ANALYSIS

Why Social Engineers Target the Executive's Family

The principal is the obvious target, and usually the best-defended one. A protected executive has monitored devices, a reduced public footprint, advisers who screen unusual requests, and the habit of treating an out-of-band instruction with suspicion. An attacker studying that person sees a locked front door.

So they look for a side door. The people around a principal — a spouse, an elderly parent, an adult child — share the name, the wealth, and often the access, but rarely the protection. The household is where the defended individual becomes reachable again.

Executive protection usually stops at the principal

Most protection programmes are scoped to one person. The principal's phone is managed; their partner's is not. The principal has been told how a wire-fraud attempt sounds; their mother, who holds power of attorney, has not. The principal knows not to trust a video call asking for an urgent transfer; their son, away at university, has never been warned such a thing exists.

That gap is not an oversight so much as a boundary nobody drew. Security is bought for the named individual, and the family is assumed to be covered by proximity. Attackers do not share that assumption. They treat everyone connected to the principal as a potential route to them, and they start with whoever is least prepared.

Who in the family is the most susceptible

There is direct evidence about who that tends to be. A field experiment by researchers at the University of Florida, published in 2019, sent simulated phishing to 158 people over 21 days and recorded who clicked. Older adults were the most susceptible group, with older women the most susceptible of all. Younger participants grew warier as the weeks passed; older participants did not improve at all. And older users showed the lowest awareness of their own risk — the people most likely to click were the least likely to believe they would. The full picture of who falls for phishing and why is its own subject; what matters here is the shape of it.

The kind of manipulation that worked also shifted with age. Older users were markedly more susceptible to lures built on reciprocation and liking — a sense of obligation, or warmth from someone who seems friendly — while younger users fell hardest for urgency and authority. The relationship-based register is exactly the one that family-targeting fraud uses: the befriending approach, the favour owed, the trusted-sounding voice that has called a few times before.

That study looked at the general population, not at wealthy families, so the figures describe a structure rather than a specific household. The structure is what matters here. An elderly parent who co-signs accounts, a partner with full financial authority, a relative who knows the principal's movements — when one of them fits the profile the data flags, the most exposed point in a well-defended estate is a person, and it is rarely the principal.

The principal is usually assessed in isolation. An attacker assesses the whole family. A Family Member Exposure Check maps what is findable about each person connected to you, so the soft entry point is known before it is used.

How reaching a family member reaches the principal

A family member is not only a victim in their own right; they are a path. The people closest to a principal hold things an attacker wants and a stranger cannot easily get. Shared devices and home networks. Financial authority, where a spouse sits on the same accounts or a parent can authorise a transaction. Calendars and travel plans. And, more than anything, knowledge — where the principal is this week, who they trust, what deal or event is in motion.

Compromise a family member's email or phone and the attacker can impersonate a trusted relative directly to the principal, from inside the circle of people the principal does not screen. The discipline that makes an executive hard to fool is built for messages from outside. It is not built for a request that appears to come from a daughter or a spouse. The defended individual's own caution does not extend to the family, and the family is precisely where the attacker now sits.

What a family member's digital footprint gives away

Family members rarely keep the principal's footprint discipline, and they are not usually asked to. A teenager's public account geotags the family home and signals when the house is empty. A partner's professional profile names the employer, the routine, the network of colleagues. Public records tie the household together into a single, searchable map — the same exposure that makes executive doxing possible, extended to everyone in the household.

All of it is reconnaissance — about the family member, and about the principal through them. The information that lets an attacker time a request, name the right people, and sound authentic is gathered here, in the parts of a family's life that no one thought to protect. This is the opening stage of the wider social-engineering process, and the moment when an executive's careful privacy is undone by a relative who was never brought inside it.

Mapping the household as one target

The practical correction is to change the unit of defence from the individual to the household. A principal who is well-protected while the people around them are exposed has not closed the path; they have moved it one step away from themselves.

That starts with knowing what is findable. A Family Member Exposure Check assesses each person connected to the principal at €750 per person — what an attacker can assemble about them, where their footprint exposes the household, and which of them fits the susceptibility profile that warrants the most attention. For a family office managing this across a whole family and its staff, the Family Office Privacy Pack scopes the household as a single surface rather than a collection of individuals.

The aim is not to turn every relative into a security expert. The susceptibility evidence is clear that this approach does not work, particularly for the family members most at risk. The aim is to reduce what an attacker can find and use against the household, so that reaching the principal through the people around them stops being the easy option it usually is.

If you are protected but the people around you are not, the path to you is still open. The Shield extends protection to the family as a unit, starting with a Family Member Exposure Check that maps what an attacker can find about each of them.

Sources

  • Lin, T., Capecci, D.E., Ellis, D.M., Rocha, H.A., Dommaraju, S., Oliveira, D.S., Ebner, N.C. “Susceptibility to Spear-Phishing Emails: Effects of Internet User Demographics and Email Content.” ACM Transactions on Computer-Human Interaction, 26(5), 2019. DOI 10.1145/3336141.
