Hedge fund Tillage Commodities filed a lawsuit last September alleging its fund administrator ignored its own security protocols when it fell for a spear phishing attack and inadvertently wired millions of dollars out of Tillage’s accounts. The fund admin has struggled to get the case thrown out, and a judge denied its latest request last week. As the case crawls through the courts, we thought it was a good time to discuss the risks spear phishing poses to the hedge fund industry.
What is Phishing? Why is Spear Phishing Different?
Phishing is a form of social engineering in which an attacker masquerades as an honest source to obtain sensitive information or to get the victim to act to the attacker’s benefit. Phishing is usually email spam designed to trick consumers into handing over relatively small sums. If phishing is hunting with a shotgun, spear phishing is hunting with a high-caliber rifle (or, to use another analogy, fishing with a spear). In spear phishing, sophisticated criminals perform extensive research to craft attacks aimed at high-value targets, like hedge funds.
One of the most common forms of spear phishing is CEO fraud or a Business Executive Scam. In CEO fraud, criminals use the name of a senior executive and a nearly identical domain name to trick recipients into thinking a spoofed email is legitimate because it appears to come directly from that executive.
What happened to Tillage?
Tillage’s fund admin appears to have fallen victim to a textbook case of CEO fraud. Chinese hackers used a look-alike email domain (@tillagecapital.com vs. @tilllagecapital.com) and the name of a Tillage executive to request that funds be moved from Tillage’s account to a bank in Hong Kong. Tillage argues its fund admin was grossly negligent in failing to follow its own security protocols to authenticate the wires.
How can I protect myself?
Social engineering is difficult but not impossible to prevent. Strong security controls around the wire process could have protected Tillage and its fund admin from wire fraud. We’ve listed some best practices below.
1. Multi-step Wire Request Workflows
In the Tillage case, attackers exploited a process that allowed a single executive to make a wire request. To protect against this, it is critical that firms follow the four-eyes principle. Wire requests should go through a workflow involving at least three people (a creator, a reviewer, and an approver, for example). A single individual should never be allowed to create and approve their own wire request. It is also key to use a wire system that ensures approvals can’t be forged and that the workflow is consistently enforced.
2. Required Account Relationships
Debit and credit relationships should be explicitly defined and approved before money is allowed to move. The attackers in the Tillage case requested that funds be sent to a bank in Hong Kong that Tillage had never used. As Tillage had no relationship with that bank, the wire request should have been denied and an approval workflow for the new banking relationship initiated. Leading wire systems automate this process and prevent money from moving to places where it doesn’t belong.
3. Digital Signatures
The Tillage case proves that the word of a supposedly trusted source isn’t enough. Message authenticity must be validated to prevent identity theft and email fraud. The best way to ensure authenticity is the use of digital signatures. A digital signature is a unique identifier tied to the signatory that can be verified by a third party. In practice, each wire request is stamped with a cryptographic digital signature that is automatically checked by the recipient. If the signature is missing, or the request has been tampered with, validation fails and the request is rejected immediately.
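The three controls above (a three-person workflow, approved bank relationships, and signature validation), together with an exact sender-domain check that catches the look-alike domain from the Tillage case, as an added Python example that is not part of the original post or any wire system it mentions. The approved domain, bank identifiers, user names and signing key are constructed for the example; the HMAC stands in for a proper asymmetric signature.

```python
"""Wire request controls: separation of duties, approved bank relationships,
exact sender-domain matching, and message integrity."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample policy data for this example only
APPROVED_DOMAIN = "tillagecapital.com"
APPROVED_BANKS = {"BANK-NY-001", "BANK-LON-002"}   # placeholder bank identifiers
SIGNING_KEY = b"example-key-not-for-production"    # constructed stand-in key


@dataclass
class WireRequest:
    sender_email: str
    beneficiary_bank: str
    amount: int
    approvals: dict = field(default_factory=dict)  # role -> user id
    signature: str = ""


def canonical(req):
    # The fields the signature covers; changing any of them must break validation.
    return f"{req.sender_email}|{req.beneficiary_bank}|{req.amount}".encode()


def sign(req, key=SIGNING_KEY):
    # HMAC stands in for an asymmetric signature; a production system would use
    # a scheme such as Ed25519 so the verifying side never holds the signing secret.
    return hmac.new(key, canonical(req), hashlib.sha256).hexdigest()


def validate_wire(req, key=SIGNING_KEY):
    """Return the list of control failures; an empty list means the wire may proceed."""
    failures = []
    domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if domain != APPROVED_DOMAIN:  # exact match, so tilllagecapital.com is rejected
        failures.append(f"sender domain {domain!r} is not {APPROVED_DOMAIN!r}")
    if req.beneficiary_bank not in APPROVED_BANKS:
        failures.append(f"no approved relationship with bank {req.beneficiary_bank!r}")
    people = [req.approvals.get(r) for r in ("creator", "reviewer", "approver")]
    if any(p is None for p in people):
        failures.append("workflow incomplete: creator, reviewer and approver all required")
    elif len(set(people)) < 3:
        failures.append("separation of duties violated: roles must be three distinct people")
    if not hmac.compare_digest(sign(req, key), req.signature):
        failures.append("digital signature missing or does not match request contents")
    return failures
```

Every control is evaluated independently, so a request that passes the signature check but names an unknown bank or a one-person approval chain is still rejected.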
Spear phishing has dire consequences and the number of attacks continues to grow. It’s time to take this growing risk seriously. Hedge funds must improve their wire controls to protect themselves against cybercrime.