As Investment Firms Continue to Be Targeted by Email Intruders, Authorities Release Tips to Prevent Intrusions and Mitigate Harm

Guest post by Kristen J. Mathews and Tiffany Quach – Morrison & Foerster LLP

Investment firms, such as private equity firms, venture capital firms and hedge funds, are an attractive target for cyber criminals because they regularly send and receive wire transfers of funds for investments. As a result, they are increasingly being targeted by “business email compromises,” that is, legitimate-seeming phishing emails that are used to gain access to usernames and passwords for the email accounts of firm employees. Once a criminal logs into an email account using the stolen credentials, the intruder searches for emails about wire transfers, sets up rules for auto-forwarding and auto-deleting emails that meet certain criteria, and leverages delegate and administrator rights to access other email accounts at the same firm for the same nefarious purposes.

Often, the end goal of the criminal intruder is to send a fraudulent, sometimes “spoofed,” email to someone who is involved in the approval of wire transfers to trick that person into making a change to the wire transfer instructions, causing funds to be wired to the criminal’s bank account. If the error is not caught and the funds frozen quickly enough, the funds are impossible to retrieve, making this scam extremely lucrative for criminals. Even if that goal is not met, the intruder had full access to an email account that might contain sensitive information of companies or of individuals, possibly warranting notifying other companies and individuals of the intrusion, such as high net worth investors and other counterparties.

The FBI recently released a public service announcement reporting that $11 billion has been lost in the last six years due to business email compromises suffered by over 73,000 victims. In this client alert, we provide tips to prevent, and mitigate the harm from, business email compromises. These tips are gleaned from our experience assisting dozens of clients in the investment industry with business email compromises over the last six years.

To prevent and mitigate the harm from business email compromises, firms should consider these cybersecurity measures:

1. Implement multi-factor authentication (MFA) for email access and remote access (for example, VPN access). If MFA is enabled, an attacker would require more than a username and password to gain access to the system.

2. Disable legacy email authentication protocols (such as POP and IMAP), which are enabled by default on some email platforms. Under certain circumstances, legacy authentication protocols can be used to bypass MFA. Attackers frequently use legacy authentication protocols to perform brute-force and password spray attacks.

3. Enable audit logging and retain such logs for a period of time that is appropriate for your company, such as 90 days. Audit logging is not enabled by default on some email platforms, which can make it impossible to investigate what an intruder did while in an email account.

4. Deploy features that cause incoming emails that originate from external senders to be labeled as “external.” This measure is intended to thwart attempts by criminals to “spoof” emails to make them appear to have come from within the same firm.

5. Disable or restrict auto-forwarding of emails to email addresses outside your company domain. After email intruders have gained access to a mailbox, they frequently create a rule to auto-forward incoming emails to an external email account that they control, in order to continue to see new emails even after they have been blocked from the compromised account.

6. Review delegate rights and administrator rights of all email accounts to determine whether they are necessary. Email intruders often use these rights in one compromised email account to access multiple other email accounts at the same company.
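As an added example that is not part of the original alert, the following Python script applies tips 3, 5 and 6 to constructed mailbox audit-log records: it flags inbox rules that forward to an external domain or auto-delete wire-related mail, and delegate rights granted on another mailbox. The firm domain, addresses and the simplified JSON record schema are assumptions, not any real email platform's log format.

```python
"""Scan constructed mailbox audit-log records for the tradecraft the alert
describes: inbox rules that auto-forward externally or auto-delete
wire-related mail, and delegate rights granted on a mailbox."""
import json

INTERNAL_DOMAIN = "examplefund.test"          # assumption: the firm's own domain
WIRE_KEYWORDS = ("wire", "payment", "invoice", "bank")

# Constructed sample records in a simplified, hypothetical JSON schema.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:12:00Z", "user": "cfo@examplefund.test", "op": "NewInboxRule", "params": {"Name": "Finance", "ForwardTo": "cfo.backup@mail-relay.example", "DeleteMessage": false, "SubjectContains": "wire"}}
{"ts": "2024-05-01T09:13:00Z", "user": "cfo@examplefund.test", "op": "NewInboxRule", "params": {"Name": "Cleanup", "ForwardTo": null, "DeleteMessage": true, "SubjectContains": "payment"}}
{"ts": "2024-05-01T09:20:00Z", "user": "analyst@examplefund.test", "op": "NewInboxRule", "params": {"Name": "Sort", "ForwardTo": "analyst@examplefund.test", "DeleteMessage": false, "SubjectContains": "newsletter"}}
{"ts": "2024-05-01T09:25:00Z", "user": "cfo@examplefund.test", "op": "AddMailboxPermission", "params": {"Mailbox": "controller@examplefund.test", "AccessRights": "FullAccess"}}
{"ts": "2024-05-01T10:00:00Z", "user": "analyst@examplefund.test", "op": "MailItemsAccessed", "params": {}}
"""

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def review_event(event, internal_domain=INTERNAL_DOMAIN):
    """Return a list of (severity, reason) findings for one audit record."""
    findings = []
    p = event.get("params", {})
    if event["op"] == "NewInboxRule":
        fwd = p.get("ForwardTo")
        if fwd and domain_of(fwd) != internal_domain:      # tip 5: external auto-forward
            findings.append(("high", f"rule '{p.get('Name')}' forwards to external domain {domain_of(fwd)}"))
        subj = (p.get("SubjectContains") or "").lower()
        if p.get("DeleteMessage") and any(k in subj for k in WIRE_KEYWORDS):  # hides wire traffic
            findings.append(("high", f"rule '{p.get('Name')}' auto-deletes mail matching '{subj}'"))
    elif event["op"] == "AddMailboxPermission":             # tip 6: new delegate right
        findings.append(("medium", f"{p.get('AccessRights')} delegate right granted on {p.get('Mailbox')}"))
    return findings

def scan(log_text, internal_domain=INTERNAL_DOMAIN):
    """Parse newline-delimited JSON records; return findings keyed by acting user."""
    alerts = {}
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        for severity, reason in review_event(event, internal_domain):
            alerts.setdefault(event["user"], []).append((event["ts"], severity, reason))
    return alerts

if __name__ == "__main__":
    for user, items in scan(SAMPLE_LOG).items():
        print(user)
        for ts, sev, reason in items:
            print(f"  [{sev}] {ts} {reason}")
```

Retaining the audit log (tip 3) is what makes this review possible at all; with a 90-day retention window the scan can be run over the whole period in which the rules were created.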

Kristen J. Mathews, Partner

Kristen is a partner in our Global Privacy + Data Security Group. For more than 20 years, Kristen’s practice has focused on advising clients on the full spectrum of the most complex privacy and cybersecurity issues, including regulatory and compliance matters. An early leader in the privacy sphere, Kristen has developed comprehensive knowledge and long-term perspective, cultivated a client base across a broad range of industries, and established herself as one of the top lawyers in her field.

Tiffany Quach, Associate

Tiffany Quach is an associate in the New York office of Morrison & Foerster and a member of both the firm’s Global Privacy and Data Security Group and Technology Transactions Group. She provides strategic solutions to clients across a range of industries on complex matters and brings substantial experience with assisting companies on compliance with global data laws, regulations and industry standards related to digital marketing, the Internet, media, privacy and data security.

Morrison & Foerster LLP

Morrison & Foerster is a firm of exceptional credentials. Our name is synonymous with a commitment to client service that informs everything that we do. We are recognized throughout the world as a leader in providing cutting-edge legal advice on matters that are redefining practices and industries.