Email attacks continue to be the most used and most effective method bad actors select in attempts to compromise accounts and steal money from private equity firms and their portfolio companies. Phishing has been the most common form. Educating users on the appearance and common elements of phishing emails has been a major component of security awareness training for PE firms for years—for good reason. Phishing still works (90% of data breaches involve some form of phishing1) and allows bad actors to manipulate recipients into providing credentials, installing ransomware, or changing wire transfers to fraudulent accounts. But email attacks have changed over time, and what PE firms and their portfolio companies have to do to recognize them needs to change as well.

Phishing emails originated, like spam, as messages broadcast to a massive, often random, group of recipients. The senders of these messages hope someone will take the bait and click a link, open an attachment, or perform some action that benefits the sender. These messages often come from common email platforms with email addresses that do not look like typical business communications.

Not much later came spear phishing—emails targeted at an individual or firm, tailored to resemble emails they would normally receive from trusted parties. More and more, this is done with domains registered to emulate the actual email domain of a trusted sender. Instead of an email from, spear phishers register new domains, such as,, or, in hopes it will look close enough to a familiar email address for the recipient to let their guard down. The challenge for many PE firms is that bad actors will target their partners, vendors, and portfolio companies with emails impersonating them, having with no way to know about these communications. Whaling, a form of spear phishing that targets “big fish,” goes after executives with the greatest influence and access to funds, or IT administrators who often have the most access to systems and data.

The third wave of email attacks is in the form of business email compromise (BEC). This occurs when one party in the email communication chain has their actual email account breached by a bad actor. In almost all cases, the compromised account does not have multi-factor authentication (MFA) enabled, and the password can be obtained through password spraying (trying common passwords, e.g., August2019!, September2019!, or October2019!, over a period of time until they find an account it works for) or by attempting to login with breaches of other companies’ credentials found on the dark web. In the case of BEC, the emails look like legitimate messages from trusted senders because they are coming from their actual email addresses. There is no way to examine the message header or sender details to tell this is from a compromised account. Once compromised, the bad actors leverage the trusted email to initiate wire transfer fraud or install malware or ransomware on their targets. In 2018, according the FBI, BEC scams accounted for over $12 billion in losses2.

See also  Vital Lessons from LPL & Ameriprise Ahead of Copilot Implementation

Indicators of Email Attacks and How to Combat Them

  • Phishing – email addresses from common public email providers, but the “display name” is set to a known person or organization.
    • Mousing over or inspecting the sender address can reveal the true sender. More and more often, email filtering can recognize and protect against these bulk phishing emails.
  • Spear Phishing – spoofed email domains. Bad actors will often register a domain name for email similar to a legitimate sender. PE firms may receive such emails from contacts, but bad actors also may impersonate them, sending emails to investors, vendors, or portfolio companies that look like they come from the GP or members of the firm.
    • Look closely at the sender to verify it is from a verified sender’s domain. Many phishing prevention tools will alert if the sender is external to the firm. This is even more important to notice when the sender claims to be someone in the firm. Some tools will also alert if the sender’s domain has only recently been registered.
    • Notify investors, vendors, portfolio companies, and contacts how you will communicate with them and what domain you will always use to send emails. Also provide clear guidelines on what the firm will never do via email, such as request payment or account information, ask for personally identifiable information (PII), such as Social Security numbers, or login credentials.
    • Many firms will register a number of domain names (.com, .net,, .biz, etc.) and common variants to prevent someone else from registering them. Firms can also set up alerts if a domain is registered that contains a key word, such as the firm’s name.
  • Business Email Compromise – weak password policies and email security that allow email compromise.
    • All externally accessible applications like email should require MFA.
    • Firms and their portfolio companies should establish strong password policies. Increasing the length of passwords to at least 12 characters is the best way to enhance password security. The most secure firms will also regularly try to crack their users’ passwords to validate they are not common, easily cracked weak ones, as well as check the dark web for any of the firm’s user names. Upon discovery, the firm will require the user to change their password.
  • All Email Attacks – sense of urgency, appeal from authority, infliction of pain.
    • Be suspicious of emails that have a short timeline for you to take some action.
    • Be skeptical of emails that appear to come from a manager, supervisor, partner, or investor asking you to take some action.
    • Be cautious of emails that indicate bad consequences, such as account suspension, removal of access, or fines, if you do not act.
    • Follow up directly, outside of email or a link in an email, for all such requests.
  • All Email Attacks – log in, click a link, buy gift cards, make a change.
    • Be suspicious of emails that ask you to click a link, open an attachment, change a password, buy gift cards for clients, or change an account where money is sent.
    • Be suspicious of all emails.
    • Follow up directly with a phone call to a known number or a face-to-face check in for any email request involving money.
See also  Guide to Managed IT, Cybersecurity Operations & Cyber Governance
world wide web

As email attacks evolve, PE firms and their partners need to be aware of the changing landscape and how to protect themselves and their investors. Agio has a team specialized in and dedicated to the cybersecurity of PE firms and their portfolio companies. Contact Agio today for more information.

Learn More