CEOs, CFOs become main targets in cyber-theft at PE firms

Thieves are sending fake emails that purport to come from executives in order to get money transferred into their own bank accounts.

Chief executives and chief financial officers are becoming the main targets of cyber-thefts at private equity firms, where thieves are attempting to access sensitive information so that money can be transferred into their bank accounts.

One speaker at sister publication Private Equity International's Operating Partners Forum in New York on Thursday said that "the CEO is a major target" of thieves seeking to steal information. Audience members then named CFOs and accounting departments as additional marks.

One common vector is Microsoft Office 365, particularly Outlook. A thief who gains access to a CEO's or CFO's mailbox will switch on automatic forwarding so that every work email is copied to an external account without the owner knowing. Information technology staff can thwart this by blocking the forwarding functionality, and by checking existing mailboxes and inbox rules for forwarding that is already in place.

“Office 365 in particular has something set up where if a bad actor or anybody sets up email forwarding, administrators are notified,” a consultant said. “It’ll say, ‘Forwarding has been set up for this. Is this OK?’”
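What an IT team can actually do about the forwarding abuse described above, as an added example (this is not code from the article, from the forum speakers, or from Microsoft): an Exchange Online PowerShell script that inventories mailbox-level forwarding and inbox rules that forward or redirect mail, flags any target outside the tenant, and, when run with a switch, removes the external forwarding and disables automatic forwarding to the internet tenant-wide. The cmdlets are the standard ones in the ExchangeOnlineManagement module; the internal domain names, the `-Remediate` switch and the `Test-ExternalAddress` helper are assumptions made for the example.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not from the article or from Microsoft. Assumes the account running it
# holds an Exchange Online administrator role. Domain names below are assumed values.
param(
    # Domains that count as "internal"; anything else is treated as external (assumed values)
    [string[]]$InternalDomains = @('example.com', 'example.co.uk'),
    # Without this switch the script only reports; with it, external forwarding is removed
    [switch]$Remediate
)

Connect-ExchangeOnline -ShowBanner:$false

function Test-ExternalAddress {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # Values arrive as "smtp:bob@evil.example" or '"Bob" [SMTP:bob@evil.example]'; pull the address out
    if ($Address -match '([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})') {
        $domain = $Matches[2].ToLowerInvariant()
        return -not ($InternalDomains -contains $domain)
    }
    # No SMTP address in the value (e.g. a reference to an internal recipient object): treat as internal
    return $false
}

$findings = @()

# 1. Mailbox-level forwarding (set via Set-Mailbox or the Outlook on the web "Forwarding" page).
#    ForwardingSmtpAddress is the dangerous field: it can point anywhere, including outside the tenant.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Mailbox  = $_.UserPrincipalName
            Kind     = 'MailboxForwarding'
            Target   = "$($_.ForwardingSmtpAddress) $($_.ForwardingAddress)".Trim()
            External = Test-ExternalAddress $_.ForwardingSmtpAddress
            KeepCopy = $_.DeliverToMailboxAndForward   # $false means the victim never sees the mail
            Rule     = $null
        }
        if ($Remediate) {
            Set-Mailbox -Identity $_.Identity -ForwardingSmtpAddress $null `
                -ForwardingAddress $null -DeliverToMailboxAndForward $false
        }
    }

# 2. Inbox rules that forward or redirect. Attackers often give these bland names or a single
#    punctuation character so they are overlooked in the rule list.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-InboxRule -Mailbox $mbx.Identity |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets  = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            $external = $false
            foreach ($t in $targets) { if (Test-ExternalAddress "$t") { $external = $true } }
            $findings += [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Kind     = 'InboxRule'
                Target   = ($targets -join '; ')
                External = $external
                KeepCopy = -not $_.RedirectTo       # RedirectTo leaves no copy in the mailbox; ForwardTo does
                Rule     = $_.Name
            }
            if ($Remediate -and $external) {
                Remove-InboxRule -Mailbox $mbx.Identity -Identity $_.Identity -Confirm:$false
            }
        }
}

$findings | Sort-Object External -Descending | Format-Table -AutoSize

# 3. Tenant-wide control: stop automatic forwarding to the internet entirely, so that a rule
#    created later by a compromised account cannot deliver mail outside the organisation at all.
if ($Remediate) {
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it without `-Remediate` first and review the table: a finding with `External` true and `KeepCopy` false is the pattern the article describes, a silent copy of everything to an outside account that the owner never sees. The tenant-wide block in step 3 also stops staff forwarding work mail to personal accounts, which is usually the desired side effect but should be communicated before it is switched on.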

The consultant also described how easy it can be for thieves to create a fake LinkedIn account. They send an email to a targeted executive, claiming to have met at an event, with an invitation to view and follow the bogus profile. Once connected, the thief can harvest personal information such as date of birth and use the connection to reach other LinkedIn users.

People are often easier to attack than computer systems because they react emotionally when confronted with urgent financial matters; hence the focus on CFOs and accounting departments at private equity firms. "You have to teach people to be vigilant," the consultant said. "It's much easier to hack a human than it is to hack a machine."

Concerns also extend to the portfolio company level. One person in attendance shared his experience of an incident at a company where he served as CEO. A thief posed as him to send an email to a newly hired employee asking for detailed information on all employees in the company, he said. Using that information, the thief then impersonated the employees, created fake accounts and sent generic letters to the Internal Revenue Service requesting refunds of overpaid taxes. Without going into details, the participant said that in some cases the IRS did pay. The fraud was discovered within weeks, when some employees received letters from the IRS inquiring about the overpayment.

An incident like this emphasizes the importance of constant training for employees. Firms that make compliance and harassment part of annual job training should include cyber-risk management, one speaker said. One method firms are using to prepare for cyber-threats is what a speaker referred to as "social engineering" testing: simulating attacks on staff as part of a plan to raise employee awareness of cyber-risk.

A private equity firm can hire a company to run a test that gauges how good employees are at identifying cyberattacks, such as phishing, and whether they handle them properly. Phishing is the act of impersonating someone else by email in order to steal personal information such as passwords and credit card numbers. The test is also a way for CEOs and CFOs to find out which aspects of their cyber-risk management programs are lacking and how to fix them, the consultant said.

“We have a firm that basically does this for us,” a speaker from a private equity firm said. “They’ll actually do their own spear phishing campaign targeting a company or our own firm and they’ll give us feedback.”