Technology
What Family Offices Must Do Differently in the Age of AI Fraud

When AI-enabled fraudsters are on the loose, it further heightens the need for people to be on their guard. An expert from the world of insurance and security recently spelled out what's at stake at FWR's Family Office cybersecurity forum in Manhattan.
The following article is based on the afternoon keynote speech delivered at this news service's recent family office cybersecurity forum in New York (see our US correspondent's report on the event.) The speaker - and author of this article - is Aruna Rawat, who is chief information security officer at Pure Insurance.
Someone close to me is an attorney. She reads contracts for a living, the kind of person who catches a misplaced comma and asks what it is hiding. A few months ago, she downloaded an app onto her iPhone, and it turned out to be a convincing counterfeit of something she had every reason to trust. By the time she realized, it had already done its work.
What stayed with me was not that she was fooled. It was how little her caution mattered. She is trained, deliberate, and professionally skeptical, and none of it helped, because the fake did not look like a fake. It looked exactly like the thing she expected to see.
This is what AI has changed. For most of my career, security meant protecting systems: firewalls, monitoring, and keeping the wrong people off the network. But the tools that can clone a voice or place a familiar face on a video call are now cheap and everywhere, and they have moved the target. Attackers are no longer after your systems so much as your trust. The people around the family office, attorneys, accountants, advisors, and assistants, are competent and careful, which is precisely what these attacks are built to slip past. And when the same trick is aimed at moving real money rather than fooling one phone, the cost stops being personal and turns catastrophic.
The democratization of deception
Consider what happened to the engineering firm Arup in early
2024, as reported by CNN and the Financial
Times (see below this article). A finance employee at the
company's Hong Kong office received a message, supposedly from
the company's UK-based CFO, requesting a confidential
transaction. To his credit, he was suspicious that the email had
the hallmarks of a phishing attempt and nearly dismissed it.
Then he joined a video call. The CFO was there. So were several colleagues he recognized. They looked and sounded exactly like the people he knew, and they walked him through the urgency of the transfers. Reassured, he made 15 transactions totaling roughly $25 million. Every face on that call was a deepfake, built from video and audio of Arup executives that anyone could find online. He discovered the fraud only after following up with headquarters, at which point the money was gone.
What is striking about that case is not the technology. It is that a cautious employee with good instincts was overridden the moment familiar faces appeared on a screen. His skepticism survived the email. It did not survive the video call.
The signals we have relied on for decades are becoming unreliable. A familiar voice is no longer proof of identity. A recognizable face is no longer proof of authenticity. An email from a trusted contact is no longer a sufficient reason to act.
Why family offices face a different
challenge
What makes a family office effective is often what makes it
vulnerable. You run on trust, discretion, and the ability to move
quickly. Decisions are made through personal relationships rather
than formal corporate processes, often without the layers of
approval a large company would impose.
Attackers understand this. They know an urgent request that appears to come from a trusted individual can bypass the very scrutiny that would otherwise stop it. In many cases, the target is not a system at all. It is a decision.
Privacy has become a security control
The Arup deepfakes were built from publicly available footage.
That detail points to a shift many people have not yet absorbed:
privacy is no longer just a personal preference. It is a security
requirement.
Every social media post, public appearance, family photograph, and professional profile adds to a digital footprint. Individually harmless, these details collectively give attackers the raw material to build convincing impersonations, the voice samples, the relationships, and the context that makes a fraudulent request feel real.
This challenge spans generations. Younger family members often share online. Older generations may place greater trust in phone calls and personal relationships. Advisors and household staff hold information that creates additional exposure. The family office ecosystem is interconnected, and attackers know how to work those connections.
Privacy here is not about secrecy. It is about reducing unnecessary exposure. And because the most believable attacks arrive through everyday channels, email, text, video calls, awareness must reach beyond employees to principals, family members, household staff, and trusted advisors alike.
Awareness creates understanding, but it is not enough on its own. The Arup employee was aware enough to doubt the email. It was the absence of a verification step, not the absence of awareness, that cost his company twenty-five million dollars.
Verification is the new discipline
The most important lesson of this era is that trust and
verification are no longer in tension.
For years, verification was treated as a sign of caution, even suspicion. Today, it is a sign of professionalism. The most resilient family offices are building cultures where verification is simply expected. Sensitive requests are confirmed through independent channels. Changes to payment instructions are validated in accordance with established procedures. Unusual requests are paused and reviewed, even when they appear to come from a trusted source.
The question is no longer "Do I trust this person?" It is "Have I verified this request?"
In practice, this reduces to one rule worth adopting this week: any request to move or change the destination of money is confirmed by a callback to a known, pre-established number, never a number supplied in the request itself, and regardless of who appears to be asking. Had that one step been in place at Arup, a deepfake on a video screen would have run straight into a phone call with the real CFO. The fraud would have ended there.
Resilience Is the new competitive advantage
For years, security strategies were built around prevention:
block the threat, keep the adversary out. Prevention still
matters, but resilience matters just as much now.
No family office can assume it will stop every attack or see through every deception. The ones that thrive prepare for the reality that something will eventually get through. Resilience means recognizing a problem quickly, responding effectively, recovering with confidence, and continuing to operate under pressure. It means clear verification processes, an incident response plan, trusted advisors, and well-informed people, the follow-up call that exposed the Arup fraud, made before the money moves rather than after.
Most importantly, it means understanding that cybersecurity is no longer solely a technology issue. It is a leadership issue.
Family offices have always been stewards of wealth, relationships, and legacy. In the age of AI, they must also become stewards of trust. The challenge is no longer determining whether something looks, sounds, or feels real. It is building the discipline to verify before acting, and the resilience to recover when something slips through.
Trust remains essential. But trust without verification has
become one of the greatest risks of all.
________________________________________
The Arup case was reported by Hong Kong police in 2024 and
covered by CNN and the Financial Times*.*