Strategy and Transformation Practice
72% of U.S. Senior Executives were targeted by cyberattacks between February 2023 and August 2024, according to a 2024 report by GetApp. While the success and impact of these attacks vary, one thing is clear: businesses are becoming harder targets. Through stronger employee awareness, governance, and tooling, attackers are being forced to evolve. As a result, they’re turning to executives’ personal lives, and families, as potential entry points. This includes leveraging personal data about spouses and children from data brokers and social media sites. Cybercriminals are launching SIM-swaps, phishing campaigns, and emotional extortion tactics designed to bypass corporate security through personal channels. In this new threat landscape, protecting executive leadership means protecting their households. Cybersecurity at the top must now extend from the boardroom into the home.
In a troubling example of this, attackers turned to an executive’s child to gain access they could not get directly.
- In 2023, Attackers exfiltrated over 120 GB of sensitive data, including personal info of minors, and demanded ransom from a U.S. medical trial solutions firm.
- To accomplish this, the attackers obtained the phone number of an executive’s child from a data broker site. They used this to “SIM-Swap” and took over that child’s phone number.
- The phone number was then used to call or message the Executive. This may be done to pressure the executive to comply with demands or hand over Multi Factor Authentication codes.
While this threat is pervasive amongst the general population, it’s particularly salient amongst high profile individuals and their families.
“Doxing”, as it’s commonly referred, is the malicious act of publicly revealing someone’s private information without their consent. This often involves the disclosure and sale of personally identifiable information (PII) on the dark web, where criminals buy and use it for identity theft, fraud, and targeted attacks.
Where is this information found?
Unfortunately, it can be found easily in a number of places. It could include public sources like LinkedIn, company bios, press releases, social media, etc. It can be found on Data broker sites that aggregate public personal information, including home address. Potentially found in “breach dumps” that include Email/password leaks and Dark web markets or public breach repositories.
The information can be used in a number of attacks. One such attack is “SIM-swapping”, where they hijack a child’s phone number and impersonate them in emotionally charged calls to pressure the executive into approving actions like Multi-Factor Authentication (MFA) bypass. In some cases, attackers extort an executive’s child—threatening to expose personal information—to coerce them into installing malware, compromising the family’s home network. Additionally, threat actors use brokered family data to impersonate trusted loved ones via email or phone, executing pretexting attacks designed to trick executives into disclosing credentials or installing malware.
How can you protect yourself, your family, and your business?
- Secure Phones & Accounts of Family Members
SIM-swapping, spoofing, and phishing attacks often start with a child or spouse’s compromised phone or email.
- Enable carrier PINs and port-out protection for every family member.
- Use authenticator apps (e.g., Google Authenticator, Duo) instead of SMS-based MFA.
- Secure email and social media accounts with strong passwords and 2FA.
- Segment Executive & Family Networks
Malware installed on a family member’s device can pivot into executive work networks or data.
- Use separate Wi‑Fi networks at home: one for executive/work devices, another for family/personal devices.
- Keep sensitive work devices off networks shared with children’s gaming consoles, smart TVs, etc.
- Train Family in Basic Cyber Hygiene
Family members are often the weakest link in security, especially children.
- Teach them to:
- Never click unknown links or attachments.
- Be cautious about oversharing on social media (e.g., school name, travel plans).
- Verify strange messages—even if they appear from a parent, sibling, or friend.
- Remove Family Data from Data Brokers
Attackers often buy executive and family details from data brokers to impersonate or threaten.
- Use services to remove info from broker sites.
- Manually opt out from major brokers
As attackers increasingly target executives through their families, the protection of personal and household security is critical to reducing risks for the entire business. Securing family data, strengthening account protections, and improving cyber hygiene help close vulnerable entry points that could compromise corporate systems. AccessIT Group offers Digital Executive Protection, providing thorough OSINT reviews to identify exposed personal information and tailored digital security training for executives. These training courses include take-home materials for families, empowering them to maintain strong defenses and safeguard both personal and business assets.