Ask a cybersecurity expert about the chance of falling victim to a cyberattack and they’ll tell you there are two types of people out there: those who know they’ve been hacked and those who don’t know they’ve been hacked.
That’s becoming increasingly true for ultra-high-net-worth families, with one U.S. report saying 28% of people in this group have experienced a cyberattack. As attackers get more sophisticated, wealthy individuals become an even bigger target, says Larry Zelvin, Executive Vice President and Head of the Financial Crimes Unit at BMO Financial Group. People should stay informed on potential threats and invest in a well-resourced security team with the right technology.
While some attacks try to embarrass or harass people, or steal money from them, others may disrupt businesses and family offices because they have devices connected to the internet with security vulnerabilities that have now been compromised, says Zelvin. Criminal groups and hacktivists also target ultra-high-net-worth families because they have issues with a cause that an individual or the corporation they’re tied to supports.
Few have Zelvin’s credentials in this space. The former U.S Naval Officer and Aviator once held several positions in the U.S. Government including Director of the National Cybersecurity and Communications Integration Center for the U.S. Department of Homeland Security, Senior Director for Response for the National Security Council, The White House and Director, Homeland Defense Integration, Office of the Secretary of Defense, The Pentagon. He sat down for a wide-ranging conversation about the many online risks ultra-high-net-worth families face and how to defend against them.
Are high-net-worth individuals more likely to be targeted by ransomware?
Simply put, ultra-high-net-worth (UHNW) individuals have money that bad actors think they can steal using well tested and proven techniques. For example, UHNW individuals may be more susceptible to intimidation; many don’t want to have the publicity and/or the public/private embarrassment of being taken over by a cyber actor. In some cases, the bad actors will use physical extortion in combination with their cyber threats. They will send flowers and candy to homes just to let them know they know where you live and perhaps send a message to the home that they’ve had a cyber attack. Unfortunately, in may instances, individuals or families may not report attacks to authorities in a way that they should have to avoid scrutiny or publicity.
Since many attacks go underreported, in your experience, how many high-net-worth individuals or family offices have been victimized by a ransomware attack?
It’s impossible to tell for sure. However, I’ve had the privilege of talking to ultra-high-net-worth clients around the globe. Every time I’ve talked to them, almost everyone has a story and want to share the cyber attacks they’ve experienced. That doesn’t happen with other groups I speak to.
And what would you say to someone who’s concerned about being targeted by a ransomware attack?
The first thing is to understand the importance of the data and keeping it safe. If you have something that’s important to you, like financial information or family photographs, keep them protected by using things like cloud or external storage which isn’t as susceptible to ransomware attacks. If you are keeping something on your devices that would be embarrassing to you in any way, wipe the data and make sure it is truly deleted as too often ransomware groups will leverage these types of information to push you even harder to pay them.
Reputable law firms remain a good source of advice on how to defend and respond to ransomware attacks, as they deal with these sorts of issues for their clients all the time. That said, make sure you do your research on who’s advising you on security issues as the industry has more than a few organizations that aren’t quite up to the task, particularly when it comes to advising high net worth and ultra high net worth individuals and families.
These are not ethical actors. If you are targeted by a ransomware attack, are you going to get your information back if you pay the ransom?
One, there’s no guarantee you’re getting it back. Second, in many cases, the price goes up once they know you can pay and you could also be targeted again as you’re seen as someone that pays. One of the considerations you have to watch for, particularly in the U.S. and in other countries, is if you pay ransom to a country or an individual that is sanctioned by the U.S. government, and the government finds out, you could face criminal prosecution. Consulting an experienced attorney before or immediately after an attack is always a wise move.
What are some things you can do to protect yourself from a ransomware attack?
The biggest thing I tell folks is to slow down. The number one way people are getting ransomware attacks is by clicking on links and opening attachments without really thinking about the risks. You also have to update your software on not only your devices but also on the applications you’re running as unpatched vulnerabilities are often exploited. Also be very weary of anyone who is asking for your username, password, or One Time Password/Passcode (OTP). You should never give those out to anyone.
You’ve got to watch your presence on social media, because that’s how they are targeting you as an individual. How do you look publicly on social media? You’ve got to be careful but also be aware of unintended exposure. High-net-worth individuals and families need to Google themselves every now and again, maybe once a month. For example, you may be a board director of a non-profit or for-profit someone has a grievance with. They could be targeting you as a leader of that organization. Philanthropy announcements can be also be problematic in that they highlight you as someone with wealth and perhaps a passion, which could be used to better entice you into a fraud scheme.
Most people know about the risk of opening an infected attachment in an email. What are some of the other ways computers get infected?
There are a number of gaming sites that kids use that have malware; same goes for adult content sites. Applications for unreputable sites are often laden with malicious software, or “malware”. To defend against these vulnerabilities, some high net and ultra high net worth people will have one device (laptop or tablet) that they strictly use for managing their finances. They don’t use this device for anything else – checking email, browsing the web, or checking sports scores, for example. This technique will give you the least probability of clicking on a link or a website or opening and email with an attachment that could infect your computer.
Criminals have been using robots and automation to sniff out vulnerabilities for years, but that was before artificial intelligence (AI) became more accessible. Is AI going to open up another battlefront for cybercrime?
It absolutely is. The thing about AI, in particular, is it’s going to make it easier for people who are not necessarily very technical, who don’t have a lot of skills in doing malicious attacks, to do so with ease, at extraordinary speed, and with great competence.
AI can mimic your voice and image. How long before we start to see those types of attacks?
We’re already there – the cyber industry term is called “Deep Fake.” If you have a video on the internet or if you have your voice on the internet, it takes a team who has never done this before about four or five hours to make a very credible video or voice representation of you that can fool even your closest family member.
Is there anything to guard against that?
As “Deep Fakes” become more prevalent, we’re going to have to come up both technical and non-technical security solutions which don’t exists today. At the moment, the best defense is personal code words that are only shared with trusted bankers and family members that can’t be found on the internet. These code words would be a final check to validate that your image and/or voice is actually you while conducting person-to-person financial transactions. I’ve talked to some high-net-worth individuals and they are already using trusted code words who say that this approach gives them a much greater sense of security.
What can else can BMO do to help private wealth clients against cyber and other security threats?
BMO has a section on our website that highlights the latest techniques and methodologies attackers are using with industry best practice recommendations to help individuals and organizations think through how they can stay best protected against security threats.
While all this is a bit scary and concerning, at the end of the day, you’ve got to go live and enjoy your life. You’ve just got to be careful and think about what you’re doing and how you’re doing it as there are, and always will be, people who will want to take advantage of you and your money.
