Private Equity Firms Report Receiving Phishing Emails and Scam Capital Calls

Multiple private equity firms have recently reported scams, including receiving targeted phishing emails and fake capital calls to their clients. Typically, these phishing emails target the firm directly and are structured in a way that entices the receiver with an “investment opportunity” encouraging them to click on the fraudulent links included in the email for additional information. By clicking on links, hackers can install malware and/or attempt to gain access to user credentials.

In contrast, fake capital calls target the investors themselves with the overall intent to convince them to wire money to a fraudulent bank account. Due to hackers’ increased sophistication and understanding of private equity firms, they have been able to utilize these tactics to impersonate firms and send out fake capital calls to investors.

ACA Guidance

ACA Aponix^® tracks click rates and credential submission rates for mock phishing tests as part of our phishing prevention service. Our tracking shows that 60% of phishing tests performed in April - July of this year had at least one person who clicked the link, and 40% of phishing tests had at least one person who submitted credentials. This points to the continuing need to build up staff members' ability to detect phishing attempts.

ACA recommends that employees receive security awareness training (including phishing prevention) upon hiring and as part of an annual required refresher/update. In addition, firms should include mechanisms for employees to report phishing attempts and to notify IT if they did indeed succumb to an attack. Alongside training employees on how to detect suspicious emails, firms should also teach their team members what legitimate messages should look like so they can more effectively identify suspicious emails.

Phishing training does not stop at the firm, but instead should be extended to investors as well. Remind investors to call the firm directly and verify the legitimacy of a request before they make any payment. Likewise, the firm should ask investors to verify any changes to account numbers, addresses and other PII before they make a payment. By implementing these verification controls, you will be able to help keep your firm and investors’ funds secure.

Infographic: 8 Ways to Spot a Phishing Scam

It is critical everyone in your organization as well as your clients are educated on how to detect a phishing attack. Our team of cyber experts have put together the following 8 tips for identifying a phishing attack that are detailed in an infographic you can easily share with employees and clients. With these verification controls, you will be able to help keep your firm and investors’ funds secure. Download the full infographic.

How we help

ACA Aponix offers the following solutions that can help your firm protect itself as well as comply with regulatory demands in this area.

ACA recommends that employees receive security awareness training (including phishing prevention) upon hiring and as part of an annual required refresher/update. In addition, firms should include mechanisms for employees to report phishing attempts and to notify IT if they did indeed succumb to an attack. Alongside training employees on how to detect suspicious emails, firms should also teach their team members what legitimate messages should look like so they can more effectively identify suspicious emails.

• Threat intelligence, phishing testing and monitoring
• Risk assessments and regulatory compliance testing services 
• Operational resilience and governances

If you have any questions, please contact your ACA Aponix consultant or contact us.