Cybersecurity Best Practices for High Net Worth Individuals
Cybercrime threats, including email compromises, confidence schemes, ransomware, and identity theft are on the rise as cybercriminals continue to target individuals – particularly high net worth individuals – and their assets. Therefore, it is important to consider steps that can reduce the likelihood of falling victim to these types of crimes. And because no cybersecurity measures are foolproof, there are a few best practices to keep in mind when responding to incidents that can’t be prevented.
In this episode of the Choate Family Office Podcast Series, Choate Wealth Management Group co-chairs Kristin Abati and Brian Monnich are joined by Adam Bookbinder, a partner in Choate's Government Enforcement & Compliance Group and former Assistant U.S. Attorney for the District of Massachusetts and chief of its Cybercrime Unit, to discuss best practices for managing cybersecurity risks.
Welcome to the Choate Family Office Podcast Series. On this show, we explore important topics related to wealth management, investing, and managing risk across generations.
Brian Monnich: Welcome everybody. Thanks for tuning in. I am Brian Monnich, one of the practice group leaders at Choate’s Wealth Management Group. I am here with my co-practice group leader, Kristin Abati, and we are also here with our partner, Adam Bookbinder. So, we’re talking today about cybersecurity and in particular, ways to protect yourself from identity theft and similar crimes. Kristin, do you mind introducing Adam in a little more detail?
Kristin Abati: Yeah, I would be honored to. Adam is a member of our Government Enforcement Group and advises clients on cybersecurity, data privacy and fraud protection. Before joining Choate, Adam spent nearly 20 years in the U.S. Attorney’s Office working in Massachusetts and at the national level, investigating and prosecuting cybercrimes.
BM: So, thanks for joining this podcast, Adam. I really appreciate it. Can you just tell us a little bit about what you’re seeing in this phase as it relates to our high net worth clients?
Adam Bookbinder: Absolutely Brian. So what I think we’ll talk about are some of the kinds of crimes that are targeting high net worth individuals, give some examples of those and then talk a little bit about what someone can do if they are victimized from one of these. And the final thing we will spend a little time on are identity and cybersecurity measures that everyone should be considering to try to prevent these kinds of things from happening in the first place.
KA: Can you give us some examples of the types of crime our clients, our high net worth clients in particular, you are seeing that they are being the victims of maybe more frequently?
AB: The first thing that comes to mind, and I have seen this with wealth management clients, is email compromise fraud. What that means is someone’s email account gets taken over by a bad guy. It could be the individual’s account or it could be a vendor of theirs -- maybe someone they do business with, an accountant, a realtor or someone like that and the bad guys will be in the email account, they will be looking at what emails are going back and forth, they will see that there is some kind of a financial event coming up, some kind of a wire transfer, maybe a deal or transaction happening. Then they will take that legitimate email string and they will hijack it essentially. They will jump onto it. They will send an email purporting to be from either, it could be the individual, or again, their vendor who they are dealing with, and what they often do is they will ask for the instructions for an upcoming wire transfer to be changed. So, instead of using the bank account, the legitimate bank account that the money is supposed to go to, they will say hey, you know we’ve had a change. We are using a new bank now. Please send your wire to this account. They will pretend to be the person who is supposed to be the recipient, and it looks legitimate, it’s in a regular email string and those are very successful. Money gets wired to a fraud account at a legitimate U.S. bank but almost immediately it is moved out of that account to a foreign bank and before anybody realizes that the money didn’t go where it was supposed to, it’s gone and out of the country.
So, that’s one thing we have seen a lot of targeting this particular population. The other thing is something that affects all groups but this one as well is ransomware. That can affect obviously huge businesses but also individuals and small offices, for example, like family offices. If ransomware ends up on your system, it can lock up all of the data, make it totally inaccessible so if you are an individual, you can lose your personal records, you can lose photos. If you are a family office, it can completely cripple the operation and paying the ransom to try to get your data back can be (1) expensive and (2) very uncertain as to whether it is going to work and whether you are ultimately going to get back what you lost. And then the final area that I will focus on particularly for this group of individuals is identity theft. People who are high net worth are particular targets. They have good credit. They have access to all kinds of financial facilities and so people will take their identity information, use it to open credit accounts, to file tax returns that are false, to file unemployment claims, all kinds of things like that.
BM: Adam, that is really helpful and I think Kristin would agree we have seen both in our personal lives and from our clients -- examples of all of those types of crimes. So, they are frustrating, concerning, and annoying to deal with. In one case we actually had a client who was a victim of someone taking over their email account to falsify a Choate invoice. We were able to solve that but the taking over of the email account isn’t limited to just changing wire instructions. So, we have seen that take on different manifestations in different ways through our clients’ experiences.
KA: I had my identity stolen to the extent where all my mail was changed to a different address and subsequently I had other clients report to me that the same thing happened to them. So, it can, you know, it can be quite disruptive if you are not on top of things and maybe this is the right time to ask Adam how does one protect yourself from these things? What does one do if it happens to you?
AB: The first thing I would say is if you’ve got counsel, you have a lawyer that you work with, call them. They could be helpful in not necessarily solving all your problems but having you think about it the right way and pointing you to the right experts you are going to need. In particular, you are probably going to need technical experts. It depends on the kind of crime, but if you are hit with ransomware, you are definitely going to need someone who can help you with that on the technical side. The same thing on these email accounts. If someone is in your email account, whether you are an individual or whether you are say a family office or some other kind of business, you need someone to come in to figure out what these bad guys have gotten access to, what they have done and how to get them out and keep them out. So, you are going to need some help there but who you get, what the right expert is, is going to vary depending on your situation and depending on what’s happened to you. So again, your counsel should be able to help you and direct you in the right place there. The other thing to keep in mind is that law enforcement sometimes can be helpful. Particularly in the email compromise fraud. If it does involve, for example, wire transfer that’s happened and you’ve now transferred you know $50,000, $400,000, whatever the amount is to a fraud account, if you can get to the FBI within a day, two, maybe three, oftentimes those wires can actually be reversed but you need law enforcement help with that. So, it’s worth pursuing that as quickly as possible. They also may be able to identify who it is that did this and potentially prosecute them which is certainly worth doing and also again may help you get your money back.
BM: Well, it’s good to hear that there could be some ways to cover damages that might come out of these cybercrimes but maybe shifting to prevention Adam. Could you just give some tips on how you might take some steps to avoid being subject to these crimes in the first place?
AB: The first place to start there is with passwords. The root of so many cybercrimes and so many identity thefts and things are with people using really sloppy password practices. Try to be thoughtful about it. For example, don’t reuse your passwords. Hackers know that. They know people reuse passwords and they are going to try them, and they do try them. This happens all the time in all other kinds of accounts and it is not okay if you use the same root to your password and just put a different number at the end for each of your accounts. That is not being secure. You know, the other thing is things that people can find on social media. So you might think it’s clever to use -- you know if your cat’s name is Fluffy then your password could be Fluffy1, Fluffy2, Fluffy3. Whatever. But if your Facebook page has pictures of your cat and says, oh here’s my cat Fluffy. Again, anyone out there focused on you at all is going to know that and that’s the first password they are going to try to guess. On the other hand, if you are going to use different passwords for each of your accounts and they are going to have some level of complexity to them, then you can’t possibly remember them all so you are going to have to write them down in some fashion. The thing I would say here is you have got to store them securely then. Right. Don’t put them on post-its in your office and leave them sitting around, and don’t store them in a document called passwords right on your desktop of your unencrypted home computer. Right. Store them somewhere that’s secure or there is an alternative which is using what is called the password manager. That is a kind of software that a bunch of different companies offer. You pay for it -- a couple of dollars a month -- and basically what they do is you have one very complex password for your password manager account and it in turn then knows and controls access to all of your other accounts. It can be very helpful.
You don’t have to remember a million different passwords. Just one and that can be very complex. That can be a solution for people that is worth considering as well.
BM: Do you have a recommendation as to whether the more old-fashioned method of just writing it on a piece of paper that you keep in your vault or in some secure place in your home is better than the password manager solution?
AB: Well, you know, listen. Sure if you have it, you know, you have it on a piece of paper that is kept somewhere that is secure that no one that you would worry about has access to it, that can be great. Of course, you are not always going to have that with you though is the challenge, right? And if you’ve got, you know, you’ve got a phone, and you’ve got an iPad, you’ve got a work computer, a home computer, all those things and let’s assume we are in a time when we are not all sitting in our homes to work, that’s the problem with having it on a piece of paper. It’s not always where you want it. If you have it on a, you know, if you use a password manager, for example, you can then access it on all your different devices at any time so that would be an advantage to that.
The other thing people really need to do is use multifactor authentication on their email accounts so you’ve got a Gmail account that you use, or Hotmail or whatever, there is a function built in where you can have two-factor authentication and that means that if you try to access or someone else tries to access that account from a new computer, a new IP address, a phone that hasn’t done it before, it will send a text or a message of some kind to your phone. You have to authorize that. These days it’s not intrusive and it’s a really good protection against a lot of these things.
Next step, wire transfers. This is just a classic one. If you are in some kind of business and you get direction to change wire transfer locations, send money to a new place, confirm it with a phone call; do not rely on email for wire transfer directions. To protect from ransomware, make sure you’ve got everything you really value on your computer backed up somewhere else. If you are an individual, that’s important. If you are a business -- a small business -- again, you have to have backups that are separate and segmented from your network so you don’t lose all that data if it is locked up. A couple of other tips -- be careful of public WiFi. If you are in the airport, you are on a plane, you need to assume that anything you do can be picked up by someone else. If you are not using a VPN (virtual private network), maybe your business has one, you could set them up individually if you want, then your traffic is encrypted and it can’t be seen. If you are not doing that, anything you do on public WiFi is accessible. Don’t buy things. Don’t do financial transactions.
The last piece is to really consider, if you’ve been the victim of identity theft or if you are concerned about it, freezing your credit. It can be done through the three credit agencies -- Experian, Equifax, and TransUnion. The Federal Trade Commission (FTC) has a page on it on their website which is a great resource if you go to the FTC website and look up credit freeze. It’s fairly easy to do it, and it means that no one can open a credit account in your name. They can’t get a credit card, they can’t buy a car in your name. Those things happen. If that does happen to you, it is a tremendous mess to unwind. If you freeze your credit, no one can do that. It means that you have to unfreeze it in order to do those things yourself but that’s fairly easy and quick to do and it’s worth considering.
KA: So Adam, on that point about freezing credit, I can just say that I personally have done that and it is really, really a wonderful protection. I also want to say a couple of things that you haven’t mentioned, Adam, but are maybe lower-hanging fruit that actually does happen to our clients quite a lot: phone calls out of the blue from someone claiming to be the IRS -- you owe us $20,000; someone claiming to be from the Social Security Administration -- you are about to lose your benefits; someone calling from a bank that our client may or may not have a credit card with claiming there’s some problem and they need personal information from the client. Those are maybe lower, as I say low-hanging fruit -- maybe things that are obvious you shouldn’t respond to those calls out of the blue but maybe you the expert, Adam, can tell us and all our clients really don’t give out your information if you get inquiries like that?
AB: That’s absolutely right and it is sometimes hard to know these days. Credit card companies are good if they pick up fraud on your account. They will call you or send you an email. So, sometimes that can be legitimate. You have to be thoughtful about it, but absolutely, if you get a -- typically that will come by an electronic message, an email from the credit card company asking you to call them, be very suspicious about any actual phone call you get out of the blue where the person then asks for your information. If someone is actually alerting you to a problem, they are not going to need any information from you. So, if you get a call and someone is asking you to give them information or to pay them money, it is most likely a fraud and those are rampant right now.
BM: Well, this is great Adam. Thanks for all of your time and talking to us today about cybersecurity risks for high net worth individuals. We are lucky that we have you as a resource on these issues.
The information provided in this recording is for informational purposes only. While Choate and Choate Investment Advisors make every attempt to present accurate information, the information on this recording may not be appropriate for your specific circumstances and it may become outdated over time. The views expressed on this podcast should not be construed as advice for your given situation. If you have questions about your specific situation you should consult your attorney for legal advice and you should consult your financial advisor. Moreover, Choate Investment Advisors may decide to select investments on a different basis at any time and without prior notice. Finally, as everyone should know, past performance is not a guarantee of future performance.