By this point, most businesses that regularly send and receive funds electronically have heard about the risk of wire fraud scams in which an intruder changes wiring instructions and diverts funds to its own account, insidiously crafted to look like the proper account. But detecting these scams before they come to fruition — and doing something about them after they occur — has proven challenging.
The scams have continued to increase in sophistication and wreak havoc on business relationships, transactions, and deal closings with increasing frequency and magnitude. This is especially the case for private equity deals, which often involve multiple parties and multiple closing wires, increasing the risk of a compromise.
HOW THESE PHISHING SCAMS WORK
In order to change the wiring instructions in a deal, the bad actor first must obtain access to the communications containing the instructions. Those instructions are most commonly sent by email and, unsurprisingly, email is the lowest-hanging fruit for attackers to access. The more individuals on an email thread, the greater the likelihood that one of them will be compromised unknowingly. And one is all it takes.
Once the bad actor has access to a target’s email, the attacker learns the details of the pending deal and masters the tone and style of the parties’ written communications. The attacker then takes over or “spoofs” certain email addresses and interposes itself in the email traffic, often starting with innocuous communications to build trust. Ultimately, the attacker will go for the kill, announcing a change in fund transfer details, due to a bank “audit” or similar justification. If the attacker’s deception is undetected, the payment will transfer to the attacker’s account instead of the intended recipient. And unless the transfer is caught and reversed within 24 hours, it can be very difficult, if not impossible, to claw the funds back, resulting in a significant financial loss. There is often a dispute as to who bears financial responsibility for the loss, and the dispute in and of itself creates added fees and distraction, and interrupts the flow of the deal.
BEST PRACTICES TO RESIST SCAMS
No single security measure can thwart all attacks on a deal, as would-be attackers have many targets to choose from among all of the parties, advisors and providers involved in private equity transactions. The good news is that there are basic steps that can significantly reduce the likelihood of a successful attack. To help protect against these dispersed risks, firms should consider multiple safeguards, such as:
- Maintaining robust payment authorization procedures that require a thorough review of wire transfers, particularly those above a certain amount, to limit the chance of making a payment to a fraudulent account. These measures can include requiring multiple approvals, getting verbal confirmations of wires from known counterparties, educating finance teams on these scams, and being on high alert for any change in protocol;
- Inserting an “EXTERNAL” label in all emails from external sources, which can remind employees to exercise caution and help them identify a purported internal email coming from a spoofed email address;
- Developing a checklist of “red flag” behavior that requires extra due diligence, such as wires to new recipients, destination accounts in countries in which the intended recipient does not do business, or any other change in normal protocol;
- Implementing multi-factor authentication for email, which can help prevent many, although not all, phishing attacks;
- Periodically training and testing employees to identify and report phishing attempts, as well as on general email security hygiene, such as checking email domains and not following links, opening documents, providing credentials, or sending payments without verifying the source;
- Obtaining cyber insurance that includes coverage for misdirected funds transfers, which, if all else fails, can help defray the cost of an incident; and
- Considering allocating the risk of loss for such transfers in the deal documents themselves; pre-assigning the risk for such loss can reduce uncertainty and increase the diligence of all transaction participants.
Private equity firms and portfolio companies also should be prepared to respond in the event an attacker successfully infiltrates deal correspondence. Upon discovery, firms should act immediately to:
- Change account passwords for all employees on the impacted email chain and, if not overly burdensome, everyone at the entire company;
- Check relevant email accounts for any auto-forwarding rules, which attackers may create and which remain running even after passwords are reset;
- Contact outside counsel to determine appropriate steps to investigate and contain the incident, including retaining a forensic consultant and engaging with financial institutions to attempt to block the transfer of funds;
- Contact law enforcement to assist in recovery of the funds. While recovery can be challenging if funds have already been transferred out of the country, agencies such as the FBI do try to help; and
- If any accounts have been compromised, also work to determine whether any other information was affected, such as personal information for which there could be a breach notification obligation.
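The step above on auto-forwarding rules is the one most often missed in practice, because the rule survives a password reset and can sit in a mailbox the finance team never looks at. The following is an added example, not part of the original alert, of how an administrator would enumerate both inbox rules and mailbox-level forwarding in Exchange Online for the mailboxes on a compromised deal thread. It assumes the ExchangeOnlineManagement module is installed and the operator holds a role allowed to read mailbox settings; the mailbox addresses are constructed placeholders.

```powershell
# Added example: audit mailboxes on a compromised thread for forwarding.
# Assumes the ExchangeOnlineManagement module; addresses are placeholders.
Connect-ExchangeOnline

# Mailboxes that appeared on the impacted email chain (constructed values).
$mailboxes = @("deal.lead@example.com", "cfo@example.com")

foreach ($mbx in $mailboxes) {
    # 1. Inbox rules that forward, redirect, or silently delete mail.
    #    -IncludeHidden also returns rules created through client APIs that do
    #    not show up in Outlook's rule list, a common place to hide them.
    Get-InboxRule -Mailbox $mbx -IncludeHidden |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or
            $_.RedirectTo -or $_.DeleteMessage
        } |
        Select-Object @{n = "Mailbox"; e = { $mbx }}, Name, Enabled,
            ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage,
            Description

    # 2. Mailbox-level forwarding is configured outside inbox rules, so a
    #    review of rules alone can miss it.
    Get-Mailbox -Identity $mbx |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        Select-Object PrimarySmtpAddress, ForwardingSmtpAddress,
            ForwardingAddress, DeliverToMailboxAndForward
}

# Removal, once the forensic consultant has preserved the evidence:
#   Remove-InboxRule -Mailbox $mbx -Identity "<rule name from output>"
#   Set-Mailbox -Identity $mbx -ForwardingSmtpAddress $null `
#       -ForwardingAddress $null -DeliverToMailboxAndForward $false
```

Run the enumeration before removing anything, since the rule names, targets, and creation details are evidence the forensic consultant and financial institutions will want.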
Publicly available guidance from U.S. government agencies offers additional information on measures businesses can take to protect themselves. This includes the FBI’s guidance on spoofing and phishing and business email compromise, as well as the U.S. Department of Justice Cybersecurity Unit’s Best Practices for Victim Response and Reporting of Cyber Incidents.
John R. LeClaire, Partner, Co-Chair, Private Equity