
Crisis24


Trusted Person Impersonation: Social Engineering Risks for Ultra-High-Net-Worth Individuals and Family Offices

19 MAR 2026




Personal and working relationships are built on years of interaction, judgment, and earned confidence. Technology has found a way to replicate the surface of those relationships with enough fidelity to make them indistinguishable from the real thing, opening the door to breaches in trust and in security.

For ultra-high-net-worth (UHNW) households, this exposure is compounded: the principals, advisors, staff, and office personnel who sustain complex family operations represent a wide surface of identities worth assuming, each carrying plausible authority to initiate high-value transactions. AI-enabled tools have given sophisticated actors the ability to clone voices, mirror communication styles, and fabricate proof of identity with precision. The consequences extend beyond financial loss to reputational damage, exposure of personally identifiable information (PII), and in some cases direct physical risk. The effectiveness of these attacks often has as much to do with how precisely they are shaped around the routines, relationships, and channels a household already trusts as with the sophistication of the tools behind them.

Types of Impersonation

Impersonation attacks arrive through different channels and exploit different relationships, but each is designed to move faster than the people targeted can respond. The most common forms affecting UHNW households and family offices are outlined below. 

Executive or Advisor Impersonation (Business Email Compromise)

When threat actors impersonate trusted advisors — attorneys, wealth managers, CFOs, family office executives — the objective is almost always the same: redirect funds or alter payment instructions before anyone verifies the request. Law enforcement agencies track this category of attack under the umbrella of Business Email Compromise (BEC), and the volume and scale of documented losses reflect how consistently it succeeds.1 For UHNW households, the volume and complexity of financial activity create particular exposure: transactions move frequently, involve multiple parties, and are often time-sensitive, and these conditions make a well-timed, well-crafted request difficult to question.

  • Scenario: A spoofed email arrives from what appears to be the family’s estate attorney, sent on a Tuesday afternoon and referencing a property closing by its correct address. The counterparty is one the family has dealt with before. The message explains that the firm recently changed banking institutions and provides updated wiring instructions for the final disbursement, asking that the change be kept confidential until the matter closes. However, the sending domain differs from the genuine one by a single character: an additional hyphen that is easy to miss on a phone screen. The wire is processed before anyone thinks to call. Only partial financial recovery is eventually possible through the bank.

What is at Stake: Wire transfers are rarely recalled in time, and the financial loss — often irrecoverable — may ultimately be secondary to what the attacker now understands about how the family moves money: who approves it, who communicates it, and what the process looks like from the inside. That intelligence does not expire when the transaction closes, and the reputational strain with financial institutions can outlast the incident itself. 

Messaging Platform and Collaboration Tool Impersonation

Messaging platforms and collaboration tools present a different kind of exposure than email and one that most households and offices have not fully accounted for. The informal cadence of these environments works against scrutiny; response speed is assumed, and any request to slow down and confirm reads as friction. Attackers work within platforms the household or office already uses, building enough familiarity through informal exchanges to normalize a request for credentials, an approval, a QR code scan, or access to a document portal.2

  • Scenario: A household staff member receives a message on a collaboration platform from what appears to be a family member — with the correct display name, a tone consistent with previous exchanges, and a passing reference to a property transaction already underway. The conversation is unhurried, moving across several days before it shifts toward a request to review documents through an external portal. The staff member logs in. The account is silently compromised for three weeks before the breach is surfaced during a routine IT review.  

What is at Stake: A silently compromised account may yield nothing immediately visible, such as a transaction, yet gives an attacker weeks of passive access to internal communications. That access builds an operational picture of the household: when the principal travels, who handles finances, which vendors are trusted, and what approval processes look like. Each piece of that picture lowers the effort required for whatever comes next, whether a more targeted BEC attempt, a fraudulent vendor substitution, or something that exploits knowledge of physical movements and security arrangements. 

Family Emergency and Voice Cloning Scams

Family emergency scams exploit the fear that a loved one is in danger. The underlying scheme has run for decades, but AI voice synthesis has transformed its credibility. A few seconds of publicly available audio are now enough to produce a convincing approximation of a family member’s voice, and under conditions of stress and urgency, that approximation is rarely questioned.3  Deepfake video has extended the same capability into the visual domain, enabling distress scenarios assembled entirely from publicly available footage.4 

  • Scenario: A family office manager receives a call one afternoon from a number saved under a family member’s name. The voice is immediately recognizable, including the cadence and the accent. The family member claims to be calling from overseas, and reports there has been an incident. He needs legal help arranged by end of business, and he would prefer his parents not be told yet. The manager begins pulling up wire transfer instructions before she sets the phone down and calls him back through the family’s internal directory. The family member picks up from his home office. The voice used in the call had been cloned from a panel recording posted publicly on a conference organizer’s website months earlier. 

What is at Stake: Financial losses, where they occur, are sometimes recoverable. The erosion of intra-family trust that follows — the lasting wariness, the hesitation before answering a call from a familiar number — is harder to put a figure on and tends to far outlast the incident that caused it.

Virtual Kidnapping and Synthetic Proof-of-Life

Virtual kidnapping requires no access to systems and no prior relationship with the target. It operates entirely on fear, time pressure, and the difficulty of independently verifying a loved one’s safety in the moment a call arrives. What AI has added is synthetic proof-of-life, including photographs and video digitally altered to simulate distress, which makes demands harder to dismiss and buys the attacker time before the family can establish contact through other means. The FBI has documented cases where manipulated content sustained ransom demands long enough to extract payment.5

  • Scenario: A principal receives a call on a Friday evening claiming her adult son has been taken. Within seconds, a video clip arrives showing a young man in apparent distress in an unfamiliar location. The caller warns her that contacting police or other family members will put her son at immediate risk, and demands a cryptocurrency transfer within two hours. Her son’s mobile goes to voicemail twice. She is forty minutes from initiating payment when a second family member reaches him through a work contact. He is at his apartment and has been unreachable because his phone died. The video had been constructed from photographs and short clips taken from his public social media and digitally altered to simulate the scenario.

What is at Stake: Families who do not pay still absorb real psychological harm. Those who do will almost certainly not recover the funds — cryptocurrency transactions, for example, do not reverse — and the incident can escalate into broader physical security concerns that require protective action well after the immediate threat has passed. 

SIM Swap-Enabled Impersonation

SIM swap fraud targets something most security controls leave exposed: the phone number that sits beneath them all. Once an attacker controls that number, access to email, banking, and financial platforms follows in sequence, with each account reset using authentication codes the attacker now receives. The FCC has issued formal guidance on SIM swap and port-out fraud given how persistent the problem has become.6 7

  • Scenario: A principal is attending a conference, which is listed publicly on a foundation website, including dates and location. While she is traveling, an attacker calls her mobile carrier, works through the identity verification process using personal details gathered from publicly available sources, and completes a number transfer in under fifteen minutes. By that evening, her incoming SMS authentication codes are arriving on a device she has never seen. The attacker resets her primary email account, gains access to a financial platform linked to it, and sends a transfer request to the family office from her own number. The request is consistent with how she communicates when traveling. Nobody inside the organization flags it. The compromise is identified by the bank’s fraud team, who contact a compliance officer.  

What is at Stake: A successful SIM swap compromises personal and professional accounts simultaneously, and remediation requires coordinated action across multiple institutions that can take weeks to complete. The reputational damage that accumulates in the interim, while the principal’s identity is being used to approach advisors and counterparties, takes considerably longer to repair. 

Recommendations

Impersonation-based attacks on UHNW households and family offices are increasing in frequency and sophistication, but the damage they cause is not inevitable. Those best positioned to limit their impact have established the right habits, protocols, and controls well before they are needed. Key recommendations include:

1. Establish Formal Verification Protocols

Mandatory out-of-band verification is the most effective control against impersonation-based financial fraud. Any transaction or payment instruction change above a defined threshold warrants a callback to a number from the family’s own records — never one provided in the request. A household passphrase agreed upon in person gives principals and their staff something AI voice cloning cannot reproduce and provides a reliable check for emergency scenarios. Dual authorization on high-value transfers should hold regardless of how urgent a request sounds.

  • Implement mandatory out-of-band verification for financial transactions.
  • Use pre-agreed family passphrases for emergency scenarios.
  • Require dual authorization for high-value transfers.8
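
The three controls above can be written down as a release gate that a payment workflow evaluates before any funds move. This is an added example, not from the original article; the threshold value, the phone numbers, and every class and field name are assumptions or constructed data.

```python
from dataclasses import dataclass, field

THRESHOLD = 50_000  # assumed value; the article says only "a defined threshold"

# Constructed records: callback numbers the family office already holds.
NUMBERS_ON_FILE = {"estate-attorney": "+1-555-0100"}


@dataclass
class PaymentRequest:
    counterparty: str
    amount: int
    changes_instructions: bool        # new bank details or beneficiary
    requester: str
    marked_urgent: bool = False       # recorded, never used to waive a check
    callback_number: str = ""         # number staff actually dialled
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)


def release_blockers(req: PaymentRequest) -> list:
    """Reasons the request must not be released; an empty list means release."""
    blockers = []
    high_value = req.amount >= THRESHOLD
    # Assumption: any change of payment instructions needs a callback, whatever the amount.
    if high_value or req.changes_instructions:
        on_file = NUMBERS_ON_FILE.get(req.counterparty)
        if on_file is None:
            blockers.append("no number on file for counterparty")
        elif req.callback_number != on_file:
            blockers.append("callback not made to the number on file")
        elif not req.callback_confirmed:
            blockers.append("counterparty did not confirm on callback")
    if high_value and len(req.approvers - {req.requester}) < 2:
        blockers.append("needs two approvers other than the requester")
    return blockers
```

Urgency is stored on the request but never read by the gate, which is how "regardless of how urgent a request sounds" looks in code.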

2. Strengthen Identity and Authentication Controls

Verification protocols and authentication controls work on different parts of the same problem, and neither fully substitutes for the other. SMS-based authentication is the precise mechanism SIM swap attacks are built around, and it remains the default for many accounts; transitioning to phishing-resistant MFA or passkeys closes that gap. Carrier-level number lock and port-out PIN protections address the underlying vulnerability before an attacker ever reaches an account.

  • Transition from SMS-based authentication to phishing-resistant MFA or passkeys where possible.
  • Enable carrier-level number lock and port-out PIN protections.9

3. Reduce Public Exposure

Much of what fuels these attacks originates with the principals and their households: voice samples pulled from podcasts and public appearances, virtual kidnapping scenarios assembled from posted photographs and real-time location data, or travel patterns disclosed through posts made mid-trip. Reducing the public footprint across principals, family members, and staff limits the material available to any motivated threat actor. Periodic open-source exposure assessments identify what is currently accessible and create an opportunity to address that exposure before it is exploited.

  • Limit real-time sharing of travel details and family media.
  • Conduct periodic open-source exposure assessments.10

4. Train and Exercise

Controls and reduced exposure matter, but neither prepares staff to act correctly when a situation is already in motion. Tabletop exercises covering BEC, voice cloning, and virtual kidnapping scenarios build the instincts that written procedures cannot produce on their own. A one-page response checklist provides household and office staff with a clear framework to follow during incidents where pressure is high and the sequence of actions matters.

  • Conduct tabletop exercises for impersonation scenarios with household staff and family office personnel.
  • Develop and distribute a concise impersonation response checklist.
  • Establish and test rapid contact protocols with banks, mobile carriers, and security teams.11

*Scenarios throughout this document are hypothetical, composite illustrations based on documented attack patterns and are not accounts of specific incidents. 



References

1 Federal Bureau of Investigation (FBI). Business email compromise (BEC)—Common frauds and scams. https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise
2 Check Point Research. Microsoft Teams impersonation and spoofing vulnerabilities exposed. https://research.checkpoint.com/2025/microsoft-teams-impersonation-and-spoofing-vulnerabilities-exposed/
3 Federal Trade Commission (FTC). Scammers use AI to enhance their family emergency schemes. https://consumer.ftc.gov/consumer-alerts/2023/03/scammers-use-ai-enhance-their-family-emergency-schemes
4 Federal Communications Commission (FCC). Deepfake audio and video: How AI makes robocalls and scam texts harder to spot. https://www.fcc.gov/consumers/guides/deep-fake-audio-and-video-links-make-robocalls-and-scam-texts-harder-spot
5 8 10 Federal Bureau of Investigation (FBI). Criminals using altered “proof-of-life” media to extort victims in virtual kidnapping scams. https://www.fbi.gov/investigate/cyber/alerts/2025/criminals-using-altered-proof-of-life-media-to-extort-victims-in-virtual-kidnapping-for-ransom-scams
6 9 Federal Communications Commission (FCC). Cell phone fraud. https://www.fcc.gov/cell-phone-fraud
7 Federal Communications Commission (FCC). Protecting consumers from SIM swap and port-out fraud. 
11 JPMorgan Chase & Co. Defending against business email compromise. https://www.jpmorgan.com/content/dam/jpm/commercial-banking/insights/cybersecurity/defending-against-business-email-compromise.pdf
 
