FA Magazine July/August 2021 | Page 35

person who clicked on it . In other cases , the links could lead to a spoofed web page or website , which tries to trick unwary users into entering credit card or banking information .
Spear-Phishing
“ Spear-phishing ” is more targeted . In this sort of cyberattack , a threat actor sends a specific , fake email , often with sophisticated masking or spoofing that makes it appear to be from a person and email address the victim knows . Sometimes the actors have infiltrated the email systems of a target long before they launch the attack and have read and studied the language and diction of the person they are trying to imitate . These attackers will then take personal details about their victim gleaned from earlier communications and discuss imminent transactions in order to supply fake wiring or routing instructions .
Criminals using this approach have successfully stolen hundreds of millions of dollars in recent years . It is easy to see how family offices and high-net-worth individuals in particular would be attractive targets for sophisticated spearphishing attacks , since their operations often follow fewer bureaucratic procedures and less often internally verify their communications than people do in the corporate world .
What ’ s At Stake It ’ s obvious what ’ s at stake from such attacks . If you ’ re the victim of ransomware and choose not to pay ( and sometimes even if you do ), your computer systems may not function for days . The data that was encrypted may be damaged or destroyed even if it is restored . Ransoms can run into the millions of dollars , depending on the size of the attack and the value of the target ( you ’ ll likely need to secure some bitcoin ).
Also , remember that it ’ s an international problem : Ransomware is almost always a cross-border crime . The computer programs that enable the attacks are bought and sold by criminals on the black market online , and the perpetrators themselves are often located in unfriendly jurisdictions . The FBI and Europol ( in the EU ) are following the problem and can resolve some attacks , but the ability of any law enforcement agency to reach these threat actors in person is limited not just by the fact that the crimes happened on the internet , but also by the difficulty of asserting jurisdiction in many of the countries where the threat actors choose to locate .
That same issue makes payment of ransoms tricky as well . In the United States , many threat actors and developers of ransomware have been “ designated ” by the Treasury Department ’ s Office of Foreign Assets Control ( OFAC ). U . S .
Whether the victim is a Fortune 100 corporation or a family office , there is a common element in most cyberattacks : human error .
citizens and businesses are barred from transactions with these actors — including ransomware payments . The office has specifically warned against paying ransoms without making sure the money is not going to a designated group or person , and it is almost impossible to tell where the proceeds of a cryptocurrency transaction are actually headed . Spear-phishing payments may similarly entangle family offices in complicated cross-border problems . Not only does the crime add to jurisdictional problems for law enforcement , but once the money has been transferred by wire , it can be extremely difficult to prove it was unintentional or caused by malicious action , which means it ’ s hard to retrieve the money after the transfer has been made . The bank accounts used by threat actors in spear-phishing attacks are almost always outside of the victim ’ s home country and , unsurprisingly , the money is usually moved out of the initial account immediately . Even if the money can be traced , it can be a dauting pros- pect for victims to work with international regulators to prove the nature of the transfer and reverse it .
Ways To Protect Yourself
Whether the victim is a Fortune 100 corporation or a family office , there is a common element in most cyberattacks : human error . The easiest way to get into a castle , after all , is not to break down the walls but to trick someone on the inside into opening the gate for you . A perpetrator can introduce ransomware into a computer network by “ hacking ,” but often the software comes via phishing emails containing malicious links . Those require a person to mistakenly click on a link .
It ’ s crucial for all organizations to add network and device security , but it ’ s even more crucial for family offices and wealthy families to train all the users of their computer networks to identify and avoid cyberattacks like phishing . That means everyone who has access to the family ’ s or family office ’ s computers or network needs to be aware of the threat of cyberattack and understand how to minimize the risk of one happening .
Training tools are widely available and , thankfully , the training is far less expensive than the kinds of security software and hardware used by large corporations .
It ’ s also crucial to regularly update software , especially operating systems like Windows , and to control and update the list of people who have access to devices and networks . And it ’ s important to continuously monitor and improve the physical security and data security of a family office . One of the biggest dangers for any organization is the tendency to treat data security as a “ one-and-done ” problem , and to assume that a solution someone found at one point in time will solve related problems indefinitely .
Data security threats evolve constantly , and family offices and wealthy individuals must be vigilant , informed and adaptable as well .
DAniel Berick is the Americas chair of the global corporate Practice of squire Patton Boggs . J . D . BriDgeS is an associate in the corporate Practice of squire Patton Boggs .
July / August 2021 | finAnciAl Advisor mAgAzine | 31