Sydney-based hedge fund Levitas Capital recently shut down after a fake Zoom e-mail phishing attack resulted in multiple fraudulent wire transfer attempts and the loss of over $800k. As a result, Levitas Capital’s largest institutional client, Australian Catholic Super, pulled a planned $16M investment following the September incident.
Cybersecurity investigators hired by the fund have since determined that a fake Zoom invite was opened by either Michael Brookes or Michael Fagan, who co-founded the business.
The fraudulent invite then planted malicious software on the Levitas network, allowing the hackers to take control of email systems and create multiple fake invoices from various legitimate firms. The attackers then spoofed email approvals for the fake invoices, resulting in payments that initially totaled over $8M.
What can American asset management firms learn from this event?
Criminals continue to successfully target asset managers with clever phishing e-mails that appear to be legitimate activity. Whether the fake e-mail imitates Zoom, Teams, BlueJeans, or any other service, if you click, you could become a victim. However, there are simple controls that can prevent this from happening:
- Staff Cybersecurity Training Conducted Annually
- Simulated Phishing Attacks Conducted Quarterly
- Enterprise Cybersecurity Risk Assessment Conducted Annually
- External Oversight to Your Internal IT Program (trust but verify the security provided by your IT team)
- Wire Transfer Voice Confirmations – No Exceptions
How BW Cyber Services Can Help
If you or an employee of your firm clicked on a link to a meeting invite you didn’t expect, we strongly recommend you seek assistance to determine if it was malicious.
While there is no single way to prevent being on the receiving end of a malicious phishing campaign, BW Cyber Services provides a comprehensive cyber compliance security program to help your firm identify and prevent future attacks from affecting your operations. For more information on how BW Cyber Services can assist you, please contact us at firstname.lastname@example.org.