By October 2020, Australia had already battled not only horrific bushfires but a global pandemic too. While these events have drastically impacted the everyday life of Australians and businesses, we have at the same time seen a spike in cyber attacks, which can affect anyone, particularly the vulnerable and the distracted.
The Australian Department of Foreign Affairs and Trade and the Australian Cyber Security Centre have come together to denounce these cyber attackers who are “seeking to exploit the pandemic for their own gain”. In particular, the recent attacks have highlighted data vulnerabilities for investors. It goes to show that the saying ‘never let your guard down’ remains relevant – especially in a crisis.
RISKS FOR INVESTMENT MANAGERS AND SUPER FUNDS
According to NTT’s 2020 ‘Global Threat Intelligence Report’, financial services was the third-most targeted industry in Australia, receiving 13% of cyber attacks. Since the COVID-19 pandemic began, we have seen a further increase in cyber attacks on the industry, resulting in attempted and actual incidents of fraud and data breaches. Scammers are no longer targeting only the large players in the market (i.e. the big four banks) as they have in the past, but are now also targeting smaller organisations, including boutique investment management firms and small superannuation funds. Some of the most worrying trends for the investment management and super fund industry include:
Spear phishing
Spear phishing attacks are fraudulent emails targeted at a specific individual, organisation or business. GreatHorn’s ‘2020 Phishing Attack Survey’ found that US organisations are remediating on average nearly 2,000 phishing attacks every month, with more than half of all respondents saying their enterprise has seen an increase in phishing attacks through email since the start of the pandemic. While most of these have been, and remain, laughable because of their spelling mistakes and the ludicrousness of the requests, spear phishing attempts have become significantly more sophisticated in the last year.
Recently we have seen multiple instances of scammers, who clearly have knowledge of how the industry works, targeting organisations through their third parties. They often pose as a member of the finance or accounting team at an investment manager or super fund, and target the appointed fund administrator or custodian to gain information regarding the organisation’s bank accounts.
The scammers often know details about these third-party relationships. This can happen when a corporate email account has been compromised (which is also increasing in frequency) but generally, it should be noted that information regarding third-party fund administrators and custodians can usually be found publicly online.
Manipulation of instructions sent via email
The most troubling trend we are seeing is the interception and manipulation of emailed instructions. As with spear phishing, the most successful attempts have been between investment managers and super funds and their third parties.
Recent incidents include manipulated cash payment instructions (such as for settlements of collateral movements), application and redemption requests, and capital call and distribution notices. This has involved scammers intercepting emails between organisations, changing just the bank account details, and then sending on the email with a near-identical email address and with the original recipient’s name displaying.
This has been observed across multiple asset classes: for instance, attempted fraudulent capital calls of more than $100 million for direct infrastructure assets, and smaller settlement and redemption requests for equities and fixed income funds and mandates.
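The two tell-tale signs of the manipulated-instruction pattern described above are a familiar display name on an address that is a near-miss of the counterparty’s real one, and bank details that differ from those previously verified. The following is an added illustration (not code from the article or from Mercer) of how an administrator or custodian could screen incoming payment instructions for both signs before anything is paid; the contact directory, account register and sample headers are constructed for the example.

```python
"""Screen emailed payment instructions for the interception pattern:
a known counterparty's display name on a lookalike address, or bank
details that do not match the ones already verified on file.
All names, addresses and account numbers below are constructed samples."""
import difflib
from email.utils import parseaddr

# Constructed directory: display name -> the address registered for that contact.
KNOWN_CONTACTS = {
    "Jane Citizen": "jane.citizen@examplecustodian.com.au",
}
# Constructed register of bank details already verified for each counterparty.
ACCOUNTS_ON_FILE = {
    "Example Infrastructure Fund": ("062-000", "12345678"),
}


def domain_similarity(a, b):
    """Similarity ratio in [0, 1] between two domains (1.0 = identical)."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_sender(from_header, threshold=0.85):
    """Return warnings for a From: header whose display name belongs to a
    known contact but whose address is not the one registered for them."""
    name, addr = parseaddr(from_header)
    expected = KNOWN_CONTACTS.get(name)
    if expected is None or addr.lower() == expected.lower():
        return []  # unknown contact (out of scope here) or genuine address
    exp_domain = expected.split("@", 1)[1]
    domain = addr.split("@", 1)[1] if "@" in addr else ""
    if domain_similarity(domain, exp_domain) >= threshold:
        # One or two characters changed: the near-identical address trick.
        return [f"lookalike domain {domain!r} for {name!r} (expected {exp_domain!r})"]
    return [f"display name {name!r} used with unregistered address {addr!r}"]


def check_bank_details(counterparty, bsb, account):
    """Warn when an instruction's bank details differ from those on file;
    any difference should be confirmed by call-back on a known number."""
    on_file = ACCOUNTS_ON_FILE.get(counterparty)
    if on_file is None:
        return [f"no verified bank details on file for {counterparty!r}"]
    if (bsb, account) != on_file:
        return [f"bank details for {counterparty!r} differ from those on file"]
    return []
```

Both checks are deliberately conservative: a warning does not prove fraud, it only routes the instruction to out-of-band verification instead of straight-through processing.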
WHAT CAN BE DONE TO MITIGATE THE RISK?
No organisation, regardless of size, has unlimited resources – and the increasing sophistication of cyber attacks means that no organisation can be 100% secure. Unfortunately, data breaches present enormous financial and reputational risk for businesses. A few of the baseline steps that organisations should take to help protect themselves include:
Conduct an IT security risk assessment – Performing an IT risk assessment helps to identify key assets and corresponding vulnerabilities and threats. There are a number of external IT security consultants in Australia who can assist, and there are also great resources online (such as NIST-based risk assessment templates).
Use secure transfer protocols – Secure web portals or SFTP are recommended, but if confidential data must be sent as email attachments, the attachments should be encrypted. While not nearly as secure as a portal or SFTP, encryption at least creates an extra hurdle for scammers.
Employ multi-factor authentication (MFA) – Not only for remote access to the network but also to key applications hosted externally and mobile email. Many of the instances we have seen where email accounts have been compromised are where MFA is not employed for email accessible on mobile phones.
Conduct penetration testing – Penetration testing can help to identify exploitable vulnerabilities, including for online web portals, applications and networks which may contain proprietary and confidential client data.
Deliver comprehensive staff cyber security training – Employees are an organisation’s greatest line of defence, but can also be its greatest weakness. All the controls in the world will not prevent data breaches if employees are not aware of threats. Research from KnowBe4 found that when organisations implemented phishing testing and follow-up training, within 90 days the proportion of employees who clicked a simulated phishing link or opened an infected attachment during a testing campaign was more than halved, from 37% to 14%.
Perform adequate due diligence on third parties – While onsite due diligence is difficult in the current environment, in-depth due diligence should be performed on key third parties annually and should include a review of data security measures.
The recent increase in attempted cyber attacks has highlighted security vulnerabilities in the financial services industry, heightened by the ongoing remote working environment. With the greater sophistication of these attempts and our growing dependence on digital tools, the likelihood of serious data breaches occurring has never been greater – nor the consequences more costly.
No organisation can be 100% secure from a cyber attack; however, implementing proactive and robust practices such as these may help minimise the potential risk of cyber attacks.
George Takesian is principal at Mercer.