“If you put your hacker hat on, it makes more sense to go after a couple of wealthy individuals and hit a jackpot than to go after millions of customer records and ferret out which ones you want,” says Wes Stillman, CEO of Overland Park, Kan.-based RightSize Solutions, a cloud-based security and compliance solutions provider to registered investment advisors, private banks and trust companies.

For cyber-crooks, an attack on a family office promises a big payoff with minimal effort and little chance of detection or prosecution. With one breach, hackers can obtain access to families’ bank statements, brokerage accounts, tax returns and personal information, as well as information about employees, business partners and vendors. Cybercrime against family offices has the potential to reward crooks with funds that are substantial, anonymous and easily transferable.

“The return on their investment in time to hack is really good. Family offices are prime targets,” Stillman says.

To hit the mother lode, criminal hackers may start by launching small, simple attacks on family offices to probe their computer defenses and evade detection.  

“I have seen an unprecedented level of wire transfer fraud,” says Dave Dalva, vice president of Security Science at Stroz Friedberg, a New York-based cybersecurity, digital forensics and risk management company. “A year ago, I didn’t see this much. It’s relatively straightforward for an adversary to e-mail an unsuspecting user to get a foothold into an organization, and from there move around an organization’s systems to find out how wire transfers are done in order to initiate a fraudulent wire transfer request.”

In one case, a cyber-thief tricked a billionaire’s family office into sending $25,000 to an account in Mexico, he says, adding that wire amounts below $50,000, depending on the size of the family office, may not set off any alarms. 

“Their goal is to get away with as much as they can without raising too much suspicion,” Dalva says.

Most wire fraud starts with a “phishing” e-mail, security experts say. Phishing is an attempt to acquire confidential information, such as user names and passwords, by fooling the recipient of the communication into thinking that the request to provide the information comes from a trusted source. 

Hackers can send an e-mail to someone inside a family office using the address of another individual inside or outside the family office. They can also add a carefully crafted and easily overlooked typo to a trusted sender’s e-mail address, which is actually an address that the hacker controls.

“Hackers don’t really have to be very technical to do this. People are falling for these tricks left and right,” says Austin Berglas, head of cyber-investigations and incident response at K2 Intelligence, a New York-based investigative, compliance and cyber-defense services firm.

Both methods of tricking recipients into providing log-in credentials can allow cyber-crooks to gain access to a family office’s network and initiate phony wire transfer requests, but the use of a recognized e-mail address poses a far greater threat. “The compromise of a legitimate e-mail address provides hackers with much better reconnaissance,” says Berglas, a former FBI agent who led the criminal investigation into the computer network attack against JPMorgan.

Berglas says that hackers who gain access to computer systems through valid e-mail addresses can lie in wait while they observe the wire transfer policies of family offices and learn to imitate the communication style of those authorized to initiate transfers, such as CFOs.

Berglas says he routinely sees wire transfer losses in the hundreds of thousands of dollars. In a case his firm handled in December, a high-net-worth CEO had authorized wire transfer requests coming into his personal e-mail to be sent directly to his secretary, who would then forward the requests to financial institutions to execute the transfers. The secretary received a fraudulent request for $700,000, allegedly to purchase art for the CEO. Assuming the request was legitimate, she forwarded it to the CEO’s bank, which sent the money to an overseas bank, where it disappeared. Six hours later, the cyber-bandits sent a request for $2.1 million that the secretary again forwarded. This time, the bank flagged the communication and declined to execute the transfer.

“Once criminals are successful in getting a wire transfer sent, they’ll try it again immediately,” says Berglas.

To protect themselves, Berglas says family offices first need to be aware that these e-mail scams exist. Second, he advises all family office personnel to scrutinize the source of e-mails and not open those from unidentified individuals or entities. Finally, he recommends setting a dollar amount for wire transfers, above which a second layer of authentication is required, such as a phone call to verify the authenticity of an e-mail request to send money.

In addition to phishing and other remote attacks, criminals have directly stolen computers from the wealthy. “Family office personnel travel with their computers. Less than 5% have an appropriate level of security on their laptops,” says Viollis.

In one recent incident, Viollis recalls talking at a conference with the CEO of a $4 billion single-family office in the Midwest who couldn’t convince the family she worked for that they needed stronger cybersecurity. A month after their conversation, Viollis says he got a panicked call from the CEO seeking his advice—after crooks broke into a storage closet and stole the family office’s network server. The family had their bank and brokerage account information, as well as all their medical records, compromised.

That’s not the only case of server theft Viollis has handled. A few years ago, thieves used sledgehammers to break through a building wall at a single-family office in the Pacific Northwest, making off with that family’s server and confidential information.

Remote Risks

Criminals may also target family offices through intermediaries, such as the banks and financial firms that serve the ultra-wealthy.

Dalva says he’s seen multiple attempts by cyber-thieves to strike at family offices via their private banks, sometimes by posing as family members. Cyber-crooks can obtain information about a family from social media and use it to open unauthorized accounts. 

In a case Dalva knows of, a criminal phoned a billionaire’s private bank asking to have a credit card account opened in a foreign country for his “nephew.” The crook provided the victim’s date of birth and other identity-verifying information that was asked for by the bank—all of it information that could have been gleaned from social media. The plot might have been foiled early on had the bank made a verification call to the real billionaire at a pre-defined phone number before opening the account.

“If banks and family offices don’t have appropriate controls in place, then banks—because they’re trying to have great customer service, especially for billionaires—are going to do what they’re asked,” he says. 

Private banks are not the only entities being targeted. RIAs are also at risk.