This article is part of our special report on digital risk in family offices.
Think of social media as a great big treasure map for criminals. The treasure? Your identity, your data and, ultimately, your money. And every post you make brings them a little bit closer to their payoff.
Everyone is at risk, but high-net-worth folks make very attractive targets. Cybersecurity experts say today’s fraudsters are patient and highly strategic—sometimes spending months following digital breadcrumbs before making their move.
Here are eight ways even the most innocent social media posts can make you and your family easy targets.
Taking what you give

Hackers and criminals want it all, and many people oblige. Your holiday photos, those first-day-of-school posts, and even lifestyle content (“my favourite coffee shop”) paint a picture of your habits, helping criminals spot patterns and opportunities. Their goal? To gather enough information to exploit your trust, your identity or your wealth.
Even the most benign post might share more information than you realize. Sarah Rosen, managing director of private client services at BlackCloak, a U.S. cybersecurity company for executives, recalls a client who was road-testing BlackCloak’s services with a challenge to find the address of a new home he had purchased.
He was certain the private transaction could not be tracked. But Rosen says social media made it easy.
“We didn’t know the city, but we were able to crack the case because his wife had posted a Christmas card on social media,” says Rosen. “It was a ‘Greetings from the Family’-type photo in their living room in front of a Christmas tree. And we were able to cross-reference the background details of that photo with real estate postings, having guessed at the neighbourhoods and the price point of the house. We matched real estate listings with the picture from social media, and we got their address.”
Taking the data you don’t see
Criminals also want the data that you can’t see. “With any activity on the Internet, we leave behind a digital footprint,” says Andrew Kirsch, a former CSIS intelligence officer and founder of Kirsch Group, a Toronto-based security and cybersecurity consulting firm.

Social media platforms don’t just collect your name, age and email address, he notes. They log behavioural signals—scrolling patterns, clicks, ad interactions and, where permissions allow, location data. If your account is compromised or malware is installed, that data can be aggregated and resold on the dark web.
Kirsch says every additional app you use increases what he calls your “digital threat surface,” or potential exposure to online harm. Make sure it’s worth it, and remember that you don’t have to hand over all permissions to every app you use.
Scanning for liquidity events and big transactions
Exiting your company? Moving to a great new home? Posting about it online can alert criminals that significant wealth is about to move. Coupled with access to email (which Rosen calls the “holy grail” for criminals) or other accounts, attackers can monitor transactions in real time and subtly intercept communications, enabling schemes such as the diversion of real estate funds or the alteration of payment instructions so money is rerouted without the victim noticing.
“If they know you’re working with a real estate agent and that there’s going to be a transaction, they can jump in the middle and change the routing numbers, so the money isn’t going to the real estate agent, it’s going to them,” says Rosen. “The more information they have about the individual, the more able they are to put themselves into a position to take advantage when cash is being exchanged.”
Spreading malware through your invite apps
Rosen says a growing scam targets digital invitation apps and online calendars.
Attackers can watch your habits and impersonate trusted contacts—or impersonate you—to send what appear to be routine invites to recurring events. These systems mirror predictable social patterns, such as a monthly get-together with old friends, establishing “social trust” and making malicious intent hard to spot.
“Let’s say you have a monthly poker game and you get the invite as usual, so you think it’s from Leo. You’re expecting it, because every month you get an invite from Leo,” says Rosen. “You click on the link, and it leads to malware or other unpleasantness.”
Scanning your posts for clues to your passwords
Password strength still matters, says Rosen, even with multi-factor authentication. (The whole point of two-factor authentication is to have two strong authentication mechanisms that work together to secure your account.) Most people don’t change their passwords often enough. And social media posts can inadvertently give criminals a head start at cracking your code. (When quantum computing arrives, though, all bets might be off.)
By openly sharing information like a pet’s name, schools you’ve attended or your birthdate, you give scammers the information they need to guess your password or answer your security questions.
Rosen tells a story about an exclusive small-town enclave, popular with high-net-worth folks, where the local IT team set up Internet service for many households—and gave them all the same default password. BlackCloak discovered a gaping security hole affecting its client (and many others, it turned out): they had all kept the same default password.
Using urgency to override your good judgment
“Scammers try to create a false sense of urgency to get you to act fast,” says Kirsch. If you feel pressured to quickly send money, buy gift cards or update your game for free credits, resist.
These messages often come via email but can also arrive in your WhatsApp or Facebook Messenger or even through gaming interfaces. BlackCloak had one high-profile client, a professional basketball player, whose personal laptop was hacked after his kids were targeted with infected game updates that loaded malware onto the family network. It’s an increasingly common tactic, Rosen says.
Tempting you with exclusive investment offers
Cybercriminals target wealthy people via Instagram, LinkedIn or X with exclusive investment opportunities in real estate, cryptocurrencies or private equity. Criminals build credibility through curated profiles or by impersonating legitimate advisors. Things often start with social media outreach touting a “mutual connection” and usually escalate into private messaging and then wire or cryptocurrency transfers.
“People often think they’ve gotten a referral from a friend. Or they’ve seen a celebrity endorsement for a crypto or bitcoin investment, and they get sucked in,” says Kirsch. “They spend a bit, and then a little more, and all of a sudden they’re in for hundreds of thousands of dollars with a portfolio that is all fraudulent.”
Convincing you with sophisticated fakes
Underlying hacking technology hasn’t really changed much, says Kirsch. “But what has changed and continues to evolve, especially with AI, is the social engineering that gets us to click that link.”
Today’s phishing attempts are increasingly convincing—well-timed, context-aware and built from fragments of real information harvested across your digital life. The more you share, the more convincing the illusion becomes.
Cindy McGlynn is a Toronto-based writer and editor who frequently writes about business, culture and the arts. In addition to holding communications roles at tech startups and writing for consumer and B2B publications, Cindy has edited two national magazines and served as a long-time columnist for the Toronto Star’s Eye Weekly magazine. She has been contributing to Canadian Family Offices for four years.