How (and why) are investment management firms targeted by phishing?


Hear from Jack Chapman, Egress VP of Threat Intelligence, on why US wealth management firms are top phishing targets.


Cybercriminals are ramping up their attacks on financial institutions, and diversifying the tactics they use to carry out successful breaches. But contrary to popular intuition, common targets have not been limited to the largest, most powerful banks and organizations, and hackers are showing increased interest in small to mid-sized asset and wealth management (AWM) companies.

In fact, according to a report released in 2019 by Boston Consulting Firm, AWM companies and independent investment management firms have been 300 times more likely to be targeted by phishing scams than other organizations.

New targets for cybercriminals

The growing threat to AWM companies can primarily be attributed to the level of wealth being overseen today by even the “smallest” firms, as well as their tendency to have significantly smaller cybersecurity budgets and staff compared to larger institutions.

According to a report by Digital Shadows, a trusted source for the detailed evaluation of digital risks, hedge funds and similar independent financial managers are currently on track to control nearly $148 trillion in global assets by 2025.

In the absence of truly novel and proactive efforts to enhance cybersecurity protocols, this evaluation will likely translate into further, more calculated targeting of wealth management firms and their clients in the future.

It all starts with an email

There are a number of sophisticated methods used by cybercriminals today, whether to gain access to funds directly, or to procure valuable information related to a firm's operations and/or high-profile client base.

Most of the methods concerning investment management firms are variations of phishing scams, in which attackers use email either to deliver malware or to impersonate known clients or associates in order to manipulate targets into complying with their demands.

This is hardly surprising when you consider the increasing availability of information online, which allows many cybercriminals to acquire the email addresses and personal business accounts of their targets with little to no difficulty. And while each individual cyberattack tends to follow its own unique trajectory, there are two common methods that seem to be particularly threatening to investment management firms today.

Ransomware: A rapidly growing problem

Ransomware attacks have been dominating cybersecurity headlines lately, as the approach has become increasingly popular among hackers. In a ransomware attack, cybercriminals gain access to an individual or institution’s sensitive data, after which they demand payment to keep the information under wraps.

This leaves firms in a very precarious position. They either have to pay up (which still leaves no guarantee the cybercriminals won’t further blackmail them) or go through an immensely expensive IT rebuilding process. And it can all come from an innocent click on a malicious link.

These attacks are increasingly well organized and carried out by large hacker collectives, often referred to as “gangs.” At the end of 2020, at least two such groups, Sodinokibi and NetWalker, were found to be in possession of data from AWM companies, and had even published glimpses of what they had acquired on various blogs.

Sophisticated phishing: Business email compromise (BEC)

BEC attacks represent a particularly pervasive threat to investment management companies, as advancements in technology have enabled hackers to carry out impersonation campaigns in increasingly convincing ways.

Typically, cybercriminals will assume the identity of an executive, client, or any involved party who might regularly request access to information or the transfer of funds. In one such case, cybercriminals assumed the identity of a U.S. firm’s client, requesting the transfer of $80,000 for a home renovation.

Because the hackers had done their homework, they knew such a request was not out of character for the client, and might have succeeded if the firm hadn't called the actual client for confirmation. These sorts of attacks are happening with more frequency and are increasingly unpredictable, as they can happen within the immediate network of the firm itself or be carried out as the result of a compromised external vendor.

As cybercrime evolves, so should cybersecurity

While we know that widespread digitalization calls for advanced cybersecurity technology and training, many investment management firms still lack adequate protection against these threats.

Of course, not all firms currently have the budget to compete with that of global banking institutions, and at Egress we believe that having strong cybersecurity shouldn’t be solely dependent on increased spending. With this belief in mind, we have designed our Egress Defend platform to empower your users to become security assets – not security threats.

Egress Defend: Protecting wealth management firms with intelligent tech

Egress Defend uses the latest in machine learning and natural language processing (NLP) technology to detect the most convincing, and therefore damaging, inbound phishing attacks. This includes advanced threats such as business email compromise (BEC) and brand forgery, CEO fraud and impersonation attempts, and spear phishing.

Defend is the only solution globally to operate on a zero-trust model, analyzing the context and content of every inbound email before it’s delivered to an employee’s inbox. Going beyond the analysis provided by SEGs and social graphing, Defend can determine every sender’s authenticity, detecting when cybercriminals are using compromised accounts on authenticated domains or have used open-source intelligence to make their attacks more convincing.

Using a traffic-light warning system and insight summaries, the solution alerts users to both of the most dangerous types of phishing: hyperlinks weaponized with ransomware, and ‘payload-less’ attacks, which don’t contain a malicious attachment or link but instead build trust with the recipient over time to request that an action be carried out, such as a payment transfer.

Want to learn more?

Interested in how the Egress platform can offer your law firm the depth of protection it needs? Find out more here, or arrange a no-strings attached product demo today.
