
There has been a recent uptick in AI-enabled fraud targeting private equity firms, asset managers and their portfolio companies, as criminals use ever cheaper and more sophisticated AI tools to update traditional CEO impersonation fraud. Some firms have suffered seven-figure losses as a result.
Strong financial controls are the best protection against this activity. All new or changed payee details, and all large-value payments, must follow due process.
What is the problem?
It is now possible to accurately clone video and voice footage with very little source footage, often gathered from open source such as podcasts or conference footage.
We have seen a range of examples across the industry of the C-suite of portfolio companies being targeted, especially in the months following an acquisition or increased investment. The core tenets of the fraud typically include:
- A call or text to PortCo leadership from a new number, purporting to be the personal number of the Managing Partner or a director of the investment firm, requesting that new ‘secure’ communications be set up to support a confidential deal
- A set of authentic-looking supporting documents (such as an authority to pay on behalf of the firm) and third-party advisors, such as law firms or corporate financiers, used to add legitimacy to the request
- A request for secrecy and an urgent time limit for the PortCo to be able to transfer money on behalf of the PE firm to support the deal
Traditional red flags within the communications are getting harder to spot as the fraudsters use AI language models to improve the written word, and AI-generated speech and video are harder to spot.
However, the principal layer of defence against this fraud remains unchanged: ensuring that your management, finance and payment teams stick to your processes, know that management will support them in doing so, and never act on instructions received over out-of-band communication channels.
What is the risk?
The FBI attributed losses of over $894 million to AI-enabled crime in their 2025 internet crime report and it is an increasing proportion of the $20.9 billion of losses reported to them last year.
The objective is simple from the attacker's point of view: to defraud the victim into transferring money. Historically, these frauds took significant manual effort, from reconnaissance and targeting through to crafting the fake messages and realistic-looking documents.
However, the effort required is decreasing almost monthly. Attackers use AI tools to automatically mine the internet for open source information on new acquisitions and upcoming deals, and to gather information on key individuals in the relevant companies. Impersonating key stakeholders is now a trivial exercise using commercially available tools at negligible cost.
Attacker ROI calculations have been updated to use factors such as the size and length of the investment, the assessed strength of financial controls in the portfolio companies (previously family-owned businesses are seen as weaker) and whether there are language barriers that can be exploited to make any hiccups in communication easier to explain or ignore.
Attackers range from traditional cyber criminals through to nation states looking for easier access to hard currency to circumvent sanctions. For example, North Korea is estimated to generate at least $2-3 billion in revenue from cybercrime annually.
Whatever the source of the attack, the objectives remain the same:
- Source: Cyber Criminals
- Event: Social Engineering
- Consequences: Theft of Money
How may it evolve?
We expect the velocity and accuracy of these attacks to keep increasing, with deepfakes becoming increasingly hard to identify and advice on techniques to test realism (e.g. asking people to wave a hand in front of their face) becoming outdated rapidly as AI models improve.
Similar techniques are also being used as a vector for other traditional cyber attacks, such as introducing malware or gaining access to systems by using deepfakes to impersonate IT departments or line managers.
What action is required?
Carry out these three actions as a priority (and contact us for more help) to build awareness and resilience:
- Remind all finance and executive staff that they will never get in trouble for sticking to the approved payment processes and insisting on approvals via formal communication channels. If in doubt, they should make contact via an alternative, established method.
- Confirm that financial controls include, at a minimum: call-backs to publicly listed telephone numbers for all new or updated payee account details, and two-person authorisation on all large payments.
- Consider expanding your phishing training to cover vishing (voice impersonation) / smishing (messaging) and deepfake impersonation, and walkthroughs of relevant case studies to bring the subject to life for at least key staff in your C-suite and payments team.
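The three actions above are easiest to enforce when the payment-release rules are written down as a check that cannot be talked around on a phone call. The following is an added illustrative example, not Cydea's code or tooling, that encodes the controls described in this article as a policy-as-code gate: instructions only count when they arrive over a formal channel, new or changed payee details require a call-back to the number already held on file (never to a number supplied in the request), and large payments require two distinct approvers. The threshold, channel names, vendor master record and sample requests are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed policy values: the article says "large payments" without naming a figure.
LARGE_PAYMENT_THRESHOLD = 50_000
APPROVED_CHANNELS = {"erp_workflow", "signed_email"}  # assumed formal channels


@dataclass(frozen=True)
class Approval:
    approver: str  # named individual who approved
    channel: str   # channel the approval arrived on


@dataclass(frozen=True)
class PaymentRequest:
    payee: str
    account: str
    amount: int
    requested_via: str                           # channel the instruction arrived on
    approvals: Tuple[Approval, ...] = ()
    callback_number_used: Optional[str] = None   # number the verifier actually dialled


# Constructed vendor master: the account and the public phone number held on file.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "Acme Legal LLP": {"account": "GB00-1111", "phone": "+44 20 7000 0000"},
}


def evaluate(req: PaymentRequest, vendor_master=VENDOR_MASTER) -> List[str]:
    """Return the list of control failures; an empty list means the payment may be released."""
    failures: List[str] = []

    # Control 1: instructions only count when they arrive via a formal channel.
    if req.requested_via not in APPROVED_CHANNELS:
        failures.append(f"instruction received via unapproved channel '{req.requested_via}'")

    # Control 2: new or changed payee details need a call-back to the number on file,
    # never to a number supplied inside the request itself.
    on_file = vendor_master.get(req.payee)
    if on_file is None:
        failures.append("new payee: onboard via vendor master before any payment")
    elif on_file["account"] != req.account and req.callback_number_used != on_file["phone"]:
        failures.append("changed account details not verified by call-back to the number on file")

    # Control 3: large payments need two distinct approvers, each via a formal channel.
    valid_approvers = {a.approver for a in req.approvals if a.channel in APPROVED_CHANNELS}
    needed = 2 if req.amount >= LARGE_PAYMENT_THRESHOLD else 1
    if len(valid_approvers) < needed:
        failures.append(f"{needed} approver(s) via formal channels required, have {len(valid_approvers)}")

    return failures


def may_release(req: PaymentRequest) -> bool:
    return not evaluate(req)


# Constructed sample requests.
ROUTINE = PaymentRequest("Acme Legal LLP", "GB00-1111", 10_000, "erp_workflow",
                         (Approval("finance.manager", "erp_workflow"),))

# Changed account, verified by dialling the number held on file.
CHANGED_VERIFIED = PaymentRequest("Acme Legal LLP", "GB00-9999", 10_000, "erp_workflow",
                                  (Approval("finance.manager", "erp_workflow"),),
                                  callback_number_used="+44 20 7000 0000")

# Changed account, "verified" by dialling a number that came with the request.
CHANGED_BAD_CALLBACK = PaymentRequest("Acme Legal LLP", "GB00-9999", 10_000, "erp_workflow",
                                      (Approval("finance.manager", "erp_workflow"),),
                                      callback_number_used="+44 7700 900123")

# The pattern from the article: urgent large transfer requested over a new "secure" app.
URGENT_DEAL = PaymentRequest("Acme Legal LLP", "GB00-1111", 250_000, "secure_chat_app",
                             (Approval("ceo", "secure_chat_app"),))

LARGE_OK = PaymentRequest("Acme Legal LLP", "GB00-1111", 250_000, "erp_workflow",
                          (Approval("ceo", "erp_workflow"), Approval("cfo", "signed_email")))

# Two approvals from the same person do not satisfy two-person authorisation.
LARGE_SAME_PERSON = PaymentRequest("Acme Legal LLP", "GB00-1111", 250_000, "erp_workflow",
                                   (Approval("ceo", "erp_workflow"), Approval("ceo", "signed_email")))

if __name__ == "__main__":
    for name, req in [("routine", ROUTINE), ("changed_verified", CHANGED_VERIFIED),
                      ("changed_bad_callback", CHANGED_BAD_CALLBACK), ("urgent_deal", URGENT_DEAL),
                      ("large_ok", LARGE_OK), ("large_same_person", LARGE_SAME_PERSON)]:
        print(name, "RELEASE" if may_release(req) else "HOLD", evaluate(req))
```

The design point is that the urgency, secrecy and seniority of the requester never appear as inputs: the gate only looks at which channel the instruction and approvals arrived on, whether the call-back went to the number already on file, and how many distinct people approved. A request that arrives over a newly set up ‘secure’ app therefore fails regardless of how convincing the voice on it was.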
Cydea uses the Open Information Security Risk Universe (OISRU) as a framework and taxonomy for describing information security risks independently of models or methods of analysing risks. Find out more about our contribution to the project on our cydea.tools site.