
Private Equity Firms Lose $1.3M in Simple Cyber-Crime Attack

We continue to see cyber-criminals steal large sums from financial services and private equity clients using simple, tried and true attacks that are neither difficult nor costly to prevent. Three private equity firms in the UK recently learned that lesson the hard way when a hacker group calling itself “The Florentine Banker” stole nearly $1.3 million from them through a months-long cyber-fraud. These firms are not alone: as Ice Miller’s Data Security and Privacy team chronicled in a February 2020 publication, losses from internet scams and crimes reported to the FBI more than tripled, from $1.1 billion to $3.5 billion, between 2015 and 2019, and the latest FBI data shows that the work-from-home environment is opening more doors to fraud. Our team has extensive experience advising our private equity and venture capital clients on strategies to mitigate phishing scams, business email compromise attacks, and other cyber-threats. We highlight a few cybersecurity tips below.

The Florentine Banker Attack

According to an investigation by Israeli cybersecurity company Check Point, The Florentine Banker first targeted two staff members with phishing emails and obtained the login credentials of one of them. Over the following weeks the hackers used that access to target other members of the firm and its associates, gathering enough information to orchestrate transfers of funds from several different companies. The criminals had to try four times before they succeeded in wiring money to bank accounts in Hong Kong and the UK, an indication that, had these firms been monitoring for repeated or anomalous payment attempts, they could potentially have caught the criminals in the act. Although the repeated attempts eventually alerted the victims to the fraudulent transfers, the emergency intervention to halt them came too late, and the firms recovered less than half the stolen funds.

This type of attack, which combines phishing (tricking employees into handing over credentials or running malicious software) with business email compromise (using a hijacked mailbox or a lookalike domain to impersonate employees, executives or counterparties in email), is an increasingly common attack vector. Our Data Security and Privacy team has handled similar schemes in 2020, and wire transfer fraud continues to victimize private equity and venture capital firms across the globe. For example, last year criminal hackers used a combined phishing and business email compromise attack to induce a Chinese venture capital firm to transfer more than $1 million, funds intended for an Israeli startup company, to fraudulent bank accounts. In another variation, the thieves deploy ransomware after the fraud to destroy logs and IT systems, wiping their trail and causing damage that cannot be undone without tested backups.
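The lookalike-domain and mailbox-impersonation tricks described above can be checked mechanically on incoming mail. The following script is an added example for this article, not code from the firms involved or from Check Point; the trusted domains, the homoglyph table and the three sample messages are all constructed for illustration. It flags a sender domain that is a near-match for a domain the firm trusts, and a Reply-To header that quietly redirects replies to a different domain, which is how a criminal keeps a conversation going after a one-off spoofed message.

```python
"""Flag lookalike sender domains and Reply-To mismatches in email headers."""
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Domains the firm itself uses or corresponds with (assumed list for this example).
TRUSTED_DOMAINS = {"examplecapital.com", "startup-portfolio.io"}

# Character substitutions commonly used when registering lookalike domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Collapse homoglyphs so 'exarnplecapital.com' compares equal to 'examplecapital.com'."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Return the domain part of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def classify_domain(domain: str) -> str:
    """'trusted', 'lookalike' or 'unknown' relative to TRUSTED_DOMAINS."""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 2:
            return "lookalike"
    return "unknown"


def check_message(raw: str) -> List[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    if classify_domain(from_domain) == "lookalike":
        findings.append(f"lookalike sender domain: {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


# Constructed sample messages (not real mail): legitimate, lookalike sender, Reply-To redirect.
SAMPLES = {
    "legit": "From: CFO <cfo@examplecapital.com>\nTo: ops@examplecapital.com\n"
             "Subject: Q3 capital call\n\nPlease proceed.\n",
    "lookalike": "From: CFO <cfo@exarnplecapital.com>\nTo: ops@examplecapital.com\n"
                 "Subject: URGENT wire\n\nNew bank details attached.\n",
    "replyto": "From: Founder <ceo@startup-portfolio.io>\nReply-To: ceo@startup-portfolio-io.com\n"
               "To: deals@examplecapital.com\nSubject: Updated wire instructions\n\nUse the new account.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_message(raw) or "clean")
```

A mail gateway rule built on this idea should quarantine or tag such messages rather than silently drop them, so that a genuine counterparty who really did change domains can be verified by phone.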

Three Tips to Mitigate Phishing and Business Email Compromise Attacks

Cybersecurity is particularly important for private equity and venture capital firms not only because they manage millions of dollars in assets, but also because they often perform transactions exclusively online. And while online transactions are efficient and convenient, they are an easy target for hackers. Below are three tips our Data Security and Privacy team recommends to our private equity and venture capital clients to improve their cybersecurity.
  1. Training
    Hackers rarely need sophisticated technical skills or tools to initiate a phishing scam or business email compromise. Instead, they exploit a vulnerability found in every company: people. The Florentine Banker attack began by obtaining the credentials of a staff member, a far easier path than technical attacks that hunt for misconfigurations or brute-force passwords. Social engineering, the manipulation of employees into giving up information or taking an action, is the most common feature of phishing scams because it is by far the easiest. For example, an employee may receive an email from someone purporting to be an IT professional that contains a link to reset a password. By clicking the link and typing the current password into the attacker’s look-alike page, the employee unwittingly hands over working credentials, which the attacker can use to log in to the mailbox, read confidential information, and launch further attacks from a trusted account.

    We encourage companies to train employees to recognize and report suspicious emails, email addresses, and unverified requests from those outside the company. Although basic training materials and programs can be purchased online, training should be tailored to the company’s size and business function. For private equity and venture capital clients, we suggest that training programs focus heavily on identifying spoofed and lookalike email addresses and on verifying every wire transfer request, and every change to payment instructions, through an out-of-band channel, such as a phone call to a number already on file for the requesting entity (never a number supplied in the email itself). Technology can help to mitigate the phishing threat by blocking unknown links, tagging mail from external senders, and allowing only approved websites to be reached from inside the company’s network. We recommend a combination of training and technology to provide so-called defense in depth.
  2. Multi-factor authentication

    Multi-factor authentication is another tool companies can use to blunt phishing scams and business email compromise. With MFA, a password alone no longer suffices to authenticate a user; a second factor, typically a random one-time code, is required as well. Not all MFA is equally effective, and criminals routinely bypass the most basic form, a numeric code sent by text message, through SIM-swap fraud and phishing pages that relay the code to the real site in real time. We, along with many security experts, strongly recommend moving away from SMS/text-based MFA because the mobile phone network was never designed to authenticate anyone and is often easy to compromise.

    Far better options include an authenticator application such as Okta Verify or Google Authenticator or, better still, a hardware security key using the FIDO/U2F or FIDO2/WebAuthn protocols. A security key not only supplies the second factor but also binds its response to the genuine website’s domain, so a fraudulent look-alike site set up to capture login credentials cannot obtain a valid login. Note that a code from an authenticator app can still be phished and relayed in real time; only the hardware key defeats that. Authenticator applications nonetheless maintain convenience (they are available on Android and Apple devices alike) while offering far better protection than SMS.
  3. Incident Response Planning and Testing

    The first few hours after your company is victimized by a cyber-attack are crucial. A well-tested incident response plan can potentially save your company from many of these attacks by buying back time to respond before the attackers complete their crime. In the Florentine Banker attacks, the three private equity firms might have prevented the entire theft had their payment controls triggered a response after the first unsuccessful wire attempt rather than the fourth. An incident response plan should set out protocols that allow a security or finance team member to quickly respond and report any issue of concern to the key decision-makers. The plan should identify all members of the incident response team ahead of time, describe individual responsibilities, and list the authorities and other stakeholders, such as the company’s bank and outside counsel, to contact immediately upon notification of a suspected incident.

    Our team has developed numerous incident response plans for our private equity and venture capital clients. Testing response plans is just as important as having them in place. Conducting periodic tabletop exercises, for example, can simulate a security incident we have seen in practice and provide an opportunity to identify the plan’s flaws and strengths. Your company’s response to a phishing scam or business email compromise should be well-rehearsed so that it is second nature should a real event unfortunately occur.
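The point made under the third tip, that the Florentine Banker theft could have been stopped at the first failed wire rather than the fourth, can be turned into a concrete control in the finance workflow. The script below is an added example for this article, not a system used by the firms involved; the CSV wire log, the list of verified beneficiaries and the thresholds are all constructed. It holds any payment to a beneficiary account that has not been verified by callback, escalates to the incident response team when repeated attempts pile up against such an account, and raises a critical alert if funds actually leave to one, so that the recall with the bank starts immediately.

```python
"""Rule-based monitoring of outgoing wire requests to catch BEC payment fraud early."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Beneficiary accounts previously verified by callback, keyed by counterparty (assumed data).
KNOWN_BENEFICIARIES = {"acme_holdings": {"GB11ACME00000001"}}

ESCALATE_AFTER = 3            # attempts against one unverified beneficiary before IR is paged
WINDOW = timedelta(days=30)   # look-back window in which attempts are counted

# Constructed wire log (not real data): one verified payment, then repeated tries
# to a brand-new Hong Kong account that finally settles on the fourth attempt.
LOG = """ts,counterparty,beneficiary,amount,status,requested_by
2020-03-02T10:15,acme_holdings,GB11ACME00000001,120000,settled,j.smith
2020-03-09T16:40,acme_holdings,HK22BANK00000099,450000,failed,j.smith
2020-03-10T09:05,acme_holdings,HK22BANK00000099,450000,failed,j.smith
2020-03-11T11:30,acme_holdings,HK22BANK00000099,450000,failed,j.smith
2020-03-12T08:55,acme_holdings,HK22BANK00000099,450000,settled,j.smith
"""


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Replay the wire log in order and return the alerts the rules would have raised."""
    alerts: List[Dict[str, str]] = []
    attempts = defaultdict(list)   # (counterparty, beneficiary) -> timestamps in window
    held = set()                   # pairs already placed on hold, to avoid duplicate alerts
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M")
        key = (row["counterparty"], row["beneficiary"])
        verified = row["beneficiary"] in KNOWN_BENEFICIARIES.get(row["counterparty"], set())

        # Rule 1: any payment to an unverified account is held pending an out-of-band callback.
        if not verified and key not in held:
            held.add(key)
            alerts.append({"ts": row["ts"], "level": "hold",
                           "msg": f"new beneficiary {row['beneficiary']} for {row['counterparty']}: "
                                  "verify by phone using a number on file, not one from the email"})

        # Rule 2: repeated attempts against an unverified account within the window page IR.
        recent = [t for t in attempts[key] if ts - t <= WINDOW] + [ts]
        attempts[key] = recent
        if not verified and len(recent) == ESCALATE_AFTER:
            alerts.append({"ts": row["ts"], "level": "escalate",
                           "msg": f"{len(recent)} attempts to {row['beneficiary']} in "
                                  f"{WINDOW.days} days: invoke incident response plan"})

        # Rule 3: money actually left to an unverified account; every minute now counts.
        if not verified and row["status"] == "settled":
            alerts.append({"ts": row["ts"], "level": "critical",
                           "msg": f"{row['amount']} settled to unverified {row['beneficiary']}: "
                                  "contact the bank for recall and notify counsel"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG):
        print(alert["ts"], alert["level"].upper(), alert["msg"])
```

In practice the hold in rule 1 is the control that matters most: had it been in place, the first attempt in the sample log would never have reached the bank, and rules 2 and 3 exist only to catch the case where someone overrides the hold.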

With COVID-19 threatening employees’ health and safety as well as companies’ finances, executives are understandably concerned with ensuring business continuity and protecting employees from exposure to the virus. This has led many companies to expand work-from-home access for employees, often at the cost of security, and criminals are well aware of this. Ice Miller Data Security partner Guillermo Christensen recently spoke about ways to mitigate the heightened threat from COVID-19 scams to an audience of private equity professionals and investors on a panel hosted by Opus Connect. Our Data Security and Privacy team can also provide legal and cybersecurity guidance as you navigate these challenging times. Please contact Guillermo Christensen or Mason Clark for more information. Guillermo is a partner in our Data Security and Privacy Group and has years of experience assisting private equity and venture capital clients. Mason Clark is an associate in the Data Security and Privacy Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
