Why the Family is the New Attack Surface

Executives do not live inside your network diagrams. They live in smart homes full of connected devices, with spouses and partners who share online by default and children whose digital lives spill across social platforms. That blended ecosystem has effectively become the perimeter of executive risk.

The Invisible Target

The Old Security Model No Longer Applies

For many boards and C-suites, executive protection still means some combination of physical security, travel protocols, and stronger authentication on a handful of sensitive accounts. That model made sense when most executive risk was concentrated inside offices and corporate networks. It no longer reflects how executives actually live or how modern attackers operate.

What Attackers Actually See

When a threat actor looks at a Fortune 500 CEO today, they do not see a hardened corporate perimeter and give up. They see:

• A spouse's personal email that has not had a password change in years
• A teenager's TikTok feed that reliably tags the same coffee shop every Tuesday afternoon
• LinkedIn posts that casually reveal family vacations, complete with check-ins that map out travel patterns

Each detail appears benign in isolation, but together they form an exploitable pattern: who lives where, who is home when, which accounts are likely poorly protected, and which routines can be predicted.

The Doxxing Economy

Public reporting over the last several years has shown how quickly that type of visibility can be misused. Doxxing campaigns against executives and public officials routinely blend data broker records, corporate disclosures, social media content, and breach data to compile comprehensive profiles that include home addresses, phone numbers, family names, and daily routines. In some cases, websites have hosted collections of executive data before being taken down or pushed into harder-to-reach corners of the internet, where the material still circulates among motivated adversaries.

When Digital Threats Become Physical

Swatting: A Growing Threat to Corporate Leaders

Once family information is exposed, the transition from online threat to physical risk is faster than most organizations expect. Law enforcement agencies and journalists have documented a rise in "swatting" incidents, where hoax emergency calls send armed responders to a victim's home. These incidents have targeted executives, technology leaders, and other public figures, and they rely on accurate addresses, household information, and sometimes floor-plan-level detail.

CSO Online reported a coordinated surge of swatting attacks specifically targeting C-suite executives and board members across Fortune 1000 companies, with criminals using information harvested from data broker sites, corporate websites, and property records. These attacks are "highly targeted and purposeful," with healthcare, biopharma, and financial services industries seeing particularly heavy targeting.

Case Study: The Nancy Guthrie Abduction

The threat to executive families escalated dramatically in early February 2026 with the abduction of Nancy Guthrie, the 84-year-old mother of NBC "Today" show co-anchor Savannah Guthrie, from her Tucson, Arizona home. Authorities believe Mrs. Guthrie was taken from her residence against her will in the middle of the night on February 1, with blood drops found leading from the entryway to the driveway. Her pacemaker disconnected from its monitoring app in the early morning hours, and she was reported missing when she failed to appear at church the following day.

Within days, ransom notes containing specific details about the home and what Mrs. Guthrie was wearing that night were sent to multiple media outlets. Pima County Sheriff Chris Nanos described the home as a crime scene and noted that Mrs. Guthrie requires daily medication that could be fatal if not taken. In an emotional video plea, Savannah Guthrie and her siblings addressed their mother's abductors directly: "We need to know without a doubt that she is alive and that you have her. We want to hear from you and we are ready to listen." The case, which remains active with FBI involvement and federal resources committed by the White House, illustrates how quickly the family members of high-profile media figures and executives can become targets for exploitation—and how information about routines, residences, and family circumstances can enable physical attacks that bypass every corporate security control.

From Digital Harassment to Physical Stalking

Supermodel Cindy Crawford's ongoing legal battle against a stalker who progressed from online harassment to repeatedly showing up at her California residence and her daughter's theater performance demonstrates how digital channels create entry points for people with dangerous fixations.

Targeting Children to Reach Executives

Financially motivated groups are adapting too. Security researchers speaking at the 2024 RSA Conference revealed that ransomware crews have begun targeting executives via their children's phones and accounts, including using SIM-swapping to seize control of numbers and messaging apps. In these attacks, threat actors hijack a child's phone number and then place calls to executives from that number. The result is a psychological nightmare: a parent answers, expecting their child and hears a stranger's voice instead.

The FBI's 2024 Internet Crime Complaint Center report documented $26 million in losses from SIM-swapping attacks, with security experts warning that these tactics have moved from primarily targeting cryptocurrency holders to focusing on corporate executives and their families.

The Home Office Problem Nobody Wants to Discuss

Where Enterprise Security Meets Consumer Tech

The executive home office is where enterprise-grade security assumptions collide with consumer-grade technology. The 2024 Deloitte Family Office Cybersecurity Report found that 43% of family offices globally had experienced a cyberattack in the preceding two years, with phishing affecting 93% of victims, followed by malware (35%) and social engineering (23%). Yet nearly one-third (31%) of family offices have no cyber incident response plan, and only 26% describe their cybersecurity posture as "robust."

The Risky Mix of Work and Home

These spaces often mix corporate laptops and privileged access with home routers, gaming consoles, smart TVs, security cameras, and other connected devices that rarely receive professional hardening or regular patching. In many households, executives work on the same flat Wi-Fi network where teenagers are gaming with strangers, and IoT devices still run default configurations.

Accidental Intelligence Leaks

Seemingly harmless content adds to the risk:

• A spouse's post showcasing a "remote work" setup can capture monitor layouts, printed documents on a desk, badges or keys, and the placement of security hardware
• Children's gaming streams or spontaneous video calls can inadvertently reveal floor plans, entrances, or camera blind spots
• None of these exposures will trigger a traditional corporate alert, but they help an attacker build a detailed picture of how to approach a target physically or socially

Business Email Compromise Remains a Major Threat

Meanwhile, business email compromise remains one of the most costly categories of cybercrime. The FBI's Internet Crime Complaint Center reported BEC losses of $2.77 billion in 2024 alone, with total reported cyber losses reaching a record $16.6 billion. That represents a 33% increase from the prior year. Adversaries monitor public and semi-public signals about executives and families: when people travel, when homes are empty, when predictable weekly routines create windows of distraction.

The Wake-Up Call: Post-Thompson Security Spending

After the December 2024 killing of UnitedHealthcare CEO Brian Thompson, many large enterprises significantly increased their security budgets to include protection for executive families and residences. UnitedHealth Group disclosed $1.7 million in executive security spending in 2024, and the company is expected to increase spending further in 2025. According to ISS-Corporate research, personal and home security perquisites among S&P 500 companies rose from 13.2% in 2018 to 17.9% in 2024. This trend accelerated dramatically after Thompson's death.

Why Family Risk Is a Core Business Issue

Not a Perk—A Business Continuity Problem

It is tempting to frame family protection as an executive perk or a personal preference. In reality, it is a business-continuity problem and a governance issue. Extortion messages that say "We know your child's school route" or "We watched your spouse's morning run" do not leave traces in your SIEM, but they absolutely influence how executives think and act under pressure.

The Rise of Deepfakes

The psychological component is deliberate. Threat actors monitor social media sentiment around executives, looking for moments of public controversy or backlash that create cover for attacks or indicate when hostility is escalating toward actionable threats. Organizations that lack similar visibility into online discourse and social media trends around their leadership are effectively ceding the information advantage to adversaries.

Attackers also leverage deepfake and voice-cloning technologies trained on public audio and video from family events, interviews, or social feeds. In February 2024, a finance worker at engineering firm Arup was tricked into wiring $25 million after a sophisticated deepfake video conference call featuring AI-generated likenesses of the company's CFO and other senior executives. The entire multi-person meeting was fabricated.

Key Statistics on Deepfake Threats:

• More than one in four executives reported their organizations had experienced one or more deepfake incidents
• 50% expect deepfake attacks to increase
• Voice cloning now requires just three to five seconds of sample audio to create a convincing fake
• This enables voice-phishing calls that sound indistinguishable from a child, partner, or parent in distress

Long-Term Talent and Reputation Consequences

There are long-term talent and reputation consequences as well. Executives who face persistent, credible threats against their families are less likely to take bold public positions and more likely to consider early exits or to avoid particularly visible roles. The 2025 Family Office Security & Risk Report from Simple indicates that concerns about cyber and physical threats to families now rank alongside tax and investment issues for many ultra-high-net-worth clients. Media stories about "CEO's family doxxed over policy decision" or "protesters target executive's neighborhood" become part of the brand narrative for both the company and its leadership.

Why Traditional Approaches Keep Failing

The Fragmentation Problem

• Traditional models of executive protection are fragmented:
• Physical security teams manage bodyguards, facilities, and event logistics
• Cybersecurity teams focus on endpoints, identity systems, and enterprise networks
• Communications and legal teams handle public crises, media, and litigation
• Families and home environments sit awkwardly at the intersection of these functions and too often receive only partial coverage

Critical Gaps in Coverage

The silos create dangerous blind spots:

• Physical security seldom tracks dark-web discussions, breach dumps, or data-broker inventories where personal data is bought, sold, and enriched
• Cyber teams frequently treat home networks and personal accounts as out of scope for policy and monitoring
• Communications and legal rarely engage until there is a public incident, which by definition means attackers have already moved past reconnaissance and into action

The Continuous Signal Leak

Meanwhile, routine family behavior keeps creating new signals. Teenagers post short videos that show camera placement and interior layouts. Spouses check in at favorite locations near schools, workplaces, and homes. Mobile apps share location data with third parties that resell it into advertising and broker ecosystems. Each individual exposure appears minor, but together they create an attacker's eye view of daily life that is rarely visible to corporate security teams.

Executive Exposure by the Numbers:

• 75% of executives have experienced credential exposure
• More than half of CEOs have received a physical threat within the last year
• Executive-level employees are consistently 25 to 30% more exposed online than the general workforce
• This differential poses a measurable risk to both individual safety and organizational integrity

How the Market Has Started To Respond

Whole-Household Security Models

The pressure of the last several years has forced significant adaptation from both vendors and risk owners. Firms that focus on protecting high-net-worth individuals and family offices have introduced offerings that treat the entire household as an interconnected risk environment, including adult children and grandchildren.

The 2025 North America Family Office Report by RBC and Campden Wealth found that nearly three-quarters of family offices in North America experienced a cyberattack in the past year. Risk-advisory providers and industry groups have published guidance on the convergence between digital threats and physical harm and have encouraged organizations to unify monitoring and response across these domains.

Corporate Security Investment Trends

Following Thompson's death, an HR Policy Association survey of CHROs from large public companies found that 73% now have specific security arrangements for executives or senior leaders. Of those:

• 68% extend protection to all C-suite executives
• 51% to board members
• 12% to other senior leaders

Moving into 2025, companies reported prioritizing:

• Travel security (54%)
• Physical security (53%)
• Cybersecurity measures (39%)
• Residential security (38%)

What Mature Protection Programs Look Like

Mature programs that treat the family as part of the attack surface tend to share several characteristics:

• Continuous external mapping and monitoring for executive and family PII on social platforms, data brokers, paste sites, and underground forums, rather than one-off exposure reports
• Cross-channel threat monitoring that extends into spaces where grooming, harassment, or pretext development often begins, such as gaming communities, messaging platforms, and youth-oriented networks
• Social media sentiment analysis that detects shifts in public discourse around executives—identifying when routine criticism escalates into coordinated harassment, doxxing attempts, or language that signals physical threat potential
• Systematic, repeatable PII-takedown processes that treat a newly exposed address or school name as an incident requiring immediate action and follow-up
• Technical hardening of home and travel environments, including network segmentation, password managers, hardware security keys, and disciplined location and posting practices for trips and major events
• Family-empowerment programs that frame participation as protection rather than surveillance and that provide simple ways for spouses and children to report concerning contacts or content

What Boards and Security Leaders Should Do Next

Board-Level Actions

Boards should start by explicitly recognizing family exposure as an enterprise risk in their governance frameworks and risk registers. Ownership should be shared across cybersecurity, physical security, human resources, privacy, and, where appropriate, legal.

Reporting to the board should include family-related threat trends and metrics at a high level, such as:

• The number of executive or family doxxing attempts per quarter
• The volume of PII records removed from data brokers
• Changes in harassment or protest activity tied to executives' home addresses

Immediate Actions for Security Leaders

Security leaders can act immediately on several practical fronts:

• Establish cross-functional forums between cyber, physical, and threat-intelligence teams to review executive and family threats on a regular cadence
• Integrate external-risk monitoring capabilities into security operations so that alerts about executive or family exposure enter the same triage and response pipelines as traditional cyber incidents
• Include family digital-footprint assessment in onboarding for new executives before public announcements, identifying existing exposures and educating family members on how to reduce them
• Update escalation playbooks to treat family reports and monitoring alerts as time-sensitive, with response expectations measured in minutes rather than days

A New Definition of the Perimeter

The core lesson from recent incidents is that executives and their families function as enterprise assets in ways that are directly connected to business continuity, strategy, and shareholder value. Attackers increasingly see families as the path of least resistance into those assets, and current security models have largely validated that perception.

Organizations that adapt by extending protection beyond the walls of headquarters and the confines of corporate networks will not only reduce risk, they will gain an advantage in attracting and retaining top leadership talent. Those that cling to outdated boundaries between "corporate" and "personal" security will face harder questions when executives step away after a doxxing campaign, when a CFO is compromised through a child's phone, or when a preventable incident that began on social media ends in real-world harm.

The family is now the new attack surface. The only open question is how quickly boards and security leaders can draw their defenses around that reality before the next incident forces the issue.

Protect Your Executives and Their Families

ZeroFox Executive Protection delivers comprehensive security for your leadership team. The platform combines real-time threat intelligence, continuous PII monitoring, dark web surveillance, social media sentiment analysis, and rapid takedown capabilities into a unified solution. By tracking shifts in online discourse and social media trends around executives, ZeroFox identifies when criticism escalates into coordinated harassment or language that signals potential physical threats. From detecting impersonation attempts and credential exposures to neutralizing threats before they escalate, ZeroFox helps organizations extend their security perimeter to where executives actually live and work.

Our new Executive Protection ecosystem brings all of these capabilities together in one powerful, integrated experience, giving you complete visibility and control over your leadership's digital and physical security.