Investment firms, such as private equity firms, venture capital firms and hedge funds, are an attractive target for cyber criminals because they regularly send and receive wire transfers of funds for investments. As a result, they are increasingly being targeted by “business email compromises,” that is, legitimate-seeming phishing emails that are used to gain access to usernames and passwords for the email accounts of firm employees. Once a criminal logs into an email account using the stolen credentials, the intruder searches for emails about wire transfers, sets up rules for auto-forwarding and auto-deleting emails that meet certain criteria, and leverages delegate and administrator rights to access other email accounts at the same firm for the same nefarious purposes.
Often, the criminal intruder’s end goal is to send a fraudulent, sometimes “spoofed,” email to someone involved in approving wire transfers, tricking that person into changing the wire transfer instructions so that the funds are wired to the criminal’s bank account. If the error is not caught, and the funds frozen, quickly enough, the funds are impossible to retrieve, which makes this scam extremely lucrative for criminals. And even if that goal is not met, the intruder had full access to an email account that might contain sensitive information about companies or individuals, possibly warranting notification of the intrusion to those companies and individuals, such as high net worth investors and other counterparties.
The FBI recently released a public service announcement reporting that $11 billion has been lost in the last six years due to business email compromises suffered by over 73,000 victims. In this client alert, we provide tips to prevent, and mitigate the harm from, business email compromises. These tips are gleaned from our experience assisting dozens of clients in the investment industry with business email compromises over the last six years.
To prevent and mitigate the harm from business email compromises, firms should consider these cybersecurity measures:
1. Implement multi-factor authentication (MFA) for email access and remote access (for example, VPN access). If MFA is enabled, an attacker would require more than a username and password to gain access to the system.
2. Disable legacy email authentication protocols (such as basic authentication over POP and IMAP), which are enabled by default on some email platforms. Under certain circumstances, legacy authentication protocols can be used to bypass MFA, and attackers frequently use them to perform brute-force and password spray attacks.
3. Enable audit logging and retain such logs for a period of time that is appropriate for your company, such as 90 days. Audit logging is not enabled by default on some email platforms, which can make it impossible to investigate what an intruder did while in an email account.
4. Deploy features that cause incoming emails that originate from external senders to be labeled as “external.” This measure is intended to thwart attempts by criminals to “spoof” emails to make them appear to have come from within the same firm.
5. Disable or restrict auto-forwarding of emails to email addresses outside your company domain. After email intruders have gained access to a mailbox, they frequently create a rule to auto-forward incoming emails to an external email account that they control, in order to continue to see new emails even after they have been blocked from the compromised account.
6. Review the delegate rights and administrator rights of all email accounts to determine whether they are necessary. Email intruders often use these rights in one compromised email account to access multiple other email accounts at the same company.
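As an added example (not part of this alert, and not tied to any particular email platform), the following Python script shows how measures 3, 5 and 6 above can be reviewed together from an audit-log export: it flags inbox rules that forward or redirect mail outside the company domain, rules that auto-delete payment-related messages, and grants of privileged delegate access to another mailbox. The record layout, field names, company domain and sample records are all constructed for illustration; a real export will need its own field mapping.

```python
"""Review an audit-log export for the mailbox changes email intruders commonly make.

Constructed example: the JSON-lines layout and field names below are assumptions
modelled loosely on mailbox-audit events, not any vendor's actual export format.
"""
import json
from dataclasses import dataclass

COMPANY_DOMAIN = "example-fund.com"   # assumed internal domain (constructed)
PAYMENT_KEYWORDS = ("wire", "invoice", "payment", "bank", "capital call")
PRIVILEGED_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}

# Constructed sample export: one JSON record per line. Records 1-3 model the
# behaviour described in the alert; records 4-5 are benign and should not fire.
SAMPLE_AUDIT_LOG = """\
{"ts":"2024-05-02T09:14:03Z","user":"cfo@example-fund.com","op":"New-InboxRule","params":{"Name":"sync","ForwardTo":["archive@gmail.com"],"SubjectContainsWords":["wire"]}}
{"ts":"2024-05-02T09:15:40Z","user":"cfo@example-fund.com","op":"New-InboxRule","params":{"Name":"cleanup","DeleteMessage":true,"BodyContainsWords":["wire transfer","payment"]}}
{"ts":"2024-05-02T09:20:11Z","user":"cfo@example-fund.com","op":"Add-MailboxPermission","params":{"Identity":"controller@example-fund.com","User":"cfo@example-fund.com","AccessRights":["FullAccess"]}}
{"ts":"2024-05-02T10:02:55Z","user":"analyst@example-fund.com","op":"New-InboxRule","params":{"Name":"newsletters","MoveToFolder":"Reading","FromAddressContainsWords":["news@example-fund.com"]}}
{"ts":"2024-05-02T11:30:00Z","user":"analyst@example-fund.com","op":"Set-InboxRule","params":{"Name":"out of office","RedirectTo":["analyst@example-fund.com"]}}
"""


@dataclass
class Finding:
    ts: str
    user: str
    reason: str


def is_external(address):
    """True when an address is outside the company domain (case-insensitive)."""
    return not address.lower().endswith("@" + COMPANY_DOMAIN)


def forwarding_targets(params):
    """Collect every address a rule forwards or redirects to."""
    targets = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        targets.extend(params.get(key, []))
    return targets


def matches_payment_keywords(params):
    """True when a rule's subject/body conditions mention payment-related terms."""
    words = params.get("SubjectContainsWords", []) + params.get("BodyContainsWords", [])
    return any(k in w.lower() for w in words for k in PAYMENT_KEYWORDS)


def check_record(rec):
    """Return the list of reasons (possibly empty) a single record deserves review."""
    reasons = []
    params = rec["params"]
    if rec["op"] in ("New-InboxRule", "Set-InboxRule"):
        external = [a for a in forwarding_targets(params) if is_external(a)]
        if external:
            reasons.append("rule forwards mail outside %s: %s"
                           % (COMPANY_DOMAIN, ", ".join(external)))
        if params.get("DeleteMessage") and matches_payment_keywords(params):
            reasons.append("rule silently deletes payment-related mail")
    elif rec["op"] == "Add-MailboxPermission":
        granted = PRIVILEGED_RIGHTS.intersection(params.get("AccessRights", []))
        if granted:
            reasons.append("%s granted %s on %s; confirm this delegation is needed"
                           % (params.get("User"), "/".join(sorted(granted)),
                              params.get("Identity")))
    return reasons


def audit(log_text):
    """Parse a JSON-lines export and return one Finding per flagged reason."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for reason in check_record(rec):
            findings.append(Finding(rec["ts"], rec["user"], reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_AUDIT_LOG):
        print(f.ts, f.user, f.reason)
```

Run daily against the retained audit log (measure 3) so that a new external forwarding rule or delegation is surfaced within the retention window; every flag is a prompt for review, not proof of compromise, since staff do occasionally create such rules for legitimate reasons.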