Complex investigation of organised crime group behind authorised push payment fraud

Executive summary

  • This is an anonymised case study of a complex investigation into an authorised push payment fraud.

  • This case illustrates the benefits that rapid investigation can provide if conducted as part of a wider strategy for managing the incident and downstream risks. 

  • Lessons are identified for organisations that have been affected by similar fraud, or that are considering their approach to managing this security risk. 

Case description

This case describes in an anonymised fashion the results of a complex investigation. A company had suffered an authorised push payment (APP) fraud. We were retained to investigate how the fraud was completed, to assess any residual risk to the company, and if possible to identify the perpetrators of the fraud. 

This investigation was conducted under legal instruction. It involved a combination of technical investigation and assessment, interviews with affected members of staff, and open-source investigation of criminal activities. 

Investigation of the fraud

Investigation determined that the fraud was conducted through social engineering, rather than through network or business email compromise. 

The attackers used open-source information to produce messenger and email accounts impersonating the CEO of the business. Other accounts were created for fictional senior figures in a prominent professional services organisation. This allowed the attackers to provide the appearance of independent credible corroboration for their deceptive narrative.

The attackers used these accounts to contact the company’s chief financial officer (CFO). Traditional social engineering techniques such as urgency, secrecy, and appeal to authority were deployed to create a state of trust and dependency.

Following the attackers’ instructions, the CFO authorised a series of payments to an account in a third country. These amounts fell below a threshold at which the CFO would have required additional authorisation to make the payment.
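The payments described above each sat below the single-approver threshold, so no individual transfer triggered the dual-authorisation control. As an added example, not drawn from the case study, the following Python aggregates payments per beneficiary over a look-back window and flags those whose individually sub-threshold amounts add up past the threshold; the threshold, window and account identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Single-payment value above which a second approver is required (assumed control value).
DUAL_AUTH_THRESHOLD = 50_000
# Look-back window over which payments to one beneficiary are aggregated (assumed).
WINDOW = timedelta(days=7)


@dataclass
class Payment:
    ts: datetime
    beneficiary: str  # destination account identifier
    amount: float


def find_structured_payments(payments, threshold=DUAL_AUTH_THRESHOLD, window=WINDOW):
    """Return {beneficiary: largest windowed total} for beneficiaries whose payments
    were each below `threshold` (so each passed single-approver review) but whose
    sum within `window` exceeded it. A single large payment is not flagged: it
    would already have gone through dual authorisation."""
    by_beneficiary = {}
    for p in sorted(payments, key=lambda p: p.ts):
        by_beneficiary.setdefault(p.beneficiary, []).append(p)

    alerts = {}
    for beneficiary, items in by_beneficiary.items():
        start = 0
        for end, current in enumerate(items):
            # Advance the window start until every payment in it lies within `window`.
            while current.ts - items[start].ts > window:
                start += 1
            in_window = items[start:end + 1]
            total = sum(p.amount for p in in_window)
            if total > threshold and all(p.amount < threshold for p in in_window):
                alerts[beneficiary] = max(alerts.get(beneficiary, 0), total)
    return alerts


# Constructed sample: three sub-threshold payments to one new account over five days,
# plus ordinary supplier payments that should not alert.
SAMPLE_PAYMENTS = [
    Payment(datetime(2024, 5, 1, 10), "ACC-NEW-001", 18_000),
    Payment(datetime(2024, 5, 3, 9), "ACC-NEW-001", 19_500),
    Payment(datetime(2024, 5, 6, 16), "ACC-NEW-001", 17_000),
    Payment(datetime(2024, 5, 2, 11), "SUPPLIER-A", 60_000),  # above threshold, dual-authorised
    Payment(datetime(2024, 5, 4, 11), "SUPPLIER-B", 10_000),
    Payment(datetime(2024, 5, 5, 11), "SUPPLIER-B", 10_000),
]
```

Running `find_structured_payments(SAMPLE_PAYMENTS)` flags only `ACC-NEW-001`, whose three payments total 54,500 within the window.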

At around this time, the CFO responded to an email from the attackers but accidentally responded to the email address of the real CEO. This lucky mistake led to the discovery of the fraudulent activity, triggering incident response, attempts to halt or reverse the transfers, and our investigation. 

Assessment of residual risk

The outline above summarises the result of the first aspect of our investigation. The second strand was to determine whether the company faced any residual risk from the incident.

Our analysis of the methods used to conduct the fraud did not identify any evidence of the compromise of company networks or emails. The information exploited by the attackers was available online, and their modus operandi did not display any specific knowledge of internal company processes. 

At a later stage during the fraud, the attackers directed the CFO to make a payment that would have exceeded the funds available within the account in question, again suggesting a lack of visibility into the company’s internal operations. 

This fact pattern, along with other aspects of the investigation, led us to determine that there was no evidence of insider threat in this instance. This was an important consideration for the company as it assessed its future exposure to similar incidents.

Alongside this investigation we conducted a technical assessment of the company’s digital estate, with the aim of identifying evidence of compromise. This assessment did not detect any evidence of compromise related to this incident. However, as is often the case, our assessment did identify multiple apparently unrelated security events; these were flagged to the company in the regular updates provided during the investigation.

The assessment also identified a range of configuration issues with the company’s workspace. These included not enforcing multi-factor authentication for all accounts. Recommendations for addressing these issues were included in the final report provided to the company. 

Identification of perpetrators

The third aspect of our investigation sought to determine the identity of the actors behind the fraud. This is a difficult task: the ready availability of disposable online infrastructure makes attribution challenging for investigators without visibility into network or internet traffic. 

In this case, our investigation centred on the company used by the attackers to receive the initial transfer of funds from the fraud. It is almost certain that the funds were transferred onwards from this company to complicate the tracing process; nonetheless, the first jump provided an initial point of investigation. 

This company was registered in a third country. Analysis of the company’s registration data in isolation provided little information of intelligence value. However, expanding the aperture of the investigation led to the identification of a large number of apparently unconnected company registrations that displayed certain similarities. This enabled the identification of a specific geographic location in the third country that appeared associated with the mass registration of companies, most likely for criminal purposes.
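The widening of the aperture described above amounts to grouping registrations by shared attributes and looking for a location with an implausible density of incorporations in a short period. As an added example, not the case study's own tooling, the Python below canonicalises registered addresses so that spelling and ordering variants match, then reports addresses hosting several incorporations within a bounded time span; the records, field names and thresholds are constructed and fictional.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed, fictional registry records (field names are assumptions; real registries differ).
RECORDS = [
    {"name": "Seaview Logistics Ltd", "address": "12 Harbour St., Unit 4, Porttown", "incorporated": date(2023, 3, 2)},
    {"name": "Harbourline Trading Ltd", "address": "12 Harbour Street Unit 4 Porttown", "incorporated": date(2023, 3, 9)},
    {"name": "Blue Quay Consulting Ltd", "address": "12 harbour st unit 4, porttown", "incorporated": date(2023, 3, 15)},
    {"name": "Northgate Imports Ltd", "address": "Unit 4, 12 Harbour Street, Porttown", "incorporated": date(2023, 3, 21)},
    {"name": "Oak Lane Bakery Ltd", "address": "3 Oak Lane, Porttown", "incorporated": date(2019, 6, 1)},
    {"name": "Oak Lane Cafe Ltd", "address": "3 Oak Lane, Porttown", "incorporated": date(2021, 6, 1)},
]

# Common address abbreviations, applied after punctuation has been stripped.
ABBREVIATIONS = {"street": "st", "road": "rd", "avenue": "av", "ave": "av"}


def normalise_address(addr):
    """Canonicalise an address so that spelling, punctuation and component-order
    variants ("12 Harbour St., Unit 4" vs "Unit 4 12 Harbour Street") compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(sorted(ABBREVIATIONS.get(t, t) for t in tokens))


def find_registration_hubs(records, min_companies=3, max_span_days=365):
    """Return {normalised address: [company names]} for addresses hosting at least
    `min_companies` incorporations within `max_span_days` of one another."""
    groups = defaultdict(list)
    for r in records:
        groups[normalise_address(r["address"])].append(r)

    hubs = {}
    for key, regs in groups.items():
        regs.sort(key=lambda r: r["incorporated"])
        start = 0
        for end in range(len(regs)):
            # Shrink the window from the left until it spans at most max_span_days.
            while (regs[end]["incorporated"] - regs[start]["incorporated"]).days > max_span_days:
                start += 1
            cluster = [r["name"] for r in regs[start:end + 1]]
            # Keep the largest qualifying cluster seen for this address.
            if len(cluster) >= min_companies and len(cluster) > len(hubs.get(key, [])):
                hubs[key] = cluster
    return hubs
```

On the sample data the four Harbour Street variants collapse to one address with four incorporations in three weeks, while the two Oak Lane companies, registered two years apart, are not reported.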

The identification of this site and its clear association with mass criminal activity provided important grounding for the victim company’s subsequent recovery efforts and legal activities. 

Lessons identified

Rapid investigation can determine the cause of incidents and assess residual risk.

  • Bringing in expert investigators early on enables more effective investigation and increases your room for manoeuvre in terms of responses.

  • Organisations should consider conducting investigations under legal privilege where possible. 

Investigations invariably reveal multiple previously unidentified issues. 

  • In our experience, technical assessment of organisational security practices will almost certainly reveal additional security events and misconfigurations. 

  • The aftermath of an incident – when organisational attention is focused on security – can be an opportunity to address longstanding security issues.

Attribution is challenging but not impossible in complex investigations.

  • A combination of open-source and technical investigation will often produce findings that can support organisational strategy.

  • Organisations should also consider how attribution would support a broader strategic approach to managing the incident and downstream risk.


At Tyburn, we specialise in countering evolving threats to risk-sensitive organisations. Our experts bring experience in government, military, and academia to bear in delivering solutions to challenging problems.
