It’s been more than a decade since Experian released its eye-opening research called The Affluent Suburbans, the first ever report to explore if and how affluent Americans are more vulnerable to identity theft and fraud.
The study was simple but clever. Analyze tens of thousands of fraud and identity theft reports, and cross-reference those reports with the background and lifestyles of the victims. Experian concluded that being more affluent in America not only significantly increases your chances of being a victim, but also how much the crime will cost you.
That was about the same time that as head of the Identity Theft Council I began to see a spike in reports of affluent and HNW consumers being directly targeted by hackers and identity thieves. Many of the reports came from legal advisors and law enforcement, and the amount of background intel being gathered on these victims was pretty stunning.
“Like a kid in a Candy Store”
A few years ago I was lucky enough to get permission to do an on-camera interview with a notorious identity thief serving the last few years of a lengthy sentence. Law enforcement described him as the most dangerous identity thief they’d ever come across, and the Secret Service reached out afterwards to ask if I could persuade the professional thief to agree to teach their agents.
You can see the final documentary here. During our interviews, the thief explained the concept of Candy Stores, why people like him use that term to describe more affluent targets, and why so many cyber crooks love to specialize in just this demographic.
So Why Are HNW Consumers, Or Candy Stores, Such Popular Targets?
This is compilation of answers and theories I’ve repeatedly heard from law enforcement, cybercrooks, identity thieves, and wealth managers.
- Sure, they have more money and better credit. But more money also means more vulnerabilities. Like more accounts to protect so security is spread more thinly. Or more people with knowledges of or access to those accounts – advisors, employees, family members.
- They’re often just too busy to give security enough attention. Whether it’s work, travel, leisure, philanthropy, business, or politics, busy people with busy lives often forget the basic routines of security and privacy.
- They tend have bigger social networks, and real networks, not just “Facebook friends.” Bigger networks mean more access points and more people revealing sensitive information they shouldn’t.
- There’s usually more public information available about them because they simply have busier lives. Simply living generates a constant stream of new data that can be exploited. It’s called the Data Exhaust and each of us generates about 2MB of collectible data every second.
- They often have plenty of easy points of access, like employees, assistants, and advisors, that can be exploited with phishing emails and social engineering.
- They can have lots of more interesting secrets, business and personal, that they’d like to keep that way. And pay to get back if they’re compromised.
- They have lots of valuable connections to leapfrog to, especially business, social networks, political, and philanthropic.
- They often have access to valuable business information, IP, private discussions, businesses email and business transactions, contracts, acquisitions, creative tax schemes.
- They rarely report the crime for fear of embarrassment or reputation harm. This is especially attractive for crooks because it virtually eliminates the risk.
- They can sometimes be arrogant or over-confident and presume their lawyers will make the problem just go away.
So Targeting The More Affluent Consumer Is A Near-Perfect Crime:
- It’s easy to find and research targets, and especially if you have some of the more powerful and professional data digging tools available (like TLO or DelvePoint).
- There are plenty of attack vectors, lots of ways to get inside a target’s defenses.
- There are lots of things to steal besides money, and many of those “things” won’t set off any alarms. You’ll know when a back account has been emptied but not when your contact list is copied or all your emails downloaded.
- The payoff is well worth the investment. Many cybercrooks will spent many hours a day, for weeks or months researching specific targets and building up complex dossiers.
With little chance of ever being reported, investigated, caught, or prosecuted, why waste your time on the less affluent?