*Note: We’ve redacted the names of the sender and everyone included on CC from “the law firm” in the supporting images. This is because the scammer was advanced enough to use the real names, email addresses and titles of the lawyers and revenue coordinator from the firm they were imitating, in order to make it look even more genuine. We want to protect their identity. 

At Black Creek Cybersecurity, we work exclusively with Private Equity Groups, and one thing we remind our clients often is this: even the most sophisticated PEGs fall for well-executed cyber scams. Not because they’re careless, but because today’s threat actors are annoyingly persistent, surprisingly clever, and extremely good at mimicking normal business behavior.

Recently, one of our PEG clients experienced a classic wire fraud event. 

The bad news is that they lost almost $400k.  

The good news? We contained the risk, might recover the funds from insurance and a third party claim, and the client is using the lessons learned to strengthen their processes. 

The better news? Their experience can help others avoid the same trap.

Here’s a high-level breakdown of what happened.

The Setup: An Email From “The Law Firm”

 

A finance director at the PEG received what appeared to be a routine invoice from a well-known law firm they regularly work with. The email looked legitimate, the tone was professional, and the attached invoice matched prior formatting.

But there was one problem:
It wasn’t from the law firm.

The threat actor had created a deceptively similar email address, off by just a few characters. Over the next 28 hours, the finance director and another team member exchanged multiple emails with the attacker, not realizing the subtle differences in the sender’s URL.

How many chances did they have to catch it? Fourteen.

Yes, 14 times the false URL appeared in their inbox. And before you judge, ask yourself: how often do you meticulously analyze every character of every email address you receive on a busy day?

Exactly.

 

Tactic #1: Manufacturing Urgency

Threat actors know that PEGs operate at high speed. They also know that finance teams are exceptionally busy. So what’s the easiest way to slip past someone’s defenses?

Create a false sense of urgency.

In this case, the attacker pushed “prompt payment discounts” and sent multiple follow-ups within short windows of time. 

Ask yourself: When’s the last time a law firm offered you a discount for paying early?

The abnormal speed, pressure, and tone were all subtle yellow flags that, in hindsight, glow neon.

 

Tactic #2: Switching the Payment Method

The attacker requested a wire instead of the ACH transfer the PEG normally uses for routine legal invoices.

Would this have prevented the fraud? Probably not.

But it would have added friction, meaning more time to pause, question, and double-check.

Any deviation from standard process is worth a quick sanity check, especially when money is moving.

 

What We Can All Learn

This incident highlights a few universal truths across the PE ecosystem:

  • Cyber risk isn’t about intelligence, it’s about timing, pressure, and human nature.
  • Threat actors succeed by looking normal and acting urgent.
  • Small process deviations (like unusual payment terms) can be early clues.
    Teams benefit enormously from creating a culture where slowing down is acceptable.

We share this story not to point fingers – far from it – but because transparency helps every PEG strengthen its guardrails. If it can happen to a seasoned finance director (and it can), it can happen to anyone.

And that’s why we exist: not to sell you tools you don’t need, but to help you navigate risk with clarity, plain English, and just enough candor to keep things human.

If you’d like help reviewing your payment processes or running a quick fraud-resilience workshop for your PEOps or PortCo teams, you know where to find us.