Attackers have found that Venture Capital (VC) firms are often easy and lucrative targets. VCs make large and frequent money transfers through capital calls, fundings, and (hopefully) distributions. Most VCs are tech-savvy, confident problem-solvers, which makes them easy targets for phishing and permission attacks. And smaller VCs may not have an experienced, security-focused technology firm protecting them, even though these VCs have the most to lose. This article explores the top cybersecurity risks facing VCs today and provides practical strategies for GPs to mitigate them.
Phishing and Social Engineering Attacks
Phishing and social engineering remain the most prevalent attacks targeting VC firms. Attackers use deceptive emails or text messages to trick executives and employees into revealing sensitive information, such as login credentials, financial data, or LP contact and capital call information. These attacks are personalized and targeted, which increases their effectiveness.
What to Do About It:
- Employee Training: Regularly educate your team on how to recognize phishing attempts and suspicious messages. Demand a culture of skepticism when handling emails and texts, especially DocuSign requests. Warn new hires that they will receive these attacks as soon as they update their LinkedIn profile. Enforce need-to-know.
- Email Filtering: Configure your Google Workspace or Microsoft 365 tenant with advanced email filtering settings to flag and block phishing emails before they reach the inbox.
- Device Approval: Multi-Factor Authentication (MFA) is a basic essential step, but for additional protection implement device approvals in Google Workspace or Microsoft 365. This means an attacker must not only compromise a password and second factor, but must also have access to a firm-owned computer to reach your data. This has the side benefit of blocking personal computer use, which is also essential for VC compliance.
Vendor Invoice Fraud
It is easy to find out which vendors a VC uses, and the research departments of the better attackers have mapped out who has approval authority, whether that is a finance department, a fractional CFO, or a Fund Administrator. A well-timed call or "payment details update" email can slip through, and the money will be gone within minutes of a wire transfer or ACH to the wrong account. VCs have been particularly vulnerable to this attack recently because JPMorgan's (JPM) takeover of First Republic Bank (FRB) annoyingly changed the account payment information of former FRB clients.
What to Do About It:
- New Payees and Payment Destination Changes: Any addition of a new payee, especially at the behest of an email from a "GP", and any change of payment destination needs a painful, multi-day, multi-person investigation and approval process. Transfer a small random amount first and have someone you know at the payee confirm the amount. Consider using a payee vetting service like TrustPair. Meet in person to confirm additions and changes if possible.
Capital Call Wire Fraud
Attackers thoroughly understand the capital call process and have repeatedly succeeded in inserting themselves into it. Given the sums involved, attackers spend significant research and social engineering effort on these attacks. Friends-and-family and family office LPs are particularly vulnerable to them.
What to Do About It:
- Use an LP Portal: All LP data transfer, including K-1s and capital calls, should go through a portal with individual login credentials and MFA. Some Fund Administrators provide these, notably Aduro's great FundPanel, or you can run your own on Intralinks. Just make sure you never send these kinds of documents via email.
- Keep Telling LPs You Will Never Capital Call via Email: Much like Google says "no one from Google will ever ask you for this code" on every MFA prompt, you should repeatedly and consistently tell your LPs that you will NEVER email them capital call account details. You will email them only to say that a capital call document is waiting in your portal, which they should access using their account and MFA to find the amount and payment details.
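The payee-change and capital call controls above describe a procedure rather than a product. As an added illustration (example code written for this page, not from the article's author or any vendor named here), the following Python sketch encodes that procedure as a maker-checker rule set: a multi-day hold, approvals from several distinct people who are not the requester, a small random test transfer, and confirmation of that amount by a known contact over a channel other than email. The policy values (three-day hold, two approvers, sub-$10 test amount), the account string and all names are constructed assumptions.

```python
"""Maker-checker control for new payees and payment-destination changes (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set
import secrets

# Policy values are assumptions for this example, not figures from the article.
HOLD_DAYS = 3                 # minimum multi-day waiting period before release
REQUIRED_APPROVERS = 2        # distinct people, none of them the requester
TEST_MIN_CENTS, TEST_MAX_CENTS = 1, 999   # small random test transfer, under $10


@dataclass
class PayeeChangeRequest:
    """A new payee or a change of payment destination awaiting release."""
    payee: str
    new_account: str          # constructed placeholder, never a real account number
    requested_by: str
    requested_at: datetime
    approvals: Set[str] = field(default_factory=set)
    test_amount_cents: Optional[int] = None
    test_confirmed: bool = False
    confirmed_via: Optional[str] = None

    def approve(self, approver: str) -> None:
        """Record an approval; the requester may not approve their own change."""
        if approver == self.requested_by:
            raise ValueError("requester cannot approve their own change")
        self.approvals.add(approver)

    def send_test_transfer(self) -> int:
        """Choose the random test amount that the payee will be asked to read back."""
        span = TEST_MAX_CENTS - TEST_MIN_CENTS + 1
        self.test_amount_cents = TEST_MIN_CENTS + secrets.randbelow(span)
        return self.test_amount_cents

    def confirm_test(self, amount_cents: int, via: str) -> bool:
        """Accept confirmation only over a non-email channel and only if the amount matches."""
        if via.lower() == "email":
            return False   # email is the channel the attacker may already control
        if self.test_amount_cents is None or amount_cents != self.test_amount_cents:
            return False
        self.test_confirmed = True
        self.confirmed_via = via
        return True

    def blockers(self, now: datetime) -> List[str]:
        """Reasons the change cannot yet be released; empty means every control is satisfied."""
        reasons = []
        if now - self.requested_at < timedelta(days=HOLD_DAYS):
            reasons.append(f"hold period of {HOLD_DAYS} days has not elapsed")
        if len(self.approvals) < REQUIRED_APPROVERS:
            reasons.append(f"need {REQUIRED_APPROVERS} approvers, have {len(self.approvals)}")
        if not self.test_confirmed:
            reasons.append("test transfer not confirmed out of band by a known contact")
        return reasons

    def can_release(self, now: datetime) -> bool:
        return not self.blockers(now)


def walkthrough() -> dict:
    """Run a constructed request through the controls and record what blocked release at each stage."""
    t0 = datetime(2024, 1, 8, 9, 0)
    req = PayeeChangeRequest("Example Vendor LLC", "ACCT-PLACEHOLDER-0001", "fund.admin", t0)
    result = {}
    result["no_approvals"] = req.blockers(t0 + timedelta(days=3))   # hold elapsed, two other blockers remain
    req.approve("cfo")
    req.approve("gp.two")
    amount = req.send_test_transfer()
    result["email_confirmation_rejected"] = req.confirm_test(amount, via="email")
    result["wrong_amount_rejected"] = req.confirm_test(amount + 1, via="phone")
    result["phone_confirmation_accepted"] = req.confirm_test(amount, via="phone")
    result["too_early"] = req.can_release(t0 + timedelta(days=1))
    result["released"] = req.can_release(t0 + timedelta(days=3))
    return result


if __name__ == "__main__":
    for stage, outcome in walkthrough().items():
        print(stage, "->", outcome)
```

The point of the design is that no single signal releases the payment: a convincing email cannot shorten the hold, a single busy approver cannot wave it through, and the confirming call has to come back with a number the attacker never saw.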
Conclusion
VCs have well over $1 trillion under management, and bad actors are highly focused on getting a share of it. VCs need to be more paranoid and better defended against this onslaught of professional attackers. Beyond the federal obligations on all VCs to protect LP data and investments, a significant breach can be costly and even fatal for a VC. Mitigation steps are not expensive, but they must be taken before an attack succeeds.