Why Cybercrime Is on the Rise

Insights from California Trust and Legacy

And why the families we work with are now in its path.


By Bryan Kemler · California Trust and Legacy

For most of the twenty-first century, cybercrime targeting individual families has been a numbers game. An attacker would write a generic phishing email — clumsy, full of misspellings, addressed to “Dear Customer” — and send it to ten million inboxes. A small fraction of recipients would click. A smaller fraction would enter a password on a fake website. A smaller fraction still would enter a password that happened to belong to an account worth stealing. The economics worked because the cost of sending the email was approximately zero and the cost of writing it was approximately zero.

That model produced a certain kind of victim, and it produced a certain kind of advice from the cybersecurity industry. The victim was usually someone with limited technical literacy and modest assets, attacked through a low-effort lure. The advice was: don’t click suspicious links, use a real password, run an antivirus program. That advice is still correct. But it was sized for a threat model that has now changed.

The change is generative AI, and the change is structural. The work an attacker used to do by hand — the work that limited which targets were worth attacking — is now done by software at fractions of a cent per attempt. Three pieces of that work are worth describing in concrete terms.

The first is the email. Until recently, a phishing email convincing enough to fool a successful, alert person required a skilled writer who studied the target, learned the target’s relationships, mimicked the voice of someone the target trusted, and constructed a request that fit naturally into an existing conversation. That work took hours per target. It was not economic against a household with five million dollars in assets, because the attacker could spend the same hours writing five hundred generic emails to a million households and get a higher return on the cheaper effort. Now the same study, the same mimicry, and the same custom construction are done by a language model in seconds. The attacker no longer chooses between effort and reach. They get both. The economic threshold of “worth attacking” has moved down into the tier our families occupy.

The second is the voice. A telephone call from someone who sounds exactly like your daughter, in the exact emotional register your daughter would use in an emergency, costs an attacker the price of a publicly available voice clone trained on thirty seconds of audio from a TikTok or a wedding toast. The same is true for the voice of your wealth manager, your CPA, your attorney. There are two consequences. First, the conventional security advice — “if it sounds urgent, slow down and verify” — is harder to follow when the urgency is delivered in the voice of a person you love. Second, the specific verification procedure most families have implicitly relied on for thirty years (call the person back, hear their voice, confirm) no longer works without an added step. Voices are no longer self-authenticating.

The third is the chain. A modern attack on a family of means is rarely a single email or a single call. It is a coordinated sequence: an email from a vendor establishes a context, a follow-up email from “your assistant” confirms the context, a phone call from “your wealth manager” requests action consistent with the established context, and a wire transfer leaves the country. Each step on its own would be questioned. The sequence as a whole creates a manufactured reality in which each step seems to fit. Until two years ago, designing and executing that sequence required a small team of skilled human operators. Today the sequence can be designed by a language model and executed semi-autonomously. The labor cost has collapsed. The complexity ceiling has risen. The targeting has become precise enough to be personal.

The cohort we serve at California Trust and Legacy — affluent families in the East Bay with self-managed financial complexity, active advisor relationships, mixed digital literacy across generations, and security configured the way it was five years ago — sits squarely in the new “worth attacking” zone. The family-office tier above ours has dedicated, full-time security teams. Sole proprietors in the tier below ours are not yet attractive targets. The middle tier — where there is significant wealth, real velocity in financial relationships, and no dedicated security operation — is the tier the attackers are repricing first. We are watching this happen in real time, in stories that our peers are sharing privately and that occasionally surface as cautionary news items.

The defense is not panic, and it is not a subscription to a monitoring service. The defense is also not, in our view, something the average affluent family can be expected to do for themselves. The reason is the same reason most families do not draft their own trusts: it is not that the work is impossible to learn, it is that the work requires sustained attention to a domain that is not the domain you spent your career in. Configuring a household-grade password manager, training every member of your family on it, hardening your email against impersonation, setting up a verification protocol with your three or four most important outside advisors, and documenting how your heirs will find any of this when you are gone — that is a six-week project for someone who knows what they are doing, and an unbounded project for someone who doesn’t.

LegacyGuard is the way California Trust and Legacy has chosen to respond to this shift. We built it for our own clients first because the people who hire us to plan their estates are precisely the people whose estates are now being targeted before they are inherited. We deliver it now as a service to anyone in our region who wants the protection in place before they read about another family who didn’t.

The threshold has moved. The attackers know it. Our work is to make sure our families know it too, and to give them a structured way to respond — calmly, carefully, without theater, on a timeline that fits how families actually run.

If you’d like to do something about this

LegacyGuard is the structured response we built for our own clients. A fifteen-minute call is the simplest way to find out whether it fits your family.

This essay is general analysis, not legal advice or a guarantee of cybersecurity outcomes. Bryan Kemler is not a certified cybersecurity practitioner. LegacyGuard is a service of California Trust and Legacy. Legal services are provided by Kelly Balamuth, Esq. — California State Bar No. 172522 — Walnut Creek, CA. Attorney advertising under California rules.