15 April 2025
The Growing Threat of Cyber Fraud for Private Equity Firms: Protecting Against Messaging App Scams
Cybercriminals are leveraging messaging platforms and generative AI to scam unsuspecting employees.
Here’s how to protect your company.
Cybersecurity threats come in many shapes and sizes. At the brute-force end of the spectrum are denial-of-service attacks, which bombard websites with so many user requests that network bandwidth is overwhelmed, and services slow down or collapse entirely. Cybercriminals also use more precise tactics, gaining access to and control over a network by targeting chinks in its armour, such as weak passwords.
At a more personal level, businesses may be targeted by phishing or impersonation fraud, also called social engineering attacks or fake presidents’ fraud. These involve criminals using digital communications channels to pose as senior officials within the firm to manipulate employees into transferring funds to them or clicking on links to ransomware.
These types of attacks are now far more sophisticated than phishing emails in years gone by, where fictitious foreign princes would promise future riches in return for a brief loan. The advent of WhatsApp and other messaging platforms has given bad actors far more options to hoodwink unwitting employees.
The convincing nature of deepfake attacks
The increasing sophistication of generative AI also gives criminals the ability to conduct plausible, live conversations with targets within specific businesses at little cost in time or effort. According to one survey, over 10% of firms have been victims of a deepfake fraud attack. This type of targeting typically involves multiple communication channels in an effort to convince the target it is genuine.
“We are likely to witness video impersonations and voicemail impersonations becoming more commonplace,” says John Farley, Managing Director of Gallagher’s US Cyber Liability practice. “Imagine receiving a voicemail from a CEO instructing you to transfer a million dollars for a pressing deal. If that message sounds like your CEO’s voice, someone who is familiar with it might take notice. The average person in an accounting role might not question the legitimacy of that request.”
Some real-life examples of impersonation fraud come straight from the pages of science fiction. “These sorts of threats are among the most significant facing private equity firms,” says Thomas Falcon, Technical Director of Financial Institutions at Gallagher.
“Private equity firms handle substantial amounts of money across various transactions, often transferring funds to clients, putting them at risk of impersonation fraud. This can be addressed with crime insurance, which offers private equity firms the ability to cover costs related to data breaches, including legal fees, damages and expenses for rectifying affected computer systems.” A 2024 IBM report found that social engineering attacks specifically took an average of 257 days to resolve. The report also found that more than half of breached businesses suffered from critical shortages in cybersecurity skills among their workforce.
Greater investment in staff skills and security systems
Each employee must be aware of their role as a potential vector for attack and their responsibility to keep the organisation safe. Private equity firms can mitigate financial risks related to these threats by investing in cyber insurance. This type of coverage can reduce exposure to legal costs, breach-related expenses, and financial losses caused by ransomware attacks or fraudulent transactions.
“It is critical that all employees are trained on how hackers are utilising AI to execute their attacks,” says John Farley. “This training should encompass recognising phishing emails and AI-generated voicemails and videos.”
Using AI in cybersecurity: fighting fire with fire
Companies can protect their staff and networks by fighting fire with fire, meeting criminals’ ever more sophisticated use of AI with AI defences of their own. These tools can scan emails and other digital messages, screening out those that are obviously bogus and raising red flags for others that may have ill intent.
Cyber insurance policies can also provide comprehensive support for firms dealing with AI-driven threats, offering coverage for data recovery, business interruption, and third-party liabilities resulting from a breach.
Above all, firms must treat cybersecurity as a constant task — recruiting the right people to equip the organisation with the best possible knowledge and skillsets, building and updating first-class governance structures for responding to specific risks, and getting buy-in at every level.
Some organisations introduce specific policies about corporate device monitoring as a part of their security auditing process. Employees are advised to limit their use of corporate devices to business purposes. If any personal devices are used for business communications, a compliance framework should prescribe data-sharing limitations.
Many firms will have to run fast to get up to scratch. A recent report from Microsoft found that only 13% of UK organisations qualify as ‘resilient’ against cyber threats, but that better defences could save the national economy more than £50 billion per year.
“It’s an arms race between AI-driven attacks and defences,” says Farley. “Thankfully, we now have AI tools to help us detect attacks, which is a significant advantage. Endpoint Detection and Response and Managed Detection and Response solutions can alert us if an unauthorised individual has accessed the system, enabling us to take action. However, effectively addressing these threats will require AI technology, as manual processes will not suffice for real-time detection.”
Cyber threats are evolving at an unprecedented pace, with generative AI and social engineering attacks posing significant risks to private equity firms and businesses of all sizes. While robust cybersecurity systems and AI-driven defences are critical, insurance solutions such as cyber and crime insurance provide an essential safety net to address the financial and legal repercussions of a breach. By combining cutting-edge technology, proactive employee training, and appropriate insurance coverage, firms can better protect themselves and stay ahead in this ever-intensifying arms race.

Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.