SITUATION
An international energy company identified that multiple client payments were being misdirected to a fraudulent account over the course of several months. The company retained FTI Cybersecurity to determine how this occurred and if any of the company’s systems had been compromised.
OUR IMPACT
The FTI Cybersecurity team performed a review of internal logs to identify if there was any suspicious activity or logins that would indicate if accounts were compromised. Our team also reviewed email chains to determine when the switch to fraudulent accounts occurred and analyzed the fraudulent domains to identify if and when additional domains were created by the threat actor. Through this process, FTI Cybersecurity discovered that the misdirected payments were the result of a business email compromise (BEC), where a threat actor used multiple fraudulent domains to impersonate one of the company’s vendors. Clients believed that they were receiving authentic emails from a vendor, when in actuality, they were communicating with a threat actor who directed the funds into their account through a payment information change.
OUR ROLE
Our analysis uncovered that the threat actor used multiple lookalike domains throughout the BEC and created many different email addresses on these fraudulent domains. This allowed the threat actor to mimic the usual recipients of payment related emails, leading to successful misdirection of payments. After a thorough review, FTI Cybersecurity did not find any evidence that client systems were compromised, and we provided the client with a detailed report of the findings that outlined the facts of the investigation.