A scam that began with a fake Zoom invite has brought a Sydney hedge fund to its knees after hackers sent $8.7 million worth of invoices from the fund manager’s email account.
Levitas Capital – which managed some $75 million before the incident – closed down after the September cyber-attack caused one of its biggest clients to withdraw its money, the Australian Financial Review reported on Monday.
After opening a dodgy Zoom invitation, one of the hedge fund managers, Michael Fagan, had his system infected by malware that ceded control of his emails.
The bad actors then requested a transfer of $1.2 million from the fund to an account owned by a company called Unique Star Trading.
Tracking a proceeding email chain about the money movement, the hackers authorised the transfer on Fagan’s behalf.
Soon a man named Muhammed Bhatti – the owner of Unique Star Trading – began withdrawing the money first in the form of two bank cheques each worth $240,000 and then through over 60 other transactions.
Bhatti took around $780,000 from the account before jumping on a plane and leaving the country as NSW Police began investigation.
Meanwhile, another two transfers were underway through fraudulent invoices to shell companies authorised via Fagan’s compromised email: one for $2.5 million to a Bank of China account in Hong Kong and another $5 million to a United Overseas Bank account in Singapore.
Fagan fortunately clocked the money as it was on the way out, noticing the missing $7.5 million the next day.
He was able to stop the transfers in time to save the money but the damage was done and now Levitas Capital is no more.
Business email compromise scams like the one that brought Levitas Capital undone have been an ongoing scourge for businesses with the Australian Competition and Consumer Commission (ACCC) estimating this scam type cost Australians $132 million in 2019.
These scams see the attacker monitor and intercept email traffic, often sending and approving bogus invoices or other payments for their own gain.
This year alone NSW Police have made multiple arrests of people who were conducting business email scams with one syndicate robbing businesses to the tune of $2.6 million through fraudulent invoices.
For ACCC Deputy Chair, Mark Keogh, business leaders need to be aware of the risk that email compromises can pose to their operations.
“Scammers are increasingly using email scams to target businesses of all sizes,” Keogh said.
“It is important to have strong processes in place for verifying and paying accounts and businesses should ensure their systems have up-to-date anti-virus software.”
Indeed, cybersecurity has received renewed focus from regulators with the Australian Securities and Investments Commission (ASIC) taking financial advice company RI Group to court for its lax cybersecurity.
ASIC was seeking penalties of at least $11 million for multiple incidents where RI Group failed to implement proper cybersecurity, resulting in major breaches.
ASIC did not comment on the Levitas case, but a spokesperson said it had “for several years” warned businesses of the need “to adopt robust and reliable procedures to deal with the growing threat” of cybersecurity.