August 5, 2021
Hedge funds are enticing targets of sophisticated cyberattacks, according to a recent article in the Financial Times. “Finance firms are 300 times more likely… to be targeted by a cyberattack,” and hackers are homing in on hedge funds. Compared to banks, hedge funds don’t spend nearly as much on cybersecurity, and fund executives are highly visible, making them prime targets.
The Times’s article highlights two hedge fund phishing attacks. In this post, we summarize each case and cover how the crimes could have been prevented using payment controls.
Case 1: The Dark Web and the Long Con Phish
Seemingly innocuous data stolen in a data breach can find its way onto the dark web, where it can be used against hedge funds and their clients. John, a private investor, thought he was exchanging sensitive emails with his trustee. What John didn’t know was that a malicious actor obtained his information from a fund admin data breach leaked to the dark web. The cybercriminal used this information and a spoofed email address to mimic the conversational patterns of John’s trustees and build confidence discussing loan repayments, John’s art collection, and other personal information.
Several months and dozens of emails later, the hacker, acting as John’s trustee, convinced John to route a loan repayment to a different account than the one to which he was accustomed. John authorized the payment with his bank, and it was only after calling the real trustee that he discovered he’d been conned. Luckily, John was able to cancel the payment before it was executed.
Case 2: Phishing for Funds
The second story involves Levitas, a Sydney-based hedge fund that fell for a more typical phishing attack. Levitas’s co-founder, Michael Fagan, mistakenly allowed entry into their systems by clicking a spoofed Zoom invite. The hackers gained access to Fagan’s email and authorized nearly $9 million in fraudulent wires. Fagan eventually discovered the scam and attempted to stop payment but was too late to prevent the theft of $600,000. Investors pulled their funds and Levitas is closing shop.
Protecting Against Payment Fraud
Cybercriminals are increasingly targeting hedge funds with complex wire fraud schemes. Security controls that could have prevented fraud in the cases above are available and affordable even for emerging hedge funds.
Below are some of the ways a secure payment system could have prevented the fraud in the cases above.
Enforced Secure Workflows
It is an obvious best practice to prevent wire creators from approving their own wires. Unfortunately, administrative controls are easily bypassed. A secure wire system uses technical controls to enforce workflow roles, preventing a single social engineering victim or compromised account from releasing fraudulent wires.
Multi-Factor Authentication (MFA)
Multi-factor authentication prevents up to 100% of phishing attacks, according to Google. Multi-factor authentication, or MFA, requires users to prove their identity using a second factor, usually a one-time passcode or digital prompt (something they have), in addition to a password (something they know). Secure wire systems require MFA for login and wire release, protecting against payment fraud even if an account is compromised.
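The two controls above, enforced workflow roles and MFA at wire release, can be combined in a single release check. The sketch below is an added example, not code from any payment product discussed in this post; the names `Wire`, `WireSystem`, `ReleaseDenied` and the in-memory secret store are hypothetical, and the second factor is assumed to be an RFC 6238 one-time passcode.

```python
import hashlib, hmac, struct, time
from dataclasses import dataclass, field

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time passcode (HMAC-SHA1) for the time `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ReleaseDenied(Exception):
    """Raised when a release attempt violates a workflow control."""

@dataclass
class Wire:
    creator: str
    amount_usd: int
    status: str = "pending"

@dataclass
class WireSystem:
    approver_secrets: dict            # approver -> TOTP secret (hypothetical store)
    used_codes: set = field(default_factory=set)

    def release(self, wire: Wire, user: str, code: str, now: float = None) -> Wire:
        now = time.time() if now is None else now
        if wire.status != "pending":
            raise ReleaseDenied("wire is not pending")
        if user not in self.approver_secrets:
            raise ReleaseDenied("user does not hold the approver role")
        if user == wire.creator:
            # Enforced in code: a compromised creator account cannot self-approve.
            raise ReleaseDenied("creator cannot release their own wire")
        secret = self.approver_secrets[user]
        # Accept the current and previous time step to tolerate clock skew.
        ok = any(hmac.compare_digest(code.encode(), totp(secret, now - d).encode())
                 for d in (0, 30))
        if not ok or (user, code) in self.used_codes:
            raise ReleaseDenied("second factor missing, wrong, or replayed")
        self.used_codes.add((user, code))   # one-time: reject reuse
        wire.status = "released"
        return wire
```

With this check in place, a stolen mailbox or password for the wire's creator is not enough to move money: release needs a second person who holds the approver role and a fresh passcode from that person's device.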
As recent cyberattacks have shown, even the most hardened environments can be susceptible to a data breach. Rogue nation-states have turned to hacking as a source of income, and hedge funds are high-value targets. While the goal is to prevent an attack in the first place, using a secure payment system to encrypt your payment data prevents a potential hacker from making use of stolen data or leaking it to the dark web for others to use.
Protecting Yourself Against Cyberattack
To protect against cyberattacks, it is imperative that hedge funds invest in a payment processing system that allows for enforced workflows, MFA, and encryption. Otherwise, funds may find themselves victims of the next wire fraud scheme.