June 15, 2018
You are about to leave Risk Strategies website and view the content of an external website.
You are leaving risk-strategies.com
By accessing this link, you will be leaving Risk Strategies website and entering a website hosted by another party. Please be advised that you will no longer be subject to, or under the protection of, the privacy and security policies of Risk Strategies website. We encourage you to read and evaluate the privacy and security policies of the site you are entering, which may be different than those of Risk Strategies.
Every day we hear of new cyber risks issues and data breaches. While it might seem like a technology problem, a closer look at the risks faced by high net worth individuals, their families, and their businesses reveals a broader threat landscape, incorporating people and processes, as well.
Investing heavily in technology to protect your family or business won’t prevent problems caused by inadequate due diligence with advisors or poor awareness of behavior that puts your family or business at risk.
Social Engineering is a way for criminals to gain access, steal information, or infect target systems with malware. In a common social engineering attack, a hacker will craft a communication, usually an email, mimicking correspondence that would typically come from someone you would communicate or do business with. Other times, the attack is less personalized; blasting a large number of recipients with generic emails that appear to be coming from widely used applications, e-commerce websites, and financial services firms.
The most dangerous iteration of Social Engineering is Spear Phishing. This is an extremely targeted form of Social Engineering which uses publicly available data points to carefully craft a correspondence that resonates with a particular individual or family. Examples of this would include using information from a target’s bio on a corporate website, information from a LinkedIn profile or other social media platforms to craft a tailored message.
Imagine this, you are the CEO of a publicly traded corporation- Your bio on your company’s website highlights that you are a graduate of a prominent University; your Facebook profile indicates that you are a resident of Fairfield County, Connecticut; and your LinkedIn profile shows that you are on the board of a large well known non-profit focused on the performing arts.
You receive an email appearing to be from your alumni association alerting you to an alumni affinity event in Fairfield County, Connecticut to raise funds for the university’s performing arts programs. The email looks legitimate, the logos, colors and format all as they would in any other note sent from your alma mater. The email contains a link to register for the event that allows you to use your Google credentials to register. Do you put in your credentials?
Hindsight is 20/20, but in the moment the majority of us would click on that link and put in our credentials. Once an enterprising criminal has that level of access the possibilities are endless. They can mine your inbox to find further information to continue to phish, they can redirect inbound correspondence, they can figure out credentials for bank accounts and other applications, and start spear phishing family members, friends, and colleagues from your accounts.
While a scary thought for anyone, for successful individuals and families there is even more at stake. While we enjoy the benefits of the digital economy and social media, we have to understand the risks that come along with these tools. It is also important to understand there is no longer any expectation of privacy in life. Millennials and younger children did not grow up in a world without these technologies aren’t as attuned to its risks.
There are vendors and trusted advisors who can provide assistance and training to augment the technology security your family employs. Increasing awareness around people and process issues can serve to protect your family and your most important assets.
The contents of this article are for general informational purposes only and Risk Strategies Company makes no representation or warranty of any kind, express or implied, regarding the accuracy or completeness of any information contained herein. Any recommendations contained herein are intended to provide insight based on currently available information for consideration and should be vetted against applicable legal and business needs before application to a specific client.