A company in Hong Kong lost $25 million on a single video call. The face of the CFO looked right. The voice sounded right. The wire transfer request followed normal company procedures. The CFO was a deepfake. Not a blurry, unconvincing imitation. A convincing, AI-generated impersonation that cleared every human checkpoint the organization had in place. And here is the part that is easy to miss: the people involved were not careless. They were not cutting corners. They did exactly what they were supposed to do, and the money still disappeared.
Susan Lindeque has spent more than 25 years working at the intersection of high-stakes finance and complex family structures. As the Founder and Managing Member of Avestix Multi Family Office, a Chartered Accountant, and a former Global CFO who has structured over a billion dollars in transactions across real estate, venture capital, and private equity, she has seen what happens when wealth is built carefully over generations and then lost in a single breach. She has been studying Bitcoin and blockchain since 2012, and today she works directly with family offices and ultra-high-net-worth individuals to protect what they have spent their lives building. She is not speaking theoretically. She is speaking from the front lines of a threat that most families have not yet fully registered.
Why Wealth Makes You a Bigger Target, Not a Safer One
The assumption that financial success comes with built-in security is one of the most dangerous things a family can believe. Susan Lindeque pushes back on it directly. Large banks and corporate institutions have enterprise-grade cybersecurity systems, firewalls, alarm systems, and detailed internal procedures. Family offices, even those managing hundreds of millions of dollars, often operate with a staff of six people: an accountant, a bookkeeper, and a lawyer they bring in from the outside. That is the entirety of the infrastructure protecting the wealth.
“It’s no longer wealth used to be the security,” Lindeque says. “But these days, to be wealthy, you become a very big target, and that is causing a lot of vulnerabilities.” The imbalance between the value of what families hold and the systems they use to protect it is precisely what makes them attractive. Attackers do not need to break through enterprise-level defenses. They need to find one unsecured Gmail account, one vendor with weak protocols, one moment when the right person answers the wrong call. The front door, as Lindeque puts it, is wide open.
The Culture of Silence That Makes Everything Worse
The statistics on family office cyberattacks are alarming on their face. Forty-three percent of family offices worldwide have experienced a cyberattack in the last 12 to 24 months. One in four has experienced three or more attacks. Approximately half acknowledge being underprepared. But Lindeque believes the real numbers are far higher.
Most families do not report attacks. The reasons are layered. There is embarrassment. There is the fear that going public will invite more attacks. There is the reality that breaches often trigger conflict within families, with members pointing fingers and relitigating decisions that seemed right at the time. “I think that number is even probably 50 percent underrated,” Lindeque says. “I think the number is probably closer to about 70 to 80 percent of cyberattacks that are happening directly onto family offices, family businesses, ultra-high-net-worth individuals.” Because families stay quiet, nobody learns from their losses, security practices do not improve across the industry, and the same vulnerabilities are exploited again and again.
How AI Turned a Sophisticated Crime Into an Affordable One
The mechanics of a deepfake attack used to require an operation: a studio, specialized recording equipment, a team of technically skilled people, and significant funding. That barrier no longer exists. “A couple of years ago, you needed an army of people to do it,” Lindeque explains. “Now with AI, you don’t need to be a coder anymore. You literally can be a one or two-person operation.” A voice can be cloned from a single podcast episode. A video likeness can be generated from LinkedIn photos. The technology is improving so rapidly that the gap between what was possible a month ago and what is possible today is already significant.
What this means practically is that deepfake capability has become a service — something bad actors can access and deploy without specialized knowledge. The objective, as Lindeque describes it, is simply to target people with wealth, extract as much money as possible, and move on. By 2026, 30 percent of enterprises are expected to stop trusting face biometrics for identity verification because the fakes have become too convincing. Only 60 percent of family offices report confidence that their staff could even detect an AI-driven phishing attack. The arms race between security and exploitation is moving faster than most families realize.
“We always used to say we trust the people, we trust the systems, we trust the controls. But you can’t do that anymore. You have to take ownership and start making sure that wherever you trust, you can truly trust at the end of the day.”
Susan Lindeque, Founder and Managing Member, Avestix Multi Family Office
The Four Places Your Security Is Already Failing
Lindeque identifies four specific failure points that appear consistently across family offices and high-net-worth households: email, wire transfers, vendor access, and personal devices. Each one is a door that is likely already open.
Email is the lowest form of security most families are running on, and it is the entry point for almost everything else. A personal Gmail account can be compromised through a simple password reset. Once an attacker has access to your inbox, they can send emails impersonating you, replicate the exact look of communications from your bank, and initiate requests that appear entirely legitimate. Lindeque notes that attackers can also use VPN technology to appear to be operating from any location in the world, making geographic red flags essentially useless.
Wire transfers are uniquely dangerous because in the United States, once a wire is sent, it is gone. The standard verification method most families rely on, a phone call, has itself become an attack vector. Calls can be intercepted. Voices can be cloned. The person on the other end of the phone confirming the transfer may not be who they appear to be. Lindeque’s recommendation is to move sensitive financial data off hyperscale cloud platforms like Amazon and Google, and onto private, dedicated servers with dedicated firewalls so that even if a device is compromised, the underlying financial infrastructure remains protected.
Vendors are the vulnerability most families never think to examine. Your attorney, your CPA, your wealth manager — these are the people you trust most, and they hold everything. But as Lindeque points out, “you are at the risk of their security.” She describes working with a consolidated system for a client and asking the system provider directly about their security. The provider allowed login through a standard Gmail account. In a multi-family office context, a single breach of that vendor’s system could expose the trust accounts, corporate structures, bank accounts, and distributions of every family they serve.
Personal devices close the loop. Your Gmail account lives on your phone. If an attacker gains access to your phone, they can trigger a password reset, receive the two-factor authentication code that arrives as a text, and gain full access to your financial accounts. “It’s that simple, to be quite honest with you,” Lindeque says. The fix is not to stop using a phone. It is to ensure the underlying data lives on a secure, firewalled private server so that device access does not equal financial access.
What a Breach Actually Costs a Family
The average cost of a data breach in financial services exceeded $6 million in 2025. That number is significant, but Lindeque argues it is not the full picture. A breach does not end with the initial loss. Once attackers have access to a family’s information, they can use it to stage multiple attacks over time, manipulating investments, targeting individual family members, or holding information for ransom. What began as a financial crime becomes something that touches health records, legal disputes, location data, and private communications that were never meant to be seen.
The damage extends into the family itself. “It can cause a lot of disputes within the family,” Lindeque says. “There can be a lot of fighting because people can start pointing fingers at other family members.” The wealth that was supposed to protect a family and bind it together becomes the source of its fracturing. Lindeque compares the decision to take action to any health habit: “It’s like everything. If you want to go to the gym, want to lose weight, it’s that first day when you decide, this is it. I’m going to take action and I’m going to start to protect my family first of all.” The cost of not acting is not abstract. It is the legacy itself.
Cybersecurity as Succession Planning
The $86 trillion transfer of wealth currently underway between generations is happening inside a threat landscape that did not exist when most of those assets were built. Lindeque frames cybersecurity not as a technical issue but as a core element of succession planning. The founders built the wealth. In many families, the financial management was handled by one person, often the patriarch, and the rest of the family was not at the table. When wealth transfers to a surviving spouse or to children, it frequently transfers to people who have no prior exposure to the decisions being made on their behalf.
“A lot of those women are in their 60s, 70s, and 80s when the wealth gets transferred,” Lindeque says. “They don’t have the insight, they don’t have the financial education, they don’t have the technology education. They just don’t have the skill set to cope with all of that.” Meanwhile, the next generation may be comfortable with technology but no more prepared for the specific nature of AI-driven financial threats. The generation gap in understanding the risk is, in Lindeque’s view, one of the most urgent problems in wealth management today. Succession planning that does not include a cybersecurity component is planning for a world that no longer exists.
The Audit Is Where It Starts
Susan Lindeque’s single most urgent recommendation is this: before doing anything else, take stock of where your data actually lives. Not where you think it lives. Where it actually is. Which email accounts hold financial communications. Which vendors have access to what. Whether any credit card information is saved on a phone or desktop. Who your service providers are and what security protocols they operate under.
The second step is to ask the questions that most people never think to ask before signing an engagement letter. Does your attorney have a chief security officer? How often is their system updated? Where is your data stored, and is it sitting on the open web or the dark web? “You’ve got the right to ask those hard questions,” Lindeque says. She now incorporates specific security protocols into every vendor engagement letter. If a vendor cannot meet those standards, she finds another vendor. The cost of securing your website and mobile devices can be less than $100 a month. The cost of not doing it can be everything you have built.
As Lindeque puts it, the question is not whether you will be targeted. It is whether your defenses will be ready when it happens. For anyone whose security posture was built for 2016 threats, the gap between what they have and what they need is already costing them. Susan Lindeque’s work is built on closing that gap before a single video call does what it did in Hong Kong.
