
How Family Office Leaders Can Protect Their Company & Their Clients From Business Email Compromise

Family Office leaders like you are responsible for the wealth and financial well-being of multi-generational families with little time and a lot to lose. To ensure your job is performed with the utmost efficiency, you capture a lot of proprietary data and confidential information, and rely on a stack of modern technology to automate and streamline important work processes.  

While you are quite adept at your job, you’re unfortunately not an IT or cybersecurity specialist. Until recently, people in your position simply didn’t need to double as privacy and infosec specialists. 

Unfortunately, cybercriminals, hackers, and identity thieves have become aware of the reality that most private wealth organizations are not equipped to handle modern and targeted cyberattacks. It’s a primary reason why savvy adversaries have begun to more frequently target Family Offices and clients like yours. 

In fact, according to a recent study from Boston Private:

“Just over a quarter (26%) of family offices have suffered a cyberattack in the past and nearly a fifth (17%) say this has happened within the last 12 months. These results show that cyberattacks are a very real threat for family offices. Over 25% of family offices have been hacked.”

This data only represents what’s actually been reported. In all likelihood, these percentages are even higher. 

Email, email, email. It all starts with email (phishing)

As has been the case for most of the past decade, roughly 90% of all cybersecurity incidents begin with a phishing email. However, as email security has improved, the mass-mailed phishing of yesteryear – crude spam that relied on an unsuspecting recipient opening a malicious attachment or clicking a link to trigger an exploit – has evolved. Today’s phishing emails are social engineering campaigns that use psychology to persuade people to take a different kind of action, such as paying a fraudulent invoice or sharing login credentials, and they often carry no attachment or link at all for a filter to catch.

Social engineering scams are particularly effective because they are built to bypass most legacy anti-phishing and email security technology, including the protection built into Gmail and Microsoft Office 365 that so many Family Offices and clients rely on: a plain-text message with no malicious payload, sent from a real (if compromised or lookalike) mailbox, gives a filter very little to block. These defenses do provide real protection, but only when they are configured correctly (sender authentication records such as SPF, DKIM and DMARC published and enforced, external-sender warnings turned on, multi-factor authentication required for every account) and kept up to date as both the platform and the threats change.

Currently, the biggest threat to Family Offices is a type of social engineering known as business email compromise (BEC). According to the FBI’s definition, BEC occurs when “criminals send an email message that appears to come from a known source making a legitimate request.”

In other words, BEC attacks build on or reinforce existing trust as a precursor to persuading someone into taking an action with potentially severe consequences. BEC losses reported to the FBI’s Internet Crime Complaint Center (IC3) exceeded $1.8 billion in 2020, making it the costliest category of internet crime in that year’s report.

How BEC impacts Family Offices

For Family Offices, BEC attacks typically manifest in one of two ways: employee to employee or employee to client.

One common employee-to-employee example: you receive an email that appears to come from your CEO, asking you to immediately pay an invoice or resend credentials that were supposedly misplaced. Your cybersecurity alarm does not go off, as the email looks and feels “right” and you’ve only been trained to doubt a message when it includes a link or download, which is noticeably absent. The sender is either a lookalike address carrying the CEO’s display name or, worse, the CEO’s real mailbox, taken over by the attacker.

An example of an employee-to-client BEC attack: an attacker compromises your email account and sends a message impersonating you to a client. Such a message would commonly include an urgent call-to-action or request, such as authorizing a payment or changing the bank account number for a transfer. Your client, who is probably not cybersecurity trained, is inclined to act on such an email precisely because they trust you, and because it genuinely came from your address.

3 tips to reduce risk of BEC attacks

There are three primary ways any Family Office can reduce the risk of BEC attacks to the company, to employees, and to clients:

  • Implement Two-Factor Authentication – The use of two-factor authentication greatly reduces the risk of business email compromise. A secondary control to verify one’s identity, in addition to a strong password, makes it far more difficult for adversaries to take over a mailbox and send legitimate-looking BEC messages to colleagues or clients from it. Prefer phishing-resistant methods (a hardware security key or passkey) over SMS codes, which can be intercepted or phished. Remember, too, that 2FA protects your mailbox, not your name: an attacker who registers a lookalike domain needs no password at all, which is why the next two tips matter just as much.
  • Trust But Verify – Former President Ronald Reagan is widely recognized for having brought the phrase “trust but verify” into the mainstream lexicon. It remains sage advice for Family Office personnel amidst the complexities of today’s email threat landscape. Any email that 1) is unexpected or unusual, 2) carries an uncanny sense of urgency, 3) calls for a change in bank accounts or procedures out of the blue, or 4) just feels “wrong” should not be acted on until its legitimacy is verified out of band: by phone, video, or in person, using contact details already on file rather than a number or link supplied in the email itself. This applies doubly to any request to change the account a payment is sent to.
  • Conduct Yearly Email Security Audits – Hackers and cybercriminals never stop working on new ways of infiltrating your private accounts. Likewise, you should never be lax in maintaining a secure IT environment, especially for email. From making sure all systems and hardware are updated, to checking the security of your email setup and configuration (are SPF, DKIM and DMARC published and enforced? is 2FA required for every account? are there mailbox forwarding rules or third-party app permissions nobody remembers creating?), to scanning the deep/dark web for leaked passwords, a yearly audit, treated as a minimum, helps you stay on top of your email infrastructure and reduce the risk of BEC and its downstream impacts.
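The two impersonation patterns described above (an executive’s display name on an outside or lookalike address, or a thread steered to a different reply address) and the “trust but verify” triggers can be turned into a simple mailbox-side check that decides which messages get a phone call before anyone acts. The script below is an added example for this article, not BlackCloak’s code or any product’s detection logic. The office domain familyoffice.example, the executive directory, the phrase list and the four sample messages are all constructed for illustration.

```python
"""Flag header and content patterns behind common BEC impersonation emails.

Added example for this article, not BlackCloak code. The domain, executive
directory and sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for a hypothetical office: its real domain and its executives.
# A real deployment would load these from the directory / HR system.
INTERNAL_DOMAIN = "familyoffice.example"
EXECUTIVES = {"dana reyes": "dana.reyes@familyoffice.example"}

# Request language matching the article's "urgent / pay / change the account"
# triggers. A weak signal alone; it matters when paired with a header anomaly.
TRIGGER_PHRASES = ("urgent", "immediately", "wire", "bank", "remittance",
                   "account number", "password", "credentials")


def normalize_domain(domain: str) -> str:
    """Undo the character swaps used in lookalike domains (rn->m, 1->l, 0->o)."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01357", "olest"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain is a near-copy of ours but not actually ours."""
    if domain == INTERNAL_DOMAIN:
        return False
    return edit_distance(normalize_domain(domain), normalize_domain(INTERNAL_DOMAIN)) <= 1


def analyze(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]

    # 1. A known executive's display name on an address that is not theirs
    #    (the "your CEO asks you to pay an invoice" scenario).
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr != expected:
        findings.append(f"display-name impersonation of {expected} from {from_addr}")

    # 2. Sender domain that is a near-copy of the office's own domain.
    if is_lookalike(from_domain):
        findings.append(f"lookalike domain {from_domain}")

    # 3. Reply-To pointing replies at a different domain than the sender's,
    #    a common way to hijack an invoice conversation.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.lower().rpartition("@")[2]
    if reply_addr and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: {from_domain} -> {reply_domain}")

    # 4. Request language that should trigger out-of-band verification.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = [p for p in TRIGGER_PHRASES if p in text]
    if hits:
        findings.append("payment/credential request language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "ceo_from_webmail": "From: Dana Reyes <dana.reyes@webmail.example>\n"
                        "To: controller@familyoffice.example\n"
                        "Subject: Urgent - are you at your desk?\n\n"
                        "I need a wire sent to new counsel before 3pm. Reply with your direct line.\n",
    "lookalike_domain": "From: Dana Reyes <dana.reyes@fami1yoffice.example>\n"
                        "To: controller@familyoffice.example\n"
                        "Subject: Updated bank details for the Q3 distribution\n\n"
                        "Please use the attached details for Friday's transfer.\n",
    "vendor_reply_to": "From: Accounts Payable <accounts@vendor.example>\n"
                       "Reply-To: Accounts Payable <accounts@vendor-billing.example>\n"
                       "To: controller@familyoffice.example\n"
                       "Subject: Invoice 4471: remittance account change\n\n"
                       "Our remittance details changed; confirm before paying.\n",
    "legitimate": "From: Dana Reyes <dana.reyes@familyoffice.example>\n"
                  "To: controller@familyoffice.example\n"
                  "Subject: Board deck review\n\n"
                  "Attached is Thursday's board deck for your comments.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", analyze(raw) or "no indicators")
```

Run as-is and each sample prints its indicators; the legitimate message prints none. The phrase list should never block mail on its own (real invoices mention bank accounts too); its job is to escalate a message that also carries a header anomaly to a person who then verifies by phone, using a number already on file.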

Protect your Family Office, protect your clients

In today’s threat landscape, Family Offices like yours must take a more proactive role in protecting privacy and cybersecurity, and in reducing the risk of business email compromise.

While the steps above are a great start, know that you don’t have to embark on this journey alone.  BlackCloak partners with leading Family Offices and wealth management firms to educate financial advisors and your clients on modern-day privacy and cybersecurity risks, adding significant value to any wealth management offering. 

Visit https://blackcloak.io/partners/ for more information or message me to chat more. 


*** This is a Security Bloggers Network syndicated blog from BlackCloak | Protect Your Digital Life™ authored by Chris Pierson. Read the original post at: https://blackcloak.io/how-family-office-leaders-can-protect-their-company-their-clients-from-business-email-compromise/