Anonymous Reporting
MCA Chatter
V-ID Terminal
My Account


Icon representing US Coast Guard Bulletin: Cyber Adversaries Targeting Commercial Vessels
US Coast Guard Bulletin: Cyber Adversaries Targeting Commercial Vessels

June 21st 2019
Icon representing Would you pay $1m for a laptop full of malware?
Would you pay $1m for a laptop full of malware?

May 23rd 2019
Icon representing Singapore Opens Maritime Cybersecurity Operations Centre (MSOC)
Singapore Opens Maritime Cybersecurity Operations Centre (MSOC)

May 22nd 2019

Invoice Fraud November 2017

December 18th 2017
At the end of NOVEMBER 2017 three attempts of invoice fraud came to surface involving 3 vessels sailing under Luxembourg flag. If successful these attempts would have cost its owner, an internationally operating shipowner, over 18000 EUR. Thanks to a combination of awareness, procedures and attentive employees none of these attempts succeeded.

The attempts are clearly not the doing of amateurs as the level of detail in all aspects of the fraud attempt is impressive. All invoices were sent by the same fraudsters to different e-mail addresses in the same company. The layout of the three invoices is very similar and the modus operandi was identical in all cases. Moreover there are reasons to believe that these fraud attempts are part of a campaign also aimed at several other maritime companies.

Modus operandi

• A fraudster contacts the company through e-mail, reminding them to pay an invoice;

• The company can’t find a purchase order nor a reference to the company and asks for a copy of

the invoice;

• The company receives the fake invoice which is very realistic both when it comes to

• Layout and

• Contents:

• Names and identifications of the vessels are correct;

• The invoices carry stamps and signatures of the captains which are in most cases (copies of?) the real ones. In one case a blue stamp was used which in reality is black;

• Services very similar to the ones mentioned on the invoice were actually procured, albeit from other companies and in slightly different quantities. In one case even the quantities were correct;

• Timings (port arrival, ETA) are more or less correct;

• Prices are realistic.

The company’s bookkeepers discovered the fraud attempts every time by lacking purchase orders, the fact that the supplier/ account number/ VAT number isn’t known, the originating companies mentioned on the invoice can’t be found on the internet, etc.

On the invoices no account numbers are specified. Although in all cases the receiving company prompted the fraudsters for an account number it strangely enough seemed as if the fraudsters were reluctant to give an account number – only in one case an account number was communicated.

Actions taken

• Staff on vessels and in accounting depts. were informed of the attempts;

• Fraudsters’ e-mail addresses were blocked, making it impossible to target the company again from these specificy e-mail addresses or domain names;

• The company’s e-mail servers were scanned for other occurrences. Negative;

• Another shipowner was contacted. Although the information was new to them they, too, found two similar yet less sophisticated attempts. This may suggest that other maritime companies as well may be targeted and we hence may call this a campaign;

• The fraudsters’ e-mail domain names were checked. They were created anonymously as early as FEBRUARY 2017. This suggests that the scam has been going on for a longer time and furthers the idea of a campaign;

• Several national CERTs were informed.


• The language used by the fraudsters is pretty ok as long as templates seem to be used but goes downhill in one-on-one e-mail messages;

• The fraudsters make use of a wide range of logos/ templates/ addresses/ stamps/ layouts/content/ etc. which they combine digitally;

• It seems as if either the fake invoices were really signed by the captains (in between a whole range of other documents) AND/OR that the signatures and stamps were copied from other legitimate documents.

• In either scenario a person with access to this information is required. This person should also be able to provide the other members in the gang with realistic information for building the invoices’ content.