Agio has been helping hedge fund clients improve their cybersecurity posture for nearly a decade. Whether the client’s motivation stems from regulatory or legal requirements, the response to a recent breach or cybersecurity incident, investor due diligence, or a firm’s internal risk management practice, one common fact persists: hedge funds are now firmly in the crosshairs of cybercriminals. Agio’s cybersecurity clients are no different, and through our cybersecurity governance and testing work, we’ve identified the top three ways cybercriminals are targeting our hedge fund clients.
1. Targeted Social Engineering Attack
In the context of cybersecurity, social engineering can best be defined as the use of deceptive tactics to prompt individuals to grant access or disclose information for fraudulent or malicious purposes. We’ve all become very accustomed to seeing phishing emails, the most basic and most common form of social engineering. But social engineering attacks have evolved far beyond their early form, and today typically take the form of targeted social engineering attacks aimed at a particular individual or group.
Targeted social engineering attacks are most often spear-phishing emails – phishing emails custom-crafted to be particularly appealing to the target(s). These spear-phishing emails are most often informed by open source intelligence – the cybercriminals scour targets’ social media accounts and other sources of publicly available information and use that data to craft particularly compelling phishing emails. Spear-phishing emails purporting to be from alumni associations, running clubs, volunteer organizations, charities, and children’s schools are common, and are nearly always informed by the targets’ recent social media posts.
Other forms of targeted social engineering attacks include direct phone calls and attempts to gain unauthorized physical entry into offices, home offices, or other sensitive areas. Owners, Principals, C-levels, IT personnel, Executive Assistants, and individuals with titles that imply that they may be a party to the funds transfer process are the most common targets of these targeted social engineering attacks at our hedge fund clients.
Targeted social engineering attacks are by far the most common means of delivery of the other two most common cybersecurity threats facing hedge funds – business email compromise and ransomware.
2. Business Email Compromise (BEC)
BEC, sometimes called CEO Fraud, is an attack in which bad actors gain unauthorized access to an individual’s corporate email account and then use that access to impersonate the account owner in an attempt to defraud the enterprise (or its employees, clients, or business associates) of money or to gain access to intellectual property. In less sophisticated attacks, bad actors sometimes simply send from an email address that closely resembles the target’s real corporate email address rather than compromising the real account.
BEC attacks against hedge funds most commonly take the form of a wire transfer request, trying to trick employees into sending money to the cybercriminal.[1] And the numbers show it works – big time. The FBI’s Internet Crime Complaint Center’s (IC3) 2017 Internet Crime Report ranks BEC #1 in total victim losses, accounting for nearly half of the total losses recorded for the top 10 internet crimes.[2] In the reporting period from October 2013 through May 2018, the FBI reports a total of over 78,000 BEC incidents resulting in more than $12.5B in losses.[3]
While the majority of BEC attempts reported to Agio involve attempts to get the firm to execute a fraudulent wire transfer, we have identified a recent shift in targets and tactics. In some recently reported instances, the BEC target has changed from the firm itself to a third party: the bad actors use their access to compromised firm email accounts to monitor email traffic and then insert fraudulent wire transfer instructions into an existing email thread between the firm and its investors.
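The two BEC variants above (a lookalike sender address, and a compromised internal account whose replies are quietly redirected) can both be caught at the mail gateway with simple header checks. The following is an added example, not Agio’s tooling or anything from the article: it assumes a constructed firm domain, examplefund.com, and flags inbound mail whose From domain is a homoglyph or one-edit variant of that domain, embeds the firm’s name in an unrelated domain, or carries a genuine internal From with a Reply-To pointing elsewhere. The sample addresses are constructed.

```python
import re
from typing import Optional, Tuple

# Constructed firm domain for this example (assumption, not from the article).
FIRM_DOMAIN = "examplefund.com"

# Single-character substitutions commonly seen in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"}
# Multi-character substitutions that read the same at a glance.
MULTI_GLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(domain: str) -> str:
    """Collapse visually similar characters so 'examp1efund' and 'examplefund' compare equal."""
    d = domain.lower().strip()
    for lookalike, real in MULTI_GLYPHS:
        d = d.replace(lookalike, real)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in d)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch a dropped or swapped character (examplefund.co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Extract the domain part of an address such as 'Jane Doe <jane@examplefund.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def classify_sender(from_addr: str, reply_to: Optional[str] = None) -> Tuple[str, str]:
    """Return (verdict, reason) for a message's From and optional Reply-To headers."""
    domain = domain_of(from_addr)
    if not domain:
        return ("invalid", "no parsable domain in From header")
    if domain == FIRM_DOMAIN:
        # A genuine internal From whose Reply-To points elsewhere pulls the
        # conversation (and any wire details) out of the firm's mailbox.
        if reply_to and domain_of(reply_to) != FIRM_DOMAIN:
            return ("suspicious", "Reply-To redirects off the firm domain")
        return ("internal", "")
    if normalize(domain) == normalize(FIRM_DOMAIN):
        return ("lookalike", "homoglyph substitution of the firm domain")
    if levenshtein(domain, FIRM_DOMAIN) <= 1:
        return ("lookalike", "within one edit of the firm domain")
    firm_label = FIRM_DOMAIN.split(".")[0]
    if firm_label in domain:
        return ("lookalike", "firm name embedded in an unrelated domain")
    return ("external", "")


if __name__ == "__main__":
    # Constructed sample headers: (From, Reply-To or None).
    samples = [
        ("cfo@examplefund.com", None),
        ("cfo@examp1efund.com", None),
        ("cfo@examplefund.co", None),
        ("ir@examplefund.com", "ir@examplefund-secure.net"),
        ("advisor@counterparty.example", None),
    ]
    for sender, reply in samples:
        print(sender, reply or "", "->", classify_sender(sender, reply))
```

Anything returned as lookalike or suspicious is a candidate for quarantine or a banner, and a Reply-To mismatch on internal mail is also worth correlating with mailbox forwarding rules, since the compromised-account variant described above usually sets those up first.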
3. Ransomware or Crypto Malware
Ransomware, sometimes called Crypto Malware, refers to a family of malicious software designed to deny access to a system or data until a ransom is paid. Most often, this takes the form of a program that encrypts files and folders, presents a ransom demand, and provides instructions for remitting payment. If the target firm doesn’t have adequate backups, or the backups themselves have been encrypted, the firm must pay the ransom in exchange for the key required to decrypt and regain access to its data.
According to Intermedia Research, approximately 75% of companies infected with ransomware endure two or more days without access to the affected data, and nearly a third go five days or more before regaining access.[4] Such extended periods without access to key systems and data can be crippling for a hedge fund. And paying the ransom is no guarantee you will regain access to your data. According to the FBI, many victims that do pay the ransom never gain access to the promised decryption key or are provided a key that doesn’t
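Because ransomware of the kind described above works by rewriting many files in quick succession, the behaviour itself is detectable long before the ransom note appears. The following is an added example, not Agio’s or any vendor’s detection logic: it runs a simple heuristic over a constructed file-system event log (process names and paths are invented) and raises an alert when a single process renames a threshold number of files to the same new extension within a short window. Real endpoint telemetry would supply the events; the threshold and window are assumed values to tune.

```python
import posixpath
from collections import Counter, defaultdict, deque
from typing import List, Tuple

# Constructed event log: (timestamp_seconds, process, op, old_path, new_path).
# Everything here is invented for the example; "update_helper.exe" stands in
# for an encrypting process and ".locked" for whatever extension it appends.
EVENTS: List[Tuple[float, str, str, str, str]] = [
    (0.0, "excel.exe", "modify", "/shares/finance/positions.xlsx", ""),
    (2.0, "excel.exe", "rename", "/shares/finance/~tmp3F2.tmp", "/shares/finance/positions.xlsx"),
    (5.0, "backup_agent", "modify", "/backups/daily/positions.xlsx.bak", ""),
    (10.0, "update_helper.exe", "rename", "/shares/finance/positions.xlsx", "/shares/finance/positions.xlsx.locked"),
    (11.0, "update_helper.exe", "rename", "/shares/finance/q3_letter.docx", "/shares/finance/q3_letter.docx.locked"),
    (12.0, "update_helper.exe", "rename", "/shares/legal/lpa.pdf", "/shares/legal/lpa.pdf.locked"),
    (13.0, "update_helper.exe", "rename", "/shares/legal/side_letter.pdf", "/shares/legal/side_letter.pdf.locked"),
    (14.0, "update_helper.exe", "rename", "/shares/ops/wire_template.docx", "/shares/ops/wire_template.docx.locked"),
    (15.0, "update_helper.exe", "rename", "/shares/ops/README.txt", "/shares/ops/README.txt.locked"),
    (16.0, "update_helper.exe", "modify", "/shares/ops/HOW_TO_DECRYPT.txt", ""),
]

WINDOW_SECONDS = 60      # assumed sliding window
RENAME_THRESHOLD = 5     # assumed number of same-extension renames that trips an alert


def detect_mass_rename(events, window=WINDOW_SECONDS, threshold=RENAME_THRESHOLD):
    """Return [(process, new_extension, count)] for processes that rename
    `threshold` or more files to one new extension within `window` seconds."""
    recent = defaultdict(deque)   # process -> deque of (timestamp, new_ext)
    alerts, alerted = [], set()
    for ts, proc, op, old_path, new_path in sorted(events, key=lambda e: e[0]):
        if op != "rename":
            continue
        old_ext = posixpath.splitext(old_path)[1].lower()
        new_ext = posixpath.splitext(new_path)[1].lower()
        # Ordinary save-as-temp-then-rename flows restore the original extension;
        # an encrypting process appends a new one to every file it touches.
        if not new_ext or new_ext == old_ext:
            continue
        q = recent[proc]
        q.append((ts, new_ext))
        while q and ts - q[0][0] > window:
            q.popleft()
        ext, n = Counter(e for _, e in q).most_common(1)[0]
        if n >= threshold and (proc, ext) not in alerted:
            alerted.add((proc, ext))
            alerts.append((proc, ext, n))
    return alerts


def affected_files(events, proc, ext):
    """List the original paths a flagged process renamed to `ext`, for triage and restore."""
    return sorted(old for _, p, op, old, new in events
                  if p == proc and op == "rename" and new.lower().endswith(ext))


if __name__ == "__main__":
    for proc, ext, n in detect_mass_rename(EVENTS):
        print(f"ALERT: {proc} renamed {n} files to {ext} within {WINDOW_SECONDS}s")
        for path in affected_files(EVENTS, proc, ext):
            print("  ", path)
```

The alert fires on the fifth rename, well before the process has finished a share, which is the point at which isolating the host and checking that backups are offline and unaffected still makes a difference; the affected-file list is what an incident responder needs to scope the restore.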
Agio continually works with our hedge fund cybersecurity clients to assess, test, and update their cybersecurity controls to address these and other top cybersecurity threats. Through our governance and testing program, hedge fund clients undergo a continuous and systematic review and update of their cybersecurity controls and are prepared to defend against these and other threats. Want to know more? Give Agio a call. Our cybersecurity teams are hedge fund-focused, deeply in tune with the cyber threat landscape, and passionate about cybersecurity.