Three IT executives from venture capital firms share hard-won lessons on protecting their brands from increasingly sophisticated impersonation attacks.
When IT leaders from competing firms willingly share their security challenges and solutions, it signals something important about the threat they’re facing. In a recent Allure Security webinar, three executives from the venture capital and private equity space—Ryan Donnan of First Round Capital, David Grenetz of Notable Capital, and Kevin Mayer of Mayer Consulting—gathered to discuss their experiences combating brand impersonation fraud. Their candor about what they’ve encountered and what they’ve learned offers practical guidance for security leaders in any industry.
The conversation revealed a consistent theme: impersonation attacks have evolved beyond what internal teams can effectively monitor and address alone, and the peer networks that help leaders share intelligence have become as valuable as any technology investment.
The attacks they've faced
Each panelist brought specific examples that illustrated the breadth of impersonation tactics targeting their organizations.
Ryan Donnan, Director of IT at First Round Capital, described an attack that began with a simple domain purchase. “Someone purchased a lookalike domain for our domain, firstround.com,” he explained. “They looked at our website, found our portfolio companies, did some research, found email addresses, and they basically went on an email campaign, reaching out, impersonating our executives.” The firm learned about the campaign only because recipients found the messages suspicious and forwarded them along. “Luckily, no one fell for it,” Donnan said, “but they just kept coming.”
Without an existing vendor relationship, Donnan found himself navigating the takedown process manually. “I did research, found out where the domain was registered, reached out to our network to find out if anyone had a contact at a high level at GoDaddy,” he recalled. The experience crystallized a fundamental problem: “That’s not scalable. They were able to help us once, but there’s no saying if they could help us multiple times if it kept happening.”
Kevin Mayer, a CISSP and founder of Mayer Consulting who has worked in the VC and private equity space for nearly 30 years, described a different attack vector: fake job postings. “Their chief counsel and their HR people started to have job postings pop up,” he said of one client. “This wasn’t attacking our company; it was impersonating our company and attacking the general public, trying to get them to apply for jobs.”
The scheme worked by harvesting personal information from job applicants who believed they were applying to a legitimate firm. “People had their personal information breached by giving it away and paying some dollars,” Mayer explained. “My estimation was that the people doing it were doing it because it was valuable to steal someone’s identity and sell it.” The reputational damage to the impersonated firm was significant even without direct financial loss, and the attacks persisted despite response efforts. “We thought we had it licked,” Mayer said. “Once they had success, they just continue to bombard us with that.”
David Grenetz, Senior Vice President of IT at Notable Capital, encountered impersonation at a scale that overwhelmed his team’s ability to respond. “In June 2022, a coworker made me aware that there were hundreds and hundreds of impersonations in Telegram of our brand and of our key executives,” he recalled. “I had never used Telegram. I had no idea how to use it, much less how to go about figuring out how to take down all these impersonations.”
When Grenetz’s team investigated, they discovered an elaborate investment fraud scheme. “The general idea of the scam is they would pretend to be our firm’s managing partners, they would be giving out stock tips,” he explained. “If the tip was successful, then the community they had built in Telegram would become very excited and want to double down. And that’s when the victims would then pay into this investing club.” The attackers were exploiting Notable Capital’s brand recognition and executive credibility to defraud people the firm had never interacted with.
The scale problem
A recurring theme throughout the discussion was the impossibility of defensive domain registration as a protection strategy.
“My first gut reaction was, I just need to go out and buy all these domains,” Donnan admitted. “Going to something like DNS Twister to see all the permutations, not only are there so many top-level domains now, not just .com, .net, .edu, there’s infinite, it seems like at this point.” The number of domains required was “staggering in both cost and in me thinking through the complexity of owning them all.”
Mayer confirmed the scale: “Our initial estimate, we had 800 domains for this one firm.” The traditional advice to register defensive domains simply doesn’t work at modern scale. “I’ve seen some solutions where that’s the advice: just go buy every domain, every variation,” he said. “We quickly run out of time and resources to be able to handle that.”
The challenge extends beyond registration to ongoing management. As the moderator noted, “It’s not only buying all the domains, it’s having to manage that incredible portfolio of these domains. What’s active? What’s expiring? What do we need to do? Who’s in charge of this?”
The value of peer networks
All three panelists are members of VCPEIT.org, a peer networking group for IT executives in venture capital and private equity. Their discussion highlighted how this collaborative community has become essential for navigating security challenges.
“I became one of the founding members of the group in the early 2000s,” Mayer explained, “and it really became something very unique. I don’t know too many industries like this—where it wasn’t always competitive, but collaborative.” When he needed to evaluate brand protection vendors, he reached out to the group: “I called David and said, ‘Hey, who do you use for XYZ?’ And he narrowed my list down from 10 people I didn’t know to three people I didn’t know.”
Grenetz emphasized the trust that makes such sharing possible. “What’s great about this group is that everyone trusts each other and truly wants each other to succeed,” he said. “At some level, we are competing firms; my firm and Ryan’s firm technically should be competing with each other. But in this group, we honestly all want each other to do well. It’s more of a coopetition.”
The collaboration extends to active incident response. “When we as a firm started getting impersonated in the Telegram attack, I pinged the group,” Grenetz recalled. “I checked in to see, ‘Hey, is anyone else seeing what we’re seeing? What protections have other people tried? What are some of the risks?'” Finding others who had faced similar attacks provided both practical guidance and confidence: “When you find someone else who’s been through it already, it’s like having a big brother, big sister to take you under their arm.”
Donnan, who operates as a one-person IT team at First Round Capital, described the group as essential to his effectiveness. “It’s hard to be an expert in everything,” he said. “Being a part of this group where, for things that maybe you haven’t experienced yet, someone else probably has. I always say, I wouldn’t be where I am today in my career without the group.”
Practical recommendations
The panelists offered specific guidance for organizations building brand protection capabilities.
Build relationships before you need them. Grenetz emphasized the importance of establishing contacts at platforms, registrars, and law enforcement before incidents occur. “Think about it: Telegram, WhatsApp, X, LinkedIn,” he said. “If you know someone and you can pull in a favor, get that lined up ahead of time because you’re going to need it.” He specifically recommended building FBI relationships: “It’s great to know who your FBI contact would be in case there is an incident.”
Consider domain blocking services. Rather than purchasing hundreds of defensive domains, Grenetz suggested programs like DPML and Global Block Plus that can block trademark-infringing registrations. “You can essentially take your firm’s trademarks, submit them to a domain registry, and they will block those domains for you,” he explained. “You don’t actually have to buy them, you don’t have to manage them.”
Register your trademarks. Mayer noted that many firms haven’t completed the formal trademark registration process, which complicates protection efforts. “It’s very unlikely your firm has gone through the process of getting a service mark for the logo that you’re using,” he said. “If you have that, it’s a lot easier to protect some of the visuals that you may be using in your media.”
Educate your stakeholders. Donnan stressed the importance of ensuring customers and partners understand your normal processes. “Make sure that your customers—in our case, our LPs, our investors, and the founders we work with—are aware of what your processes are,” he said. “If someone impersonates your brand and those people are very acutely aware of how you typically handle requests, it’ll be easier for them to realize that they’re being scammed.”
Measure something. Mayer shared advice from his CISSP training: “If you want to improve your posture, measure something. He didn’t care what it was; just start somewhere.” Understanding the scope of your exposure is the first step toward addressing it.
Recognize when to outsource. The panelists were unanimous that in-house efforts have limits. “If you’re a small firm, you simply don’t have the time or resources to get this accomplished,” Mayer said. He described a recent takedown involving a domain registered in the UAE: “It literally took hours when Allure did it. We just couldn’t—I don’t even know where I would have started.”
Donnan put the business case simply: “While there is a capital expense related to moving forward with a brand protection company, having one really bad thing kill your reputation and have people not want to work with you because of it is worth any amount of money to try to stop that from happening.”
The Bottom Line
The webinar revealed a consistent pattern: IT leaders at investment firms have discovered that brand impersonation poses risks they cannot adequately address alone. The attacks target not just the firms themselves but their portfolio companies, limited partners, and the general public, anyone who trusts the brand enough to engage with what appears to be legitimate outreach.
For a deeper exploration of how security leaders across industries are rethinking their approach to impersonation threats, see our analysis of emerging CISO priorities around external threat visibility. The peer insights shared in this webinar complement that broader research with practical, experience-tested guidance from leaders who have faced these attacks firsthand.
Key Takeaways
Panelists described lookalike domain email campaigns targeting portfolio companies, fake job postings designed to harvest applicant personal information, and large-scale social media impersonation on platforms like Telegram used to run investment fraud schemes.
The number of possible lookalike domains has become unmanageable. One panelist estimated 800 domains would be needed for a single firm. Beyond acquisition cost, managing the portfolio (tracking expirations, renewals, and active threats) exceeds what small IT teams can handle.
IT leaders described their peer group (VCPEIT.org) as essential for sharing threat intelligence, evaluating vendors, and learning from others who have faced similar attacks. The collaborative nature allows competing firms to strengthen the entire industry’s security posture.
Panelists suggested that if impersonation incidents have occurred more than once, or if responding to threats consistently falls below other priorities due to time constraints, it’s time to engage specialized help. The speed and expertise of dedicated providers far exceeds what internal teams can achieve.
Recommendations included building relationships with platform contacts and law enforcement before incidents occur, registering trademarks to strengthen takedown requests, educating stakeholders about normal communication processes, and considering domain blocking services rather than defensive registration.
