Business Email Compromise for Private Equity Firm
June 10, 2024
A private equity firm’s limited partner (“LP”) was impacted by a business email compromise (“BEC”), resulting in the threat actor stealing funds from the firm. Using a compromised email account within the LP’s system, the threat actor hijacked an email thread between the private equity firm and the LP regarding a cash transfer. This allowed the threat actor to call the private equity firm for verbal approval of the transfer and to create confusion within the email thread, ultimately leading to a fraudulent wire transfer. The private equity firm retained FTI Cybersecurity to investigate the situation and attempt to recover the stolen funds.
Our Impact
FTI Cybersecurity experts discovered that the originating mail servers were all the same. In other words, the threat actor sent the email from a legitimate account on the LP’s domain, which meant the LP itself had been compromised. The threat actor had also created fake domains that closely resembled those of the LP and the private equity firm to execute the fraudulent wire transfer. FTI Cybersecurity concluded that none of the email attachments analyzed contained malware, and identified that the fraudulent wire instructions had been produced using online PDF tools. These investigative efforts allowed FTI Cybersecurity to assist in the partial recovery of the transferred funds.
Our Role
The FTI Cybersecurity team performed a digital forensics review of the Microsoft 365 environment, which included a review of the email headers of communications between the firm and its LP. The goal of the review was to determine whether the account sending the fraudulent wire instructions was being spoofed or was a legitimate email account of the LP. FTI Cybersecurity also analyzed the email attachments to determine who created them and whether they contained malware.
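The header review described above, as an added illustration that is not FTI Cybersecurity’s own tooling: the script compares the originating relay of a suspect message against a known-good message from the same thread (a match points to a compromised account rather than a spoofed one) and flags sender domains that are near-matches of trusted domains. All messages, domains and addresses are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
# Constructed sample messages (hypothetical domains, not from the case):
LEGIT = (  # the LP's genuine message earlier in the thread
    "Received: from mx.lp-example.com (mx.lp-example.com [203.0.113.10])\n"
    " by mail.pe-example.com with ESMTPS; Mon, 3 Jun 2024 09:00:00 +0000\n"
    "From: Treasury <treasury@lp-example.com>\nSubject: Capital call wire\n\n"
    "Please confirm the wire.\n")
HIJACKED = (  # sent from the compromised LP mailbox: same originating relay
    "Received: from mx.lp-example.com (mx.lp-example.com [203.0.113.10])\n"
    " by mail.pe-example.com with ESMTPS; Tue, 4 Jun 2024 10:00:00 +0000\n"
    "From: Treasury <treasury@lp-example.com>\nSubject: RE: Capital call wire\n\n"
    "Updated instructions attached.\n")
LOOKALIKE = (  # sent from an attacker-registered domain resembling the LP's
    "Received: from vps.example.net (vps.example.net [198.51.100.7])\n"
    " by mail.pe-example.com with ESMTPS; Tue, 4 Jun 2024 11:00:00 +0000\n"
    "From: Treasury <treasury@lp-exarnple.com>\nSubject: RE: Capital call wire\n\n"
    "Use the new account.\n")
TRUSTED = {"lp-example.com", "pe-example.com"}

def originating_relay(raw):
    """Host named in the earliest hop: the bottom-most Received header."""
    msg = message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+)", received[-1]) if received else None
    return m.group(1).lower() if m else None

def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as rn-for-m swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw, baseline, trusted=TRUSTED):
    """Compare a suspect message with a known-good one from the same thread."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    return {
        "sender_domain": domain,
        "relay": originating_relay(raw),
        # same relay as the genuine message -> the LP account itself is in use
        "same_origin_as_baseline": originating_relay(raw) == originating_relay(baseline),
        # close to, but not equal to, a trusted domain -> registered lookalike
        "lookalike_domain": domain not in trusted and any(0 < levenshtein(domain, t) <= 2 for t in trusted),
    }
```

On real mail, export the full headers from Microsoft 365 message trace or the mailbox item and pass them in as `raw`; Received headers are trusted only from the point where your own mail servers added them, so read the chain from your side inward.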