B-Line Enterprises is a small, family-owned trucking company located in Raleigh, N.C. The company uses load brokers and vice-president Diane Burkle thought nothing of sending out standard contracts and invoices via e-mail. That is, until the payments stopped coming.
“Most of them pay in 30 days but we usually wait 45 days before inquiring about the payment,” says Burkle. “That’s how I found out. Then I discovered their e-mails were blocked so I started calling them.”
Hackers had obtained Burkle’s e-mail password. “Using my company e-mail, they submitted an ACH form to the brokers so they would get a direct deposit into an account they set up. They got into the back side of our e-mail so any replies would not come to my e-mail. They did this with 18 customers and got away with about $5,000 before I realized what was happening,” she tells Truck News.
The situation became more confounding when Burkle requested payment for the work B-Line had done.
“It was a nightmare,” she says. “They told us they had already paid. So, the question is on whose side is the liability? The broker was the one who was tricked into sending the payment to a fraudulent account. And what about the bank that allowed the hackers to open that fraudulent account?”
Burkle did some sleuthing and found out that her account had been infiltrated by an IP address traced back to Nigeria. She filed a police report and was told that not much could be done about the theft.
Information technology expert Bill Goutzinakis, owner of Billy IT in Surrey, B.C., isn’t surprised that the IP address showed Nigeria – it’s become a cliche for Internet scams.
“These people use proxies to disguise their location so it might be anywhere,” he says. “They also access a lot of different routing systems and they can even piggyback and log in from another company’s system.”
Goutzinakis isn’t shocked that the local police service wasn’t any help. Often, the authorities won’t get involved unless the fraud is over $100,000, and even then a successful prosecution is rare.
“It’s illegal to hack someone’s e-mail but it’s unenforceable. The best she can hope for is getting her money back from the bank,” he says. “This kind of thing happens on a daily basis. It’s called phishing. Most likely the password she was using was not well protected. You’d be surprised at the number of clients I have whose password is ‘password’ or ‘123456’.”
According to Goutzinakis, once the hacker has infiltrated the e-mail, gaining the trust of other account users is fairly simple. Some companies post the names of the executives and employees on their website. The hackers can also use Facebook and other social media sites to find out additional details about the people or the organizations they want to compromise.
“It usually starts with an e-mail that looks like it’s from someone you know in the company,” he says. “They usually provide details that only insiders would know; they might reference something that would likely happen in the day-to-day operations.”
Once they have become friendly with the e-mail account holders, the hackers continue to collect information.
“They’re not really hacking your system, they’re hacking the brains of the people using the system,” says Goutzinakis. “They’re actually acting on information that an employee has freely given them. So when someone transfers funds into another account, they don’t suspect anything is wrong.”
Another case in point is the medium-sized carrier OutWest Express of El Paso, Texas, which suffered dire consequences after a company recruiter opened a Word document that was supposed to contain a resume from a prospective driver.
The recruiter had unknowingly let loose a malicious program that released a “ransomware” virus into the company’s system, as reported by Fleet Owner in October 2015. The hackers locked up the company’s access to the server and demanded payment. The situation was worsened by the fact the files were not completely backed up.
The company eventually had to hire an outside forensic recovery firm to get back most of its data – an expensive process. But the matter didn’t end there. While the company was beefing up its cyber defenses, the perpetrators had filched the company’s client list and started calling brokers, booking loads and asking for cash advances, up to $800 in some cases.
OutWest started getting calls when the loads weren’t picked up. Fortunately, the carrier had stipulated to clients that no cash advances were to be paid out. But what was more problematic, some crucial data was lost during the breach.
“We had all kinds of sensitive data files stored in our server; tax returns, social security numbers, things like that… So now we’re stuck waiting to see if they try to use any of that,” vice-president Zack Chilson said during a presentation at the American Trucking Associations’ annual convention in 2015.
A quick survey of a few Canadian trucking companies reveals that cyber security awareness is somewhere between non-existent and adequate, with most falling somewhere in between. No surprise, those carriers hauling high-value goods are the most vigilant, while smaller carriers often don’t give Internet security much thought – until something goes wrong.
According to Goutzinakis, ransomware attacks are less prevalent now than a couple of years ago.
“But this serves as an example of why you should protect your server – crucial data should be properly backed up, preferably with more than one external local device,” he says.
“And you should have an IT expert check the system to make sure it’s working properly.”
More common, thinks Goutzinakis, is the kind of soft-target phishing expedition that happened to B-Line Enterprises. He suggests small carriers are often targeted because of their naivety.
“People assume that hackers are using the latest technology to commit these frauds when that’s not the case,” adds Goutzinakis.
What about anti-virus and anti-malware programs, do they work?
“I’m not going to say they’re not useful, or that people shouldn’t have them, but every infected computer I’ve looked at has had some type of anti-virus program,” he warns.
Goutzinakis thinks the best thing you can do is get the latest updates to your operating system.
“Some companies are still running Windows XP to support their website. And you should also train your employees to be wary of anything suspicious. Just by passing your mouse over a link you can sometimes tell if the URL is bogus or doesn’t make any sense,” he suggests.
For her part, Burkle now changes her password frequently and gets a notification on her phone if anyone is trying to access her account.
“I’m paranoid,” she admits. She’s also still fighting with the bank and checking to see if any more money was stolen. “Any new customers we get, we tell them that no changes can be made without talking verbally to me and my husband. And we’ve gone back to doing things the old way, sending out invoices by post.”
But Goutzinakis doesn’t think people should be afraid of the Internet.
“Keep your system up to date and you should be able to keep a step ahead of the bad guys. Usually it’s just a case of stopping to think for a few seconds before you click on something,” he says.