Hacker in the house: 4 ways cybercriminals are targeting advisors' personal networks
This article originally appeared in Financial Planning.
It’s well known that cyberattacks pose a growing threat to financial advisors and wealth managers. But what many in the industry may not realize is that these attacks are increasingly pivoting to planners’ personal digital spaces as they target them on their home networks and personal accounts.
These attacks are likely to ramp up in the coming months as the growing global crackdown on ransomware continues to thwart cybercriminals’ efforts. This is worrisome because even the best cybersecurity programs have major blind spots when it comes to personal devices and accounts. Hackers know this and are exploiting that weakness to “backdoor” corporate networks. The ultimate goal is to take over an advisor’s accounts and use them for business email compromise (BEC): tricking the client or advisor into wiring funds to the criminals, stealing client information, or gaining deeper access to the advisory firm’s network and accounts.
Here are four ways hackers are targeting advisors where they live:
Personal accounts like email, social media and messaging apps are invaluable to cybercriminals, as they often contain personal or professional information and other intelligence which can be useful for conducting a targeted attack on the advisor’s clients or colleagues, particularly if they have communicated about investments or work matters through those personal channels before.
By hijacking or “spoofing” the advisor’s account, the attacker can then trick the client into sharing personal or financial information and, in a worst-case scenario, into conducting a transaction. These accounts may also contain conversational snippets, documents or other sensitive personal information sent over email that is valuable enough to be stolen directly — or to be used in an extortion attempt. My firm has seen a steady increase in document extortion attacks over the last year, posing a growing risk for high net worth individuals.
Unfortunately, hijacking a personal account is relatively easy. A hacker will begin by identifying the person’s accounts through searches of the public web, the dark web and data brokers. They will then try to steal the advisor’s password through a phishing attack; one common tactic is a fake account alert that redirects the person to a password-stealing “login” page. Hackers can also skip this step entirely by buying the person’s passwords online. After years of corporate breaches, most of us have one or more passwords for sale on the dark web in so-called “password dumps,” and attackers routinely replay those email-and-password pairs against other services (a technique known as credential stuffing) to find out where else they work.
A stolen Netflix or retail account password may seem insignificant to a firm’s overall cybersecurity, but if the advisor reuses that same password on more important accounts such as Office 365, Teams or Slack, it becomes a much bigger problem. Because personal accounts are not monitored or protected by a company’s IT department, these attacks escape attention. An attacker can break into one of an advisor’s personal accounts and then work his or her way into more meaningful business accounts at leisure.
Hackers will also target advisors through text message phishing attacks (also known as SMS phishing, or “smishing”) on their personal cell phones. The goal of such attacks is often to steal the login credentials for the person’s work email, VPN or remote access software. The hackers will also try to capture the multifactor authentication codes used to secure these accounts: a one-time code typed into a fake login page is just as useful to the attacker as the password, provided they use it before it expires.
Smishing attacks are becoming increasingly common. As I write this, a large-scale SMS phishing campaign called “Oktapus” is targeting the employees of many well-known technology companies in an effort to steal their credentials. Uber also appears to have been breached through an SMS attack on an employee. What makes these attacks so attractive to criminals is that, as with other personal accounts, text messages aren’t monitored by company IT departments. Even where the company has a mobile device management (MDM) solution in place, MDM controls the device’s configuration; it does not read incoming texts. The attacks are also simple to carry out and often difficult for victims to detect.
Phone number spoofing and fake virtual phone numbers are easy for an accomplished cybercrook, leaving the target no way to verify whether the number contacting them is real. An email at least carries headers that the recipient or their mail provider can inspect: the Received chain shows which server handed the message in, and the Authentication-Results header records whether the SPF, DKIM and DMARC checks passed for the claimed sender domain. (The Return-Path line on its own proves nothing; it is set by the sending server and can be forged as easily as the From address.) A text message carries no comparable metadata. The bare-bones format of SMS (short, unformatted plain text) also makes it easier for hackers to impersonate an organization or employee, for instance the firm’s IT administrator, and craft convincing messages with none of the usual red flags such as spelling or grammar errors or incorrect logos.
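To make the email side of that comparison concrete, here is an added example (it is not from the original article) that checks the headers a receiving mail server attaches. Everything in it is constructed: two sample messages, a hypothetical receiving server mail.example.net, and a hypothetical advisor domain advisorfirm.example.com. One caveat a practitioner should keep in mind: the Authentication-Results header is only trustworthy when your own provider wrote it, since a sender can insert a fake one; providers are expected to strip any copy that arrives with the message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not real captures. mail.example.net is the
# assumed receiving server; advisorfirm.example.com the assumed advisor domain.
SAMPLE_SPOOF = """\
Return-Path: <bounce@mailer-bulk.example.org>
Received: from mailer-bulk.example.org (mailer-bulk.example.org [203.0.113.10])
    by mail.example.net with ESMTP id abc123 for <client@example.com>
Authentication-Results: mail.example.net;
    spf=pass smtp.mailfrom=mailer-bulk.example.org;
    dkim=none;
    dmarc=fail header.from=advisorfirm.example.com
From: "Jane Advisor" <jane@advisorfirm.example.com>
To: client@example.com
Subject: Updated wire instructions

Please use the new account details attached.
"""

SAMPLE_LEGIT = """\
Return-Path: <jane@advisorfirm.example.com>
Received: from mx1.advisorfirm.example.com (mx1.advisorfirm.example.com [198.51.100.5])
    by mail.example.net with ESMTPS id def456 for <client@example.com>
Authentication-Results: mail.example.net;
    spf=pass smtp.mailfrom=advisorfirm.example.com;
    dkim=pass header.d=advisorfirm.example.com;
    dmarc=pass header.from=advisorfirm.example.com
From: "Jane Advisor" <jane@advisorfirm.example.com>
To: client@example.com
Subject: Quarterly review

See you Thursday.
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def check_headers(raw):
    """Compare the claimed From domain with what the headers actually show."""
    msg = message_from_string(raw)
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))

    # Authentication-Results is written by the receiving server; its value is
    # folded across lines, so search the joined text for the three verdicts.
    auth_text = " ".join(msg.get_all("Authentication-Results", []))
    auth = {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", auth_text, re.I)}

    # Each hop prepends its own Received header, so the last one is the
    # earliest hop visible to the receiver, i.e. the server that sent the mail.
    received = msg.get_all("Received", [])
    m = re.match(r"\s*from\s+(\S+)", received[-1]) if received else None
    sending_host = m.group(1).lower() if m else ""

    findings = []
    if auth.get("dmarc") != "pass":
        findings.append("dmarc=%s for From domain %s"
                        % (auth.get("dmarc", "missing"), from_domain))
    if auth.get("dkim") != "pass":
        findings.append("no valid DKIM signature (dkim=%s)" % auth.get("dkim", "missing"))
    if return_path_domain and return_path_domain != from_domain:
        findings.append("Return-Path domain %s differs from From domain %s"
                        % (return_path_domain, from_domain))
    if sending_host and not _in_domain(sending_host, from_domain):
        findings.append("sending server %s is not in From domain %s"
                        % (sending_host, from_domain))
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "auth": auth, "sending_host": sending_host, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOF), ("legitimate", SAMPLE_LEGIT)):
        report = check_headers(raw)
        print(label, report["auth"], report["findings"] or "no findings")
```

Run against the spoofed sample, the script reports four findings (DMARC failed, no DKIM signature, a Return-Path in a different domain, and a sending server outside the advisor’s domain); the legitimate sample produces none. A text message offers nothing equivalent to inspect.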
An attacker can often find an advisor’s personal cell phone number through legitimate data brokers as well as through simple web searches. These data brokers, which are perfectly legal, sell valuable personal information about almost anyone unless an individual has specifically requested that their information be removed.
Home networks not ‘smart’
An advisor’s home network is an ideal target for a cybercriminal because it tends to be unprotected, giving the hacker access to computers, laptops, tablets and routers, all potential goldmines of sensitive information. Once in, the criminal can monitor traffic and steal passwords. In my firm’s onboarding process, we’ve found that 27% of business executives had malware on their home devices without realizing it. By compromising the home network, the attacker may be able to get direct access to the advisor’s data and client accounts. Cybercriminals may even try to hack the home printer. These devices frequently store data from recent print jobs and they are relatively easy to compromise through insecure connections, default passwords and unpatched vulnerabilities.
Getting into a home network isn’t difficult for a seasoned hacker. Most are incredibly insecure, from the unpatched WiFi router to the “smart” home security camera still set with a default password. All they need is the home IP address (40% of legitimate data brokers sell this information) to scan it for exposed services: a router administration page reachable from the internet, a port forwarded to a camera or storage device, or a service the router opened automatically via UPnP. “Connected” or “smart” homes are at particularly high risk: We’ve found that 20% of connected homes are accessible over the internet by strangers. After a hacker breaches one of these devices, they can use that foothold to leapfrog to other devices through shared connections such as WiFi and Bluetooth.
Children and spouses vulnerable
The accounts of wealthy family members — especially children — are another easy way for a hacker to gain access to a more valuable target, be they wealth managers or Fortune 1000 executives. Family members are often less well protected, potentially less aware of the risks and don’t usually think of themselves as targets for sophisticated cybercrime groups.
In the most likely scenario, a hacker will compromise a family member’s personal email or social media account to communicate with the advisor in an attempt to trick them into clicking on a malicious link or attachment. One particularly stealthy way to do this is through “conversation hijacking,” in which the hacker slips into an ongoing email exchange between the family member and their target in order to spread malware or solicit sensitive information.
There is also a real risk of extortion, including “sextortion,” with family members. At my company, we have seen multiple sextortion cases involving teenage children and spouses in which the hacker uses their information to blackmail the person of interest. There are any number of ways this can happen, from hacking into their personal accounts to stealing sensitive photos, tricking them through a fake romantic relationship or getting them to share private information through chat or messaging apps. Hackers can also infect webcams with malware to secretly record their victims.
‘Harden’ home software; protect your ‘attack surface’
These attacks pose a real challenge to advisors and their firms because they target people in several cybersecurity blind spots, but there are steps advisors can take to reduce their personal “attack surface.”
First, advisors should have their personal information removed from data broker websites. This is not easy, but there are professional services that can help. By removing this information, an advisor will make it harder for a hacker to find their personal cell phone number, home IP address, email accounts and other information that can be used in an attack.
Next, it’s important to improve the security of personal online accounts, particularly any that could be used in phishing attacks on clients or colleagues such as Gmail, Facebook and LinkedIn. Make sure each account has its own unique password and enable multifactor authentication whenever possible, preferring an authenticator app or a hardware security key over codes sent by text message, since those codes can be phished as easily as the password. The average person has over 100 online accounts, so it’s a good idea to use a password manager, which will create and store a strong, unique password for each account and protect them with encryption. A password that is shared or reused between accounts turns an otherwise minor breach of one site into a much bigger security incident.
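As an added example (not from the original article), here is one way to audit a password manager’s CSV export for exactly that kind of reuse. The export layout, the account names and the “breached” password list are all constructed for the example. The breach check is an offline imitation of the k-anonymity range query used by the Have I Been Pwned “Pwned Passwords” service, in which only the first five characters of the password’s SHA-1 hash leave the client and the full hash is compared locally; the local RANGE_DB stands in for that service.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export in the common name,url,username,password layout
# (not a real export; the passwords are invented for the example).
SAMPLE_EXPORT = """name,url,username,password
Netflix,https://netflix.com,jane@example.com,Summer2021!
Office 365,https://login.microsoftonline.com,jane@advisorfirm.example.com,Summer2021!
Slack,https://slack.com,jane@advisorfirm.example.com,Summer2021!
Retailer,https://shop.example.org,jane@example.com,correct horse battery staple
Bank,https://bank.example.net,jane,gX7#pL2q!vR9@mN4
"""

# Stand-in for a breached-password corpus, keyed the way the Pwned Passwords
# service keys it: upper-case SHA-1 hex split into a 5-character prefix and
# the remaining 35-character suffix. The entries are constructed.
_BREACHED = ["Summer2021!", "password123", "letmein"]
RANGE_DB = defaultdict(set)
for _pw in _BREACHED:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    RANGE_DB[_h[:5]].add(_h[5:])


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix):
    """Offline stand-in for the range query: given only the first five hex
    characters, return every known suffix sharing that prefix."""
    return RANGE_DB.get(prefix, set())


def is_breached(password):
    """Only the 5-character prefix is handed to the lookup; the password and
    its full hash never leave this function. This mirrors the real range API."""
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])


def audit_export(csv_text):
    """Report groups of accounts sharing one password, and accounts whose
    password appears in the breached corpus."""
    by_hash = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_hash[sha1_hex(row["password"])].append(row["name"])
    reused = sorted(names for names in by_hash.values() if len(names) > 1)
    breached = sorted(name for h, names in by_hash.items()
                      if h[5:] in range_lookup(h[:5]) for name in names)
    return {"reused": reused, "breached": breached}


if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    for group in report["reused"]:
        print("same password on:", ", ".join(group))
    for name in report["breached"]:
        print("password already in a breach dump:", name)
```

On the sample export the audit flags Netflix, Office 365 and Slack twice over: they share one password, and that password is in the breach list, which is precisely the Netflix-to-Office 365 pivot described above. Run this against a real export only on a trusted machine and delete the export file afterwards, since it holds every password in plain text.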
“Home network hardening” is also vital, particularly in this day and age when so many people are working remotely. At a minimum, this should include:
- Updating all devices in the home to the latest firmware and security patches, prioritizing important devices like routers, modems, firewalls, computers and printers;
- Protecting all online accounts with strong, unique passwords and multifactor authentication;
- Encrypting all important documents, files or data, and backing them up on an external hard drive that is kept disconnected from the computer and the internet except while a backup is running;
- Giving Internet of Things (IoT) devices special attention, since security can be more of an afterthought in their design. These devices should have strong, unique passwords and be updated regularly. They should also be kept off the main WiFi network and moved to the “guest network,” after confirming in the router’s settings that the guest network is actually isolated from the main network rather than just a second name for it.
- Finally, a low-tech solution: Be sure to place a camera cover or tape over any device inside the home that has an embedded camera.