Law firm Reed Smith is reporting on a growing email scam being circulated amongst owners and charterers and, in particular, being sent to ships. These emails are being sent by scammers posing as law firms in order to distribute malware, including the latest ransomware.
The scam email reads as follows:
We have been appointed to proceed with legal steps in arresting your vessel due to your inability to clear your long overdue payment with our client. Our client claims that several reminder has been sent to you on this subject matter without getting any response from you.
Find attached lawsuit filed by our client including Court and lawyer cost. Kindly review and revert with your comment. Meanwhile, vessel will be arrested by the court till further notice.
Your urgent response will be appreciated.
THKS N B’RGDS
“Anyone receiving these unsolicited emails should be very careful and, if in doubt as to their authenticity, should send them to their IT support team before opening any attachments or links contained therein,” Reed Smith stated in a circular.
The law firm stressed that it is important for owners to discuss with their clubs which of their P&I liabilities will be covered and what their responsibilities are when protecting against any potential future attacks. In general terms, owners are likely to be required by their respective insurers to demonstrate that they are taking reasonable steps to avoid or minimise cyber risks under their insurance, and to avoid or reduce the risk of cargo claims.
“Owners are strongly encouraged to be proactive in developing effective cyber incident response plans internally,” Reed Smith said.
Risks are of course not limited to cyberattacks via email. Researchers also point to significant holes in the industry’s three key navigation technologies: GPS, marine Automatic Identification System (AIS), and Electronic Chart Display and Information System (ECDIS). Precautions should also be taken in respect of the potential corruption of computers on the bridge, in the engine control room, and in relation to cargo control mechanisms and port systems.
Similarly, charterers must also take steps to ensure the authenticity of any emails received containing invoices or payment demands.
Where owners operate within the EU, the potential to incur fines will increase exponentially once the General Data Protection Regulation (GDPR) becomes fully effective on May 25 next year. Under the GDPR, EU national data protection authorities will have powers to fine organisations the greater of 4% of worldwide annual turnover or €20m for the most serious of data security breaches. Failure to implement appropriate steps to safeguard against malware can qualify as a breach of the minimum security obligations under EU data protection laws.