Playbook 9
Targeted phishing & social engineering
Spear-phishing and pretexting aimed squarely at the office: fake DocuSign, spoofed custodian portals, “IT support” calls, and QR-code lures crafted from public information about the family.
The hard truth
Generic spam gets filtered; the message written specifically for your CFO, referencing a real deal, is the one that lands.
The first hour
- 1
Contain: if anyone entered credentials, reset them and revoke sessions immediately.
- 2
Preserve the message and headers — don't delete the evidence.
- 3
Check whether the same lure hit other inboxes in the office.
- 4
Scan for follow-on activity: new mailbox rules, logins, or wire requests.
- 5
Warn the team and any spoofed counterparty about the active campaign.
Stop the next one
- MFA everywhere so a stolen password alone isn't enough.
- Realistic, role-specific phishing awareness for the finance team.
- A verification decision tree for portals, e-signatures, and support calls.
- Email authentication (SPF/DKIM/DMARC) to blunt domain spoofing.