Cyberhackers: The growing threat to family offices
Cyberhackers are targeting family offices to gain access to the data and riches of wealthy families. Our Chief Technology Officer, Kelvin Craig, explains how offices can protect themselves from hackers and what we’re doing to ensure your data is safe.
Introduction: Cyberhackers target family offices
Under the cover of online darkness, cyberhackers target their victims. They use a combination of social and technical means to gain unauthorised access to digital devices, computer systems or networks. Once inside, they seek financial gain. Hackers extract data such as log-in details, credit card and bank account numbers. This data is then used to gain access to personal accounts and steal money, or is sold on to other criminals in the underground cybercrime economy for vast profit.
Historically, banks, major corporations, government offices and public services, such as hospitals and schools, have been popular targets. Last year, $1.1 billion was paid out to hackers by their victims. But in 2024, hackers have a new target: family offices. Seventy-nine percent of North American family offices surveyed by global law firm, Dentons, said the risk of an attack had “risen significantly over the past few years”, while 25% said they were the victims of an attack in 2023. Half said they knew a family that had been attacked.
Why family offices are vulnerable
Family offices are lucrative targets. They hold large volumes of sensitive information, notably financial and personal data about clients, which gives hackers a potential route to the riches of wealthy families. Unlike banks, which use sophisticated security software and processes to defend against attacks, offices often lack the same robust defences. This gives hackers an indirect way to attack families, which can cause not only financial losses but also reputational damage and an erosion of trust between family members.
Offices under attack: Phishing & social engineering
The most common form of attack employed by hackers against family offices is a technique called phishing. This is when attackers send scam emails or text messages that contain links to malicious websites. The link typically leads either to a fake log-in page that harvests the victim's credentials, or to a download that installs malware (such as ransomware) capable of locking up systems and paralysing an organisation. Social engineering is the broader tool of deception behind such attacks. It involves hackers building highly plausible relationships with employees or contractors working for offices, over the phone or by email, and tricking them into handing over sensitive information or authorising a payment. Experienced hackers will often spend weeks or months building trust with their targets before extracting vital information.
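The following is an added example, not code from the original article or from Othis: a first-pass check over the links in an incoming HTML email, of the kind a mail filter or a phishing-awareness demo would run. It flags three common tells: the visible link text names one domain while the href points at another; the href host is a punycode (xn--) host, which look-alike domains often use; and a trusted brand name appears as a subdomain of some other registrable domain. The sample message, the trusted-domain list and the two-label notion of "registrable domain" are constructed assumptions for the demo; real code would use the Public Suffix List.

```python
"""Added example (not from the original article): flag suspicious links in an HTML email."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed for the demo: the domains this office considers legitimate.
TRUSTED_DOMAINS = {"family-office.example", "bank.example"}

# Constructed sample message: one genuine link, two phishing links.
SAMPLE_EMAIL = """
<p>Dear client, your statement is ready.</p>
<p><a href="https://portal.family-office.example/statements">View statement</a></p>
<p>Please confirm your details at
<a href="https://bank.example.account-review.test/login">https://bank.example/login</a></p>
<p>Or sign in at <a href="https://xn--bnk-yla.example/">bank.example</a></p>
"""

URL_LIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname (assumption: good enough for the demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def host_in_text(text: str) -> Optional[str]:
    """Hostname if the visible link text looks like a URL or bare domain."""
    match = URL_LIKE.fullmatch(text.strip())
    return match.group(1).lower() if match else None


def check_links(html: str) -> List[Dict]:
    """Return one finding per suspicious link, with the reasons it was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        shown = host_in_text(text)
        if shown and registrable(shown) != registrable(host):
            reasons.append("link text names %s but href goes to %s" % (shown, host))
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host " + host)
        for trusted in TRUSTED_DOMAINS:
            if trusted in host and registrable(host) != trusted:
                reasons.append("%s used as a subdomain of %s" % (trusted, registrable(host)))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The genuine statement link passes because its visible text is plain English and its host ends in a trusted registrable domain; the other two are flagged on two counts each. A check like this catches the mechanical tricks, not the human ones, which is why it complements rather than replaces the staff training described later on this page.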
How offices can defend against hackers
To guard against these threats, offices must be proactive rather than reactive. Here, we’ve detailed a series of simple measures offices can put in place to bolster their defences:
Educate your team
Family members, office staff and contractors must be educated about the basics of cybersecurity and hacking threats, so they recognise phishing or social engineering attempts when they occur. Education should be carried out routinely and updated to cover new threats.
Use a password manager
This is possibly the simplest and most important step an office should take. It is imperative that people do not reuse the same password across numerous log-ins. If an employee's password is exposed in a breach, even one unrelated to the office, hackers routinely try it against other services, and a reused password lets them log straight into office systems and exfiltrate sensitive data that compromises family wealth. A password manager generates and stores a unique, random password for every account, so one breach cannot unlock the rest.
Add multi-factor authentication
Adding a second layer of authentication beyond a password, such as a one-time code generated by an authenticator app installed on your phone, is a great way to protect against password breaches: a stolen password alone is no longer enough to log in. Prefer an app-generated code over a code sent by SMS, which can be intercepted through SIM-swap fraud. Be aware that a code can still be captured if a user is tricked into typing it into a convincing fake log-in page, so this protection works best alongside staff education.
Using a Yubikey is an even more powerful form of protection. The device plugs into your computer or laptop and completes two-factor authentication when you touch the button on the key, rather than by typing a code from your smartphone. The key answers a cryptographic challenge that is tied to the genuine website's address, so there is no code for a phishing site to steal and a response given to a look-alike site is rejected by the real one.
Google has used Yubikeys since 2009 to defend against cyber attacks and prevent account takeovers. Since then, the company has reduced account takeover incidents by 92 percent.
Install a VPN
Virtual private networks (VPNs) encrypt the traffic between your device and the VPN provider, hiding your browsing activity, location and IP address from anyone on the local network. This stops hackers on the same network from intercepting or tampering with your data, and is especially useful if you are using unsecured Wi-Fi in public places such as cafes or co-working spaces. Note that the VPN provider itself can see your traffic, so choose one you trust, and that a VPN does nothing against a phishing email or a stolen password.
Use virus scanning software
It is not just Windows computers and laptops that are at risk from viruses. Smartphones, tablets, Macs and any other digital device with access to the internet are also potential targets of hackers. Use anti-virus software or a virus scanner on all office devices, and keep it, along with the operating system itself, up to date so that known vulnerabilities are patched.
Implement penetration testing
This involves engaging ethical hackers to deliberately try to break into an office's computer systems, in order to evaluate its security and expose any vulnerabilities before a real attacker finds them. It can also include physical exercises, such as testing access to office buildings to ensure only a limited number of people can reach the locations housing sensitive systems or networks.
Ban emailing documents
Staff who email Excel files and other sensitive documents back and forth leave copies in every mailbox and forwarded thread along the way, so a single compromised email account, or an email sent to the wrong address, hands hackers valuable data. Use a link to a shared drive with managed access instead: access can be limited to named people and revoked later, and there is one controlled copy rather than many stray ones.
How Othis protects families and individuals
On the first day we began building our software, we made security part of our DNA by implementing the basic procedures and processes outlined above. Since then, we’ve built an enhanced security system and strategy to ensure we offer gold-standard protection.
Database: Minimum access
We apply authorisation at a granular level, working out the minimum access each user needs to interact with our system and granting no more. This ensures that staff only have access to the specific subset of data within Othis that their role requires. Even our CEO does not have access to our client database!
EU data storage
We run our platform on Amazon Web Services, with our data stored in AWS cloud infrastructure in Frankfurt and not transported anywhere else. Keeping all data within the EU means it never falls under the additional safeguards GDPR requires for transfers outside the EEA, and it is fully encrypted both at rest and in transit.
24 hour monitoring & kill switch
We have a 24-hour monitoring system to see when people are attempting to log into our system and alert us to unusual activity. In the event of an attack we even have a kill switch that allows our engineers to immediately shut our system down and block external access.
Emergency back-up
In the event of a major physical incident affecting the AWS facility hosting our systems, we are able to migrate our entire platform to another EU location at speed, meaning our software remains accessible and your data remains safe even in a disaster.
Training and education
Every two weeks we undergo training and development to stay up to date with the latest threats and to update our own procedures. This also includes disaster response training, so we can simulate potential scenarios and rehearse our response.
Future threats for family offices
The contest between cyberhackers and family offices is likely to become even more sophisticated. AI is giving hackers the tools to quickly harvest a treasure trove of publicly available information about individuals and to build convincing fake social media profiles impersonating people in positions of authority.
This technology can then be used to carry out social engineering attacks at scale. Deepfake technology is already capable of imitating the voices and video footage of real people, meaning offices must be vigilant against increasingly life-like phishing and social engineering tactics, and should verify any unusual payment or data request through a second, independent channel.
Conclusion: How to protect your family office today
The threats to family offices are clear, but you can take simple steps today to enhance your protection and keep your clients’ data safe.
Click the links below to see whether you and your team could spot a phishing attempt, find out if your email addresses have already been exposed in a data breach, and evaluate your existing security by taking the national privacy test.
Phishing quiz: https://phishingquiz.withgoogle.com/
Email data breach: https://haveibeenpwned.com/
National privacy test: https://nationalprivacytest.org/test