Playbook 9

Targeted phishing & social engineering

Spear-phishing and pretexting aimed squarely at the office: fake DocuSign, spoofed custodian portals, “IT support” calls, and QR-code lures crafted from public information about the family.

The hard truth

Generic spam gets filtered; the message written specifically for your CFO, referencing a real deal, is the one that lands.

The first hour

  1. 1

    Contain: if anyone entered credentials, reset them and revoke sessions immediately.

  2. 2

    Preserve the message and headers — don't delete the evidence.

  3. 3

    Check whether the same lure hit other inboxes in the office.

  4. 4

    Scan for follow-on activity: new mailbox rules, logins, or wire requests.

  5. 5

    Warn the team and any spoofed counterparty about the active campaign.

Stop the next one

  • MFA everywhere so a stolen password alone isn't enough.
  • Realistic, role-specific phishing awareness for the finance team.
  • A verification decision tree for portals, e-signatures, and support calls.
  • Email authentication (SPF/DKIM/DMARC) to blunt domain spoofing.

Questions we hear