Can You Afford to Ignore the Risk of Cyber-Fraud in Your Family Office?
This blog post was originally published on August 24, 2018. It was updated October 14, 2021.
Many think a smaller office with fewer employees makes it easier to monitor and control fraud. However, the fewer the employees, the harder it can become to maintain effective controls, because there are fewer people among whom to divide duties.
According to the Association of Certified Fraud Examiners (ACFE) 2020 Report to the Nations, small businesses are twice as likely to experience billing fraud and payroll fraud, and four times more likely to suffer fraud loss related to check and payment tampering. Moreover, businesses with fewer than 100 employees had the highest median loss from fraud incidents at $150,000.
Family offices are no different. Like other small operations, they tend to lack policies and procedures for preventing fraud.
Taking steps to implement internal controls and minimize the opportunity for fraud through segregation of duties can help limit the chance that your family wealth will be stolen by a trusted employee. Reebok founder Paul Fireman learned that lesson the hard way when he discovered that his long-time, trusted employee and money manager, Arnold Mullen, had embezzled $25 million systematically over almost 20 years.
But even if you put controls in place and segregate duties, your family wealth is still at risk.
The risk of loss from the outside, through cyber-fraud, is growing at a dramatic pace.
Cybercrime is one of the fastest growing types of criminal activity in the U.S. Cybercriminals are targeting the financial accounts of owners and employees of small and medium-sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts. Your family office may represent a lucrative target for these fraudsters. Often these funds may not be recovered.
How it’s done
To obtain access to financial accounts, cybercriminals target employees – often senior executives or accounting personnel – and the targeted individuals unknowingly install malicious software (a “virus” or “malware”) that steals their personal information and log-in credentials. Once an online bank account is compromised, the attacker can initiate ACH or wire transfers to the bank accounts of associates within the U.S., or wire the funds directly overseas.
To obtain a business’s legitimate banking credentials, cybercriminals use many different methods. They might mimic a financial institution’s website, or use malware and viruses to compromise the business’s systems. Your family office’s systems may be compromised by an infected document attached to an email, by employees visiting legitimate websites – especially social networking sites – and clicking on infected documents, videos, or photos posted there, or by an employee using a flash drive that was infected on another computer.
One popular method sends a fake email that connects to an infected website. For example, a fake email from UPS might say “There has been a problem with your shipment.” A fake email from the Better Business Bureau could say “A complaint has been filed against you.” A fake email from a court system could say “You have been served a subpoena.”
How to protect yourself
There are several important steps to take, if you want to protect your family’s holdings.
First, you should enhance the security of your computer and networks. Consider these steps:
- Install and maintain real-time anti-virus and anti-spyware software, a desktop firewall, and malware detection and removal software. Use these tools regularly to scan your computer. Allow for automatic updates and scheduled scans.
- Install routers and firewalls to prevent unauthorized access to your computer or network.
- Perform IT security evaluations periodically.
Second, you should enhance the security of your corporate banking processes and protocols. Discuss the options offered by your financial institution to help detect or prevent unauthorized payments or changes to your accounts. At a minimum, consider these changes in your own operation:
- Dedicate one highly secured computer exclusively to online banking and cash management activity.
- Avoid performing online banking and cash management activities in Wi-Fi hotspots, including airports or internet cafes.
- Require dual control to initiate wire and ACH transfers – for example, file creation by one employee and file approval and release by another employee on a different computer with a different user ID.
- Review accounts regularly to quickly detect unauthorized activity. This allows you and the financial institution to take action to prevent or minimize losses.
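The dual-control rule for wire and ACH transfers and the regular account review described above, as an added example that is not part of the original post: a hypothetical check, with constructed sample data, that rejects a transfer file unless a different employee approved it on a different workstation under a different user ID, and that flags outgoing transfers on a bank statement that have no properly controlled internal request behind them.

```python
from dataclasses import dataclass

@dataclass
class TransferRequest:
    """One wire/ACH file: who created it and who approved/released it."""
    ref: str
    amount: float
    creator: str          # employee user ID that created the file
    creator_host: str     # workstation it was created on
    approver: str = ""    # employee user ID that approved and released it
    approver_host: str = ""

def dual_control_violations(req: TransferRequest) -> list[str]:
    """Reasons the request breaks the dual-control rule; empty list means OK."""
    problems = []
    if not req.approver:
        problems.append("no approval recorded")
    elif req.approver == req.creator:
        problems.append("creator and approver are the same user ID")
    if req.approver and req.approver_host == req.creator_host:
        problems.append("created and approved on the same workstation")
    return problems

def review_statement(statement, requests):
    """Flag outgoing transfers on the bank statement that lack a matching,
    properly dual-controlled internal request (amount must agree too)."""
    flagged = []
    for ref, amount in statement:
        req = requests.get(ref)
        if req is None:
            flagged.append(f"{ref}: no internal request on file")
        elif dual_control_violations(req):
            flagged.append(f"{ref}: " + "; ".join(dual_control_violations(req)))
        elif abs(req.amount - amount) > 0.005:
            flagged.append(f"{ref}: amount mismatch ({req.amount} vs {amount})")
    return flagged

# Constructed sample data (hypothetical employees, hosts and references).
REQUESTS = {
    "W-1001": TransferRequest("W-1001", 12500.0, "alice", "PC-FIN-01", "bob", "PC-FIN-02"),
    "W-1002": TransferRequest("W-1002", 48000.0, "alice", "PC-FIN-01", "alice", "PC-FIN-01"),
    "W-1003": TransferRequest("W-1003", 9900.0, "carol", "PC-FIN-03"),
}
STATEMENT = [("W-1001", 12500.0), ("W-1002", 48000.0),
             ("W-1003", 9900.0), ("W-1004", 31000.0)]

if __name__ == "__main__":
    for line in review_statement(STATEMENT, REQUESTS):
        print("FLAG", line)
```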
Consider external solutions
Many high-net-worth families hire trusted employees to take care of the day-to-day details. In a small office, family members may have to get more involved in implementing and assessing controls. Alternatively, a family could hire an independent accounting firm with expertise in family office management. Selecting a qualified firm to perform a control analysis, take on specific administration and management duties, and perform surprise internal control reviews can help guard against internal fraud and provide significant peace of mind.
But with the growing risk of fraud from the outside – cyber-fraud – external assistance becomes even more essential. The processes and tools that cybersecurity professionals can employ to protect you are complex and always evolving. For example, we often recommend starting with PhishNet by Kaufman Rossin®, a proven way to test and train employees on recognizing cyber risks. By enhancing your defense against phishing and other social engineering attacks, you’ll be better positioned to protect your organization.
We recognize that your family office isn’t an ordinary small business. In fact, it’s a very tempting target for a very sophisticated type of criminal. Can you afford to ignore the growing risk?
Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
Todd Kesterson, CPA, is a Family Office Services Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.