Family office insights this week:
Family office cybersecurity risks
From shirtsleeves to shirtsleeves in 11 languages
A contrarian view on generational wealth
BlackRock on trends in retirement and wealth management
What it’s really like to win the lottery
Books: can charisma be learned?

Cyber Security Horror Stories
How family offices became prime targets for cyber attacks

The 2025 Citi Global Family Office Report found some worrying statistics around cybersecurity in family offices.
28% of family offices surveyed relied on third-party providers to maintain cybersecurity. But more alarmingly, 32% didn’t perform any cybersecurity measures at all.
This plays into a fallacy that many wealthy families still believe: that anonymity remains their best defense against malicious attacks.
That assumption, combined with the sector’s growing visibility and multi-trillion-dollar scale, has put family offices squarely on cybercriminals’ radar.
“Many family offices underestimate their attractiveness as targets,” says Stephan Gerwert, Head of Family Office Services at PwC Germany.
“There's a misconception that their relatively low public profile equates to lower risk. In reality, their wealth concentration and often limited internal IT infrastructure make them prime targets.”
And since many still haven’t suffered (or have failed to detect) harmful cyber attacks, they grossly underestimate the risks they face.
The anonymity illusion has contributed to an institutional overconfidence.
Founder and CEO of risk management and advisory firm Presage Global, Edward Marshall, says that while family offices excel at providing convenience for families, this can come at a cost.
Their ability to operate efficiently, with lean teams and heavy reliance on relationships, can potentially lead to ‘engineered vulnerabilities’, where operational excellence unintentionally opens an organization to attack.
“Many family offices knowingly, or unknowingly, trade security for convenience, creating a dangerous situation: enterprise-scale wealth with amateur-level risk management. Convenience is seductive but can make you a risk magnet.”
Common cyber attacks
So what should family offices be concerned about?
There’s obviously the concern of bad actors obtaining direct access to financial accounts and siphoning off funds, but there are other ways they can exploit finances, operations and team members.
Obtaining sensitive information and using this for extortion has become increasingly common, as criminals realize how they can leverage reputation concerns.
Acquiring personal contact information and using this to target relatives and connections through phishing is another popular approach.
And of course, social media abuse, through stalking or direct extortion, has become common.
One area that family offices might overlook is the risk created by small teams that have access to highly sensitive information. When it comes to human resources, background checks are essential, but continuous screening is frequently overlooked.
“You can have the best AI and security technology available,” says Marshall, “but if your staff aren't properly trained or don't practice crisis or incident response, all that technology won't save you.”
AI empowering bad actors
AI is widely used to prevent cyber attacks, but it’s also incredibly effective when employed by bad actors.
Deep fakes present a new set of challenges, but public AI tools also help criminals quickly gather intelligence for more effective phishing outreach and build lists of targets.
“AI enables threat actors to target families at scale with unprecedented ease,” says Marshall. “For instance, in NYC, while there's a large pool of wealthy families with varying public profiles, building targeted lists has become trivially easy with AI.”
He also notes that, beyond financial fraud, sophisticated AI systems can create and spread disinformation campaigns tailored to damage family reputations, manipulate investment decisions, or destabilize family relationships.
Presage Global is also seeing increasing exploitation at the estate management level, an area that is often overlooked within cybersecurity protocols, and where they are currently gathering information from family offices to improve this.
Holistic risk management
Cybersecurity is already highlighted as a leading concern in global family office reports, and PwC’s Gerwert expects this to increase even further as both financial and operational systems become more digital-focused.
“Cybersecurity is increasingly recognized as a core pillar of risk management, but it still competes with more traditional concerns like succession planning, tax, and investment risk. I expect cybersecurity to play a bigger role, especially as digital assets and remote operations grow.”
Like most things, prevention is better than cure, so what should families do now?
Marshall suggests families should focus on obtaining a comprehensive risk assessment before jumping into cybersecurity implementation.
He stresses that most families still lack basic cyber hygiene, training, policies, audits, and monitoring capabilities. Improving ‘risk literacy’ across the family can be a major force multiplier to proactively improve your cyber and other defenses.
Above all though, cybersecurity is just one area that fits within a broader risk management framework.
“True risk management for families isn't a checklist – it's part archaeology, psychology, and anthropology, among other disciplines,” says Marshall. “Families should work with professionals who can help them expect the unexpected across all the risk domains.”
Five real-world cybersecurity stories
Gone Phishing
A wealthy family member was browsing Safari when she received an alert that claimed the computer was hacked and her sensitive information was at risk, providing her with a support number to call.
She called the number, unknowingly getting in touch with bad actors, to whom she then gave remote control of her computer under the guise of stopping the hack. The security alert was a convincing social engineering scam designed to solicit personal information, swindle money, and spread malware.
As the bad actors “repaired” her computer, she left it unattended for several hours, enabling the hackers to conduct malicious acts on the home network and even penetrate the corporate network.
When BlackCloak were brought in to resolve the issue, they discovered that three malicious browser extensions had been downloaded. The hijacking software could monitor users’ browsing activity, eavesdrop on web activity, redirect users to malicious websites, and gather personal information.
Fake Data Room Invitations
A trusted boutique advisory firm suffered a mailbox compromise, which was then used to launch a targeted phishing attack.
The email was crafted to resemble a legitimate data room invitation, using Adobe Document Cloud to share a PDF with a download link, which made it appear entirely credible.
Despite dual-layer phishing protection (Microsoft Defender Plan 2 and CheckPoint Harmony Email), the message bypassed filters due to its sophistication and trusted origin.
A broader Hext Point security architecture in place proved effective, and while no accounts were compromised, the incident highlights the risks of password reuse and the value of proactive communication.
Social Media Stalker
Last month, a HNWI received a friendly message from a stranger online. Within days, it escalated to 20-30 tweets a day. The messages grew increasingly dark and unhinged, eventually escalating to threats.
The sender knew alarming amounts of personal information about the client's family—much of it publicly available due to the client’s professional visibility. The individual even created a new Instagram account and began posting baby photos of the client's young son.
Biscayne were brought in to uncover the perpetrator and bring them to justice, but the situation highlights how online detractors can exploit leaky mobile apps, social media platforms, and personal info from data aggregator sites to piece together a picture of the private lives of HNW families.
Social Media Slander
What began as a few hostile comments had evolved into a coordinated campaign of defamation. Multiple social media accounts, each appearing unrelated on the surface, were spreading false and damaging claims, manipulating images, and amplifying each other’s posts to create the illusion of widespread outrage.
Unlike many cases that involve physical stalking or direct threats, this situation was entirely digital. At least six anonymous accounts operated across four major social media platforms, each with its own fabricated persona and posting style. Some accounts posed as disgruntled customers, others as supposed “insiders,” while others masqueraded as members of the public. Together, they posted and reposted content designed to erode the client’s credibility and reputation.
Biscayne was brought in to resolve this malicious campaign, which was deliberate and persistent. Entirely online, it was driven by someone who knew the client’s digital footprint in unsettling detail.
Portfolio Companies Risk
To gain transparency about the cyber risks within a family office portfolio, PwC Germany were brought in to conduct a deep and dark web scan of 28 portfolio companies from a hacker’s perspective.
Their review identified a total of 64 threats, including vulnerabilities related to critical applications that, if exploited, could have led to business interruptions, the loss of intellectual property and data breaches.
These in turn could have resulted in business disruption and leakage of personally identifiable information. The threats were all addressed and enhanced cybersecurity protocols introduced, along with security training and an awareness campaign for staff.
Managing cybersecurity is now a defining test of how professionally a family office is run. The days of relying on privacy and discretion as protection are gone; resilience now demands structure, training, and constant vigilance.
Special thanks to Stephan Gerwert of PwC Germany and Edward Marshall of Presage Global for their insights and contributions to this piece.
-
𝕏 highlights
It’s interesting to tweet about people who take a contrarian view on generational wealth.
And this one got a LOT of people talking.
Simon Cowell (66) plans to leave no assets to his son
“I don’t believe in passing down from generation to generation.”
His $600 million net worth will go to children's or dog's charities
“I’m not too interested in money, but I don’t aim to have some pot of gold for my
— Mr Family Office (@MrFamilyOffice)
12:00 PM • Oct 29, 2025
Considerations for opening a family office.
Considerations when opening a family office
Julius Baer Family Barometer 2025
— Mr Family Office (@MrFamilyOffice)
3:10 PM • Oct 26, 2025
Advice for a new family office Executive Assistant.
What wouldn’t you advise an EA starting out at a family office?
— Mr Family Office (@MrFamilyOffice)
5:07 PM • Oct 28, 2025
And from shirtsleeves to shirtsleeves in 11 languages.
You could say there's a trend
🇯🇵 米から米へ三代で戻る
“From rice paddies to rice paddies in three generations”
🇨🇳 富不过三代
“Wealth does not last three generations”
🇮🇹 Dalle stalle alle stelle e ritorno
“From the stables to the stars and back again”
🇺🇸 From rags to riches
— Mr Family Office (@MrFamilyOffice)
4:12 PM • Oct 27, 2025
Where to work
Three family office industry job opportunities posted this week…
What to read
The Charisma Myth by Olivia Fox Cabane argues that charisma is not a gift, but something that can be learned through a mix of presence, power, and warmth. There is some fairly generic advice, but also some useful ideas around posture, mirroring, mindfulness, and visualization.

What to listen to
In this episode of the Masters in Business podcast from Bloomberg, BlackRock's head of retirement and US wealth, Jaime Magyera, discusses trends in retirement and wealth management and the rise of alternative investments.
What to watch
What it’s really like to win the lottery.
This TED talk looks at what happens when ordinary people win the lottery. Financial planner Matt Pitcher shares lessons from more than a decade of advising lotto winners, revealing how sudden wealth can unbalance life and spark consumerism, or create profound opportunities for meaning.
It includes a heartwarming story about a family who burned through their winnings in 18 months, but wouldn’t change a thing.
And finally…
There is so much more to write about cybersecurity in family offices, and we’ll be doing just that in early 2025, so watch this space.
Next week we’re sticking with the tech theme and looking at the family office services that can be replaced by AI.
Family Office Buzz will be back on Monday for all the best family office content of the week.
But that’s all for this week. Happy Halloween, go easy on the candy!




