Phishing attacks targeting private equity firms’ portfolio companies aren’t new, but the uncertainty surrounding COVID-19 has upped the game. A recent post on Security Intelligence cited a 6,000% increase in spam related to COVID-19 since the pandemic was declared in March 2020. Why? Because businesses and their employees are grasping for hope, and they’re lowering their defenses against phishing emails offering relief.
The Small Business Administration (SBA) and state agencies have infused nearly $350 billion in assistance for businesses, but not every business qualifies. Many have moved to a work-from-home structure or shut down completely, and employees are unsure of their job security.
Before the economic chaos, most people were careful about filtering phishing scams; now, they’re falling victim to them. These scams can seek to steal money in the form of loan processing fees, personal information such as banking details or tax returns, or credentials to applications like Office 365. Some scams install malware on business computers.
Emails and text messages targeting portfolio companies often carry subject lines like "PPP loan approved! Click here for details" or "Relief payment on hold! Click here for details." In many instances, the phishing email promises to approve an SBA loan in exchange for a fee, an upfront payment, or a high interest rate. Some claim they can speed up PPP payments in a matter of hours. Others, using the classic phishing formula, ask recipients to "verify" personally identifiable information such as a Social Security number, a bank account number, or a tax return.
One private equity firm was contacted to verify whether it was truly backing a business loan, as an email claimed; it was not. The phishing recipient forwarded a long email conversation in which the bad actor had fraudulently used the PE firm's name as the guarantor of a loan and misrepresented the lending institution he claimed to be from.
Portfolio Companies Can Protect Themselves
Now is the time for portfolio companies to provide a refresher course on how to spot and avoid phishing emails and what to do about them.
Here’s some advice to protect yourself if you receive a possible phishing threat:
- Contact the true source (e.g., the institution supposedly offering assistance) by manually typing the URL of the organization's official site into the browser, or by calling the organization directly. Do not click the link in the message.
- Be aware that fraudsters register lookalike domain names to impersonate real sites; clicking a link can trigger a malicious download or run code in the browser.
- Protect workstations and laptops from malware with next-generation endpoint protection/anti-malware.
- Restrict administrative access so that day-to-day user accounts cannot install new software; only designated administrators should be able to.
Remember, most U.S. government domain names end in .gov, and government agencies will not text, call, or informally ask for personal information.
Here are official resources portfolio companies can use to check whether a COVID-19 relief email is legitimate:
- U.S. Small Business Administration: https://www.sba.gov/content/beware-scams
- California Governor’s Office of Business and Economic Development: https://business.ca.gov/coronavirus-2019/
- New York State Information on Novel Coronavirus for Business: https://esd.ny.gov/novel-coronavirus-faq-businesses
- Georgia State COVID-19 Support for Business: https://georgia.gov/covid-19-state-services-georgia/covid-19-support-businesses
- New York City Assistance & Guidance for Business Impacted Due to Novel Coronavirus: https://www1.nyc.gov/site/sbs/businesses/covid19-business-outreach.page
It’s imperative to provide regular security awareness training to all team members, especially those with roles involving finance, vendor relationships, and IT administration.
PE Firms Must Communicate Consistently
It’s nearly impossible to prevent a criminal from trying to defraud others by claiming to be connected to your firm. Those communications almost always take place out of the firm’s sight.
One practical step a PE firm can take is to tell portfolio companies and partners exactly how the firm will communicate with them, and then never deviate from it. Ways to do this include:
- Whitelisting the domains the firm sends email from, and publishing that list to portfolio companies.
- Blacklisting lookalike domains that could be used to spoof the firm.
- Establishing callback numbers, shared in advance, for verifying any request received by email on the firm's behalf.
Email filtering platforms such as Mimecast can mark trusted sender addresses and quarantine messages that attempt to impersonate them.
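The lookalike-domain warning in the advice above and the whitelist/blacklist steps just listed come down to the same check: classify the domain an email claims to come from against the domains you trust, the domains you have already seen abused, and the near-misses fraudsters register. The script below, added here as an illustration and not code from Agio or from any filtering product, does that triage on a handful of constructed From headers. The firm domain (examplepe.com) and the blocked domain are hypothetical placeholders; the government domains are the ones from the resource list on this page.

```python
"""Sender-domain triage for inbound mail: allow-list, block-list, and lookalike checks.

Added example; not code from Agio or from any filtering product. The firm and
blocked domains are hypothetical placeholders; the government domains are the
ones listed on this page.
"""
import re
from email.utils import parseaddr

# Domains the firm has told portfolio companies it always sends from (hypothetical).
FIRM_DOMAINS = {"examplepe.com"}

# Agency domains from the resource list above.
GOV_DOMAINS = {"sba.gov", "business.ca.gov", "esd.ny.gov", "georgia.gov", "nyc.gov"}

# Domains already observed impersonating the firm (hypothetical).
BLOCKED_DOMAINS = {"examplepe-loans.com"}

ALLOWED_DOMAINS = FIRM_DOMAINS | GOV_DOMAINS

# Single-character and multi-character substitutions fraudsters use to make a
# registered lookalike domain read like the real one.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})
_MULTI_GLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(domain):
    """Lower-case, undo common homoglyph swaps, and drop punctuation so that
    'exarnplepe.com' and 'examp1epe.com' both compare equal to 'examplepe.com'."""
    s = domain.lower().translate(_HOMOGLYPHS)
    for src, dst in _MULTI_GLYPHS:
        s = s.replace(src, dst)
    return re.sub(r"[^a-z0-9]", "", s)


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the domain part of an RFC 5322 From header ('' if malformed)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify(from_header):
    """Return (verdict, reason). Verdicts: malformed, blocked, allowed, lookalike, unknown."""
    domain = sender_domain(from_header)
    if not domain:
        return "malformed", "no address in From header"
    if domain in BLOCKED_DOMAINS:
        return "blocked", "on block-list"
    if domain in ALLOWED_DOMAINS or any(domain.endswith("." + d) for d in ALLOWED_DOMAINS):
        return "allowed", "on allow-list"
    # 'gov' used as a label in a domain that is not actually under .gov
    # (sba-gov.com, gov-assistance.org) is the classic relief-scam pattern.
    if "gov" in re.split(r"[.-]", domain) and not domain.endswith(".gov"):
        return "lookalike", "uses 'gov' outside the .gov TLD"
    norm = normalize(domain)
    for trusted in sorted(ALLOWED_DOMAINS):
        t = normalize(trusted)
        # Trusted name embedded in a different registrable domain: sba.gov.relief-funds.com
        if t in norm:
            return "lookalike", f"contains {trusted}"
        # One or two edits away from a trusted name: examplpe.com
        if len(t) >= 6 and levenshtein(norm, t) <= 2:
            return "lookalike", f"within 2 edits of {trusted}"
    return "unknown", "not on any list"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "SBA Loans <ppp@sba.gov>",
        "notifications@mail.sba.gov",
        "loans@sba-gov.com",
        "info@sba.g0v-relief.com",
        "Investor Relations <ir@exarnplepe.com>",
        "ir@examplepe-loans.com",
        "Relief Desk <relief@gov-assistance.org>",
        "someone@gmail.com",
    ]
    for s in samples:
        verdict, reason = classify(s)
        print(f"{verdict:9} {reason:34} {s}")
```

Two caveats for anyone adapting this. First, it only inspects the domain the message claims in its From header; a forged message that uses the firm's exact domain is caught only by sender authentication at the mail gateway, which is the job of the filtering platform rather than a script like this. Second, the homoglyph table and the two-edit threshold are heuristics that will occasionally flag a legitimate but similarly named domain, so treat "lookalike" as a reason to call the published callback number, not as a verdict on its own.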
Agio knows the cybersecurity of private equity firms and their portfolio companies. Firms rely on our SEC Cybersecurity Governance Program to help them remain secure and compliant, and they look to our Portfolio Company Cybersecurity Assessment Program to evaluate their portfolio cybersecurity risk. Contact us, we can help.