Family Ties: How Hackers Target the Personal Lives of Board Members

Hackers are constantly on the hunt for new corporate victims. However, as companies get better at securing their networks, many threat actors are bypassing these defenses by conducting highly targeted personal attacks on key company personnel — where protections are typically more lax.

Board members are an ideal target for these attacks because they have high levels of access to company information, frequently serve on multiple companies (creating a sort of “human supply chain”) and their authority figure status is a perfect opportunity for downstream phishing attacks on other company executives and employees — known as business email compromise (BEC), which is one of the costliest types of fraud, according to federal crime data.

Since one successful attack on a board member can result in extensive access and opportunity for the cybercriminal — and not just at one company but at multiple organizations — board members cannot afford to be under-protected. This issue becomes even more important with new SEC regulations, which require greater oversight by board members of cybersecurity risks.

3 areas where hackers are most likely to strike

Board members can be targeted by hackers in any number of ways, but what we typically see in these cases are three main types of attacks:

Breached personal accounts

The average person has dozens of online accounts, and board members are no exception. The sheer number of these personal accounts (including email, social media, online shopping, streaming, airline miles, etc.) creates an enormous online attack surface that hackers can exploit much more easily than a business network.

What do hackers want with non-work accounts? Cybercriminals can use personal accounts to harvest many types of sensitive information, leapfrog to other accounts (including work accounts) and stage attacks on the victim’s contacts, including their colleagues.

One of the most valuable personal accounts is email. If a hacker can compromise a board member’s private email, they can use it to impersonate them in order to launch phishing attacks on other employees. Due to the board member’s high status, these attacks can be extremely effective at soliciting sensitive company files and information, tricking employees into wiring funds to accounts controlled by the criminal or persuading the IT team into sharing or resetting the board member’s network passwords, thereby giving the hacker direct access to highly sensitive corporate systems.

Hackers will also use personal email accounts to hunt for any stored files or other sensitive information that may have been shared by the company. That means a hacker can pull off a significant corporate data breach without ever having to break into the actual business network.

Sensitive personal information, files and correspondence can also be used for blackmail and extortion. Document extortion, in particular, is a growing threat, as hackers will hunt for specific types of embarrassing personal information, such as tax documents, pictures and divorce papers, which they can use to demand large payoffs.

Most personal accounts are poorly protected due to weak passwords and the lack of multi-factor authentication. This makes them vulnerable to attack. To make matters worse, there is a huge criminal marketplace for stolen passwords (estimated at 24 billion), which means the hacker can often walk right in through the front door, so to speak. In our own research, we’ve found that 69% of executives have had passwords leaked online.

Home network intrusions

Most home networks are extremely easy to hack, and this is especially true for board members. While it may seem counterintuitive, the more expensive the home, the more likely it is to have significant vulnerabilities just waiting to be exploited.

This is because wealthier individuals tend to incorporate a lot of smart technologies in their homes, including home automation and camera systems. While these systems are top-of-the-line, they are usually not secured correctly by the integrator or patched regularly, which leads to weaknesses and vulnerabilities.

In other instances, Internet of Things devices abound inside homes (e.g., TVs, speakers, thermostats, DIY cameras, etc.). While these devices are called smart, they’re often pretty simplistic when it comes to cybersecurity, and most have advanced controls like dual-factor authentication turned off by default. Most of these devices also have the problem of leaving privacy and security up to the homeowner and having the controls or options require deeper cybersecurity know-how.

Wi-Fi routers are also major risk vectors. If this device has a default password or any unpatched vulnerabilities, a hacker can gain full access to the home network. Once inside the home network, a hacker can “sniff” the Wi-Fi traffic to look for unencrypted information, pivot to other devices in the home like laptops and printers, eavesdrop on sensitive phone calls, spy on the person and their family through connected cameras and even pose physical threats, such as disabling alarm systems and door locks.

Quite often, the only real challenge to hacking a home network is figuring out the right one to target. This is why a board member’s personal IP address is sensitive information that needs to be protected. If a hacker can find this information, they can then run a “port scanning” attack on that IP range to hunt for vulnerable devices that can be exploited. Our research has found that 40% of board members and executives have home IP addresses listed in various data broker websites, where almost anyone can access them.

Targeted family members

Another pathway into the board member’s accounts and, ultimately, the company, is through targeted attacks on family members. These attacks are becoming increasingly common against high-net-worth individuals.

Hackers can find a person’s family members through open-source intelligence research, such as searching through social media posts or public bios, or by simply buying the information directly from a data broker. Last year, we found that 95% of board members and executives (out of the 1,000 we analyzed) had confidential personal and family information for sale on these websites. These same sites also sell the person’s contact information, including phone, email and social media, making it easy for a hacker to target them.

All it takes is one hijacked messaging account from a spouse or child to trick a board member into clicking on a link or sharing information that can lead to a serious breach. Some criminal actors are going even further with these attacks by targeting family members with extortion (including sextortion) and virtual kidnapping in order to extort board members.

Defending against targeted attacks

The best way to prevent targeted personal attacks is to reduce the board member’s personal attack surface. This involves removing sensitive information from the web and hardening devices and online accounts.

Personal information exposure by data brokers is one of the most overlooked problems in executive cybersecurity today. It is absolutely critical for board members to have this information removed. This is not an easy task, since there are hundreds of data brokers out there.

Board members should also take several basic steps to protect their personal devices, home network, IoT devices and online accounts. This includes changing all default passwords to strong, unique passwords and adding dual-factor authentication whenever possible. All devices should also be kept up to date with the latest software, firmware and security patches. It’s also important to have robust anti-malware on all devices and a firewall on the network to protect these devices.

Since IoT devices can be a gateway for hackers, they should be kept off the main Wi-Fi network and moved to a guest network.

Board members should also have contingency planning in place for when — not if — they are attacked. To this end, it’s critical for all sensitive files and information to be kept encrypted and to have data backups in place that are kept off the home network, such as external hard drives or cloud-based backups.

Lastly, board members should conduct regular security assessments of their home network, devices and online accounts to ensure they are properly protected lest the companies they serve on need to disclose a material cybersecurity risk involving their personal lives.