August 17, 2023 By Jonathan Reed

It’s no surprise that cyber criminals target high-profile individuals or those with privileged access. Malicious actors often use social engineering and whale phishing attacks against these people to breach systems. But households and family members of company executives may also be the target of cyberattacks. In some cases, such as sextortion attempts, criminals demand monetary payment.

There’s also a new trend where family members are being targeted, but the actors aren’t asking for money. Instead, attackers seek network access and passwords, or ask the victim to download files, all in an attempt to reach bigger targets and carry out wider attacks.

In short, modern company security should also include household security.

No perimeter to secure

If anything, the pandemic eliminated any notion of perimeter-based security. How many companies these days have employees connecting from a distance? How many businesses have hundreds, if not thousands, of devices connecting to their network? While the security risks are clear, 24/7 availability from any place on any device enables brands to stay competitive. And this means security must extend to all endpoints, human and machine, to secure a company’s network.

While we obsess over online security, threat actors might not stay limited to digital-only tactics. For example, cyber pro Reuven Aronashvili reported a case that involved the teenage son of an executive. The actors threatened to reveal that the teen was gay — something he had not shared with his family at the time — unless he installed some files on his home Wi-Fi network. Once the files were installed, the attacker could then target his mother, the executive.

The FBI has also released a warning about the rise of “sextortion” attacks. As per the FBI, “Sextortion occurs when someone threatens to distribute your private and sensitive material if their demands are not met.”

Sextortion and social engineering

Sextortion may be considered a type of social engineering attack. Most victims report that the aggressor makes initial contact through dating websites or apps. After gaining confidence, the fraudster lures the target to continue the conversation on a private messaging platform.

The actor then encourages the victim to exchange sexually explicit material. They might invite them to video chats or ask for explicit photos. Once the victim complies, the criminal begins to demand money to prevent the release of the photos or videos on social media. The attacker may also gain access to the victim’s social media or contact information and threaten to send the images to the victim’s family and friends.

As per Aronashvili, a new type of sextortion attack — to demand file download or network access — is growing rapidly. He said these attacks were unheard of as recently as 2021 when most sextortion attempts demanded a straightforward payout.

“Now, by asking for access and file downloads, attackers are seeking to use sextortion as the first step in reaching potentially larger targets, with potentially larger profits,” he said. Attackers may initially target family members to eventually attack the company, its suppliers or its customers, according to Aronashvili.

Family cyber awareness is company cyber awareness

The reality is that nefarious actors frequently target young people. For example, recent reports suggest that online grooming crimes are rising. This alone makes it essential to teach family and household members about cyber risks. Now, criminals are also grooming family members hoping to gain access to company networks. So when security teams think about cyber awareness, they should be talking to teams about security at home as well.

These intrusions get too close for comfort in some cases. For example, Mandiant Consulting CTO Charles Carmakal shared a story about a client who was being extorted. Carmakal said the client received flowers from the threat actor with a very polite but intimidating message.

“It’s a very different story if you’re an executive of the company, and your daughter is being harassed by a threat actor. Your desire to pay or your willingness to pay shoots up tenfold when you’re dealing with personal attacks,” Carmakal said.

Beware of gamer fraud

Cyberattacks against gamers have seen rapid growth recently. And Kaspersky Lab reported that cyberattacks on young gamers shot up 57 percent in 2022. As per the report, cyber criminals launched more than 7 million attacks on children, exploiting popular game titles in 2022.

Phishing pages target young players by mimicking global titles, such as Roblox, Minecraft, Fortnite and Apex Legends games. The report points out that to reach parents’ devices, cyber criminals lure children to fake game sites and phishing pages to download malicious files.

It was also reported that a common social engineering method involves offers to download popular cheats and mods for games. On some phishing sites, kids can access a manual on how to properly install a cheat. The manual may even include specific instructions about how to disable the antivirus before installing a file. Some young players may fall for this, so any malware they download can avoid detection on the infected device. And the longer the user keeps their antivirus disabled, the more information the malware can collect from the victim’s computer.

The report also noted that the children’s games targeted even included titles for the youngest players, such as Poppy Playtime and Toca Life World. These games are designed for 3- to 8-year-old players.

Bring cyber awareness home

Internet access makes every person in a household a potential victim. Crimes like kidnapping or sexual abuse can occur due to social engineering grooming. Plus, company breaches can occur due to sloppy cyber hygiene at home.

The Kaspersky report offers the following advice (adapted for this article):

  • Show interest in your kids’ online activity. Sit down with them to watch their favorite series or listen to music tracks together.
  • Consider using parental control apps, especially for the younger people at home. Don’t forget to explain how the apps work and why they’re important for safety.
  • Teach kids that sensitive information should only be shared via messengers and only with people they know in real life. Be a role model and exhibit examples of good online behavior.
  • Spend time talking to your kids about online safety measures. Encourage them to ask before downloading anything. Pay attention to your own habits.
  • Make talks about cybersecurity more enjoyable and interesting by discussing them with your child through games and more engaging formats.

Cyber risk is more pervasive than ever — at work and at home. Educate yourself, your teams and your family. And stay secure.
