Lockton has recently seen multiple clients targeted by highly sophisticated social engineering fraud linked directly to live merger and acquisition activity. These incidents are real and recent, and the techniques used suggest that private equity firms and their portfolio companies are likely targets.
Real, recent and relevant to private equity - what we are seeing
Even large organisations with strong internal controls have fallen victim to impersonation theft involving the following features:
C‑suite directors were contacted by fraudsters posing as individuals connected to their investors, requesting support on a confidential M&A transaction involving multi‑jurisdictional deals.
Well‑known law firms were impersonated, including the creation of WhatsApp “project groups” and had our insureds sign NDAs to reinforce credibility for the “deal”.
Fake portals were established in the name of a major law firm to exchange documents.
Mobile numbers were set up across multiple jurisdictions, making calls and messages appear genuine and coming from different countries.
Multiple payments were made to fraudulent bank accounts over a 2–3 week period, rather than a single transaction.
These cases spanned the US, Europe and Asia, adding complexity and reducing the opportunity to detect the fraud early.
Once funds were transferred, recovery proved almost impossible, leaving our clients with tens of millions of dollars in losses.
This has driven some of our existing clients to question whether they are purchasing enough social engineering coverage.
How we can help
We have developed a Crime Insurance solution that provides full policy limits for social engineering coverage which works on a broader ‘all risk’ basis.
If you are active in M&A, or preparing a transaction, we recommend reviewing your exposure now. Please contact a member of our team if you would like to discuss this risk or your existing cover.