A global not-for-profit oil and gas industry association engaged Crowe to investigate a fraudulent payment of over £160,000. The client's vendor stated that the payment had been made to the bank account listed on an invoice; it was later found that the bank details on that invoice had been altered and the funds had gone to an account that was not the vendor's.
An initial review by the client’s IT team showed no suspect activity or system compromise, leading them to seek Crowe's expertise to uncover the fraud's source.
Crowe's forensic team examined the email chains relating to inbound payments and carried out forensic analysis of the audit logs and employee mailboxes. The investigation revealed that an ex-employee's email account had been compromised and that emails had been sent from spoofed domains impersonating legitimate employees at both our client and the vendor. The attacker had created inbox rules to divert the relevant correspondence, moving it into the Deleted Items folder or forwarding it to a Gmail account under the attacker's control, so that the exchange with the vendor went unnoticed.
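The inbox-rule behaviour described above (rules that forward payment-related mail to an external address, or file it into Deleted Items) is one of the most reliable hallmarks of a compromised mailbox, and it leaves a trail in the mailbox audit log. The script below is an added example of how such rule changes can be triaged from an audit export; it is not Crowe's tooling and not code from the investigation. The record layout is an assumption modelled on Microsoft 365 Unified Audit Log entries for Exchange (Operation, UserId, ClientIP, CreationTime and a Parameters list of Name/Value pairs), the sample records are constructed, and the internal domain and leavers list are placeholders.

```python
"""Triage inbox-rule changes in a mailbox audit export for BEC hallmarks.

Added illustrative example; not Crowe's tooling. The record layout is an
assumption modelled on Unified Audit Log Exchange entries.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample export (not real investigation data); domains are placeholders.
SAMPLE_AUDIT_EXPORT = json.dumps([
    {
        "CreationTime": "2023-02-14T07:12:03",
        "Operation": "New-InboxRule",
        "UserId": "former.employee@client.example",
        "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;bank details"},
            {"Name": "ForwardTo", "Value": "[SMTP:ap.client.example@gmail.com]"},
            {"Name": "MoveToFolder", "Value": "Deleted Items"},
        ],
    },
    {
        "CreationTime": "2023-02-14T09:30:11",
        "Operation": "Set-InboxRule",
        "UserId": "a.user@client.example",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Project X"},
            {"Name": "SubjectContainsWords", "Value": "Project X"},
            {"Name": "ForwardTo", "Value": "[SMTP:b.user@client.example]"},
            {"Name": "MoveToFolder", "Value": "Project X"},
        ],
    },
    {
        "CreationTime": "2023-02-14T10:02:40",
        "Operation": "Set-Mailbox",
        "UserId": "admin@client.example",
        "ClientIP": "198.51.100.7",
        "Parameters": [{"Name": "Identity", "Value": "a.user@client.example"}],
    },
])

INTERNAL_DOMAINS = {"client.example"}                  # assumption: the tenant's own domains
LEAVER_ACCOUNTS = {"former.employee@client.example"}   # assumption: HR leavers list
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "conversation history"}
KEYWORD_PARAMS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords")
FINANCE_TERMS = ("invoice", "payment", "bank", "remittance", "wire", "iban", "sort code")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class Finding:
    time: str
    user: str
    client_ip: str
    rule_name: str
    reasons: list


def _params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def analyse_rule_event(record):
    """Return a Finding if an inbox-rule change shows BEC hallmarks, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _params(record)
    reasons = []
    # Forwarding or redirecting matching mail outside the organisation.
    for name in FORWARDING_PARAMS:
        for addr in EMAIL_RE.findall(params.get(name, "")):
            if _is_external(addr):
                reasons.append(f"{name} to external address {addr}")
    # Hiding matching mail from the mailbox owner.
    if params.get("MoveToFolder", "").strip().lower() in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to '{params['MoveToFolder']}'")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    # Targeting payment-related correspondence specifically.
    keywords = " ".join(params.get(k, "") for k in KEYWORD_PARAMS).lower()
    if any(term in keywords for term in FINANCE_TERMS):
        reasons.append("matches on payment-related keywords")
    # Any rule activity in a leaver's mailbox is suspicious on its own.
    user = record.get("UserId", "")
    if user.lower() in LEAVER_ACCOUNTS:
        reasons.append("rule created in a leaver's mailbox")
    if not reasons:
        return None
    return Finding(record.get("CreationTime", ""), user, record.get("ClientIP", ""),
                   params.get("Name", ""), reasons)


def scan_export(export_json):
    """Run the triage over a JSON array of audit records and return the findings."""
    return [f for f in map(analyse_rule_event, json.loads(export_json)) if f]


if __name__ == "__main__":
    for f in scan_export(SAMPLE_AUDIT_EXPORT):
        print(f"{f.time} {f.user} from {f.client_ip}, rule {f.rule_name!r}:")
        for reason in f.reasons:
            print("  -", reason)
```

On the constructed sample the leaver's rule is reported with four reasons (external forwarding, filing to Deleted Items, payment keywords, leaver mailbox) while the colleague's project rule is left alone. In practice the same checks apply to a live listing of rules from the mailbox itself, since an attacker who has been in an account for a long time may have created the rule before audit retention began; and a rule in a mailbox that should have been disabled at offboarding is a finding regardless of what the rule does.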
Once Crowe had determined that the mailbox was compromised, the team helped to identify what personal data may have been exposed. The mailbox held 81,254 emails, of which 26,709 were responsive to Crowe's search terms. Within those 26,709 items Crowe identified personal information belonging to 291 individuals, including sensitive data such as names, mobile numbers, email addresses, bank account numbers and sort codes, National Insurance numbers, salaries, next of kin and their contact details, passport details and login credentials for various websites.
Crowe characterised the fraud as a 'man-in-the-middle' attack, in the sense that the attacker sat between the client and the vendor, impersonating each to the other, and found that the attacker had controlled the account for over a year.
The compromised account was shut down. Crowe explained how the fraud had occurred, helped the client mitigate the immediate risks, and recommended steps to improve its future resilience against fraud and cybercrime.
Additionally, Crowe delivered training to help the client's staff recognise typical attacker activity.