How Family Office Leaders Can Protect Their Company & Their Clients From Business Email Compromise
Family Office leaders like you are responsible for the wealth and financial well-being of multi-generational families with little time and a lot to lose. To ensure your job is performed with the utmost efficiency, you capture a lot of proprietary data and confidential information. You also rely on a stack of modern technology to automate and streamline important work processes.
While you are quite adept at your job, you’re unfortunately not an IT or cybersecurity specialist. Until recently, people in your position simply didn’t need to double as privacy and infosec specialists.
Unfortunately, cybercriminals and identity thieves have become aware that most private wealth organizations cannot prevent targeted cyberattacks. It’s a primary reason why savvy adversaries have begun to more frequently target Family Offices and clients like yours.
In fact, according to a recent study from Boston Private:
“Just over a quarter (26%) of family offices have suffered a cyberattack in the past and nearly a fifth (17%) say this has happened within the last 12 months. These results show that cyberattacks are a very real threat for family offices. Over 25% of family offices have been hacked.”
This data only represents what’s actually been reported. In all likelihood, these percentages are even higher.
Email, email, email..It all starts with email (phishing)
As has been the case for most of the past decade, roughly 90% of all cybersecurity incidents begin with an email phishing attack. However, as email security has improved, the email phishing attacks of yesteryear – the malicious ‘Nigerian Prince’ scams that relied on an unsuspecting recipient downloading an attachment or clicking on a link to trigger an exploit – have evolved. Now, phishing emails have morphed into social engineering campaigns. These attacks use psychology to persuade people to take a different type of action, such as paying a fraudulent invoice or sharing sensitive login credentials.
Social engineering scams are particularly effective because they are built to bypass most legacy anti-phishing and email security technology, including the protection inherent to Gmail and Microsoft Office 365 that so many Family Offices and clients rely on. While these defenses provide some security, they must be set up perfectly and constantly updated.
Currently, the biggest threat to Family Offices is a type of social engineering known as business email compromise (BEC). According to the FBI’s definition, BEC occurs when “criminals send an email message that appears to come from a known source making a legitimate request.”
In other words, BEC attacks build or reinforce trust. They are a precursor to persuading someone into taking an action with potentially severe consequences. BEC losses totaled more than $1.8 billion in 2021, also per the FBI.
How BEC impacts Family Offices
For Family Offices, BEC attacks can manifest in one of two ways: employee to employee or employee to client.
One common employee to employee example would be if your CEO sent you a legitimate-looking email. The message would ask you to immediately pay an invoice or share credentials that were supposedly misplaced. Your cybersecurity alarm does not go off. The email looks and feels “right.” You’ve only been trained to doubt the integrity of a message when it includes a link or download. With BEC, this is often absent.
An example of an employee to client BEC attack would be if a hacker compromises your email account and sends a message impersonating you to a client. Such a message would commonly include an urgent call-to-action or request, such as authorizing a payment or changing a bank account number for a transfer. Your client, who is probably not cybersecurity trained, is likely to be inclined to engage because they trust you.
3 tips to reduce risk of BEC attacks
There are three primary ways any Family Office can reduce risk of BEC attacks. This includes:
- Implement Two-Factor Authentication – The use of two-factor authentication greatly reduces the risk of business email compromise. The presence of a secondary security control to verify one’s identity, in addition to using a strong password, makes it infinitely more difficult for adversaries to gain unauthorized access to a person’s email account and formulate legitimate-looking BEC attacks to send to colleagues or clients.
- Trust But Verify – Former President Ronald Reagan is widely recognized for having brought the phrase “trust but verify” into the mainstream lexicon. This remains sage advice for Family Office personnel amidst the complexities of today’s email threat landscape. Moving forward, any email that is 1) unexpected or unusual; 2) casts an uncanny sense of urgency, 3) calls for a change in accounts or procedures out of the blue, or 4) just feels ‘wrong’, should not be engaged with until its legitimacy is verified via phone, video, or in-person.
- Conduct Yearly Email Security Audits – Hackers and cybercriminals never stop working on new ways of infiltrating your private accounts. Likewise, you should never be lax in ensuring you always maintain a secure IT environment, especially email. This includes making sure all systems and hardware are updated. Checking the security of your email setup and configuration, to scanning the deep/dark web for leaked passwords are also important. A yearly audit can help you stay on top of your email infrastructure and reduce the risk of BEC attacks.
Protect your Family Office, protect your clients
In today’s threat landscape, Family Offices must take a more proactive role in protecting privacy and cybersecurity. This includes reducing the risk of business email compromise.
While the steps above are a great start, know that you don’t have to embark on this journey alone. BlackCloak partners with leading Family Offices and wealth management firms to educate financial advisors and your clients on modern-day privacy and cybersecurity risks, adding significant value to any wealth management offering.
Visit our Partners Page for more information or message me to chat more.