Phishing & Spoofing

snehalpatel

I have now had 2 incidences where clients of Actiflex Ltd (my company) have received emails purportedly from myself & authorizing change of Bank Account details.  The clients have been further asked to remit outstanding payments to these new accounts.  As mentioned there have been 2 incidents where in the first one USD 2,541.50 was remitted to an account in the US under my name & in the second incident Euro 7,536.90 was remitted to an account in France - an account under the name of Actiflex Ltd was opened here.

What is worrying is that the clients have received instructions on my company letterhead with my signature. I am really concerned.

I use an Office 365 environment & since the incident i have followed step suggested by Microsoft - changing all user passwords, Enabled 2 Factor Authorization etc

Yesterday i sent a client some invoices they needed to pay & they immediately received an email asking them to transfer the funds to an account created in the US under my company name. Luckily we had sent an email to all our customers earlier warning them of the situation.

How can i get to the bottom of this & ensure i am protected?

Alexandru_BD

Hello,

I’m really sorry to hear you’re going through this.

Since two customers have already sent money, I’d strongly recommend treating this as an urgent incident.

I think there are a few important steps to consider:

First, review your Microsoft 365 environment carefully for suspicious sign-ins, mailbox forwarding rules, inbox rules, delegates, and any unknown admin or app access. Reset passwords again for any affected accounts and revoke active sessions. Then check that your domain protections such as SPF, DKIM, and DMARC are properly configured.
Collect the full headers from the fake emails, as these can help identify whether the messages came from spoofing, a compromised mailbox, or a lookalike domain. I would also recommend to run full security scans on all devices used to access the affected mailboxes.
Ask affected customers to contact their banks immediately to try to stop or recover the transfers.
And of course, report the case to your bank, local authorities, and your IT/security team.
Going forward, make sure any bank detail change is confirmed through a second channel, such as a phone call to a known contact number. You should introduce a strict rule that bank account changes must never be accepted by email alone. It's very important at this stage to continue informing your customers that your bank details have not changed unless confirmed through an official secondary channel, and that they should forward suspicious emails to your security/contact address, and verify any requests for payments directly with you or an authorized person from your team.

If you are using Bitdefender business security, it would also be a good idea to open a support case so the team can help review the environment. If you can share the full email headers with your IT team or support, that will usually be one of the most useful next steps.

Wishing you the best, and I hope you’re able to get this contained quickly.

Regards