Email is treated as an inherently trusted channel across shipping, yet it was never designed to carry the authority it now holds. Payment approvals, contractual changes and operational instructions are routinely executed on the strength of an email alone. This reliance has created a structural weakness that Business Email Compromise, commonly referred to as BEC, continues to exploit with precision and consistency.
Business Email Compromise is a targeted form of fraud in which attackers impersonate a trusted individual or organisation to manipulate recipients into transferring funds or disclosing sensitive information. Unlike traditional phishing, BEC does not rely on malicious links or attachments. The emails are deliberately crafted to appear routine, often aligning perfectly with normal workflows, authority and operational timing. From a technical standpoint, they frequently look legitimate.
In a maritime context, this may involve a message appearing to come from senior management while travelling, a long-standing supplier advising of updated bank details or an agent requesting urgent payment to avoid delay. The language is familiar. The request is plausible. The pressure is real. When an email looks normal, it is trusted. That trust is the primary attack vector.
The operational impact of Business Email Compromise is often underestimated until it occurs. Financial losses can be immediate and irreversible, since a wire transfer to an attacker-controlled account is rarely recoverable once cleared. Investigations consume management time and disrupt day-to-day operations. Regulatory and audit scrutiny increases when organisations cannot demonstrate adequate control over financial communications. Beyond the financial impact, confidence between internal teams and external partners can be seriously eroded.
This is not an IT problem. It is an operational risk that directly affects continuity, compliance and commercial credibility.
Most organisations respond to BEC with awareness training and procedural reminders. These remain necessary and should not be discounted. However, they place the burden of defence on individuals who are already operating under pressure. Well-crafted BEC emails are designed to succeed even when users are trained. Expecting perfect judgement in every situation is not realistic.
The solution is straightforward, yet often overlooked. Foundational email authentication controls such as SPF, DKIM and DMARC address a primary enabler of Business Email Compromise by establishing verifiable sender identity at the domain level. SPF publishes, in DNS, which mail servers are authorised to send on behalf of a domain. DKIM applies a cryptographic signature, verified against a public key in the signing domain's DNS, that ties the message to that domain and confirms it has not been altered in transit. DMARC builds on both by requiring that the domain which passed SPF or DKIM aligns with the domain in the visible From header, by publishing a policy that instructs receiving servers to reject or quarantine messages that fail, and by providing aggregate reports on who is sending as the domain.
When configured with enforcement policies (p=quarantine or p=reject) rather than the monitoring-only p=none, these controls reduce exact-domain spoofing and impersonation risk. They replace assumed trust with technical validation and remove a significant burden from crew and shore teams who would otherwise be expected to detect deception under pressure. They do not, on their own, address lookalike domains registered by an attacker, display-name tricks or mail sent from a genuinely compromised account, which is why payment-change verification procedures remain necessary alongside them.
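The following is an added example, not code from the article or from GTMailPlus, showing how the distinction between a monitoring-only and an enforced configuration plays out in practice. It audits constructed SPF and DMARC TXT records for a hypothetical shipowner domain (example.com; the records and the mail-host names are assumptions) and then evaluates a spoofed payment instruction the way a DMARC-aware receiver would. The organisational-domain check is simplified to the last two labels; real receivers use the Public Suffix List.

```python
"""Added example (not the article's or GTMailPlus code): audit SPF/DMARC records
and evaluate a message the way a DMARC-aware receiver does.
All domain names and DNS records below are constructed for illustration."""
import re

# Constructed TXT records for a hypothetical shipowner domain, example.com.
WEAK_SPF = "v=spf1 include:_spf.mailhost.example ~all"      # softfail only
WEAK_DMARC = "v=DMARC1; p=none"                             # monitoring only
STRONG_SPF = "v=spf1 include:_spf.mailhost.example -all"    # hard fail
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                "rua=mailto:dmarc@example.com")

def parse_spf(txt):
    """Return the SPF terms after 'v=spf1', or None if this is not an SPF record."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return parts[1:]

def spf_weaknesses(txt):
    """List configuration weaknesses in an SPF record (empty list = acceptable)."""
    terms = parse_spf(txt)
    if terms is None:
        return ["no SPF record (missing v=spf1)"]
    issues = []
    terminal = terms[-1].lower() if terms else ""
    if terminal in ("+all", "all"):
        issues.append("'+all' authorises every host on the internet: SPF is meaningless")
    elif terminal == "?all":
        issues.append("'?all' is neutral: no sending host is ever rejected")
    elif terminal == "~all":
        issues.append("'~all' softfail: not an SPF pass under DMARC, but '-all' is the explicit choice")
    elif terminal != "-all":
        issues.append("no terminal 'all' mechanism: unlisted hosts are treated as neutral")
    # include/a/mx/ptr/exists/redirect each cost a DNS lookup; more than 10 is a permerror.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)", t.lower()))
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the limit of 10: permerror")
    return issues

def parse_dmarc(txt):
    """Parse a DMARC record into a tag dict with RFC 7489 defaults, or None if invalid."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p
    return tags

def dmarc_weaknesses(txt):
    """List weaknesses in a DMARC record (empty list = enforced and reporting)."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record"]
    issues = []
    if tags["p"] == "none":
        issues.append("p=none is monitoring only: failing (spoofed) mail is still delivered")
    if tags["sp"] == "none" and tags["p"] != "none":
        issues.append("sp=none leaves subdomains unprotected")
    if int(tags["pct"]) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only part of the failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so abuse goes unseen")
    return issues

def org_domain(domain):
    """Simplified organisational domain (last two labels); real code uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(record_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for a message given its SPF and DKIM outcomes.

    spf_domain is the MAIL FROM domain that SPF checked; dkim_domain is the d= of the signature.
    A message passes DMARC if either SPF or DKIM passed AND that identifier aligns with From.
    """
    tags = parse_dmarc(record_txt)
    if tags is None:
        return ("none", "deliver")   # no policy published: receiver falls back to its own rules
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]
    return ("fail", disposition)

if __name__ == "__main__":
    # Constructed scenario: an attacker's MTA sends From: cfo@example.com with a payment instruction.
    for label, rec in (("weak", WEAK_DMARC), ("strong", STRONG_DMARC)):
        print(label, dmarc_evaluate(rec, "example.com", "fail", "attacker.example", "none", ""))
```

Under the weak records the spoofed instruction is still delivered, because p=none only asks for reports; under the enforced records the same message is rejected before a person ever sees it. Note that the policy consulted is the one published by the domain in the From header, so a lookalike domain the attacker registered is judged by the attacker's own DMARC record, not by example.com's; that case is outside what these controls can stop.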
Approaches built around this principle of verified communication, including those reflected in solutions such as GTMailPlus, recognise that trust must be established at the infrastructure level rather than inferred from appearance or familiarity. By stopping spoofed and impersonated emails at the gateway, exposure is reduced before a decision ever reaches an inbox.
For maritime operators, this aligns closely with established risk management principles. It supports confidentiality by preventing unauthorised disclosure, protects integrity by ensuring instructions cannot be altered and safeguards availability by reducing the likelihood of financial disruption and investigation driven downtime. It also strengthens auditability and demonstrates due diligence where email carries financial authority.
Business Email Compromise is not an emerging threat. It is an established and growing one. As digital communication continues to underpin maritime operations, email can no longer be treated as an informal convenience channel when it governs money, contracts and mission critical decisions.
Operational resilience depends on verified communication, not assumed trust.
By Rob Preston, Senior Technical Sales Engineer