High-net-worth family targeting in 2026 — swatting, doxxing, and physical follow-on

A pattern we are seeing across our HNW-family work in the Valley: the threats that used to live online are now arriving at the front door. A doxx posted to a fringe forum at midnight becomes a SWAT response at 3am. A leaked office address becomes a follow-on at a private school pickup line. A teenager's TikTok geotag becomes a stranger waiting at the side gate. The digital-to-physical handoff is not theoretical anymore. It has a base rate, and that base rate doubled in 2025.

This post is the operator's view of what's actually happening, what the published data shows, and what HNW families and family offices in Arizona should do about it. No fear-mongering. Just the numbers and the controls.

The 2025 numbers

The FBI's National Common Operating Picture for Virtual Community Coordination (NCOP-VCC), the swatting-incident database launched in May 2023, captured more than 550 incidents in its first months alone. Industry tracking puts 2025 swatting totals at roughly 8,900 documented cases, up sharply from prior years. The median police response time to a swatting call has lengthened from 11 to 16 minutes, which increases the window during which a hostile entry response is being executed against an innocent target.

Executive-targeting data tells a similar story. Industry-side analysis published in early 2026 found that direct threats against senior corporate leaders roughly doubled year-over-year, with one widely cited dataset showing CEO-directed threats rising from about 1,560 (June–December 2024) to more than 2,200 in just over a month starting early December 2024. Executive-protection vendors and CISO survey work both report that family members and personal staff are increasingly targeted as extensions of the principal — not as separate threat surfaces, but as easier paths into the same one.

Per-incident cost matters too. The FBI's own materials and law-enforcement-cost reviews estimate a single swatting response costs $15,000 to $25,000 in agency resources alone — not counting damage to the residence, psychological trauma to the family, or the property-value impact of a public swatting becoming a public record. The cost is borne mostly by taxpayers and the family, not the offender.

What "targeting" actually looks like in 2026

Most HNW families we work with picture a stranger crossing a fence. The current attack pattern is more sophisticated, more remote, and more often executed by an offender the principal has never met.

Step 1 — Open-source reconnaissance

The offender starts with public records, social platforms, and data-broker sites that aggregate home addresses, family member names, school enrollments, vehicle registrations, vacation photos, and travel calendars from social media tags. None of this is illegal to collect, and most of it costs less than $50 to assemble.

Step 2 — Doxxing

Personal information is posted publicly — to a forum, social platform, or harassment site — with an explicit invitation to others to "do something." The doxx itself rarely causes physical harm. What it causes is a permission structure for the next person who reads it.

Step 3 — Swatting

A spoofed call from an apparently-local number reports an active hostage situation, an in-progress shooting, or an imminent suicide at the doxxed address. Local PD or SWAT responds at high tempo. The family wakes up to a hostile dynamic entry. This is the event that has the highest probability of physical harm — not from the offender, but from the response.

Step 4 — Physical follow-on

A separate offender — opportunistic, ideologically motivated, or copycat — physically shows up at the doxxed address or at a derived location (school, gym, office, vacation property). This is the rarest but highest-severity step. The Patrick Tomlinson case, which has documented 40+ swatting events and follow-on harassment, is the canonical published example of how long this can run once started.

Why family members are now the primary attack surface

The shift toward targeting family is operationally rational from the offender's perspective. The principal is usually the hardest to access — they have an EP detail, an office building with security, vetted travel logistics. The spouse, the teenage child, the elderly parent, the personal assistant — none of them typically have those controls. They also generate larger public footprints. A high-school athlete posts game schedules. A spouse posts charity events. An assistant posts office check-ins from their personal Instagram.

The CISO surveys back this up. Roughly 42% of CISOs surveyed in 2025 reported that an executive or family member had been targeted by some form of attack — ranging from malware and doxxing to extortion and physical incidents. That number was around 24% three years prior. The trajectory is real.

The corporate response has followed. Median 2024 spending on executive security reached roughly $95,000 per principal, up about 120% over three years. The increase is largely going to digital-physical convergence — threat-intel monitoring, data-broker scrubbing, and family-extension coverage that didn't exist as a line item five years ago.

What HNW families should actually do

The controls that move the numbers are not exotic. They're a sequence of operational disciplines that should be implemented in order — not all at once, not piecemeal.

1. Scrub the data-broker layer

The single highest-leverage intervention. Services exist (Optery, DeleteMe, Kanary, and others) that submit opt-out requests across the major US data-broker network on a recurring basis. Run for the principal, the spouse, every adult family member, and the personal assistant. Expect a 60–90 day window for noticeable reduction, and budget for ongoing maintenance — brokers re-ingest data constantly.

2. Lock down the social-media footprint

Not a "delete everything" exercise. A "make the visible footprint match the threat model" exercise. No geotagged photos of the residence, school, or office. No real-time vacation posts. No school identification visible. No vehicle plates. Family member accounts (spouse, kids, parents, staff) get the same treatment — they are the door, not the wall.

3. Pre-coordinate with local law enforcement

Most Valley jurisdictions will accept a "swatting risk" advisory from a credible source — typically the family's security consultant or attorney — that gets filed against the residence. If a 911 call originates against that address, dispatch is flagged to require additional verification before sending an armored response. This does not prevent the swatting attempt; it materially reduces the severity of the response. Coordinate it before you need it.

4. Harden the physical perimeter, intelligently

Not a fortress aesthetic. A layered residential security posture — perimeter cameras with monitored video, illuminated and discrete approach paths, hardened door and window hardware, a safe room with independent communication. We've written about what residential estate security actually includes in detail; the same architecture applies here, refined for the swatting-specific scenario.

5. Build family-level threat awareness, not paranoia

The spouse, teenagers, and personal staff should know what the patterns look like, what to do if a doxx surfaces, how to report a strange in-person approach, and how to behave during a swatting response (hands visible, voices calm, identify themselves, follow officer commands). A single 90-minute family tabletop run by a competent EP firm is worth more than any single piece of equipment. Our executive protection work includes family-level briefings as a default component for this reason.

6. Plan for the operational events

School pickup. Gym schedules. Charity events. Travel. These are the predictable, recurring moments offenders can plan against. The family doesn't need an armed agent at every drop-off — they need posture variability (changed routes, changed times, changed vehicles) and coverage on the highest-risk events. A good EP planner builds that calendar with you.

What family offices should add to their playbook

If you operate or work with a single-family office in the Valley, three additions belong in the standard playbook by mid-2026:

• A standing executive-protection retainer relationship — not necessarily 24/7 coverage, but a defined firm with knowledge of the principal's pattern of life, available to respond on short notice for high-risk events. We covered EP cost ranges in depth here if you want the pricing context.
• Quarterly digital-footprint reviews — for the principal, the spouse, adult family members, and key staff. Treat data-broker hygiene as a recurring operating expense, not a one-time project.
• An incident-response runbook — written, in the family office's records — that documents who calls whom, in what order, within the first 30 minutes of a credible doxx, swatting, or physical follow-on event. Most families improvise these in the moment. The ones that fare best have written them down in advance.

What this means for you

If you are an HNW principal, a family-office leader, or an attorney advising HNW families in Arizona, the operational reality is that the threat surface has shifted faster than most security postures have updated. The events that used to be theoretical — swatting, doxxing, follow-on at school pickup — have base rates now. Family members are the primary leverage point because they have larger digital footprints and lighter physical defenses. The controls that work are sequential, repeatable, and not particularly expensive — but they require someone who knows what they're doing to actually run them.

A 30-minute confidential conversation with a senior STRAPT team member gives you a real read on where the family's actual exposure sits. Request that conversation, or browse our resources page for owner-level material on related topics — including residential estate security, executive protection cost, and incident cost data.