Fake logistics actors exploiting cyber weaknesses in the supply chain
15th November 2021
Cargo thieves, like other criminals and legitimate companies, have proven to be adaptable in recent times and continue to represent a leading risk for supply chain security globally.
The current world circumstances, combined with the disruptive measures put in place by governments around the world, have, in many ways, forced criminals to adopt alternative methods of operation, exposing cyber weaknesses in the supply chain.
This is exemplified by the way cargo thieves increasingly targeted facilities over trucks in some regions and the spike in thefts of essential products, such as personal protective equipment and other related medical goods, last year. However, another trend that has increasingly come to light over the past year and a half is the use of fraud by cargo thieves to successfully carry out thefts. This is not a new phenomenon; however, it is a tactic that presents a significant challenge for organisations, which have to contend with thieves combining this tactic with a cyber-based approach, increasing the difficulty of determining the actual identity and legitimacy of business partners.
Despite this being a seemingly daunting process, organisations can take solace in the fact that there are actions that can be implemented to mitigate the impact that these challenges of fraud and cyber risk have on supply chain resilience.
While fraud has historically not been the most prominent method employed by cargo thieves, with criminals more commonly using other methods such as more straightforward hijackings or thefts of cargo trucks, pilferage, and facility burglaries and robberies, the tactic has been used periodically by thieves in regions around the world. In the United States, for example, thieves have used a form of fraud known as a fictitious pickup, which most commonly involves cargo thieves deceiving employees at shipping facilities and warehouses by posing as truck drivers working for freight transportation companies. In these instances, thieves arrive at a pick-up location driving a tractor-trailer with fraudulent paperwork, insurance information, and phone numbers – all similar to the information of a legitimate transportation company. In some instances, thieves have inside knowledge about what load to pick up and at what location and time a truck should arrive for pick-up. The thieves then leave the site with the shipment of goods.
Already one of the more nuanced forms of cargo theft, fraud can fool even the most seasoned employees if done correctly. It has evolved over the past year and a half to often be conducted either fully or at least aided by electronic means, as organisations increasingly shifted to a work-from-home model. Known in some parts of the world as fake carriers, thieves in locations like Brazil and Peru in Latin America or in countries across Europe are leveraging services provided via phone applications to deceive organisations. These apps range from person-to-person messaging platforms to even online marketplaces or freight service exchange platforms in which organisations and transporters communicate and negotiate pickups and deliveries of shipments. The apps offer another vector for cargo thieves to pose as legitimate providers, and deceive companies into parting with cargo shipments or delivering goods to a waiting group of thieves. In these cases, thieves will represent fake companies and utilise fake documentation such as purchase orders, and then use these apps to communicate with companies. From here, thieves follow a similar process where they have the delivery scheduled for a location in which thieves are waiting to steal the cargo.
In response to this issue, the French government has modified legislation to regulate these avenues in which companies and transporters can connect. Known as the Mobility Orientation Law (LOM), the recent update to the legislation goes beyond defining both marketplaces and participants by requiring those who are active on the platforms to verify their legitimacy through registration and communication requirements. The legislation now holds participants who engage in contractual services through these electronic marketplaces responsible for a range of potential issues that could occur during the execution of the service, such as damage or loss of goods or the arrival of goods outside the designated timeframe. This legislation highlights the growing focus on not only the accessibility and usefulness of these types of online freight transportation service exchange sites, but also the inherent risk that comes with communicating and ultimately conducting business with parties via the internet.
This shift in the use of fraud via electronic means takes on a new light as more supply chains are falling victim to cyber-attacks. In general, criminals have recently targeted larger supply chains with the use of ransomware, a form of attack in which hackers gain access to and hold hostage key data or software system functions until the victim company pays the specified amount of ransom money. This tactic is evidenced by incidents including the ransomware attack on the Colonial Pipeline in the United States, ransomware attacks on three major ocean freight companies between 2017 and 2020, and, most recently, a major cyber-attack on South Africa’s state-owned seaport and rail freight operator that all but halted trade in the country.
In addition to these widely publicised incidents, other attacks have occurred that have not received as much attention but have still resulted in significant disruption for affected companies. In 2020, for example, five major road freight transportation companies in the United States and France similarly fell victim to hacks of personal or proprietary data or ransomware attacks. The European Union also recently highlighted a supply chain cyber-attack that targeted a cloud-based cybersecurity company that provided services for email accounts. In this case, the attack targeted data for acquisition and further exploitation rather than holding information or systems hostage like in ransomware attacks, and allowed the hackers to intercept network connections and steal email information. Criminals could leverage this type of cyber-attack to gain information on shipment details and enable theft operations.
Beyond these types of disruptive ransomware cyber-attacks that often result in the interruption of business operations, supply chain criminals have set a precedent of leveraging cyber-attacks to target and exploit the supply chain as far back as at least 2011. It was only in 2013 that police at the port of Antwerp in Belgium discovered an ongoing scheme in which a drug trafficking organisation recruited hackers to breach IT systems of the port that controlled the movement and location of containers. Upon acquiring this information on the arrival and location of drug-laden shipping containers, the group would send in cargo truck drivers to pick up the shipments before the actual owner of the consignment arrived. Officials at the port reportedly did discover this issue prior to 2013 and deployed a firewall to prevent further attacks of this nature; however, the drug traffickers adapted and instead broke into the physical premises of the facility and installed key-logging devices on the port terminal computers that enabled the group to bypass the security measures and continue the scheme.
These attacks on IT infrastructure certainly underscore the risk that the supply chain is now facing from a cyber perspective, highlighting that even larger international companies that have a broader set of resources to guard against such cyber-attacks can still fall prey to hackers. Moving forward, and based on the trend in which thieves are more and more using electronic means to supplement deceptive tactics aimed at stealing cargo, it is possible that criminals could begin to shift targets and launch cyber-attacks at smaller companies with the intent of gaining knowledge of shipment times, routes, and other information that could be leveraged to intercept or fraudulently pick up loads of goods.
Although the overall return may not be as large on a single cyber-attack operation as those targeting multinational companies with ransomware, it is possible that smaller companies may not have the same level of security in place to mitigate cyber risk and therefore present an easier target. This could expose these organisations to the same type of risk despite a likely lowered financial return for a single operation, as thieves could have easier means of obtaining the necessary information from company systems that allows for a successful theft operation.
In addition, given the complexity of many supply chains, it is also possible that hackers could target a business partner downstream to use as a vector for targeting the primary organisation. As such, companies should prepare and implement measures to guard against both fraudulent and cyber-attack tactics that thieves may launch to carry out cargo thefts.
Mitigating the risk
Whenever sub-contracting to a new supplier is necessary, it is important to undertake adequate due diligence on the business you are contracting with, ensuring that they are a reputable, reliable business and that they will deliver on your service commitment to your customer. Fraudulent activity in the haulage industry is a growing concern; bad actors can easily replicate documents and identifications to fool stakeholders into providing them access to valuable cargoes. Implementing a robust and consistent due diligence process will assist in reducing your business’s exposure to fraudulent activity.
Developing an approved contractor list for road haulage services and only using those businesses is the ideal solution. These risks increase where urgent, ad hoc shipments are required, and a pre-approved haulier is not available. Due diligence management controls are vital in protecting your business. Take your time and do not be pressured into rushing through the process; the risks of handing a cargo to a fraudster are far more significant than not meeting a timed delivery.
The primary objective is to verify the contractor’s identity to combat theft and fraud, protecting your interests, including your business’s reputation. While not exhaustive, when conducting due diligence consider confirming the following minimum information, prior to physically auditing the organisation:
- Full legal name and registered address of the supplier
- Details of other branches (nationally or internationally)
- Contact details (telephone and email)
- Web address
- The main activity of the supplier
- Verify ownership (taking account of regulations, such as sanctions, as appropriate)
- Legal form (limited company, sole trader, public limited company)
- Company registration number
- Tax (e.g., VAT) registration number
- Governmental or similar audit scheme (e.g., AEO) membership
- Key personnel and their roles
- Authority of the individual to sign on behalf of the supplier
The expert view
David Fairnie, BSI Principal Consultant, Supply Chain Security
“We are seeing a significant number of false suppliers acting as genuine potential suppliers in supply chain logistics provision – warehousing, distribution centres, transportation companies – and actually, they are criminal groups utilising technology to fraudulently infiltrate the logistics supply chain.
“Arguably today more than ever, you do need to know your suppliers intimately. Knowing your supplier goes back to verify before trusting. First and foremost, when you’re bringing new suppliers onboard, you need to conduct proper due diligence.
“Robust due diligence and onboarding is just the start of the journey; to confirm the supplier service capability and capacity, we strongly advocate that you physically audit the supplier. It’s all about being proactive as an organisation to continuously monitor your supply chain risks.”
Ian Allman, NMU Risk Control Manager
“As we see with many aspects in our day-to-day lives, technology eventually takes over. Whilst the concepts are undoubtedly designed to make transactions and the movement of goods between one party and another more simplified, this unfortunately can sometimes increase the vulnerability of supply chains to fraudulent activity.
“It seems the more technologically advanced we become, the more sophisticated the organised criminal gangs are in their methods for stealing cargo, to the point where the actual act of theft can now almost go undetected.
“The links between cyber-crime and cargo crime are growing ever closer and present new challenges to businesses when it comes to maintaining the integrity of supply chains.
“Whether it is spotting fake carriers or potential fraudulent transactions, providing adequate training and developing awareness amongst employees is essential if businesses are to protect themselves from falling victim to this type of crime.”
Prevention is better than cure!
Our collaboration with BSI Supply Chain Services and Solutions enables NMU brokers to further support clients, through leveraging the consultative partnership, to better understand their supply chain risks to address potential areas of vulnerability.
With BSI’s vast experience in supply chain security and risk management and our understanding of the cargo and freight liability insurance industry, this partnership will provide NMU policyholders with the necessary knowledge and skills to take a proactive approach to becoming more resilient in their supply chain operations, as well as helping to reduce losses and claims.
For more information about Risk Control, Cargo Insurance or Cyber Insurance, contact your NMU Development Underwriter.