Digital forensics following sophisticated investment fraud

Problem

An investment firm lost £5 million while attempting to invest in a pre-IPO company.

The fraud was facilitated through the compromise of a law firm’s business email account, which allowed cybercriminals to intercept and manipulate sensitive transactional communications.

The attackers gained unauthorised access to the lawyer’s email account, used forwarding rules to monitor and conceal email activity, and impersonated both the law firm and the investment target via a spoofed domain.

The fraudsters orchestrated a convincing email thread involving all parties and ultimately issued fake instructions directing funds to a fraudulent bank account. The deception was sophisticated enough to include forged documentation and phone validation using details of real bank staff found on LinkedIn. By the time the investment firm realised the fraud, the funds were untraceable.

Response

Toro was engaged by the investment firm to conduct a digital forensics investigation and incident response. The investigation focused on identifying how the fraud was executed, preserving evidence, and supporting litigation efforts against the compromised law firm.

Forensic analysis revealed how the attackers used subtle email forwarding rules, domain spoofing, and social engineering to maintain the deception without alerting the law firm or the investors.
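The two techniques the analysis uncovered, covert inbox rules and a spoofed lookalike domain, are both visible in mailbox audit data and message headers if someone looks. The following triage script is an added example, not Toro's tooling or anything recovered from this case: it scores constructed inbox-rule audit events for forwarding, hiding and financial-keyword traits, and checks constructed sender addresses against a trusted-domain list for lookalikes. Every domain, address, event and field name below is an assumption made up for the example, and the similarity check uses difflib's ratio rather than a production homoglyph detector.

```python
"""Added triage example (not Toro's tooling): flag the two BEC techniques the
case describes, covert inbox forwarding/hiding rules and lookalike sender
domains. All records and domain names below are constructed sample data."""
from difflib import SequenceMatcher

# Constructed domains standing in for the law firm and the investment target.
TRUSTED_DOMAINS = {"example-law.test", "target-co.test"}

# Folders commonly chosen by rule-based mail hiding because owners rarely open them.
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History", "Junk Email"}

# Subject keywords that single out transactional mail for diversion.
FINANCIAL_KEYWORDS = {"invoice", "wire", "ipo", "payment", "bank", "transfer", "account"}

# Constructed inbox-rule audit events; field names are hypothetical, not a vendor schema.
SAMPLE_RULE_EVENTS = [
    {"mailbox": "partner@example-law.test", "op": "New-InboxRule", "name": "Newsletters",
     "forward_to": [], "move_to": "Newsletters", "delete": False, "subject_contains": []},
    {"mailbox": "partner@example-law.test", "op": "New-InboxRule", "name": ".",
     "forward_to": ["collector@webmail-example.test"], "move_to": "RSS Subscriptions",
     "delete": True, "subject_contains": ["invoice", "wire", "IPO"]},
]

# Constructed sender addresses seen in the deal thread.
SAMPLE_SENDERS = [
    "partner@example-law.test",        # genuine
    "partner@example-1aw.test",        # 'l' swapped for '1'
    "cfo@targetco.test",               # hyphen dropped
    "collector@webmail-example.test",  # unrelated, not a lookalike
]


def domain_of(addr):
    """Lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def score_inbox_rule(event, trusted=TRUSTED_DOMAINS):
    """Return the list of suspicious traits found in one inbox-rule event."""
    indicators = []
    external = [a for a in event.get("forward_to", []) if domain_of(a) not in trusted]
    if external:
        indicators.append("forwards to external address(es): " + ", ".join(external))
    if event.get("delete"):
        indicators.append("deletes matching mail, hiding it from the mailbox owner")
    if event.get("move_to") in HIDING_FOLDERS:
        indicators.append("moves mail to rarely-read folder: " + event["move_to"])
    if len(event.get("name", "").strip()) <= 2:
        indicators.append("near-empty rule name: %r" % event.get("name", ""))
    keywords = [k for k in event.get("subject_contains", []) if k.lower() in FINANCIAL_KEYWORDS]
    if keywords:
        indicators.append("filters on financial keywords: " + ", ".join(keywords))
    return indicators


def triage_rules(events, min_indicators=2):
    """Events carrying at least min_indicators traits, most suspicious first."""
    hits = []
    for ev in events:
        ind = score_inbox_rule(ev)
        if len(ind) >= min_indicators:
            hits.append({"mailbox": ev["mailbox"], "rule": ev.get("name"),
                         "score": len(ind), "indicators": ind})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def lookalike_of(sender_domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Trusted domain that sender_domain resembles (ratio >= threshold), or None.
    difflib's ratio is a simple stand-in; real tooling adds homoglyph/IDN checks."""
    d = sender_domain.lower()
    if d in trusted:
        return None
    best, best_ratio = None, 0.0
    for t in trusted:
        r = SequenceMatcher(None, d, t).ratio()
        if r >= threshold and r > best_ratio:
            best, best_ratio = t, r
    return best


def flag_senders(addresses):
    """Map each sender that imitates a trusted domain to the domain it imitates."""
    flagged = {}
    for addr in addresses:
        match = lookalike_of(domain_of(addr))
        if match:
            flagged[addr] = match
    return flagged


if __name__ == "__main__":
    for hit in triage_rules(SAMPLE_RULE_EVENTS):
        print(f"{hit['mailbox']} rule {hit['rule']!r} score={hit['score']}")
        for line in hit["indicators"]:
            print("   -", line)
    for addr, mimicked in flag_senders(SAMPLE_SENDERS).items():
        print(f"lookalike sender {addr} imitates {mimicked}")
```

The rule scorer deliberately combines traits rather than alerting on any single one, since external forwarding or a move-to-folder rule is common in legitimate use; a rule that forwards externally, deletes, hides in an unread folder, carries a throwaway name and keys on payment vocabulary is the pattern worth pulling into an incident timeline. In a real investigation the events would come from the mail platform's audit log export and the trusted-domain list from the deal's known counterparties.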

Outcome

While the stolen funds were irrecoverable, Toro’s forensic investigation provided critical evidence supporting the investment firm’s legal action against the law firm. The incident highlighted severe vulnerabilities in email security and the risks of failing to detect business email compromise (BEC).

The case serves as a cautionary example of how attackers exploit trust in professional communications, and underscores the importance of proactive cybersecurity measures and thorough due diligence in high-value financial transactions.