As recently as October 2019, hedge fund Arena Investors was the latest known victim of a phishing attack.  One industry expert was quoted as saying, “By targeting high-level executives in the financial industry, attackers are then able to send out wire transfer requests to someone in accounts payable, and then money is wired out to third parties. Make one mistake, and it could cost millions of dollars.”  Moreover, a recent report suggests that the governing body regulating hedge funds, the Commodity Futures Trading Commission (CFTC), is susceptible to compromise.  

Business e-mail compromise, or BEC, is a phishing scam that tends to target high-level executives, finance personnel and wealthy individuals who are responsible for initiating wire transfers. BEC scams were previously referred to as “man-in-the-email scams” and attempt to compromise the target’s email account. Access to an account can be obtained through email spoofing, the use of keyloggers, or successfully phishing an individual and collecting their user credentials.

Once an email account has been compromised, the attacker will intercept emails and initiate fund transfer requests to other employees, business partners, your family office or vendors. These requests will include payment instructions that redirect the money to a criminal account. You may never even see these emails, as attackers can adjust the email routing rules and keep them hidden from your view. You may only become aware of the situation once the money has gone out the door.

In 2018, the amount of money lost by companies to this scam doubled, but the criminals will target anyone who has a lot of money. They tend to mark their requests for funding as urgent or link them to dire consequences, as cybercriminals want you to be in an emotional state so you are not thinking straight.

How can you protect yourself and your business from this kind of scam? Here are some things you can do:

  • Use anti-virus software on your systems and keep them up-to-date.
  • Protect your e-mail account. Use a strong password and at least two-factor authentication on all of your e-mail accounts. If your email account has security questions attached to it, change them to something more obscure. For accounts which insist on using your mother’s maiden name or other easy-to-obtain information, it is often a good idea to create a unique answer. Just make sure that you keep track of the answers you provide.
  • Using a password manager can help you use stronger passwords without needing to remember them all, and you can store the responses to security questions here as well and keep them protected.
  • Have a policy of verifying all fund transfers by phone or in person. Contact individuals based on the phone number you have on file and not what is listed in the email.
  • Carefully review fund transfer email requests. Pay attention to the email address and timing of the request (is it out of the ordinary to be receiving such a request?). Thieves may create a free email account that uses your contact’s name, or which is one character away. For example, the real address might be doe@… and the thieves might make jonidoe@…. On timing, perhaps you sent the payment last month and you are not scheduled to send another payment until 2 months from now.
  • Keep yourself educated on new techniques and scams. Education is your strongest weapon against BEC and other techniques that target the human factor.
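
The address check from the fund-transfer review item above can be run automatically against the contacts you already have on file. The following Python is an added example, not part of the original article; the address book, the sample headers and the one-character threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed address book: contact display name -> address on file.
KNOWN_CONTACTS = {
    "Jane Doe": "jane.doe@fund.example",
    "Sam Lee": "sam.lee@vendor.example",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, max_distance: int = 1) -> str:
    """Classify a From: header as known, lookalike, name-reuse or unknown."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    name = " ".join(name.lower().split())
    known = {n.lower(): a.lower() for n, a in KNOWN_CONTACTS.items()}
    if addr in known.values():
        return "known"
    # Address within max_distance edits of one on file (assumed threshold: 1).
    if any(edit_distance(addr, a) <= max_distance for a in known.values()):
        return "lookalike"
    # A contact's display name on an address that is not the one on file,
    # e.g. a free webmail account opened in the contact's name.
    if name in known:
        return "name-reuse"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers.
    for header in (
        "Jane Doe <jane.doe@fund.example>",
        "Jane Doe <jane.d0e@fund.example>",
        "Jane Doe <janedoe.office@freemail.example>",
        "Pat Kim <pat.kim@other.example>",
    ):
        print(f"{check_sender(header):<11} {header}")
```

Any result other than `known` on a payment request is a reason to verify by phone, using the number on file, before money moves.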

The key to avoiding falling victim to a BEC scam is to educate yourself, pay attention, and always verify the sender before transferring money. Make sure that everyone you deal with also stays up to date on these types of scams and follows proper procedures when transferring money, especially to overseas accounts. Retrieving money sent to a scammer’s account can be almost impossible, so it is very important to avoid this kind of scam. If you do fall victim to a BEC scam, you should contact your bank immediately regarding the incident, update your computer systems and software and scan your systems for malware. If malware is present on your systems, you will want to remove it before you update account passwords, etc.


If you need help protecting yourself and your money from hackers and thieves, the BLACKCLOAK team is here for you.