An Example Of Credential Harvesting

Cybercriminals are impersonating family offices and private investment groups, approaching businesses in the professional services, technology, and financial sectors with offers of strategic partnerships, investment funding, or even full company acquisition. 

At first glance, these emails appear legitimate. They reference credible-sounding investment entities, use polished commercial language, and include a clear call to action: book a meeting. 

However, the real objective is credential harvesting. 

Credential harvesting is a type of phishing attack designed to trick individuals into entering their login details, typically usernames and passwords, into a fake website that mimics a trusted service. The bad actor can then use these credentials to gain unauthorised access to business systems.

How the Scam Works 

The scam begins with an unsolicited message from someone claiming to represent a family office, investment firm, or wealth management group. The email typically praises your business or recent achievements, expresses interest in a partnership or acquisition, invites you to schedule a meeting via a link, and uses a professional signature and branding. The goal is to build credibility and spark curiosity.

The email typically includes a button or link such as “Schedule a Call,” “Book a Meeting,” or “View Our Proposal.” 

Clicking this link takes you to a calendar booking page that appears to be part of a legitimate scheduling process. Before you can confirm the meeting, the site prompts you to sign in with your Microsoft credentials. 

This is the heart of the scam. 

The page is designed to look identical to the genuine Microsoft 365 login screen. In reality, it is a phishing site created to capture your login details. Once you enter your email and password, the credentials are intercepted and saved by the bad actors and then passed directly to the legitimate Microsoft portal. Microsoft then prompts for an MFA code from your authenticator app; you enter this on screen, and Microsoft sends back an access token that demonstrates successful authentication. However, the bad actor seizes this token and saves it on their own computer, so that they can sign in to the Microsoft portal and access your data without needing another MFA code. Once into your account, the bad actor can add their own phone to the list of MFA devices to ensure they can access your account in the future.

With access to your Microsoft account, criminals can read and monitor your emails, reset passwords for other connected services, impersonate you in communications, send phishing emails to your contacts, and attempt invoice fraud or other financial scams. They may also connect AI tools to read your emails and documents to understand any upcoming transactions or transfers, and then alter documents to reflect their own bank details.
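The account takeover described above leaves a recognisable trail in sign-in and audit logs: a genuine MFA sign-in from the victim's usual location, then a sign-in from an unfamiliar address where MFA is "satisfied by claim in the token" rather than by a fresh prompt, often followed by a new MFA method being registered. The following detection script is an added example written for this article, not Tivarri's tooling; the log records are constructed and their field names are simplified from Entra ID sign-in and audit logs, and the office IP list is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data). Field names are
# simplified from Entra sign-in / audit logs and are assumptions.
EVENTS = [
    {"time": "2025-03-04T09:00:00", "type": "signin", "user": "cfo@example.test",
     "ip": "203.0.113.10", "mfa": "completed in authenticator app", "success": True},
    {"time": "2025-03-04T09:03:00", "type": "signin", "user": "cfo@example.test",
     "ip": "198.51.100.77", "mfa": "satisfied by claim in the token", "success": True},
    {"time": "2025-03-04T09:20:00", "type": "audit", "user": "cfo@example.test",
     "ip": "198.51.100.77", "activity": "User registered security info"},
    {"time": "2025-03-04T10:00:00", "type": "signin", "user": "ops@example.test",
     "ip": "203.0.113.10", "mfa": "satisfied by claim in the token", "success": True},
]

KNOWN_IPS = {"203.0.113.10"}   # assumed: the company's office egress addresses
WINDOW = timedelta(hours=1)    # how soon after the real MFA prompt the replay must occur

def parse(ts):
    return datetime.fromisoformat(ts)

def find_aitm_indicators(events, known_ips=KNOWN_IPS, window=WINDOW):
    """Return (user, reason) findings for the stolen-token pattern: a real MFA
    sign-in from a known IP, then a token-claim sign-in from an unknown IP shortly
    after, optionally followed by a new MFA method registered from that IP."""
    findings = []
    signins = [e for e in events if e["type"] == "signin" and e["success"]]
    audits = [e for e in events if e["type"] == "audit"]
    for s in signins:
        if s["mfa"] != "satisfied by claim in the token" or s["ip"] in known_ips:
            continue
        t = parse(s["time"])
        # Was there a genuine MFA prompt from a known IP just before this sign-in?
        prior = [p for p in signins if p["user"] == s["user"] and p["ip"] in known_ips
                 and "claim" not in p["mfa"]
                 and timedelta(0) <= (t - parse(p["time"])) <= window]
        if not prior:
            continue
        mins = (t - parse(prior[-1]["time"])).seconds // 60
        reason = f"token replayed from {s['ip']} {mins} min after MFA at {prior[-1]['ip']}"
        # Persistence step from the article: attacker registers their own MFA device
        if any(a["user"] == s["user"] and a["ip"] == s["ip"]
               and a["activity"] == "User registered security info" for a in audits):
            reason += "; new MFA method registered from that IP"
        findings.append((s["user"], reason))
    return findings

if __name__ == "__main__":
    for user, reason in find_aitm_indicators(EVENTS):
        print(user, "->", reason)
```

A hit is a prompt to revoke the user's sessions and review their registered MFA methods, not proof of compromise on its own, since legitimate token reuse from a new network can look similar.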

Why This Scam Is Effective 

Cybercriminals know that business owners and executives are more likely to engage with messages about investment, partnerships, or acquisition opportunities. These topics naturally trigger interest and urgency. 

The scam also leverages professional-looking branding, realistic business language, and a sense of opportunity. It’s a clever blend of social engineering and technical deception. 

How to Protect Yourself 

1. Be cautious with unsolicited investment or acquisition offers. If you weren’t expecting it, treat it with suspicion. 

2. Hover over the link and confirm the destination domain is legitimate and expected. Treat links with unusual domains, misspellings, or URL shorteners as suspicious. 

3. If your licence supports it, ask your IT team to enable device-based Conditional Access. This ensures access to your account is limited to company-owned devices.

4. Report suspicious emails immediately. Forward them to your IT or security team for analysis. 

5. Trust your instincts. If something feels “off,” it probably is. 
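Step 2 above is something a mail gateway or a security team can also do in bulk. The script below, an added example and not part of the original article, pulls every link out of an HTML email body and flags the ones whose real destination is a URL shortener, is not on an assumed allow-list of expected booking domains, or uses a brand name in a subdomain to look like a Microsoft page. The sample email body and all domain lists are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains this business expects in meeting-booking links.
EXPECTED_DOMAINS = {"calendly.com", "outlook.office.com"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "ow.ly"}
BRAND_WORDS = ("microsoft", "office", "outlook")  # brands commonly impersonated

class LinkCollector(HTMLParser):
    """Collects (visible button text, href) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable(host):
    """Crude registrable-domain guess (last two labels); fine for this example."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_links(html, expected=EXPECTED_DOMAINS):
    """Return (text, host, warning) for each link that deserves a second look."""
    p = LinkCollector()
    p.feed(html)
    out = []
    for text, href in p.links:
        host = urlparse(href).hostname or ""
        dom = registrable(host)
        if dom in SHORTENERS:
            out.append((text, host, "URL shortener hides destination"))
        elif dom not in expected:
            why = "domain not on expected list"
            # "microsoft-login.something.example": brand in the host, not the owner
            if any(b in host and b not in dom for b in BRAND_WORDS):
                why += "; brand name used as a lookalike subdomain"
            out.append((text, host, why))
    return out

SAMPLE = """<p>We would love to explore an acquisition.</p>
<a href="https://microsoft-login.booking-meet.example/schedule">Schedule a Call</a>
<a href="https://bit.ly/3xyz">View Our Proposal</a>
<a href="https://calendly.com/partner/30min">Book a Meeting</a>"""
```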

What to Do If You Think You’ve Been Phished 

If you’ve clicked a suspicious link, entered your credentials on an unfamiliar page, or believe you may have shared information with an attacker, acting quickly is essential. Phishing incidents can escalate fast, but taking the right steps immediately can significantly reduce the impact.  

If Tivarri is your IT service provider, contact us immediately. We will assess whether your account has been compromised and take swift action to secure it and limit any potential damage. 

Early reporting is critical to containing the issue and preventing further spread. 

Cyber Awareness Is Critical 

The scale of recent UK cyber incidents has made one thing clear: even a brief lapse in awareness can lead to debilitating operational and financial damage. With social engineering on the rise, training staff to recognise and respond to threats is now critical.  

In 2025, several high-profile attacks demonstrated just how severe the impact of a cyber incident can be. Jaguar Land Rover’s cyberattack forced a five-week shutdown of UK factories, caused widespread disruption, and resulted in over £190 million in direct costs, with analysts estimating the total economic impact at around £1.9 billion once lost output and supply chain effects are included. Retailers were hit hard too: M&S faced an estimated £300 million in lost revenue after its April attack, while the Co-op reported losses of £206 million following its own incident.

These incidents highlight how even short periods of downtime can translate into substantial commercial losses. 

Get in Touch 

Tivarri’s Cyber Awareness Training is designed to address this risk directly. We equip staff and leadership teams to recognise phishing attempts and credential harvesting scams, verify unexpected requests, and respond appropriately when something appears suspicious.

Our training is grounded in real-world scenarios and practical guidance, helping organisations strengthen resilience before an incident occurs. 

If you would like support improving your security posture or preparing your team to recognise modern threats, contact us at [email protected] or call 0207 837 8031 to arrange a no-obligation consultation.