
One letter off: how a look-alike domain and a stolen signature ran a 30-day invoice fraud

A new analyst, a trusted client, and an email that arrived at 5:45 on a Monday morning. The story of a business email compromise that turned on a single swapped character — and the forensic trail that survived a year of silence and a lawyer's denial.

By Cyberange DFIR Team Published 14 Sep 2024

Look closely at these two web addresses:

vantorcapital.com

vantorcapltal.com

If you didn’t catch it, don’t feel bad — neither did anyone at the firm that lost a great deal of money to the difference. In the second address, the i in “capital” has been quietly replaced with a lowercase l. In most fonts, on a phone, at 5:45 on a Monday morning, the two are indistinguishable. A whole fraud was built in the gap between them.

What follows is the story of a business email compromise — a BEC, in the trade — that a Cyberange team was eventually called in to investigate. It has a new employee who did everything he was asked, a trusted client whose identity was wearing someone else’s face, a genuine signature that should have been impossible to obtain, and, at the very end, a lawyer’s letter insisting the whole thing couldn’t have happened the way it plainly did.

A note before we start: every name, firm, domain, and date below has been changed. The mechanics — the tradecraft, the order of events, the artefacts the investigation recovered — are faithful to the real case, because that is the part worth learning from. The people are pseudonyms. Call the new analyst Marco, the spoofed client executive Adil, the administrator he worked for Brightwater, and Adil’s firm Vantor Capital.

The new guy

Marco joined Brightwater in the middle of July. Brightwater is the kind of firm most people never think about: a corporate and fund administrator, the back-office plumbing that moves money between investors, managers, and the companies they own. Discreet, procedural, trusted with other people’s fortunes. Exactly the sort of place a patient thief wants a foothold.

Two weeks into the job, at the end of July, Marco’s email address was added to an internal distribution group that handled one particular client — Vantor Capital, an investment company. On the 8th of August, a Wednesday, he was formally introduced to his counterpart there: Adil, who signed off on Vantor’s payments. The introduction was unremarkable. Marco asked Adil for a signature on a routine expense reimbursement and chased a standing invoice. Adil replied that afternoon, and again the following evening. Friendly, brief, ordinary. By the end of that week, the sum total of Marco’s relationship with Vantor was a handful of polite emails about housekeeping.

He had no idea how Vantor ran its money. He had no history with them, no feel for their rhythms, no reason to. He was four days into the account.

Someone else, however, knew Vantor intimately.

The watcher

Long before Marco ever heard the name Vantor Capital, an intruder had been sitting inside Vantor’s email. We can say this with confidence for an uncomfortable reason: phishing messages were still being sent from a genuine address inside Vantor’s corporate group a full year after the fraud we’re about to describe. Whatever door had been propped open into that firm’s mail was still open long after the money was gone. This was not a smash-and-grab. It was tenancy.

From that vantage point, the watcher had the luxury of time and the luxury of context. They could read how Vantor talked to Brightwater. They could see which invoices were normal, which phrasings were habitual, who deferred to whom. They learned how a payment instruction was supposed to look and sound. And critically, they saw the introduction: a new, green administrator named Marco had just been handed the Vantor relationship and clearly didn’t know the firm from a hole in the wall.

A green counterpart with signing authority on the other side, and no relationship history to contradict a forgery. For a fraudster, that is the moment.

One day before

On the 12th of August, the attacker bought a domain: vantorcapltal.com — the look-alike, the l-for-i swap. The registration timestamp is one of those small forensic details that ends up doing enormous work later: it was registered the day before the first fraudulent email. Not months in advance as part of some speculative net. One day before, with a specific target and a specific plan.

This is the oldest trick in a very modern playbook. A look-alike domain (the term “homograph” is used loosely in this trade; strictly, an l-for-i swap within Latin letters is a confusable or typo-squat, while a true homograph borrows characters from another script) exploits the fact that human beings read words as shapes, not as sequences of characters. rn looks like m. A lowercase l looks like an i, or a 1. Cyrillic and Greek letters can stand in for Latin ones entirely. Once you own a domain that reads as the real thing, you don’t need to break into anyone’s inbox to send mail that appears to come from inside it. You just register the costume and put it on.

[Figure: the received address adil@vantorcapltal.com shown beside the genuine adil@vantorcapital.com, with the “i” that is really a lowercase “l” picked out; confusable pairs listed: i/l (used here), rn/m, 0/O, 1/l; labelled “homograph attack · one substituted character · domain registered 1 day earlier”]
The whole deception lives in a single glyph. We read words as shapes, and a lowercase “l” wears an “i” convincingly — as do rn for m, a zero for an O, a one for an l. Own the costume domain and you can write from “inside” a company you never broke into.

5:45 a.m.

The first fraudulent email landed in Marco’s inbox at 5:45 on the Monday morning. The subject line was a forward: an invoice for a Hong Kong supplier. It came, as far as Marco could tell, from Adil — the man he’d been emailing politely the week before. The address read adil@vantorcapltal.com. One letter off, at an hour when no one is reading carefully.

The message did something clever that betrays exactly how much homework had been done. In passing, it referenced the way a senior Vantor director normally communicated with Adil — a small, knowing detail of internal etiquette that a random scammer could not possibly have invented. It was there to do one job: to make Marco feel he was reading a continuation of a real, ongoing, internal Vantor conversation. To borrow authenticity.

Marco, to his credit, didn’t simply pay. At 6:28 a.m. he replied and asked for a signed wire instruction — a perfectly reasonable control, the kind of thing you’d hope a back office would insist on.

Twenty minutes later, at 6:48, the attacker sent it. A signed attachment. And the signature on it was real.

The signature

This is the detail that should make the hair on your neck stand up, and it is the hinge of the entire investigation.

The signature in that attachment was not a clumsy forgery. It was Adil’s actual signature — the very same one that appeared on a genuine email Adil had sent just a few days earlier, during the real, innocent introductions. We were able to place the two side by side: the signature the real Adil used on the 9th of August, and the signature on the attachment the fraudster produced on the 13th. They matched, because they were the same signature. Lifted.

There is no honest way to obtain a person’s genuine signed document except to have access to it. You cannot guess a signature. You cannot reconstruct it from the outside. A signature image can, in principle, be lifted from older paperwork that has passed through many hands, which is exactly why the provenance of this one matters: it was the signature from a private email attachment only days old, exchanged between two parties who had never corresponded before. The presence of Adil’s real signature, mere days old, in the hands of someone emailing from a look-alike domain, is not a coincidence — it is a fingerprint. It tells you the attacker was inside the real mail, reading real attachments, harvesting real material to spend later.

Marco saw a signed instruction from his client, on what looked like his client’s address, referencing his client’s internal habits. He did what he was hired to do. The money moved.

[Figure: the authorised-signatory block from the genuine email of 9 Aug beside the same block from the fraud attachment of 13 Aug, marked as a match: a genuine, days-old signature in the fraudster’s hands means access to the real account]
The signature on the fraud attachment was not forged — it was the exact one the real Adil had used days earlier. You cannot obtain a person’s genuine signed document from outside their mailbox. Its presence is a fingerprint: proof the attacker was reading real mail, not just spoofing an address.

Thirty days of quiet

It would be a tidier story if it had stopped at one transfer. It didn’t.

Over the next month — more than twenty-five days — the impersonator kept writing, kept invoicing, and kept moving money. The fraud wasn’t a single shocking event; it was a relationship, conducted entirely by an actor who had studied the part. The real Adil was, for the most part, out of the loop, while a counterfeit version of him conducted business in his name.

And here is the quietly devastating part. It wasn’t only Marco who was fooled. An entire internal group at Brightwater was copied on these exchanges. Multiple people, over a month, watched a fraudster negotiate transfers and felt nothing prick. The attacker even made mistakes — in several cases the same conversation arrived twice, duplicate copies of messages that should have made someone frown and ask why. Nobody did. The tell was on the table, face up, for weeks.

There’s a temptation, reading this, to be hard on the people involved. Resist it a little. The fraud was engineered specifically to feel routine, arriving in the busy, half-attentive texture of ordinary work, wearing the face of a known contact. That is the whole design. BEC works not because its victims are foolish, but because it impersonates the normal so well that vigilance has nothing to catch on.

The key under the doormat

When the Cyberange team finally reconstructed how the attacker had such an easy time on the Brightwater side, one artefact stood out with a kind of grim comedy.

Marco had saved his email password. Not in a password manager — in a plain text file, on his computer, with a filename that announced exactly what it was. If his machine or account was reachable to the attacker — and the evidence suggests it was — then the keys to his mailbox were sitting on the doormat with a label on them.

That mattered, because the attacker didn’t only impersonate Adil to Marco. At points they appear to have used Marco’s own account to send messages onward — including to the real Adil — which is the move that lets a fraudster manage both ends of a conversation and keep the genuine parties from comparing notes. One forensic breadcrumb makes this concrete: a message that purported to travel from Marco to Adil carried an originating IP address that traced to a residential broadband connection in the UAE. Neither Marco nor Adil was in the UAE. The puppeteer was. A caveat worth attaching: that address survives only because the submitting server recorded the client’s IP in the first Received line, which most servers do for authenticated submission and webmail; it is the bottom-most hop in the header chain, and every hop above it belongs to mail infrastructure, not to the sender.

Investigating a year later, with the lights off

By the time Cyberange was engaged, the trail was cold and the conditions were miserable — which, frankly, is the normal state of affairs for this kind of work.

There were no centralised logs to speak of. No SIEM correlating events, no SOC watching them, no endpoint detection on the machines, and email security that amounted to whatever came in the box. When an investigation can’t lean on logs, it has to be rebuilt from whatever durable artefacts survived: the email headers, the timestamps buried in message metadata, the registration record of that look-alike domain, the saved files, the signatures. Detective work in the literal sense — assembling a sequence of events from physical traces rather than reading it off a dashboard.
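As an added illustration of that kind of reconstruction (example code written for this post, not tooling from the investigation), the script below parses a raw message’s Received chain to recover the originating IP and the hop timestamps, and checks the From and Return-Path domains against each other. The sample message, the .example hostnames, the documentation-range IP addresses and the allowlist of expected sender networks are all constructed; in a real case the allowlist comes from the firm’s own egress addresses, and the IP you recover is what you then take to WHOIS or a geolocation service.

```python
"""Header forensics: rebuild a message's path when there are no server logs.

Added example for this post, not tooling from the investigation. The message,
the .example hostnames, the documentation-range IP addresses (RFC 5737) and the
allowlist of expected sender networks are all constructed.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: a reply that claims to travel from Marco to Adil.
# Each relay prepends its own Received line, so the top one is the final hop and
# the bottom one records where the message first entered the mail system.
SAMPLE = """Received: from mail.vantorcapital.example (mail.vantorcapital.example [198.51.100.20])
    by mx.vantorcapital.example with ESMTPS; Tue, 14 Aug 2024 09:12:03 +0000
Received: from smtp.brightwater.example (smtp.brightwater.example [192.0.2.10])
    by mail.vantorcapital.example with ESMTP; Tue, 14 Aug 2024 09:11:58 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
    by smtp.brightwater.example with ESMTPSA; Tue, 14 Aug 2024 09:11:55 +0000
From: Marco <marco@brightwater.example>
Return-Path: <marco@brightwater.example>
To: Adil <adil@vantorcapital.example>
Date: Tue, 14 Aug 2024 09:11:50 +0000
Message-ID: <constructed-0001@brightwater.example>
Subject: RE: Invoice - Hong Kong supplier

Body omitted; only the headers matter here.
"""

# Assumption for the example: the networks Brightwater staff are expected to
# submit mail from (office and VPN egress). An originating hop outside them is
# the "puppeteer elsewhere" signal described in the text.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def received_hops(raw):
    """Return hops in transit order (origin first) as {'ip', 'time'} dicts."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        ip_match = IPV4_RE.search(header)
        stamp = None
        if ";" in header:  # the timestamp follows the last semicolon
            stamp = parsedate_to_datetime(header.rsplit(";", 1)[1].strip())
        hops.append({"ip": ip_match.group(1) if ip_match else None, "time": stamp})
    return hops


def originating_ip(raw):
    """IP recorded on the first hop, i.e. the client that submitted the message."""
    hops = received_hops(raw)
    return hops[0]["ip"] if hops else None


def triage(raw, trusted_networks=TRUSTED_NETWORKS):
    """Findings an analyst would want before spending time on a geolocation lookup."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    findings = []
    origin = hops[0]["ip"] if hops else None
    if origin and not any(ipaddress.ip_address(origin) in net for net in trusted_networks):
        findings.append(f"originating IP {origin} outside expected networks")
    # Relay timestamps should only move forward; a hop dated earlier than the
    # one before it means a forged or clock-skewed Received line.
    times = [h["time"] for h in hops if h["time"]]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        findings.append("Received timestamps run backwards")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if rp_domain and from_domain != rp_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path {rp_domain}")
    return {"origin": origin, "hops": len(hops), "date": msg.get("Date"), "findings": findings}


if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop["time"].isoformat(), hop["ip"])
    print(triage(SAMPLE))
```

Run it on an .eml saved from the mailbox and the origin hop, not the From line, is the address to chase. The allowlist check is deliberately coarse: its job is to make the one hop that matters impossible to miss in a mailbox of hundreds of routine messages.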

From those traces, the picture resolved. An intruder with long-standing access to the client’s email had studied the relationship, waited for a new and unfamiliar face to take over the account, registered a costume domain the day before striking, and used genuine stolen material — signatures, phrasings, internal context — to run a month-long fraud that no control on either side was positioned to stop. The homograph domain wasn’t the whole attack; it was the final prop. The real compromise was older, deeper, and on the client’s side.

The lawyer’s letter

There is a coda to this case that is worth telling, because it captures something true about how these incidents are argued after the fact.

At one point, the client’s lawyers put forward a formal position. It ran, roughly:

The fraudster could not have had access to the real Vantor account — because if he had, he would never have bothered to register a look-alike domain in the first place. Why build a fake door when you already hold the keys to the real one?

It’s a reasonable-sounding argument, and it is wrong, for two reasons that go to the heart of how this crime actually works.

First, a competent attacker who controls a real mailbox almost never sends the fraud from it. Sending from the genuine account is loud and dangerous: it leaves obvious traces in the victim’s own systems, risks tripping the real owner’s attention, and ties the crime directly to the compromise. The look-alike domain isn’t evidence that the attacker lacked access — it’s evidence that the attacker had the discipline not to use it. Registering a costume is standard practice in these frauds precisely because it compartmentalises the operation away from the breach. The two facts — controlling the real account and sending from a fake one — are not in tension. They’re the textbook.

Second, and decisively: the genuine, days-old signature. You do not get a person’s real signed document by standing outside their email. Its presence in the attacker’s hands is, on its own, proof of access to the real material. The look-alike domain was the delivery; the stolen signature was the theft, and the theft happened somewhere the lawyer’s letter insisted it hadn’t.

We laid this out plainly, with the artefacts attached. It is a useful reminder that a forensic report does two jobs: it explains what happened, and sometimes it has to defend that explanation against a confident, well-funded account of why it didn’t.

Lessons learned

Invoice fraud and Business Email Compromise (BEC) are entirely industry-agnostic. Whether it’s real estate, finance, manufacturing, or law, this attack plays out the exact same way anywhere major transactions are authorised on the strength of an email. The logos and the dollar amounts change, but the playbook remains identical.

The reality is that disrupting this class of attack doesn’t require cutting-edge technical wizardry. The vulnerability rarely stems from a lack of security awareness; it comes from a breakdown in daily operational discipline and process verification.

Think of the following principles not as a specialized checklist, but as your absolute baseline for operational security.

Verify high-value payments out of band, every time. The single control that would have stopped this cold has nothing to do with computers: a phone call, to a known number, confirming any change of beneficiary or any large transfer, before it moves. Email confirming email is not verification — it’s the same channel the attacker already controls. For high-value transactions, require a second channel, a second authoriser, and a call-back to a number you had before the request arrived.

[Figure: what happened, one channel: the payer’s back office and the “client” requester exchanging email, with the attacker sitting inside that channel; the fix, a second channel: a call from the back office to the real client on a known number, marked verified, because the attacker isn’t on the phone]
The control that stops this has nothing to do with computers. Confirming a transfer over email is asking the attacker’s own channel whether the attacker is honest. A call-back to a number you held before the request arrived moves the decision onto a channel the fraudster never controlled.

Make the look-alike visible. People cannot reliably eyeball i versus l at speed. Systems can. Email security that flags newly registered domains, near-miss look-alikes of your contacts’ domains, and external senders dressed as internal ones removes the human eye from a job it was never going to do well. Do not expect mail authentication to do this for you: SPF, DKIM and DMARC confirm that a message came from the domain it names, and the attacker owns the look-alike, so those checks pass cleanly for it. The signal is the domain’s age and its distance from one you already trust. A banner that says “this domain is four days old and one character off a domain you trust” is worth more than a year of awareness posters.
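The two checks this paragraph asks for, together with the confusable pairs described under “One day before”, as an added worked example (not the page’s or any vendor’s tooling): each candidate sender domain is reduced to a skeleton in which confusable glyphs collapse onto one canonical form, compared against trusted domains by skeleton and by edit distance, and flagged if its registration date is recent. The trusted list and the registration dates passed in are constructed; the script runs offline, so the date would come from an RDAP or WHOIS lookup done elsewhere.

```python
"""Flag look-alike sender domains against domains you already trust.

Added example for this post, not the page's or any vendor's tooling. The trusted
list and the registration dates are constructed; the script runs offline, so a
domain's registration date must be passed in (ISO format) from an RDAP/WHOIS lookup.
"""
from datetime import date

# Pairs the eye merges at reading speed. Multi-character pairs are rewritten
# first, then single characters collapse onto one canonical glyph. The Cyrillic
# entries cover the commonest mixed-script substitutions (а е о р с у х).
MULTI = {"rn": "m", "vv": "w"}
SINGLE = str.maketrans({
    "l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})

# Assumption: the domains of the counterparties this back office transacts with.
TRUSTED = ["vantorcapital.com", "brightwater.com"]


def decode_idna(domain):
    """Turn punycode (xn--...) back into the Unicode the user actually sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid punycode


def skeleton(domain):
    """Canonical shape of a domain: what it looks like, not what it spells."""
    s = domain.lower()
    for seq, rep in MULTI.items():
        s = s.replace(seq, rep)
    return s.translate(SINGLE)


def levenshtein(a, b):
    """Edit distance; one insert, delete or substitute is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(sender_domain, trusted=TRUSTED, registered_on=None, today=None, max_age_days=30):
    """Return the reasons a sender domain deserves a banner; [] means nothing found."""
    domain = decode_idna(sender_domain.strip().lower().rstrip("."))
    if domain in trusted:
        return []
    findings = []
    for t in trusted:
        if skeleton(domain) == skeleton(t):
            findings.append(f"confusable look-alike of {t}")
        elif levenshtein(domain, t) <= 1:
            findings.append(f"one edit away from {t}")
    if any(ord(ch) > 127 for ch in domain):
        findings.append("contains non-ASCII characters")
    if registered_on is not None:  # ISO date string from an RDAP/WHOIS lookup
        now = date.fromisoformat(today) if today else date.today()
        age = (now - date.fromisoformat(registered_on)).days
        if age <= max_age_days:
            findings.append(f"registered {age} day(s) ago")
    return findings


def banner(sender_address, **kwargs):
    """Text for the warning a mail gateway would stamp onto the message."""
    domain = sender_address.rpartition("@")[2]
    reasons = check_domain(domain, **kwargs)
    if not reasons:
        return ""
    return f"CAUTION: {domain}: " + "; ".join(reasons)


if __name__ == "__main__":
    print(banner("adil@vantorcapltal.com", registered_on="2024-08-12", today="2024-08-13"))
    print(repr(banner("adil@vantorcapital.com")))
```

The skeleton comparison is what catches the case in this post; the edit-distance check catches dropped or doubled letters that no glyph table covers, and the age check is the one that fires on day one, before anyone has had a chance to study the domain. Keep the trusted list to domains you actually transact with, since every entry widens the net of near-misses that will trip the banner.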

Treat a known contact as a channel, not a guarantee. The most dangerous word in this story is “trusted.” Marco trusted the address because it carried a name, a signature, and the right internal gossip. Build processes that authenticate the request — its amount, its destination, its timing — rather than the apparent sender, because the sender is the easiest thing in the world to counterfeit.

Never store credentials in a file. A password saved in a plainly named text document turns one compromised endpoint into a compromised mailbox. Password managers exist; multi-factor authentication exists. Both were available and neither was used. MFA in particular would have made a stolen password far less useful on its own, with one caveat: push approvals and SMS codes can be relayed by the adversary-in-the-middle phishing kits now common in BEC, so phishing-resistant factors (FIDO2 keys, passkeys) are the ones that actually hold the line.

Watch the duplicates and the small wrongnesses. The same message arriving twice, a reply that doesn’t quite acknowledge what you said, a thread that seems to fork — these are the signs of someone managing a conversation from the outside. Give people permission and a place to escalate “this feels slightly off,” and make it cheap to ask. Several someones noticed nothing for a month because noticing wasn’t anyone’s job.

Keep logs, or accept that you are investigating blind. Much of what made this investigation slow and some of what made it uncertain comes down to the absence of durable logs, a SIEM to correlate them, endpoint detection to see the intrusion, and email security to have caught the costume on arrival. You do not need all of it on day one. But an organisation that handles other people’s money should be able to answer, with evidence, “was this account accessed, when, and from where?” Brightwater could not, a year on.

Push security down the supply chain. The deepest compromise here wasn’t even at the firm that lost money — it was at its client. If your business runs on trusted exchanges with outside parties, their hygiene is your risk. It is entirely fair, and increasingly necessary, to make minimum security practices — out-of-band verification, named authorisers for transfers, basic email hardening — a condition of doing business, written into the service terms.

Why this one stays with us

Most of the intrusions we investigate are loud at the end — a ransom note, an outage, an obvious catastrophe. This one was never loud. It looked, from the inside, exactly like work. A new colleague did his job. A client sent an invoice. Money moved, the way money moves a hundred times a day in a firm like that. The crime’s genius was that nothing about it ever felt like a crime until someone, much later, looked very closely at two web addresses and noticed that one of them had a letter in the wrong place.

That’s the thing about business email compromise. It doesn’t break your defences. It walks through the front door wearing a face you know, speaks in a voice you recognise, and asks for something you’d normally say yes to. The only reliable defence is a habit of verifying the request itself — slowly, out of band, every time — precisely when everything about it is telling you that you don’t need to.


This account is drawn from a real investigation and has been thoroughly sanitized: the names, firms, domains, dates, and identifying details have all been changed, while the tradecraft and sequence of events are faithful to the case. If you work in financial services, fund administration, or any business where instructions to move money arrive by email, and you’d like to discuss out-of-band verification, email hardening, or a forensic-readiness review of your own environment, the team is reachable through the contact page.
