Caution: Storage Spoofing (part 1) at Port of Rotterdam (English version)
At FERM we regularly take a closer look at a topical subject that relates to cybersecurity in the port of Rotterdam – both at our periodic get-togethers and on our website ferm-rotterdam.nl.
You can visit the FERM website to read about phishing and other digital threats for SMEs, for example, or about CEO fraud: a perennial favourite among cybercriminals (articles in Dutch only, for now). In our latest series of articles, we will be paying attention to the concept of ‘storage spoofing’. We kick off the series with an interview with Ronald Backers, who works as a Business Intelligence Adviser for the Port of Rotterdam Authority.
Let’s start by giving a definition of ‘storage spoofing’ itself. We came up with this umbrella term to describe all varieties of the sale of non-existent storage capacities and stocks of resources and materials at the terminals in Rotterdam’s port area. The ‘marks’ for this type of fraud are national and multinational companies that either operate or are looking for storage facilities in the port area, as well as all potential buyers of the goods stored at these terminals. These goods are offered under false pretences but turn out to be non-existent.
At FERM, we study the development of this type of fraud and trends within this variant, with a specific focus on prevention. Among other things, we do this by approaching the issue from a number of different perspectives, including those of targeted companies (and firms that have already been affected), the Public Prosecutor’s office and the Seaport Police, and by sharing concrete tips and recommendations.
Storage spoofing isn’t a new phenomenon. “It has been going on for five or six years by now,” says Ronald Backers. “A fake order is posted online – by a supplier of JP54, for example, who claims to have 1 or 2 million barrels in store.” JP54 is a specific type of kerosene that is used as an aviation fuel. “The ‘seller’ then purposely steers towards some form of advance payment, with the intent of misleading the victim. After that, the perpetrators usually disappear without a trace.” When the client arrives in the port to collect the order, it turns out the terminal doesn’t store the product in question. In some cases, the storage facility itself doesn’t even exist.
“These transactions are often accompanied by all sorts of documents, which involve a variety of forged stamps and certificates. The criminals also set up fake versions of the terminals’ websites to draw the victims into a sale.” These fake company websites often vanish as quickly as they appear: the criminals tend to shut them down after a few attempts or a successful transaction so that they can try the same scam somewhere else, under a new name.
WHAT CAN WE DO ABOUT IT?
In practice, it proves difficult to root out storage spoofing entirely. A lot of companies – particularly internationally – are insufficiently familiar with the business community in the port area, which makes it easier for criminals to seduce them with an ‘attractive’ but fraudulent offer.
“It’s a persistent problem – it keeps rearing its head,” says Backers. At the same time, we aren’t powerless when it comes to fighting it. “For example, the Port of Rotterdam Authority’s Facts & Figures brochure includes a listing of all companies and terminals set up in the port. This helps you to check whether an offer’s legitimate.” While this is a start, it isn’t fail-safe, with all the copies and fake versions of company names and websites going round. The scammers often make use of the very same listing to establish credentials for their fictional enterprise. That's why we will be posting a list of all companies and their official websites shortly. In the meantime, please find our blacklist of known fake websites at ferm-rotterdam.nl/blacklist.
WHAT SHOULD YOU LOOK OUT FOR?
Do previous attempts have any distinguishing aspects that we can use as teaching material? “We can definitely see a number of recurring details,” says Backers. “To start, the offer usually concerns 1 or 2 million barrels: often JP54, but also D2, for example – a type of diesel fuel. In addition, many cases have a Russian connection.” This could be a Russia-based sender, for example, or .ru in the domain name of the website or email.
Backers also regularly finds emails of this kind in his own inbox. They’re often sent via Gmail and other channels that diverge from those commonly used for official corporate communications. The sender claims to have a quantity of product X in store and makes an attractive business proposal. “While I do file them for reference, I generally don’t respond to them. Unless they mention an existing terminal of course, in which case I get in touch with the terminal in question to inform them.” He also receives emails asking him whether he knows of anyone selling JP54. Or the sender claims to be looking for a facility to store this product. This could indicate that the scammers are fishing for companies that trade in this product, so that they can take on their name when they contact their unsuspecting marks.
TO BE CONTINUED
The emails also show that storage spoofing is alive and kicking. This means that in the period ahead, we will need to increase our focus on this particular problem, in the hope of developing new tips and guidelines for companies in order to reduce their risk of falling prey to this type of fraud. We will shortly be publishing the next article in this series on ferm-rotterdam.nl, so stay tuned. And if you have any information or experiences you would like to share, please find us at firstname.lastname@example.org.