Client: Confidential Client
Location: Ontario, Canada

About the Client

This Ontario-based organization operates multiple locations and manages a high volume of customer transactions, partner relationships, and finance operations.

With payments, reconciliations, and external communications happening regularly, trust and accuracy are critical to day-to-day operations. Any fraud attempt involving payment instructions could create immediate financial disruption, delayed cash flow, and reputational risk.

The Project

The client contacted ACT360 after learning that a fraudulent email had been sent to one of their business partners requesting updated banking information for a pending EFT payment worth over six figures.

The message appeared highly convincing. It used the name of a real employee, referenced an active payment conversation, and closely resembled legitimate company communications. Fortunately, the recipient paused the transaction and requested confirmation before releasing funds.

“BEC – Business Email Compromise- attacks are engineered to look normal. They use real names, real context, and real timing — because that’s what makes them work. When something feels off about a payment request, that instinct is worth acting on. In this case, one pause saved a six-figure loss.” Jeffrey Bowles, Partner & IT Services Lead, ACT360

The client needed urgent answers:

1. Had their Microsoft 365 environment been compromised?

2. Was an employee mailbox breached?

3. How was the fraud attempt carried out?

4. What should be done next to prevent it from happening again?

Objective

The objective of this engagement was to:

1. Investigate whether the client’s systems or accounts had been compromised

2. Determine how the fraudulent message was created and delivered

4. Protect the pending payment from redirection

5. Provide clear findings to leadership quickly

6. Restore confidence internally and externally

7. Improve future fraud-prevention controls

What Made This Case Difficult

This was not a typical spam email. It was a targeted Business Email Compromise (BEC) attempt designed to exploit routine finance processes and trust between known business contacts.

The attacker used realistic context, timing, and impersonation tactics to increase the chance of success. Because the payment value was substantial, even a short delay in response could have had major consequences.

The investigation also had to happen quickly while normal business operations continued.

Core Challenges

High Financial Risk: The targeted EFT payment exceeded six figures.

Convincing Impersonation: The fraudulent message used real names, accurate context, and a lookalike domain.

Urgent Need for Clarity: Leadership needed immediate confirmation on whether their environment was secure.

Business Continuity: Finance operations needed to continue while the investigation was underway.

Long-Term Prevention: The client needed stronger controls beyond resolving the immediate issue.

Key Tasks and Solutions

Microsoft 365 Security Investigation

ACT360 conducted a detailed review of the affected mailbox and related accounts, including:

– Sign-in history

– Mailbox rules and forwarding settings

– Permissions and delegated access

– Application connections

– Indicators of unauthorized activity

Login and Identity Review

All successful sign-ins were traced to expected locations and known activity. No suspicious successful access events were identified.

Domain Impersonation Analysis

The fraudulent message originated from a newly registered lookalike domain using a one-letter variation of the client’s legitimate domain. This strongly indicated a targeted impersonation attempt rather than an internal breach.

Email Forensics Review

The attacker copied content from a legitimate prior message to make the fraud attempt appear as part of an existing conversation. ACT360 confirmed the message was introduced as a new external email, not a genuine reply from the client environment.

Security Monitoring Validation

The client’s managed security environment included continuous monitoring for suspicious Microsoft 365 identity and email events. No compromise indicators or active incidents were detected.

Fraud Control Recommendations

ACT360 provided practical next steps to reduce future risk, including:

– No banking changes based on email alone

– Phone verification using known contact details

– Dual approval for payment detail changes

– Staff awareness training for impersonation scams

– Review of approval workflows involving money movement

What Would Have Gone Wrong Without Intervention

Without fast investigation and verification, the business could have faced:

– Misdirected six-figure payment

– Significant recovery delays

– Damaged partner trust

– Internal uncertainty and disruption

– Repeated fraud attempts through the same process gap

– Administrative and legal burden

Outcomes

Following the engagement:

– The payment was protected from redirection

– No breach was found in the client environment

– Leadership received fast, evidence-based conclusions

– Confidence was restored internally

– Partner communication improved

– Fraud prevention controls were strengthened

– Awareness of modern BEC threats increased across stakeholders

Strategic Impact

This case reinforced that cybersecurity is not limited to malware or system breaches. Many of today’s highest-impact threats target people, trust, and financial processes.

It also demonstrated the value of proactive monitoring, rapid incident response, and having an IT partner who can turn technical evidence into clear business decisions during a high-pressure event. For businesses that rely on email-based approvals and payment workflows, the real question is not whether a BEC attempt will happen — it’s whether your organization will catch it before funds move. That requires both the right technology controls and a team that knows how to respond.

Conclusion

This case study reflects ACT360’s practical approach to cybersecurity: protect the business, investigate quickly, and reduce future risk.

When a sophisticated fraud attempt created uncertainty around a major payment, ACT360 delivered more than technical analysis. We provided clarity, reassurance, and a stronger path forward.

If your organization relies on email approvals, payment changes, or vendor communications, your cybersecurity strategy should protect both systems and processes.

Learn more about our Cybersecurity Services or explore our IT Services to discuss how we can help protect your business. You can also see more of our work on the ACT360 Case Studies page.

T: 705-739-2281 E: [email protected]