Print this article
What Family Offices Must Do Differently in the Age of AI Fraud
Aruna Rawat
7 July 2026
The following article is based on the afternoon keynote speech delivered at this news service's recent family office cybersecurity forum in New York The speaker - and author of this article - is Aruna Rawat, who is chief information security officer at Pure Insurance. Someone close to me is an attorney. She reads contracts for a living, the kind of person who catches a misplaced comma and asks what it is hiding. A few months ago, she downloaded an app onto her iPhone, and it turned out to be a convincing counterfeit of something she had every reason to trust. By the time she realized, it had already done its work. What stayed with me was not that she was fooled. It was how little her caution mattered. She is trained, deliberate, and professionally skeptical, and none of it helped, because the fake did not look like a fake. It looked exactly like the thing she expected to see. This is what AI has changed. For most of my career, security meant protecting systems: firewalls, monitoring, and keeping the wrong people off the network. But the tools that can clone a voice or place a familiar face on a video call are now cheap and everywhere, and they have moved the target. Attackers are no longer after your systems so much as your trust. The people around the family office, attorneys, accountants, advisors, and assistants, are competent and careful, which is precisely what these attacks are built to slip past. And when the same trick is aimed at moving real money rather than fooling one phone, the cost stops being personal and turns catastrophic. The democratization of deception Then he joined a video call. The CFO was there. So were several colleagues he recognized. They looked and sounded exactly like the people he knew, and they walked him through the urgency of the transfers. Reassured, he made 15 transactions totaling roughly $25 million. Every face on that call was a deepfake, built from video and audio of Arup executives that anyone could find online. He discovered the fraud only after following up with headquarters, at which point the money was gone. What is striking about that case is not the technology. It is that a cautious employee with good instincts was overridden the moment familiar faces appeared on a screen. His skepticism survived the email. It did not survive the video call. The signals we have relied on for decades are becoming unreliable. A familiar voice is no longer proof of identity. A recognizable face is no longer proof of authenticity. An email from a trusted contact is no longer a sufficient reason to act. Why family offices face a different challenge Attackers understand this. They know an urgent request that appears to come from a trusted individual can bypass the very scrutiny that would otherwise stop it. In many cases, the target is not a system at all. It is a decision. Privacy has become a security control Every social media post, public appearance, family photograph, and professional profile adds to a digital footprint. Individually harmless, these details collectively give attackers the raw material to build convincing impersonations, the voice samples, the relationships, and the context that makes a fraudulent request feel real. This challenge spans generations. Younger family members often share online. Older generations may place greater trust in phone calls and personal relationships. Advisors and household staff hold information that creates additional exposure. The family office ecosystem is interconnected, and attackers know how to work those connections. Privacy here is not about secrecy. It is about reducing unnecessary exposure. And because the most believable attacks arrive through everyday channels, email, text, video calls, awareness must reach beyond employees to principals, family members, household staff, and trusted advisors alike. Awareness creates understanding, but it is not enough on its own. The Arup employee was aware enough to doubt the email. It was the absence of a verification step, not the absence of awareness, that cost his company twenty-five million dollars. Verification is the new discipline For years, verification was treated as a sign of caution, even suspicion. Today, it is a sign of professionalism. The most resilient family offices are building cultures where verification is simply expected. Sensitive requests are confirmed through independent channels. Changes to payment instructions are validated in accordance with established procedures. Unusual requests are paused and reviewed, even when they appear to come from a trusted source. The question is no longer "Do I trust this person?" It is "Have I verified this request?" In practice, this reduces to one rule worth adopting this week: any request to move or change the destination of money is confirmed by a callback to a known, pre-established number, never a number supplied in the request itself, and regardless of who appears to be asking. Had that one step been in place at Arup, a deepfake on a video screen would have run straight into a phone call with the real CFO. The fraud would have ended there. Resilience Is the new competitive advantage No family office can assume it will stop every attack or see through every deception. The ones that thrive prepare for the reality that something will eventually get through. Resilience means recognizing a problem quickly, responding effectively, recovering with confidence, and continuing to operate under pressure. It means clear verification processes, an incident response plan, trusted advisors, and well-informed people, the follow-up call that exposed the Arup fraud, made before the money moves rather than after. Most importantly, it means understanding that cybersecurity is no longer solely a technology issue. It is a leadership issue. Family offices have always been stewards of wealth, relationships, and legacy. In the age of AI, they must also become stewards of trust. The challenge is no longer determining whether something looks, sounds, or feels real. It is building the discipline to verify before acting, and the resilience to recover when something slips through. Trust remains essential. But trust without verification has become one of the greatest risks of all.
Consider what happened to the engineering firm Arup in early 2024, as reported by CNN and the Financial Times . A finance employee at the company's Hong Kong office received a message, supposedly from the company's UK-based CFO, requesting a confidential transaction. To his credit, he was suspicious that the email had the hallmarks of a phishing attempt and nearly dismissed it.
What makes a family office effective is often what makes it vulnerable. You run on trust, discretion, and the ability to move quickly. Decisions are made through personal relationships rather than formal corporate processes, often without the layers of approval a large company would impose.
The Arup deepfakes were built from publicly available footage. That detail points to a shift many people have not yet absorbed: privacy is no longer just a personal preference. It is a security requirement.
The most important lesson of this era is that trust and verification are no longer in tension.
For years, security strategies were built around prevention: block the threat, keep the adversary out. Prevention still matters, but resilience matters just as much now.
________________________________________
The Arup case was reported by Hong Kong police in 2024 and covered by CNN and the Financial Times*.*