20 May 2021
8 minute read
Key takeaways:
“You have an encrypted message from Simon, click this link to access your Dropbox account.” During a business transaction, a family office representative received an email from their regular legal contact. Clicking the provided link, they input their email and password details on the standard Dropbox portal to access the message, but the session timed out and asked them to try again later. The email and the portal seemed to be authentic and given these things often happen, the representative didn’t think anything of it.
However, this was the start of a sophisticated fraud where the aggressors gained access to the family office’s email system and were able to ‘divert’ over £1 million in transactions before the hack was uncovered.
This is just one example of cyberattacks targeting high-net-worth individuals (HNWIs). Yet, research suggests that over half of HNWIs and family office members have never undertaken any cyber security1and many wouldn’t know who to turn to in the event of an attack2. And the problem is growing.
A growing cybercrime pandemic
The COVID-19 pandemic triggered a staggering rise in cybercrime, with the FBI reporting a record-breaking 791,790 cybercrime complaints last year3. Social distancing measures, shifted us away from our usual habits and work settings to create an environment where cyber threats were able to thrive and the overwhelming rise in cyber scams amounted to more than US$4.2bn in losses3. If that figure wasn’t daunting enough, the number of complaints made by cyber victims jumped 69%3.
And cybercrime is increasingly being directed at HNWIs and family offices. According to a Campden Research study, more than a quarter of ultra-high-net-worth (UHNW) families, family offices and family businesses, with an average wealth of US$1.1bn, have been targeted by a cyberattack4.
Effie Datson, Global Head of Family Office at Barclays Private Bank, says: “Cybercriminals often see HNWIs and family offices as attractive targets as they have substantial assets but generally don’t have the same level of protection in place as a major corporation.”
Sophisticated attack scenarios
To provide insight on the specialist cybersecurity solutions available to HNWIs, Barclays Private Bank has partnered with XCyber, a specialist intelligence company with state-grade cybersecurity expertise.
XCyber Director, Peter Moreman explains that the above example of cyber fraud is increasingly being used to infiltrate mailboxes. He cautions, “These attacks not only perpetrate fraud on the victim, but also form a platform from which to expand the attack using the victim’s network of contacts. Such attacks generally appear to be authentic and trustworthy by referencing known contacts or business entities and replicate well-known and well-used portals such as Outlook, Gmail and Dropbox, etc.”
The sophistication of these scams highlights the fact that when targeting HNWIs, attackers are prepared to be patient, do their homework and will go to extreme lengths to achieve their fraudulent aims.
So who are the cyber criminals and how do they operate?
Hackers are a surprisingly diverse group ranging from foreign governments seeking classified information to middle-aged mothers making ends meet and people in developing countries seeking to escape poverty. Hacking is their business and the scams they perpetrate can involve a lot of planning and research.
Gone phishing
The family office example is a form of a socially engineered cyberattack known as spear-phishing. This is where the perpetrator will use information gathered about a person to pose as a trusted individual to scam their victim into clicking a link, downloading a file, or even transferring funds.
The hackers seeking such personal information often won’t target their victim directly but focus on the people around them who might not be so aware of security issues – their children, partner, PA, friends or even the friends of their partner and children. You’d be surprised at the level of personal detail that can be obtained from people’s social media accounts.
XCyber’s Moreman emphasises the need for more online caution in everyone around you, saying: “It’s a cliché, but you’re only as strong as the weakest link in your network. Hackers take time to find out more about these contacts, piecing together little bits of information to help uncover more about their victim, and build a narrative so that they can devise an attack strategy.”
Not always about money
Cyber aggressors are also acutely aware that ultra HNWIs often have considerable social standing, meaning victims might be targeted for reasons other than money.
State-focused entities may be less interested in a person individually than in their contacts, affiliations, political connections, and ability to influence others. XCyber Director Chris Stock adds: “Cyberattacks may even be personal. We worked with one HNW client whose neighbour was using cyberattacks in a personal vendetta against him.”
Hackers may also be employed by someone else. People who carry out this kind of activity are easy to find on the dark web – a major online market for criminal activity. For example, a business competitor might commission a cyberattack to sabotage a deal and inflict reputational damage. A tarnished reputation can arguably be more damaging than financial loss.
Some years ago, a respected wealthy philanthropist was targeted with false information about a charitable group working in a war zone, leading him to speak out against the charity workers.
His standing ensured these opinions were shared around the world, with the mistruths he inadvertently spread causing untold damage to an important humanitarian mission and, in many people’s eyes, his own reputation.
Prevention is possible
Despite the growing threat of cybercrime, most people have no cyber security in place and wouldn’t know who to turn to in the event of an attack. But while the online world may seem threatening, expert help is available.
Many people falsely believe improving their cybersecurity is purely a technology issue, or that support would lead to an invasion of privacy, and are put off by this. In reality, many of the necessary changes are behavioural and can have a large impact on risk reduction. XCyber’s Moreman says: “The majority of cyber fraud can be avoided just by being more careful about the information we place about ourselves online and by implementing some basic security measures such as using strong passwords and up-to-date anti-virus software.
“Being vigilant, wary and maintaining communication can help protect against attacks. A good defence strategy against email infiltration, for example, is to always confirm any instructions or the identity of a contact by using other trusted sources – don’t reply to the original email as this is the communication channel most likely to have been compromised.”
Taking measures to safeguard our physical assets is commonplace, but it’s time we do the same for our online protection. Barclays Private Bank’s Datson says: “Cyber fraud can be very difficult to investigate. For this reason, people should look to prevent it rather than hope to cure its often painful consequences. Which is why we’re proud to be able to connect you to specialists like XCyber to help you take control of your online security.”
If you’re worried about online security and would like further support, please speak to your Private Banker who can connect you with specialists at XCyber or contact us. They’ll explain how cybersecurity professionals XCyber can assess your risk exposure and help to protect you from cyberattacks.
Any service provided herein is offered directly by XCyber only. Barclays sole role is to refer you to XCyber and is not providing any recommendation or advice. Barclays receives no payment or fee for this referral. We provide no guarantee to the services herein and that the client should engage their own legal and specialists advisor for documentation, etc.
This communication:
Where information in this communication has been obtained from third party sources, we believe those sources to be reliable but we do not guarantee the information’s accuracy and you should note that it may be incomplete or condensed.
Barclays is not responsible for information stated to be obtained or derived from third party sources or statistical services.
Neither Barclays nor any of its directors, officers, employees, representatives or agents, accepts any liability whatsoever for any direct, indirect or consequential losses (in contract, tort or otherwise) arising from the use of this communication or its contents or reliance on the information contained herein, except to the extent this would be prohibited by law or regulation.
Law or regulation in certain countries may restrict the manner of distribution of this communication and the availability of the products and services, and persons who come into possession of this publication are required to inform themselves of and observe such restrictions.
You have sole responsibility for the management of your tax and legal affairs including making any applicable filings and payments and complying with any applicable laws and regulations. We have not and will not provide you with tax or legal advice and recommend that you obtain independent tax and legal advice tailored to your individual circumstances.