Wire and payment transfer fraud are two of the top ways alternative investment firms lose significant money to attackers. Agio has a team dedicated to providing strategy and governance of cybersecurity for firms that manage funds in private equity, credit, debt, and real estate. Here are the current threats we see in the industry.
Areas of Payment Fraud
- (Outbound) Major deal fraud for purchases of companies or real estate
- (Outbound) Vendor payment fraud including mortgage, rent, contractor work, and software licenses
- (Outbound) Employee direct deposit especially around EOY and bonus periods
- (Inbound) Accounts receivable fraud, where bad actors impersonate your firm to third parties in order to intercept the payments those parties owe you
- (Firm Impersonation) Bad actors impersonate the firm and ask LPs, portfolio companies, or trusted third parties to transfer funds
Addressing Outbound Risks
For wires related to major deals, use conference calls or video conferencing to establish and communicate the payment details. Include instructions for validating any changes to the established process.
For vendors, establish a communication process and specific contacts within the organization to verify all change requests.
Never trust email or inbound calls on their own. There has been an increase in clients reporting that they have received messages from compromised vendor email accounts asking them to click a link or change passwords through a portal. Be aware that even emails from the legitimate addresses of known and trusted parties may come from a compromised account. Think before you click.
For employees, establish a process they can use to initiate changes to direct deposit account information. This is often done online through a portal or payroll application.
Addressing Inbound Risks
For third parties that send payments, establish how you will communicate with them about any changes to your AR processes or contact information so they can verify those changes.
Addressing Risks for Firm Impersonation to Trusted Parties
Tell LPs, portfolio companies, and other trusted third parties about the methods you will use to communicate with them and provide guidelines of what you will (or will never) ask for. For example, let LPs know that you will never ask them for personal information (e.g., SS#, Tax ID) or to wire funds via email or a phone call. Provide details of how you’ll manage capital calls and how LPs should verify them. Provide a contact number if they have any questions about suspected emails or calls they receive.
Our team at Agio is made up of experts in cybersecurity for PE firms, their portfolio companies, and alternative investments. Contact us today to discuss how we can help.