This section is by PBY Capital

Is that really a client calling? Fraudsters step up game against family offices

Many firms rely on basic IT providers, but lax internal practices among staff can result in AI-generated attacks

Imagine you get a call from your office assistant. She’s confirming that she just transferred $500,000 to a member of your client’s family, as per your request. The only problem is you never phoned her, and you made no such request.

Instead, an AI-generated version of your voice was used to contact your assistant, and now your firm is in financial peril.

It’s a scenario that’s no longer far-fetched. In fact, Anwar Visram, co-founder and chief resilience officer at HardTarget, a cyber-preparedness firm for high-net-worth clients with offices in Canada and the United States, sees it play out quite frequently.

Visram says he’s seen hackers intercept emails that families send to an advisor, then store them – allowing the criminals to read them – and then send them on their way. This allows hackers to manipulate payments and communication between the two parties. “And neither party might be the wiser,” Visram says.

In one recent case, a family who had been working with a family office was unknowingly compromised and attacked when family members went on a safari for several weeks.

“That’s when the criminals stepped in, impersonated a family member and told the family office that there was a change of wiring instructions,” says Visram. The advisor then used those new “instructions” to send money — to the criminals.

Family offices are becoming more public, establishing higher profiles as they attend conferences and industry events or participate in philanthropic endeavours. This has left them and their family businesses more vulnerable than ever to cybersecurity threats. Yet, many rely on fairly basic security steps – antivirus programs and firewalls – to safeguard their businesses. They don’t have the internal practices and approaches that could ward off an AI-generated attack.

“They don’t generally have anyone in-house to help them, so they rely on the external IT service provider,” Visram says of his clients.

Awareness of the sophistication of attacks is also low. “Most clients say, ‘This will never happen to me,’” Visram says.

Criminals improve their game

Gone are the days when a suspicious email would arrive laden with typographical errors. These days, criminals are adept at following a company’s communication style, language, speech and, in some cases, image.

Recently a client of Visram’s had their systems compromised when a receptionist clicked a link that was emailed to her, allowing a hacker to access her password and username. “They then found an exposed system on the internet for that particular family office, and then they got into the internal system and started stealing data,” he says.

In cases like this, hackers can lurk within a company’s system for long periods of time, learning the practices and approaches of the firm. They can then use this information to strike at a time when the family office is vulnerable, such as the exit of a high-profile staffer, a new business partnership or a period when multiple employees are on vacation.

Cybersecurity criminals are specialists, says Visram. “There’s a team that specializes in the communication, a team that specializes in financial transactions. They wait for a time of upheaval or change and they seize that moment to initiate an attack.”

Safeguards are needed

Historically, family offices were “off everyone’s radar,” says Bill Roth, co-founder and CEO of HardTarget. But in the past five years, many have become more public-facing, potentially exposing them to cyber-threats.

As stewards of wealth, family office advisors need to safeguard data. They need official policies regarding use of social media, interactions with clients, client information and financial transactions.

Here are ways they can best protect their data.

Draw up rules for social media. Restricting social media use among staffers can go a long way in preventing an attack, says Mike Krygier, founder and CEO of Toronto-based Deep Cove Cybersecurity, which serves ultra-high-net-worth and family office clients, among others. That’s because the personal information that employees post on Instagram, TikTok and Facebook can reveal a lot about a company’s location, employees and clients. He suggests establishing rules regarding what can be posted and then policing those policies on Instagram or Facebook.

Use code words. Another option is to use safe words and codes among staff so that when a person’s identity is in question, a safe word can validate their identity, says Tobias Jaeger, founder and CEO of Falcone International, a global risk management, corporate investigations and business intelligence firm based in Washington and London. “You’re verifying that you’re speaking with the person you’re speaking with – there might be code phrases or some sort of riddles that they need to answer in order to authenticate themselves,” he suggests.

Make staff aware of red flags. Visram says family offices should educate their staff about possible red flags. Among them might be a great sense of urgency regarding a request to transfer information or money, an unusual request, one coming from someone who doesn’t usually make those kinds of requests, or a strangely worded email or call.

List steps for handling a suspicious call, email or request. Establishing a procedure about what to do in the event of a suspicious transaction or communication is essential, says Jaeger. He suggests using a script that asks key questions to prove someone’s identity and possibly unmask a criminal. “That’s what it’s all about – to build this security onion, if you will, where you have layer upon layer,” he says.

Identify areas of weakness. A cybersecurity firm can identify vulnerabilities in an advisor’s business. Visram says he often starts by digging up all the public information that exists about a given firm; this often yields a surprising level of detail that could imperil its operation.

Establish a protocol for vendors. Validating third-party vendors, to help determine whether advisors are dealing with the person they expect, is critical, says Krygier. He suggests that when transactions hit certain dollar amounts, an in-person meeting should occur with the other party to ascertain “if the party you’re dealing with is actually real.” Krygier also suggests family offices routinely send out a questionnaire to vendors to determine what kind of security controls and policies they have in place.

Encourage clients to safeguard their data. Many cyberattacks don’t come through the family business owners themselves; families are often compromised instead through unsuspecting family members, such as kids or teens. Social media posts are one avenue where hackers can capture a person’s voice and image and use them, says Krygier. Social media can also reveal critical information about the whereabouts of family members, identifying them as on business, on vacation, etc.

As a result, families should be urged to come up with policies regarding public appearances, online presence and social media. “If there’s a family member who’s not online, not posting on social media, doesn’t have presentations on YouTube or from other conferences somewhere online, it’s much harder [for cyber-criminals] because the voice samples are not easily accessible,” Krygier says.

Making a commitment to a cybersecurity program is key, Jaeger says. “The family needs to be fully on board with it – only then will it be an effective program.”
