Case Study: A UK Warehouse Phishing Attack That Cost £62,000 in a Single Wire Transfer
By Daniel Agyemang Prempeh, Founder, DefendVista
Last reviewed:
Executive summary
A 40-employee third party logistics warehouse operator in the South East was hit by a targeted phishing campaign that compromised the finance manager's Microsoft 365 mailbox. The attacker sat quietly inside the account for nine working days, learned the payment patterns of the business, then sent a forwarded invoice from a long-standing pallet supplier with new bank details. £62,000 left the business that afternoon. DefendVista was engaged the following morning. We contained the compromise within four hours, traced the lateral movement, recovered approximately £18,000 of the funds through the receiving bank, and rebuilt the client's email, identity and finance process so the same attack could not succeed again.
Who the business was
Sector: Third party logistics, contract storage and pick and pack
Site: Single 95,000 sq ft warehouse on a South East distribution park
Employees: 40 across operations, warehouse floor, finance and customer service
Annual turnover: £6.8m, primarily storage and fulfilment for ecommerce brands
Key systems: WMS, customer portal, handheld scanners, Microsoft 365, Sage 200 accounting
Existing security: Microsoft 365 Business Standard, password only sign in, no EDR, no email security gateway
The starting point
The business had grown rapidly off the back of three ecommerce brands moving fulfilment in house from a larger 3PL. Margins were thin, the operations team was lean, and the finance manager handled supplier payments largely alone with sign off from a director via email.
Microsoft 365 had been deployed two years earlier by the previous IT provider with default settings, no MFA, no conditional access and full legacy authentication enabled. There was no email security beyond the Microsoft baseline and no managed endpoint protection.
Staff phishing training had last happened during onboarding. There was no simulation programme, no reporting button in Outlook, and no clear process for what to do if a supplier asked to change their bank details.
What went wrong
Three weeks before the loss event, the finance manager received what looked like a Microsoft sign in alert from a fellow employee, asking her to review a shared document. She entered her credentials on a convincing fake Microsoft login page. The attacker captured both the password and her live Outlook session token; with no MFA in place, that was everything needed to sign in as her.
For the next nine working days, the attacker logged in from a UK based residential IP address using a stolen session, set up silent inbox rules to hide messages with words like ‘bank’, ‘invoice’ and ‘payment’, and read the entire payments mailbox.
They then replied to a real supplier email thread, used a near identical domain (.co rather than .co.uk), attached a forwarded invoice with new sort code and account number, and asked for a payment of £62,478. The finance manager paid it within four hours.
The fraud was only discovered the following morning when the real supplier rang chasing a separate overdue invoice and the conversation revealed the wrong account had been used.
What was at stake
£62,478, funds transferred to attacker: Single payment that landed in a UK bank account controlled by a mule, then rapidly moved overseas.
~£18,000, funds recovered: Frozen and returned through the receiving bank's fraud team following same day reporting under the APP code.
~3 weeks, finance team downtime: Pause on outgoing payments, manual checks on every supplier bank detail and reconciliation work after the fact.
~22,000 records, customer data at risk: Customer names, addresses and order references viewable in mailbox attachments and inbox rules, with confirmed access by the attacker.
What would have happened if nothing changed
- Repeat fraud through the same compromised mailbox if the attacker retained access.
- Onward attacks against the warehouse's own customers using the credibility of the compromised account, with reputational damage and possible loss of contracts.
- ICO enforcement under UK GDPR following confirmed third party access to identifiable customer order data.
- Cyber insurance dispute, as the policy required MFA on all administrative accounts and tested email security controls.
- Loss of the largest customer, who had a contractual right to terminate on confirmed data breach with no remediation plan.
Worried this could be your business?
Book a free 30 minute consultation with a UK cybersecurity specialist who understands transport and logistics. No sales pressure, just a frank conversation about your exposure.
What the forensics showed
- Initial compromise was an Adversary in the Middle phishing kit hosted on a recently registered domain. The kit harvested both the password and the live session cookie, allowing the attacker to bypass MFA had it been enabled.
- Once inside, the attacker created three hidden Outlook rules that auto deleted any message mentioning ‘bank’, ‘fraud’ or the spoofed supplier's real domain.
- The attacker had read approximately 480 emails across the finance and operations mailboxes, including signed supplier agreements and a customer pricing schedule.
- There was no evidence of malware on endpoints. This was purely an identity and email compromise, the most common pattern we now see across UK SMEs in the sector.
- The look alike domain used in the fraud had been registered eleven days before the loss, consistent with the attacker's planning timeline once inside the mailbox.
What we did in the first 24 hours
1. Lock the mailbox and revoke sessions: Reset the finance manager's password, force-expired every active token across Microsoft 365, blocked legacy authentication tenant wide and temporarily disabled the compromised account for forensic capture.
2. Hunt for inbox rules and forwarding: Searched every mailbox in the tenant for malicious rules, external forwarding addresses and unusual delegate access. Found and removed the hidden rules in the finance mailbox and two others.
3. Contact the bank the same day: Helped the director report the fraud to the bank under the Authorised Push Payment Contingent Reimbursement Model, contact Action Fraud, and produce a written statement that triggered the receiving bank's freeze process.
4. Notify the affected supplier and customers: Drafted notifications to the spoofed supplier, the largest affected customer and the ICO. Provided a written timeline and remediation plan that satisfied the ICO 72 hour notification requirement.
5. Pause and verify outgoing payments: Worked with finance to put a 48 hour hold on all outgoing payments while a new verification process was agreed and documented.
How we got the business back on its feet
1. Enforce phishing resistant MFA: Rolled out Microsoft Authenticator number matching for every user, blocked SMS based MFA, removed legacy authentication protocols and enforced conditional access policies that require compliant devices for finance roles.
2. Deploy a real email security gateway: Layered a managed email security gateway in front of Microsoft 365 to catch look alike domains, brand impersonation and AiTM phishing kits, and added a single click ‘Report Phishing’ button across all mailboxes.
3. Add managed EDR and audit logging: Deployed managed endpoint detection and response across every laptop, enabled unified audit logging and shipped logs to a 90 day retention store so future investigations are quick and complete.
4. Rewrite the supplier payment process: Required dual approval on any change to supplier bank details, mandatory phone callback to a previously known number, and a two person rule on any payment over £2,000.
5. Run a tailored phishing simulation programme: Launched a quarterly phishing simulation programme with realistic warehouse and finance themed lures, plus short, role specific micro training for finance, customer service and warehouse supervisors.
What we built so it could not happen again
- Microsoft 365 hardened to Cyber Essentials Plus aligned baseline with phishing resistant MFA enforced for all users.
- Managed email security gateway with continuous monitoring of look alike domains targeting the brand.
- Managed EDR and 24/7 alerting across all endpoints and servers.
- Documented, two person supplier change and payment verification process embedded into Sage 200.
- Quarterly phishing simulations with role specific micro training, tracked at the individual level.
- Annual tabletop exercise rehearsing a finance compromise scenario with the directors, finance manager and operations manager.
Measurable results
~£18,000: Funds recovered through banking channels
Settled for net loss: Insurance claim outcome
11 weeks: Time from notification to ICO close
34%: Phishing simulation click rate before
4%: Phishing simulation click rate after 6 months
0: Repeat compromise events in 12 months since
The client absorbed a net loss of around £44,000, retained their largest customer after a frank disclosure conversation and a documented remediation plan, settled their cyber insurance claim, and used the incident as the trigger for a long overdue rebuild of their identity and email posture. Twelve months on, the warehouse has won two new contracts, both of which required evidence of MFA, email security and incident response capability that the business could now provide.
What other operators should take from this
Password only Microsoft 365 is no longer safe
If your team logs in with a password alone, they are one convincing email away from a £60,000 problem. MFA is essential, and even MFA needs to be phishing resistant in 2026.
Hidden inbox rules are the modern smoking gun
Almost every business email compromise we investigate involves silent rules that hide replies from the real victim. Reviewing rules across the tenant should be a routine monthly hygiene task.
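The monthly rule review described here, combined with the session revocation and tenant-wide rule and forwarding hunt from steps 1 and 2 of the first 24 hours, as an added PowerShell example (not DefendVista's own tooling). It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, the operator holds Exchange Administrator rights and the Graph User.RevokeSessions.All scope, and the $Suspect address and $Watch keyword list are placeholders rather than values from the case.

```powershell
# Added example (not DefendVista tooling). Assumes the ExchangeOnlineManagement and
# Microsoft.Graph modules, Exchange Administrator rights and the Graph scope
# User.RevokeSessions.All. $Suspect is a placeholder, not an address from the case.
$Suspect = 'finance.manager@example.invalid'
# Words a BEC hiding rule typically keys on, including the three seen in this case.
$Watch   = 'bank', 'invoice', 'payment', 'fraud', 'sort code', 'account number'
$Pattern = ($Watch | ForEach-Object { [regex]::Escape($_) }) -join '|'

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.RevokeSessions.All' -NoWelcome

# Step 1: invalidate every refresh token and sign-in session for the suspect account,
# so a stolen session cookie stops working even before the password reset lands.
if ($Suspect) { Revoke-MgUserSignInSession -UserId $Suspect | Out-Null }

# Step 2: walk every user mailbox looking for rules that delete, bury or forward mail,
# and for forwarding set at mailbox level, which is a second place exfiltration hides.
$Mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Properties ForwardingSmtpAddress, ForwardingAddress
$Findings = foreach ($Mbx in $Mailboxes) {
    $Upn = $Mbx.UserPrincipalName
    if ($Mbx.ForwardingSmtpAddress -or $Mbx.ForwardingAddress) {
        [pscustomobject]@{ Mailbox = $Upn; Rule = '<mailbox forwarding>'
                           Reason  = "forwards to $($Mbx.ForwardingSmtpAddress)$($Mbx.ForwardingAddress)" }
    }
    foreach ($R in Get-InboxRule -Mailbox $Upn) {
        $Why = @()
        if ($R.DeleteMessage) { $Why += 'deletes' }
        if ($R.MoveToFolder -match 'Deleted|Junk|RSS|Archive|Conversation') { $Why += "moves to $($R.MoveToFolder)" }
        if ($R.ForwardTo -or $R.ForwardAsAttachmentTo -or $R.RedirectTo) { $Why += 'forwards or redirects' }
        # Keyword conditions are where the 'bank' / 'invoice' / 'payment' filters show up.
        $Words = @($R.SubjectContainsWords) + @($R.BodyContainsWords) + @($R.SubjectOrBodyContainsWords)
        $Hits  = $Words | Where-Object { $_ -and $_ -match $Pattern }
        if ($Hits) { $Why += "keywords: $($Hits -join ', ')" }
        if ($Why) {
            [pscustomobject]@{ Mailbox = $Upn; Rule = $R.Name; Reason = ($Why -join '; ') }
        }
    }
}
$Findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Rules hidden at the MAPI level do not appear in Get-InboxRule, so pair this with Search-UnifiedAuditLog over the same window filtered to the New-InboxRule and Set-InboxRule operations. Treat each hit as something to confirm with the mailbox owner rather than delete on sight, because legitimate newsletter filters trigger the same folder checks.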
Two people, every time, for bank detail changes
Process beats tooling for supplier fraud. A mandatory phone callback to a previously known number stops every single attack we have seen in this sector.
Speed of reporting determines what you get back
The £18,000 recovered was only possible because the bank was contacted within hours, not days. A pre agreed, written process makes that speed realistic at 9am the morning after.
Training has to be specific or it is noise
Generic ‘spot the phish’ training does very little. Role specific simulations using real warehouse, finance and customer service themed lures change behaviour, and the data proves it.
If this sounds uncomfortably familiar
If you operate a UK warehouse, 3PL or distribution business, we can harden your Microsoft 365, email and finance process to make this attack pattern fail. We deliver phishing resistant MFA, managed email security, managed EDR, supplier payment process design and a quarterly simulation programme tailored to warehouse and logistics teams. If you suspect a live compromise, we can be in the tenant investigating within hours.
Common questions on this kind of incident
How common are phishing attacks against UK warehouses?
Extremely common, and rising fast. Warehouse and 3PL operators handle high value supplier payments and large volumes of customer data, both of which make finance mailboxes a priority target. We respond to multiple incidents in this sector every quarter.
Does MFA stop modern phishing attacks?
Standard SMS or push MFA can be bypassed by Adversary in the Middle phishing kits that steal the live session, as in this case. Phishing resistant MFA (number matching, FIDO2 keys or certificate based authentication) closes that gap and is essential in 2026.
Can we recover money sent in a supplier fraud?
Sometimes, if the bank is told within hours of the payment leaving. The UK APP Contingent Reimbursement Model and CRM Code give businesses a real chance of recovering some or all of the funds, but speed is everything. A pre written escalation script makes that speed possible.
Do we have to tell our customers about an email compromise?
If the attacker had access to customer personal data, then yes, you have UK GDPR obligations and almost always a contractual obligation under your customer agreements. Handled well, with a clear remediation plan, this rarely costs you the relationship. Hidden, it almost always does.
What does a realistic phishing training programme look like?
Short, role specific micro training delivered quarterly, paired with monthly simulations using warehouse, finance and customer service themed lures. The goal is behaviour change, measured at the individual level, not certificates.
What should we do right now if we think a mailbox has been compromised?
Reset the password, revoke all sessions, hunt for hidden inbox rules, check sent items for messages you did not write, and call us. The first 24 hours dictate how bad this gets.
Do not wait for your own case study to be written.
Book a free consultation with DefendVista. We will tell you, in plain English, where your operation is exposed and what to do about it first.