Maritime phishing: analysis of US Coast Guard cyber bulletin MCB 01-26

On March 18, 2026, the US Coast Guard published a cyber bulletin titled MCB 01-26: Awareness for Increased Phishing (available at the end of this article). This short document aims to shed light on the evolution of cyber threats in the maritime sector, and more specifically on the growing role of phishing attacks in incidents affecting the Marine Transportation System (MTS). It is not specified—although it naturally comes to mind—whether the release of this bulletin is directly linked to the current conflict in the Persian Gulf and the risk of phishing attacks originating from Iran.

The report states that in 2025, Tactics, Techniques, and Procedures (TTPs) involving phishing were used for reconnaissance and initial access in 43% of cyber incidents reported within the MTS (compared to 25% in 2024). As always, such figures and trends should be interpreted with caution.

The use of phishing, and more broadly social engineering, is not new. However, this increase is a reminder that exploiting users is sometimes more efficient (in terms of speed) than exploiting complex technical vulnerabilities.

This trend is consistent with broader observations, such as those found in annual reports from organizations like CISA or ENISA.

Sophistication built on internal trust

The bulletin nevertheless emphasizes a frequently underestimated point: the exploitation of internal trust.

The widespread use of AI (unsurprisingly) allows attackers to refine their techniques and make their attacks increasingly realistic. They also leverage existing accounts to relay phishing campaigns internally or toward partners.

One case mentioned is particularly illustrative: the compromise of nine employee accounts enabled the sending of thousands of fraudulent messages to external contacts. This type of scenario, also known as business email compromise (BEC), is especially effective in the maritime sector, where exchanges with partners, charterers, agents, or clients rely on chains of trust that are often, unfortunately, only implicit (for example, without the use of cryptographic tools).
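On the defensive side, a scenario like this one leaves a visible trace in mail-flow records: an internal account suddenly writing to far more external recipients than usual. The sketch below is an example added to this analysis, not taken from the bulletin; the log format, the shipco.example domain, the one-hour window and the threshold of 50 recipients are all assumptions to adapt to a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "shipco.example"  # constructed domain, not from the bulletin
WINDOW = timedelta(hours=1)         # assumed sliding window
LIMIT = 50                          # assumed threshold; tune to each sender's baseline

def flag_burst_senders(lines, domain=INTERNAL_DOMAIN, window=WINDOW, limit=LIMIT):
    """Return {sender: peak distinct external recipients in any window} above limit.

    Each line uses a constructed format: "<ISO timestamp> <sender> <recipient>".
    """
    suffix = "@" + domain
    events = defaultdict(list)
    for line in lines:
        ts, sender, rcpt = line.split()
        sender, rcpt = sender.lower(), rcpt.lower()
        # Only mail leaving the organisation from one of its own accounts matters.
        if sender.endswith(suffix) and not rcpt.endswith(suffix):
            events[sender].append((datetime.fromisoformat(ts), rcpt))
    flagged = {}
    for sender, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # recipient -> messages currently in the window
        start = peak = 0
        for ts, rcpt in evs:
            in_window[rcpt] += 1
            while ts - evs[start][0] > window:  # drop events older than the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > limit:
            flagged[sender] = peak
    return flagged

def sample_log():
    """Constructed mail-flow records for three senders."""
    t0 = datetime(2026, 1, 5, 9, 0)
    def rec(delta, sender, rcpt):
        return f"{(t0 + delta).isoformat()} {sender}@{INTERNAL_DOMAIN} {rcpt}"
    log = []
    for i in range(200):  # burst: 200 external contacts in ten minutes
        log.append(rec(timedelta(seconds=3 * i), "j.doe", f"contact{i}@partner.example"))
    for i in range(60):   # 60 internal recipients in one minute: ignored
        log.append(rec(timedelta(seconds=i), "hr", f"crew{i}@{INTERNAL_DOMAIN}"))
    for i in range(60):   # 60 external contacts, one per hour: normal pace
        log.append(rec(timedelta(hours=i), "chartering", f"broker{i}@charter.example"))
    return log

if __name__ == "__main__":
    print(flag_burst_senders(sample_log()))
```

A flagged account is a lead for the verification and incident response steps rather than proof of compromise: legitimate bulk mailings to partners will also cross a fixed threshold.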

Identity spoofing (executives, clients, partners) is also highlighted as a common modus operandi, particularly to initiate fraudulent transactions or divert financial flows.

A central role from the very early stages of attacks

The bulletin confirms that phishing is now primarily used for:

  • reconnaissance,
  • initial access,
  • and account compromise.

In other words, it can also serve as a precursor to more complex attacks. Once initial access is obtained (valid credentials, compromised session), the attacker—or another actor who has purchased those credentials—can move laterally, collect information, and potentially prepare more targeted actions against critical systems. In the maritime context, this initial phase is particularly sensitive given the high level of interconnection between IT systems, OT environments, and external partners.

A regulatory response taking shape in the United States

The document explicitly mentions the introduction, in July 2025, of new cybersecurity training requirements codified in 33 CFR 101.650(d). These requirements make personnel training mandatory, particularly to identify phishing attempts.

Standard measures… but still necessary

The recommendations outlined in the bulletin are already well known, but reiterating them remains relevant.

These include:

  • multi-factor authentication (MFA),
  • regular scenario-based training,
  • implementation of verification procedures for sensitive requests,
  • deployment of advanced filtering solutions,
  • and adaptation of incident response plans.

These measures now form a baseline.

However, their effectiveness depends less on their existence than on their actual implementation. In many maritime environments, operational constraints, system fragmentation, and the multiplicity of stakeholders often lead to uneven application. It also depends on the size of organizations, their maturity, and related factors.