A Sydney-based hedge fund has been forced to close its doors after paying cybercriminals more than $8.7M against fake invoices, a reminder that information security controls exist to reduce the chance that fraudulent payment instructions are acted on.
Reports are emerging that the hedge fund was forced to close after paying $8.7M in fraudulent invoices that were sent to the fund and approved without adequate oversight while a number of its staff were working from home.
The scheme is almost identical to the invoice scam in which one of Australia's largest banks, ANZ, was unable to stop more than $800,000 being transferred from a client's account to a group of cybercriminals.
Michael Fagan, co-founder of Levitas Capital, has issued a statement saying that "there were so many red flags which should have been spotted." He went on to explain that "this is one example of the manifest failure of these checks and balances with dramatic consequences for our business."
Levitas Capital was forced to close its doors after the Australian Catholic Super fund withdrew its money, following the September attack in which cybercriminals pocketed $8.7 million through an invoice scam that is now being investigated by the NSW police.
A report from the Australian Financial Review says that digital crime experts have reported a spike “in attacks on hedge funds and private equity firms this year, as informal checks were weakened due to staff working at home as a result of the pandemic.”
That report continues to explain that the AFR “has been told of another fund which lost $25 million in client money from a similar cyber attack, while the trustee for another firm blocked a $1.8 million transfer after the fake invoice was spotted.”
Investigators say that the attack on Levitas Capital began when either Mr Fagan or fellow co-founder Mr Michael Brookes accepted a Zoom call invitation sent by the attackers. From there, the attackers were able to implant malicious software (malware) into Levitas' systems, which let them create and send invoices in the fund's name.
According to the AFR report, “Mr Fagan discovered the cyber attack on Levitas by chance on September 23, when the four-year-old fund was preparing to receive a further $16 million from Australian Catholic Super after a bumper year. ACS declined to comment.”
At the time of the attack, Levitas Capital was managing around $75 million, so a single successful invoice scam cost the fund more than 10% of the money on its books.
Mr Fagan has said that “the entire funds management industry relies on a range of important checks and balances to ensure the integrity of the system – in particular, the role trustees and administrators are supposed to play.”
“This is one example of the manifest failure of these checks and balances with dramatic consequences for our business,” he said, adding that “it makes you wonder where else in the system this could happen?”
The AFR's report states that Mr Fagan entered the office early on a Wednesday morning and noticed that $1.2 million had been transferred from the company's Commonwealth Bank account to an unknown recipient. Mr Fagan did not recognise the recipient, 'Unique Star Trading,' and saw that the money had already been moved on to an ANZ account based in Western Sydney.
The AFR writes that "the payment was approved by AET Corporate Trust, Australia's third-largest trustee with $55 billion under supervision, which holds money on behalf of funds like Levitas and is responsible for protecting investors."
AET is owned by a company called Sargon, which has issued a statement saying it was "continuing to investigate the compromise" to find out "how the manual process required to verify instructions may have fallen down."
The fund's administrator, Apex, says that it attempted to contact Mr Fagan to verify the transaction but that he did not answer the call; the transaction was released later that day.
Apex has issued a statement saying that the company "strongly disputes claims that insufficient attempts were made to inform the managers of potentially fraudulent transfers," and that "we have robust internal procedures and controls in place. We are confident that our processes were followed appropriately."
Angus Griggs writes that “the failure of fund administrators, trustees and banks to stop the transfers raises questions around the oversight of Australia’s $1.2 trillion superannuation industry and its readiness to deal with increasingly frequent cyber attacks.”
Business email compromise (BEC) and fake invoice scams are an increasingly common way for criminals to defraud organisations. They target the payment and approval process rather than any software flaw, which is why the verification steps that trustees, administrators and fund managers are supposed to perform matter so much.
One of the most effective ways to curb this risk is to implement an Information Security Management System (ISMS) aligned with a standard such as ISO 27001, and to make sure the controls it defines for payment instructions, including out-of-band verification with a known contact and dual authorisation of new or changed beneficiaries, are actually followed when a call goes unanswered rather than waived.