When a maritime shipping company's vendor-payment process was hijacked by a business-email-compromise crew, Law & Forensics traced the intrusion, supported a fast recall of diverted funds, and closed the gaps that let it happen.
The situation
A global maritime shipping and vessel-management company learned that a routine vendor payment had gone to the wrong place — an account controlled not by its supplier but by a fraudster. The mechanism was a business-email-compromise: an attacker had quietly gained access to a finance mailbox, observed how and when the company paid its vendors, and slipped fraudulent payment instructions into an otherwise legitimate invoice thread. By the time anyone noticed, the wire was out the door.
The diverted funds were only the visible damage. The company had no idea how long the attacker had been inside the mailbox, whether other payments or threads had been manipulated, or whether the intruder still had a foothold. With vessels, vendors, and counterparties spread across the globe, it needed fast, forensically sound answers.
Our approach
Law & Forensics mobilized a digital-forensics and investigations team that worked in parallel:
Email and identity forensics. The team reconstructed the attacker's access to the finance mailbox — authentication logs, malicious inbox and forwarding rules, and the timeline of the compromise — to determine exactly what the intruder saw, altered, and still controlled.
Fund-flow tracing. Working against the clock, Law & Forensics traced the diverted wire and assembled the evidence package needed to support a rapid recall effort through the banking system and to brief law enforcement.
Scope and lateral-access review. The team confirmed whether the compromise was confined to a single mailbox or extended to other accounts and systems, removing attacker persistence wherever it was found.
Control remediation. Law & Forensics redesigned the company's payment-verification and email-security controls — out-of-band confirmation of payment changes, hardened authentication, and monitoring for the inbox-rule tradecraft the attacker had used.
The impact
The investigation scoped the full extent of the mailbox compromise within days and supported a rapid recall effort on the diverted funds. The attacker's forwarding rules and persistence were identified and removed, and the email and payment-verification gaps that made the fraud possible were closed. The company emerged with both an evidentiary record for its bank and law enforcement and a payment process materially harder to hijack.
| Metric | Result |
|---|---|
| Time to scope the mailbox compromise | Days, not weeks |
| Diverted-fund recall | Supported rapid recovery effort |
| Attacker persistence and forwarding rules | Identified and removed |
| Payment-verification controls | Redesigned to close the gap |
