Close this search box.

Imagine you’ve just made a huge investment in your business after months of research and discussions. This year has been difficult financially with COVID, but you are pushing through with a will to succeed. Youre all set to make the funds transfer and have just pressed the ‘confirm’ button, yet something is bothering you about the last few emails with your investment company. Why did the investment company change their banking details at the last minute? And why have some of the key people in the deal not weighed in on those changes? The investment is a lot of money for you, and you’ve lost sleep over this. 


The next day you review your emails with the investment company and everything looks fine, except for an old signature being used which catches your eye – a near-undetectable difference. Have you been hacked? Why did this happen? 


You were hacked, and you were being watched for a long time. How did the hackers insert themselves into an email chain without being noticed? How did they know all the relevant names, places, and details going months back? They are incredibly skilled, and now you’ve wired a large sum of money to a stranger 


This exact scenario has happened to a client of ours, and unfortunately similar hacks happen far too often. Since COVID the number of hacks we deal with has grown by 75%. COVID is the perfect scenario for hackers as people are stressed, financially under pressure, and more vulnerable to scammers. Hackers prey on people during difficult times such as natural disasters and pandemics, and they often target the elderly or disadvantaged. Below is a story of a recent hack, how CROFTI helped the client, and how you can put the proper security procedures in place to prevent this happening to you. 

The hack


At CROFTI we have helped many clients track down suspicious wire transfers. In one example recently, our client had nearly become the victim of a million-dollar wire transfer fraud scheme, and they only caught it at the last minute. Thankfully, they were able to contact their bank, report the fraud, and have the transfer cancelled. It took more than 48 agonising hours for the bank to confirm the cancellation and save their business from losing millions of dollars. It could have gone so wrong, and unfortunately in most cases people are unable to recover the money. 


Our client wanted to know how they got hacked and scammed, so our investigation set about uncovering the truth. Not long before the hack, company staff had their Office365 accounts compromised. The hackers were able to successfully log onto the client’s Office365 account and set up forwarding rules that sent all received emails to Gmail accounts owned by the hackers. The forwarded messages on the clients Office365 accounts were then deleted to hide the any evidence this had ever happened.  


All the hackers had to do was sit back and watch the Gmail account for discussions of contract negotiations and fund transfers. In our client’s case, the hacker had hit the jackpot with a million-dollar investment in the works. They created a new rule forwarding any emails about the wire transfer, applied this to multiple email accounts within the organisation, deleted evidence of the forward, and used previous email chains to write a fake response. 


To the client, aside from the slight change in email signature, the forgery looked exactly like a reply to an ongoing email conversation they were expecting. The hacker wrote a convincing response about a last-minute change in banking details. While our client thought it was odd, they proceeded with the wire transfer. This is what hackers are waiting for, and their response with the change of banking details came less than 15 minutes after the last legitimate email. 


Shortly after transferring the fundsour client realised something wasn’t right and contacted CROFTI to assist themWe started by investigating the situation and running tracers throughout Office365 to confirm the event happened. Once confirmed we reset all users Office365 passwords and removed all rules found within multiple user account inboxes. 


We also ran a search through the DarkWeb and found 15 accounts that had been comprised over the year. We then used PowerShell to investigate the Office365 tenants and found multiple accounts had been hacked, watched and multiple inbox forwards were setup. 


Nextwe ran a message trace to all emails sent to the offending Gmail account and we hit reporting limitations for Office365. The offending Gmail account was reported to Google, Australia Government – Office of Australian Information Commissioner for the Notifiable Data Breaches scheme, and the client had to send out a notice to their entire customer database notifying them of the compromised mailbox and potential leaked information. 


A hack like this can cost companies millions. There’s the hack itself, plus the down time required from internal staff members helping with the investigation, to the external resources required on the ground throughout the entire process. Not to mention the huge amount of stress it puts everyone under. 

The moral of the story is to put preventative measures in place to protect yourself from hackers. Don’t let this happen to you! 

How to Protect Your Business against Hackers

There arseveral security policies Office365 users can implement that prevent or limit damage from this type of compromise. We’ve outlined some of these strategies below (at different levels and price points) and recommend discussing which option is most suitable for your business.  

Zero cost mitigation strategies: 

Low cost mitigation strategies:

High cost mitigation strategies: 

The threat to your business from data breaches is not going away. Hackers are only becoming more sophisticated. Whether through your email or a weak point in your network, hackers will find any vulnerability and try to exploit it. At CROFTI we can help you prepare for threats and put the proper tools and practices in place to prevent and limit the damage. We have a team of professional IT engineers ready to educate you and prevent these cyberattacks from happening to your company. Visit us at, send us an email at or give us a call at 07 3067 0001.