

“No one thinks it can happen to them, until it does,” he said. “It’s like with your home – if you’ve never had anyone break into your home, you may be lax on security.

“Fishing [phishing] on a yacht used to mean something different,” Lord said.

What it means now is an internet scam where the user is duped into revealing personal or confidential information through emails or in other ways that the scammer then uses illegally.

“We’ve all seen the emails where the grammar is bad, the English is bad and it is clear it is a hack,” Lord said. “That’s changed. The hackers we’re seeing now are sophisticated, English is their first language, the grammar is perfect and the appearance is perfect. The invoice you get is from a company that is familiar, you recognize it and it looks identical, with one or two key pieces of information embedded into that.”

Email is a vulnerable portal, said Keith Perfect, director of technology and intelligence for Northrop & Johnson.

“Any crew member, or anyone, can get an email and that’s one of the largest phishing hacks we see today,” Perfect said. “It’s one of the easiest ways that bypasses all your security systems –  they click it and type in email or other information and suddenly the hacker has that information.”

Spam filters only work to some extent, but training people not to click bad links in email is important, he said.

“These emails look very real with grammar, graphics, the links look correct,” he said. “People need to learn not to fall for these kind of emails.”

This type of hacking is a full-time career for these criminals, even down to regular business meetings and corporate structure.

“There are groups of people whose job it is to get into the system,” Lord said. “They get in, then sell the information. Then that group sells to the next group, which is spear phishing. Your computer could have an active virus that is dormant for eight months and they’ve sold your information five times. You click today, but it looks like nothing happened.”

There are many damaging aspects to the charter client’s story, but one is that it affects a long line of people, Lord said. That list can include yacht captains and crew, contractors, marinas and yards, as well as yacht owners and charterers. And as people come forward with their incidents, the industry is beginning to realize potential impacts.

“In terms of the risk to your industry from the Homeland Security point of view, yes, the fraud is a very significant risk,” said John Tobon, Homeland Security investigations deputy special agent in charge for U.S. Department of Homeland Security. “The U.S. government has been hacked; everybody is at risk. It’s the things we do on a day-to-day basis that put us at risk. One of the biggest ones, the most popular, is social media.”

Unfortunately, it also happens to be the best way to keep in touch with families, especially for people who travel the world, he said.

He recommends everyone become aware of the risks and what can be done to safeguard information, he said.

“Something as simple as making our social media accounts private so the only people that can see are people we know,” Tobon said. “It’s more important than being popular.”

But there are other types of cybercrimes, frauds that cause financial loss and other financial crimes such as money laundering, that can not only cause financial loss, but can put a company at legal risk, especially in yachting, Tobon said.

“In your industry, it is sought out because the high net worth individuals are very, very attractive,” he said. “We saw a similar thing in real estate and the majority of transactions occurred with LLCs (limited liability company) – and LLCs that were not your traditional type.”

One segment of concern with LLCs is with beneficial ownership, he said.

“High net worth individuals will almost always have an LLC that will be paying for services in your industry. That’s normal,” he said. “What isn’t normal is a high net worth individual that is paying with an LLC that is owned by another LLC, which is nested within another group of LLCs so there really isn’t one person that can be traced.”

Tobon recommends a couple of priorities to safeguard transactions.

Educate your staff on how to identify fake emails, phishers and other types of cybercriminals, he said. Realize that employees are the ones who will keep you out of trouble. As hackers continue to become more sophisticated, more specialized training is required to spot red flags, he stressed.

Cyber and data breach insurance options are now available, said John Jarvie, vice president of Oversea Yacht Insurance in Fort Lauderdale.

“Cyber [insurance] didn’t exist a couple of years ago and is being created as we go,” Jarvie said.

Part of the complexity is culpability, he said. There are many kinks in the chain that may not be the yacht’s cyber liability. Just one example is wi-fi use.

“Those cyber passwords get handed out pretty freely, especially on charter, or if crew are in Antigua at the pub and sharing Wi-Fi with friends,” Jarvie said. “That information gets out very easily, so I think this means training for our entire industry.”

Learning how to stay safe from the multibillion-dollar illegal industry is complex, said Jubal Inman, vice president of sales and support and a partner at Advantage Services in Fort Lauderdale.

Multifactor, or two-factor, identification creates a safety level by requiring internet users to put in a password. It will then text you a code as a second verification, he said.

“It still goes back to training,” Inman said.

Unfortunately, staying safe is not so simple. The factors vary with the way each person uses their network: how they log on, type of passwords, wi-fi use and more. The complexity is exacerbated with the travel aspect of people in the yachting industry.

Nothing is foolproof, as each scam can be unique, but there are some best practices for the type of man-in-the middle cybertheft that happened with the charterer, said Ranslem, of International Maritime Security Associates.

He recommends two things that can help.

  1. When corresponding with someone, verify that the email matches what you have on file. If it does not, give them a call. Not an email. The hacker may have changed one letter or one detail.
  2. When it comes to wiring or banking, companies’ information doesn’t change. If a company sends you something with different details, pick up the phone and give them a call. Make sure their banking information really has changed.

“It’s an extra step, but it’s worth it if you’re sending half a million dollars,” Ranslem said.

Cybercrime’s effect on the yacht industry can be long-term.

“I can tell you, some of the trust was eroded and it’s hard to get that trust back,” Lord said of the incident. “You may not be cash-out-of-pocket, but trust is so hard to build, it does erode.”

And each day, people learn more about the dangers, Lord said. Most everyone has heard of scams, and may personally know someone who has been affected.

“We’re not going to beat these hackers through normal means, we’re going to beat them through education,” he said. “Education is key to not letting this happen to you.”

“These things are happening around us every day, and one day it’s going to affect your business,” he said. “You’ve done the work, you supplied the widget, you deserve to get paid, but you’re not going to.”

Although the charterer’s story is but one incident, Lord said he does not want to see the industry suffer. He doesn’t know if this client will book a charter again, but he hopes that by raising awareness more people can be protected.

“Most yacht owners start as charter clients,” Lord said. “If the first charter is negative, that’s the end of the road.”

Dorie Cox is editor of The Triton. Comments are welcome belowLearn more about cybertheft laws and regulations for the maritime industry from Triton expert Corey Ranslem in his Secure@Sea column monthly.


About Dorie Cox

Dorie Cox is a writer with Triton News.

View all posts by Dorie Cox →