The investment had the right ingredients.
A prominent family office. Senior officials with recognisable names. Access to Airbnb before its public offering. A professional website that appeared to confirm the relationship. Email addresses close enough to the real ones that few people would stop to count the letters.
An institutional client wired approximately US$9 million into escrow.
The family office had never offered the investment. Its senior people had never sent the emails. The website was fake. The shares did not exist.
Shamoon Rafiq had built the transaction out of somebody else's credibility. He created a false family-office website, which automatically routed visitors to the genuine website, and email addresses that closely resembled those of two real senior officials. Then he offered investors pre-IPO stock he did not own.
In May 2024, Rafiq was sentenced to 57 months in prison after pleading guilty to conspiracy to commit securities fraud and wire fraud.
The fraud matters for a reason that extends far beyond one criminal and one fictitious investment. Rafiq did not need to breach the family office. He did not need its passwords, servers, bank accounts, or permission.
He needed its name.
Source: U.S. Attorney's Office, Southern District of New York
The Asset Sitting in Public
Private banks and family offices spend heavily to protect the assets inside the institution. They secure accounts, devices, documents, payment systems, communications, and buildings.
Their reputation sits outside the perimeter.
Names, faces, job titles, email conventions, logos, office addresses, biographies, conference appearances, social profiles, and client relationships are visible. Much of that information has to be visible. A wealth institution cannot operate if nobody can establish who it is, who works there, or why they should be trusted.
That public trust has become criminal infrastructure.
An impersonator can copy the visible institution without touching the real one. A nearby domain creates the email. A cloned website supplies legitimacy. A copied profile provides history. Public video supplies a face and voice. The genuine institution has already spent decades making the imitation persuasive.
The criminal gets the benefit. The institution inherits the incident.
When a Familiar Message Costs S$13.7 Million
In December 2021, customers of OCBC received phishing messages impersonating the bank. The messages appeared inside SMS threads customers associated with genuine OCBC communications. They led to fake banking pages, captured credentials, and enabled account takeovers.
The number is brutal: 790 victims lost S$13.7 million. About 80% disappeared between 23 and 30 December.
OCBC completed full goodwill payouts to the victims. During the critical period, calls to the bank's contact centre surged by more than 40%.
The bank paid because the fraud had travelled through a channel carrying the bank's identity. Customers did not experience the attack as a random message from a stranger. They experienced something that looked like OCBC, arrived where OCBC messages had arrived before, and asked them to behave like OCBC customers.
That is the power of impersonation. It turns the institution's history with the client into pressure against the client.
The Fraud Is Only the First Bill
HSBC Australia shows what happens when the damage keeps compounding after money leaves the account.
Scammers masqueraded as HSBC representatives and obtained access to customer accounts. Reports of unauthorised transactions surged by approximately 380% in 2023 and 2024, largely driven by impersonation scams.
By June 2026, HSBC had admitted failures in its controls and customer response. Between January 2020 and August 2024, the bank received more than 1,000 reports of unauthorised transactions with a total value of A$34.6 million.
Then came the second bill.
HSBC had paid around A$21.5 million in compensation and recovered another A$6.5 million for customers. HSBC and the Australian Securities and Investments Commission jointly proposed an A$35 million penalty, subject to Federal Court approval.
Then came the time.
Customer investigations took an average of 144 days to finish. People who had already reported fraud were left waiting months for answers. Some accounts remained inaccessible while the institution worked through the damage.
The original crime belonged to the impersonators. The compensation, remediation, investigation delays, regulatory proceedings, legal exposure, client anger, and loss of confidence belonged to the bank.
Source: Australian Securities and Investments Commission, 18 June 2026
You Can Be Innocent and Still Have an Incident
Direct theft is the easiest consequence to measure. It is not the only one.
In 2025, fraudsters created social-media pages and profiles impersonating IG Wealth Management, its chief investment strategist, and financial professionals. They used the firm's name, logo, marketing material, and employee identities to promote fraudulent trading services across Facebook, LinkedIn, WhatsApp, and Telegram.
IG said it had no evidence that its clients had been targeted or affected. The institution still had work to do. It reported fraudulent accounts to platforms and regulators, alerted advisers and clients, updated its fraud guidance, and published warnings. The Canadian Investment Regulatory Organization issued an investor alert naming the impersonation campaign.
No confirmed client loss did not mean no incident. It meant the cost appeared in investigation, takedown, communications, compliance, and trust.
Source: Canadian Investment Regulatory Organization, 15 July 2025
In November 2025, the UK Financial Conduct Authority identified an unauthorised operation contacting people while pretending to be Deutsche Bank Wealth Management. The clone mixed false contact details with the identity of genuine Deutsche Bank entities.
The FCA disclosed no victim count or confirmed loss. It did disclose the trap. Anybody dealing with the clone would have no Financial Ombudsman Service access, no Financial Services Compensation Scheme protection, and little chance of recovering money if the operation failed.
The real bank had no connection to the scheme. Its identity was still the trust layer that made the approach work.
Source: Financial Conduct Authority, 24 November 2025
Then there is the person whose face becomes the fraud.
In 2025, economist David Rosenberg discovered that an AI-generated likeness of him was being used to promote fake investment opportunities on social media. The criminal did not need access to Rosenberg Research. Public video and a recognisable reputation supplied the raw material.
The better known the adviser, principal, or investment professional becomes, the more convincing material exists to build the imitation.
Source: Rosenberg Research, 15 July 2025
Private Wealth Is Built for This Attack
Private wealth operates through conditions most criminals would design for themselves.
Bespoke transactions. Confidential introductions. Small groups with exceptional authority. Principals who travel. Advisers who handle sensitive requests. Assistants who can move a decision forward. External lawyers, bankers, accountants, and investment professionals who may join a transaction briefly but carry enormous credibility.
The work is intentionally private, highly relational, and often urgent.
An unusual request can be normal. A new counterparty can be legitimate. A principal may communicate through an adviser. A family member may expect immediate help. An opportunity may be confidential enough that asking too many people feels like breaking trust.
The criminal uses those conditions as camouflage.
AI makes the imitation faster and cheaper, but technology is not the core weakness. The core weakness is that wealth moves through trusted relationships, and the institution often has no reliable way for the recipient to distinguish the relationship from a convincing copy.
Treat Identity Like Payment Infrastructure
The response does not begin with another awareness presentation. It begins by accepting that institutional identity can move money.
First, give clients and counterparties a verified route to confirm unusual instructions, investment opportunities, changes to payment details, and urgent requests. A reply inside the same email or message thread is not verification. The confirmation must travel through a channel the sender did not supply.
Second, monitor the identities that carry money-moving trust. That means lookalike domains, executive names, adviser profiles, social accounts, paid advertisements, messaging groups, and copied websites. The institution needs to know which principal, relationship manager, chief investment officer, lawyer, or assistant a criminal would impersonate first.
Third, prepare the response before the fake account appears. Evidence preservation, platform takedowns, client warnings, regulatory notification, payment intervention, and public communications should have named owners and rehearsed decisions. The first hours are too expensive for an internal debate about who is responsible.
Fourth, make independent confirmation culturally normal. A client, employee, or counterparty who pauses a confidential transaction to verify authority has protected the relationship. They have not insulted it.
These controls are unglamorous. That is the point. Impersonation fraud succeeds in the small gap between something that looks familiar and something that has been independently proved.
Private banks and family offices already understand that a payment instruction deserves control. They need to recognise the asset sitting one step before it.
If your name can move money, your name is part of the payment system.
