“Simon! I’m so thrilled we’ve agreed a deal for such an iconic work of art. As I always say, we are not owners; but custodians. New bank details attached, just to be on the safe side. My regards to Amanda — and hope the kids’ colds clear up!”
An email like this nearly cost a wealthy British collector £6m. It had been sent to the family office that managed his finances by criminals impersonating a genuine art dealer, with whom the collector had been negotiating for a year.
“[The] client came screen to screen with hackers during a £6m transaction,” recalls Paul Westall, founder of Agreus, a British company that recruits staff for family offices. “All correspondence was via email — back and forth . . . When they had finally reached a conclusion on price, [the client] received an email to say something along the lines of, I hope the children are recovering from their colds — we have just amended our bank details for security and here they are.”
As it sounded like previous emails, the art-loving client replied. Fortunately, his family office then demonstrated its strength: a structure built on personal accountability. Someone at the office phoned the real dealer to check the transaction before approving a transfer.
It was then discovered that hackers had been monitoring all the email correspondence, learning to impersonate the tone and language used — even gleaning private family news and the names of partners and children.
Cyber security problems have multiplied with the rapid development of digital technology in wealth management. While the internet’s instant global reach has brought rich families many new investment opportunities, it has also increased exposure to cyber crime.
The Covid-19 pandemic, which has forced many rich people and their family office managers to work at home, has further increased the opportunities for fraudsters to exploit communications links.
“As we digitise and start working from home the vectors of attack have increased exponentially,” says Oliver Gregson, managing director of JPMorgan’s Private Bank in London. “There is much more prevalence over the Covid-19 pandemic.”
UK wealth manager Brewin Dolphin, which serves more than 80,000 private clients, charities and pension funds, is equally aware of the heightened risk.
The approaches to individual investors and their advisers are similar to the attacks on family offices. “In the attempts that we have seen, typically the scenario is that a client is contacted by a fraudster pretending to be from the authorities,” says Simon Mair, head of privacy and information security at Brewin Dolphin. “Then they make up a plausible excuse why the client should withdraw their investments from us and move it to another account, which ends up being the fraudsters’. They may set up email addresses very similar to our own and mimic the corporate colours so that their emails and even their own website may seem very convincing.”
Mair adds: “Whilst we haven’t seen an increase in threats or concern about them, the threat is real. Fraudsters are now highly plausible and sophisticated.”
A 2020 online survey of 200 family office executives, carried out by Boston Private, an investment group with $14bn under management, found that 26 per cent had suffered a cyber attack.
As even the biggest family offices lack the security resources of banks or international commercial companies, they are a tempting target. And so are investors of more modest means — and their financial advisers.
Jim Bertles, managing director at wealth manager Tiedemann Advisors, says: “Because they often lack large staff and thorough systems and procedures around cyber security, they can be considered just as, if not more, vulnerable to digital breaches.” He observes: “Family offices’ lack of infrastructure makes it easier for criminals to discover their physical and digital footprints.”
It is certainly easier than hacking into a well-defended bank, points out Gary Hales, senior vice-president at Apex Group, which provides business services to asset managers and family offices. “Corporates and institutions have invested trillions in protecting themselves against cybercriminals,” he says. “Family offices . . . sitting on assets just as sizeable, but without the stringent institutional security measures in place . . . are often perceived as ‘lower hanging fruit’ by hackers.”
Failures to move on from basic tools such as email and spreadsheets to more sophisticated and safer systems, or even to vet staff, are widespread.
If staff are not properly vetted, fraud can come from inside the office as well as from outside. At Agreus, Westall says that one family with a business running ski lodges recently got in touch after being hit by such a crime. “They realised their staff, charged with designing and decorating the chalets, had spent £50,000 on candles, £40,000 of which was forged.”
The Boston Private study found that 28 per cent of family offices had not reviewed the risks posed by their third-party IT systems, while 81 per cent had not conducted periodic background checks on personnel.
Gregson says this leaves family offices open to three types of cyber attack: phishing (criminals sending fake messages requesting financial information); wholesale payment fraud (criminals sending payment instructions to banks); and spoofing (criminals manipulating email accounts to impersonate genuine payees).
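Mair’s remark about email addresses “very similar to our own” and Gregson’s “spoofing” category describe the same technical problem: a message that looks as if it came from a trusted counterparty but whose sender domain does not belong to them. The following is an added illustration of the checks a family office mail gateway or a vigilant analyst would run on the From and Reply-To headers (example code written for this article, not a tool used by any firm quoted in it). The trusted-contact directory, the domains ending in .example and every sample header are constructed for the demonstration.

```python
"""Look-alike sender domain and display-name spoofing check.

Example code added to illustrate the article; not a tool from any firm quoted.
The trusted-contact list and all sample headers are constructed for the demo.
"""
from email.utils import parseaddr
import unicodedata

# Constructed directory of genuine counterparties: display name -> their domain.
TRUSTED_CONTACTS = {
    "Simon Mair": "brewindolphin.example",
    "Gallery Dealer": "fine-art-dealer.example",
}

# Cyrillic letters that render identically to Latin ones (a small subset).
_CYRILLIC_TO_LATIN = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445", "aeopcyx"
)


def skeleton(domain: str) -> str:
    """Fold a domain to a 'confusable skeleton' so visually similar strings
    compare equal (brew1ndolphin, brewlndolphin and a Cyrillic-o variant all
    collapse to the same skeleton as brewindolphin)."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    d = d.translate(_CYRILLIC_TO_LATIN)
    d = d.replace("rn", "m").replace("vv", "w")                # rn/m, vv/w
    d = d.translate(str.maketrans("01|", "oll"))               # 0/o, 1/l, |/l
    return d.replace("i", "l")                                 # i/l collapse


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion/deletion/substitution away is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_headers(headers: dict, trusted: dict = TRUSTED_CONTACTS) -> list:
    """Return a list of findings for the From / Reply-To headers of one message.
    An empty list means these checks found nothing suspicious."""
    name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = _domain_of(from_addr)
    findings = []

    trusted_domains = set(trusted.values())
    if from_domain not in trusted_domains:
        # 1. Typosquat / homoglyph of a domain we actually do business with.
        for legit in sorted(trusted_domains):
            if levenshtein(skeleton(from_domain), skeleton(legit)) <= 1:
                findings.append(f"look-alike domain {from_domain!r} resembles {legit!r}")
        # 2. A known person's display name on a domain that is not theirs.
        if name in trusted and trusted[name] != from_domain:
            findings.append(f"display name {name!r} sent from untrusted domain {from_domain!r}")

    # 3. Replies silently redirected to a domain other than the sender's.
    reply_domain = _domain_of(parseaddr(headers.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one genuine, one typosquat, one Reply-To redirect.
    samples = [
        {"From": "Simon Mair <simon.mair@brewindolphin.example>"},
        {"From": "Simon Mair <simon.mair@brew1ndolphin.example>"},
        {"From": "Gallery Dealer <dealer@fine-art-dealer.example>",
         "Reply-To": "dealer@fine-art-dealer-payments.example"},
    ]
    for s in samples:
        print(s["From"], "->", analyze_headers(s) or "clean")
```

None of these checks replaces the phone call that saved the collector in the opening example; a sender using a freshly registered, unrelated domain with a familiar display name passes the look-alike test and is caught only by the display-name rule, and a genuinely compromised dealer mailbox passes all three. The checks are there to raise the cost of the cheap version of the attack and to make out-of-band confirmation of changed bank details the default for anything flagged.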
But, with coronavirus lockdowns increasing reliance on electronic communications, another form of email-enabled attack has been on the rise. JPMorgan Private Bank reports a “dramatic increase” in the sending of ransomware: hidden malicious software that denies an individual or a company access to their computer systems or data until a ransom is paid.
Why, then, are so many family offices not strengthening their defences? Robert Stover Jr, a family enterprise and family office leader at EY, says having fewer regulatory requirements for security is a factor. “Family offices have a lower bar to meet from a regulation perspective, especially in comparison to registered financial firms.”
Eric Gordon, head of Goldman Sachs’ Ayco Family Office, suggests laxity has become habit forming. “In many cases, single-family offices have limited separation of duties due to lean staffing models, and if that point person with significant control is breached, then the entire family office can be affected.”
The smaller the office, the greater the difficulty of keeping up with digital security. The Boston Private survey found only 31 per cent of smaller family offices had implemented cyber security measures, versus 60 per cent of larger operations.
Many struggled to get external help, too: 35 per cent of family offices said finding a good third-party vendor of risk management systems was a major challenge.
Once systems are in place, it is a case of maintaining defences, says JPMorgan Private Bank. It tells clients to stay up to date with the latest software releases, back up data regularly and have a disaster recovery plan for critical business functions. In lockdown, the bank has also been stressing the need to separate personal and business networks and to encrypt communications via a virtual private network.
Sometimes, simple common sense is the best defence. Bertles believes in duplication and double checking everything. “Additional measures family offices can implement include two-factor authentication, requiring multiple signatures for sensitive documents, voice confirmation for wire transfers.”
Carly Doshi, head of wealth planning & advisory for the Americas at HSBC Private Banking, agrees. “Employees are a family office’s ‘first line of defence’ in combating security risks.”
And she is not averse to old-fashioned methods in the current pandemic. “A family office attorney I know purchased a theft- and fireproof safe to store confidential client documents at home during the lockdown, to name but one example.”