Top of main content
Shadow of a person walking.

Family offices need to stay cyber-vigilant in this fast-changing world

Family office

Family offices need to stay cyber-vigilant in this fast-changing world

Jul 28, 2020

In order to protect data, identities and wealth, cybersecurity should always be a top priority for family offices and the families they represent. Because the need for vigilance is heightened in these unusual times, we have broken down the tried and tested ways to combat scams and attacks, from technology fixes to awareness and education.

Wealthy individuals' high visibility and public profile can make them a prime target for cyber criminals – with easy access to their personal details making fraudsters' social engineering efforts both easier to carry out and more convincing.

Potential pay-outs for scammers can be achieved by obtaining sensitive data about investments, or through ransomware attacks, where cyber criminals hold sensitive information and attempt to blackmail individuals or family offices. With valuable reputations often at stake, family office cybersecurity practices need special care.

New cyber risks

Primary dangers for family offices include employees who are now working from home, using potentially insecure wi-fi networks or devices with weak passwords. Additionally, organisations may be using new programmes and online systems to file-share or video conference, without the knowledge of how to keep data safe, or reduce vulnerability to attacks.

Much cyber fraud depends on an individual clicking a malicious link that allows the criminals access to information or systems. As such, fraudsters are taking advantage of legitimate fears around health and finances to help sell their scams and encourage people to click links or enter personal details. Other have posed as business partners updating clients on new banking processes due to the pandemic.

Hacks and scams

There are two main lines of attack for cyber criminals: hacks and scams. A hack tries to gain access to a protected system in order to control or manipulate it or steal sensitive data. These are the more technologically advanced cyber-attacks.

High profile cases, such as the recent ransomware attack on Grubman Shire Meiselas and Sacks, a New York law firm with a roster of A-list clients, shows the vulnerability of data. A USD21 million ransom demand quickly doubled in value as the criminals threatened to leak sensitive data about the firm's celebrity clients.1

Scams tend to use information to try to trick data or cash out of people and companies. Social engineering, meanwhile, gathers data on individuals or firms to set convincing traps and deceive individuals or companies into handing over information or even paying money into their accounts.

The right tools for the job

A robust cybersecurity system has to employ tried, tested and verified processes and software, and then teach all employees how to use them effectively. In response to a growing level of cyber-criminal activity, the FBI has created guidance on how to prepare, protect and respond to threats, including ransomware.2

Whether at home or in the office, there are key tools and procedures that can help:

  • Keep all computer software and devices updated.
  • Use secure connections to transmit all information.
  • Communicate important financial information such as sort codes and account numbers by phone.
  • Consider using an encrypted email system or a password manager. Use two-step verification whenever it's available.
  • Make sure any smart devices are password protected and also have two-step verification enabled.
Awareness and vigilance

There are a number of tactics that family offices and their clients can introduce to support the security systems in place to protect them. The first step is to be prepared:
  • Staff should have ongoing training on new and existing threats as well as how to prevent and detect them.
  • Passwords should be strong and backed up by multifactor authentication. Firms should also employ administrator rights to ensure that data is only available to people who need to access it.
  • All family offices should test their IT environment for weaknesses and use in-house or outsourced monitoring to detect any unusual behaviour. A security specialist can be an extremely useful advisor.
  • Back-up to a secure, independent network. In the event that data is held to ransom with the threat of deletion or corruption or denial of service, your data can be restored and used to maintain operations.
Setting up strong protocols
Antivirus and firewalls will offer a degree of protection, but not against all malicious intentions. To combat fraud and particularly sophisticated social engineering, there has to be a security process in place.
  • Thoroughly scrutinise investment opportunities, offers of tax rebates, and official-looking emails that talk about government relief programmes. Where possible, try not to follow links in emails.
  • Family offices should be sure that they have up-to-date contact information for all clients. Consider using a password for future checks or updates to verify authenticity.
  • Always independently verify bank account details. For example, directly call the client to verify an emailed change, using the number on file, not the number in the email. If in doubt, ask to transfer or be transferred a nominal amount – less than a dollar – to ensure it reaches the right account.
For more information on how we can help protect you, your family or your business, contact your Relationship Manager.



The information on this site refers to services or products which are not available in certain locations, or which, in any relevant location, may have components, methods, structures and terms different from the ones described, as well as restrictions on client eligibility. Please contact a Relationship Manager for details of services and products that may be available to you.

The use of the label ‘HSBC Private Banking’, ‘HSBC Private Bank’, ‘we’, or ‘us’ refers to HSBC’s worldwide private banking business, and is not indicative of any legal entity or relationship.

This information is entirely qualified by reference to the terms and conditions of the specific service, if any, provided by the relevant HSBC company.

Nothing here is to be deemed an offer, solicitation, endorsement, or recommendation to buy or sell any general or specific product, service or security and should not be considered to constitute investment advice.

Please note that HSBC Private Banking does not provide Legal and Tax Advice.

Before proceeding, please refer to the full Disclaimer and the Terms and Conditions.
Listening to what you have to say about services matters to us. It's easy to share your ideas, stay informed and join the conversation.