Threat brief

Anatomy of a family-office wire fraud

It rarely starts with malware. It starts with an email — and ends with a wire that can't be recalled.

Securidigm · May 2026 · ~5 min read

Business-email compromise (BEC) is the single most expensive cyber threat to family offices, and it doesn't require sophisticated tooling. According to Deloitte, phishing was the entry point in 93% of family-office breaches. Here's how a typical one unfolds — and where it could have been stopped.

The attack, step by step

1. The foothold

A bookkeeper receives a convincing email — a fake Microsoft 365 login prompt, or a shared-document notice. They enter their password. If multi-factor authentication isn't enforced, the attacker now has the inbox.

2. The patient watch

The attacker doesn't act. For days or weeks they read mail, learning how the office talks about money: who approves wires, which counsel and which bank, how a real capital call or closing reads. They set quiet inbox rules to hide their own messages.

3. The insertion

A genuine transaction appears on the horizon — a property closing, a capital call, a vendor payment. The attacker strikes mid-thread, from the real inbox, with new wire instructions and a plausible reason ("our usual account is being audited; use this one for today"). The email is real. The account is theirs.

4. The wire

Staff, seeing a familiar sender and a real deal, send the funds. By the time anyone notices, the money has been moved through several accounts and is effectively gone. Domestic recalls have a narrow window; international wires rarely come back.

The email was legitimate. The relationship was legitimate. The only thing that was fake was the account number — and that's all it takes.

Why family offices specifically

Three things make them ideal targets: large, movable sums that travel by wire as a matter of routine; small teams without segregated finance controls or a second set of eyes; and a culture of trust and discretion that treats a partner's emailed instruction as good enough.

The one control that stops it

If you do one thing, do this: out-of-band callback verification on every payment instruction and every change to one. Before any wire goes out — or any account detail changes — someone calls the counterparty on a known, pre-verified phone number (never a number from the email) and confirms the details by voice. It is low-tech, mildly annoying, and it defeats the entire attack, because the attacker controls the inbox but not the phone line.
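The callback rule can be enforced as a release gate in the payment workflow. The sketch below is an added example, not Securidigm's code: the directory, names, numbers and accounts are constructed, and the requirement that a second person makes the call is an assumption drawn from the "second set of eyes" point above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed directory: contact details captured when the counterparty was
# onboarded, never updated from an email.
VERIFIED = {
    "Harbor Title LLC": {"phone": "+1 202 555 0143", "account": "4471882"},
}

@dataclass
class Callback:
    number_dialed: str
    confirmed_account: str
    verified_by: str

@dataclass
class WireRequest:
    counterparty: str
    account: str
    requested_by: str
    email_body: str
    callback: Optional[Callback] = None

def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)

def blocking_reasons(req: WireRequest) -> list:
    """Return the reasons a wire must be held; an empty list means release."""
    entry = VERIFIED.get(req.counterparty)
    if entry is None:
        return ["counterparty has no pre-verified phone number on file"]
    cb = req.callback
    if cb is None:
        return ["no callback recorded for this instruction"]
    reasons = []
    if _digits(cb.number_dialed) != _digits(entry["phone"]):
        in_email = _digits(cb.number_dialed) in _digits(req.email_body)
        source = "taken from the email" if in_email else "not on file"
        reasons.append(f"callback number {source}, not the pre-verified one")
    if _digits(cb.confirmed_account) != _digits(req.account):
        reasons.append("account confirmed by voice differs from the instruction")
    if cb.verified_by == req.requested_by:  # assumption: second person required
        reasons.append("callback made by the requester; needs a second person")
    return reasons

# Constructed scenario mirroring step 3: new account and a phone number in the email.
EMAIL = "Our usual account is being audited; use 9930021 today. Questions: 202-555-0199."
spoofed = WireRequest("Harbor Title LLC", "9930021", "bookkeeper", EMAIL,
                      Callback("202-555-0199", "9930021", "controller"))
genuine = WireRequest("Harbor Title LLC", "4471882", "bookkeeper", "Closing Friday.",
                      Callback("+1 (202) 555-0143", "4471882", "controller"))
```

The spoofed request is held even though the voice on the line "confirmed" the new account, because the number dialed came from the email rather than the directory.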

The supporting controls

The honest truth

No tool catches every BEC, because the email is real. The defense is a process — verification that happens outside the channel the attacker controls — reinforced by a drill so staff actually follow it under pressure.

Run the drill before the attacker does

Securidigm facilitates wire-fraud tabletop exercises with your team and builds the wire-authorization controls into your written program.


Securidigm provides advisory cybersecurity services and prepares draft documents. It does not provide an audit, a certification, or legal advice. This article is general information, not advice for your situation, and no outcome is guaranteed.