Business E-mail Compromise: The Problems It Can Lead To For Trucking Companies Are Serious

NMFTA - November 16, 2023

From October 22-25, NMFTA hosted its annual Digital Solutions Conference on Cybersecurity in Houston, TX. The presentations contained powerful information for any company in the trucking industry that’s concerned about cybersecurity for its enterprise and/or assets. Of course, that needs to be the entire industry. This is part of a series of blogs that summarize the information presented for those who could not be there.

TOPIC:           Cyber Assets and Cyber Crime Trends

Presenter:         Mike Alvarez, United States Secret Service (USSS)

The phenomenon of cybercrime is not only growing, it is also constantly evolving. As technologies advance, cybercriminals find new ways to attack trucking companies and other industries. And as the business community learns how to protect itself, the bad guys try to stay one step ahead and develop new methods of attacking.

Mike Alvarez of the United States Secret Service (USSS) shared insight on the latest trends in cybercrime, as well as a look at prominent cyber assets that have relevance for the trucking industry.

Alvarez works in the Secret Service field office in Houston, which works to prevent, detect, and mitigate complex cyber-crime threats. He works closely with state, county, and local law enforcement, as well as other federal agencies.

He noted that while ransomware tends to get much of the attention, attacks via business e-mail compromise (BEC) are much more frequent. In 2021, the Internet Crime Complaint Center received nearly 20,000 BEC complaints amounting to losses of $2.4 billion.

Attackers making use of BEC tend to target companies that regularly perform wire transfer payments. A key strategy for attackers is “social engineering,” which simply means convincing people to innocently take an action that facilitates the cyberattack.

In one recent situation, he said an attacker was able to inject malware into a company’s system by calling ahead and pretending to be a job applicant, asking if he could e-mail his application. When the company officer tried to open the attachment, it seemed that nothing happened, but in fact that action initiated the malware download.

“BECs financially cost companies a lot more than ransomware,” Alvarez said.

Once in, the attackers will add new rules to the inbox and redirect e-mails—especially e-mails with words like “bills” or “invoices” —to RSS feeds where the hacker steals the information and uses it to create phony invoices tied to phony domains.

Hackers who gain control of an e-mail domain can use it to create spoof e-mail addresses, then send messages pretending to be the client. In such messages, they might request a transfer of funds, usually to a newly created bank account.

They can also send what appears to be a legitimate e-mail with a link that claims to be for normal business operations but initiates the download of malware.

“They’ll sometimes send messages that cause people to panic,” Alvarez said. “They’ll suggest that you’re the only thing holding up the release of funds, for example, and no one wants to be responsible for that.”

Once a hacker steals funds, they will often attempt to launder it. The USSS will attempt to track the funds, and the best chance of recovering it comes within the first 72 hours.

That tracking is the work of a division called the Global Investigative Operations Center, which specializes in following the money involved with cyberattacks—and can often identify the perpetrators by using that investigative technique.

Another division is the Cyber Intelligence Section, which tracks down data on the dark web like people’s credit card information and passwords—and how they’re being used to attack unsuspecting people and companies.

Part of Alvarez’s job is to make sure cybercrime prosecutions don’t go awry because judges and attorneys don’t understand the nuances of the field.

“Whenever we prosecute these individuals, the prosecutors and the judges may not understand the lingo,” Alvarez said. “So, my training is to help (them) understand that background.”

The USSS also partners with the University of Tulsa, which has a lab that specializes in digital forensics of a broad range of mobile electronic devices. The lab can extract and analyze digital evidence from mobile devices including smartphones, drones, and other devices.

No one can stop every cyberattack, of course, and the USSS offers guidance to companies that have been hit. Alvarez told the group there are four steps in preparing for a cyber incident—understand, prepare, execute, and debrief.

“Typically whenever we see these, it happens overnight, 1 to 4 in the morning,” Alvarez said. “So, if you have IT working overnight, now we’ve got a timeline. It’s also common for them to hit you over the course of a long weekend.”

For the same reason, Alvarez urged people never to transfer funds on a Friday, because banks are not usually open on the weekend.

“By the time you get to Monday morning, the funds are long gone,” he said.

The USSS plays a critical role in responding to a cyberattack, but Alvarez wants companies to know the limits of that role.

“If they’re working with a third-party response team, we’ll try to coordinate with them,” Alvarez said. “Unfortunately, at that point, we’re not there to get them back up and running. We’re there strictly for a criminal investigation.”

But that doesn’t mean Alvarez and his team won’t do anything to help the targeted company.

“We’ll share our notes and reports with you to show you any vulnerabilities that we’ve discovered,” Alvarez said.

The USSS also works frequently with foreign governments, as the attackers are often overseas and frequently in countries that are not friendly to the United States.

“They’re eventually going to want to spend that money,” Alvarez said. “And we’re watching them. We watched one who eventually flew to an extraditable country. We were waiting for him and we took him back to the United States.”

Concerning ransomware, which is brought about by malicious software that denies access to systems or encrypts data so it can’t be used, Alvarez said the bad guys are often hostile foreign nation-states.

Ransomware attackers routinely collect multi-million-dollar ransoms as the price for releasing a company’s system and allowing it to be used again. But once that happens, there is often no way of knowing how much of the company’s confidential data has been compromised.

Finally, Alvarez updated the group on the possible compromise of trucks themselves, and the critical infrastructure on which they rely. That can include vehicle and driver license systems, traffic management systems, and transportation management systems (TMS) used by trucking companies.

“There’s a lot of information these guys want to exploit and get,” Alvarez said.

Useful steps to prevent such attacks include:

  • Ensuring that technical measures receive due attention, including network segmentation, anti-malware software, and patching.
  • Building backup systems.
  • Audits of cybersecurity infrastructure to test systems and exploit vulnerabilities.
  • Creating an incident response plan, which should include the legal department.

To view photos from the conference, access our event photo album.


The National Motor Freight Traffic Association promotes, advances, and improves the welfare and interests of the motor carrier industry and less than truckload carriers operating in commerce, both domestically and/or internationally.