Your client instructed a
€450,000 transfer.
It wasn't your client.
Every day, your trust officers act on client instructions that arrive by email. Most are genuine. One won't be. Preservers intercepts the threat before the instruction lands — not after the wire has cleared.
A realistic scenario — this week
"An attacker registers hartmann-gruppe-advisory.nl. They study your client's email pattern for three weeks. On Tuesday morning, they send your trust officer a wire instruction — same tone, same language, same urgency. Your officer checks: the sender name matches. They proceed."
€3.0M+
Combined fines issued to EU trust offices in 2024–2025
Multiple
EU enforcement actions on trust offices in a 12-month window
<20%
Recovery rate once a fraudulent wire has cleared
18 days
Average time from domain registration to attack email
We know your world
We've heard what trust offices say
about security. We understand why.
These are real objections we hear every week. Every one of them is reasonable. Every one of them has a gap that attackers now actively exploit.
"Our IT provider handles Microsoft 365 and antivirus."
Endpoint security and antivirus protect against malware. They cannot detect that a domain similar to your client's was registered 18 days ago. That's an external intelligence problem — not an internal IT problem.
External surface — outside your IT scope"We do KYC and AML thoroughly — that's our focus."
KYC is a point-in-time check at onboarding. Instruction fraud happens years later, inside an established relationship — long after KYC is complete and no longer doing any verification work.
KYC doesn't cover the ongoing instruction channel"We verify instructions by calling clients back."
A call-back stops simple impersonation. It doesn't stop a compromised client inbox where an attacker is reading the thread and — increasingly — has already coached the client to expect and confirm your call.
Call-backs miss compromised accounts and coached clients"We haven't had a problem so far."
The firms hit with enforcement actions also hadn't had a problem — until they did. Recent regulatory actions across EU trust offices weren't triggered by incidents. They were triggered by examiners reviewing the adequacy of controls. The question isn't whether you've been attacked. It's whether you could demonstrate that you weren't.
Absence of incident ≠ adequacy of controls"Our clients know us personally — they wouldn't be fooled."
The attack doesn't fool your client. It impersonates your client — using their exact language, their history with you, their normal urgency. Your officer receives an email that reads precisely like a genuine instruction.
Impersonation attacks your side — not your client's"A security tool sounds expensive and complicated."
Preservers deploys in under 20 minutes. No IT project. No DNS changes. No procurement committee. No disruption to existing systems. Designed specifically for boutique firms without dedicated security staff.
Protection without the overheadThe attack — exactly how it works
Five steps. Four weeks from start
to irreversible.
This is the documented pattern behind every successful TCSP fraud of the past three years. Your officers face this daily — without any tool currently in the market that detects it at step one.
Weeks 1–2 — preparation
Attacker registers a look-alike domain
They study your public website, client list, and entity structures. Then register a domain with one small change: hartmann-gruppe.nl becomes hartmann-gruppe-advisory.nl. The preparation takes an afternoon. The domain costs €12.
Weeks 2–3 — intelligence gathering
They learn how your client communicates
They read months of correspondence (if the client's inbox is compromised) or study every piece of public information — entity filings, LinkedIn, industry directories. They learn the exact tone, language, and urgency your client uses.
Week 4 — the email
An instruction arrives. It looks completely genuine.
"Following our call last week, please proceed with the transfer of €450,000 from Hartmann Holdings BV to the account below. As always, handle this promptly." Sender name correct. Language correct. Urgency normal. Your officer checks: the name matches. They proceed.
Same day — execution
The wire clears. The trust officer has done their job.
Transfer executed within the hour — because speed of execution is how your firm earns its mandate. Beneficiary account is overseas. Funds move through two further transfers within 24 hours. The trail goes cold.
Weeks later — discovery
Your client calls about the pending distribution.
The real client contacts you asking about the funds they've been expecting. You realise what happened. Recovery rate is under 20%. You now face three simultaneous consequences: your AML regulator asking about your controls, your client seeking restitution, and your PI insurer assessing the claim.
AML / Integrity Risk Warning
"The firms hit with enforcement actions also hadn't had a problem — until they did. Recent regulatory actions across EU trust offices weren't triggered by incidents. They were triggered by examiners reviewing the adequacy of controls."
How Preservers helps
Three things happen —
before your trust officer acts on a bad instruction.
We don't slow your firm down. We give you the one thing nothing else in your stack provides: early warning at the point of decision, with evidence that you acted correctly.
Predictive external surveillance
We continuously monitor the external threat surface around your firm and your client entities. When a look-alike domain is registered or an impersonation attempt is prepared, you are notified at the point of origin — weeks before the first email arrives.
Autonomous threat interception
Routine communication flows untouched. Gates fire only when Preservers detects an anomalous instruction pattern or a high-risk origin. Trust officers receive an immediate context-aware warning at the point of decision.
Regulator-ready evidence packs
Every high-risk verification is logged as tamper-proof evidence. We produce examination packs framed in the language your regulator uses — Wtt 2018 integrity controls, DORA incident reporting, or CSSF/MFSA supervisory evidence.
Regulator-Ready Evidence
Examination Evidence Built-In
Examination evidence packs framed in the language your regulator uses — pre-formatted for direct direct use during examinations.
DNB (Netherlands)
Wtt 2018 Integrity Risk Controls
Evidence packs pre-formatted for DNB integrity examinations, mapping directly to systematic risk analysis (SIRA) requirements for client instruction channels.
DORA (EU-wide)
Digital Operational Resilience Act
Incident detection and reporting evidence structured for DORA compliance, ensuring your firm can meet the four-hour notification window for critical incidents.
CSSF (Luxembourg)
Fiduciary & Trust Circulars
Controls evidence mapping to CSSF circulars on IT risk and outsourced services, ensuring your trust office meets the specific resilience expectations of the Luxembourg regulator.
MFSA (Malta)
Supervisory Cybersecurity Framework
Pre-populated evidence for MFSA's cybersecurity guidelines, providing trust officers with documented proof of controls over client financial instruction integrity.
NIS2 Framework
National Resilience Standards
Evidence produced in national NIS2 formats as they are transposed across EU member states, ensuring cross-border compliance for international TCSP groups.
Global Standards
FINTRAC & US State Supervision
Support for FINTRAC AML/CTF evidence in Canada and state-level escrow/settlement agent supervision in the United States.
The details
Designed for the way
fiduciary firms actually operate.
Predictive threat intelligence
Know about look-alike domains and impersonation infrastructure the day they are created.
Autonomous interception
Protect your trust officers with a real-time warning layer at the point of instruction.
Regulator-ready evidence
Automated evidence packs for DNB, CSSF, MFSA, DORA, and national NIS2 frameworks.
Zero IT friction
Deploy in under 20 minutes with no DNS changes, no IT project, and no network reconfiguration.
Frequently Asked Questions
Preservers intercepts fraudulent client instructions before trust officers act on them. It continuously monitors the external threat surface around the firm and its client entities, detects impersonation attempts as they are being prepared, and places a verification layer on high-risk instruction emails. Every action is logged as regulator-ready evidence for DNB, CSSF, MFSA, DORA, and national NIS2 frameworks.
Yes. Preservers produces examination evidence packs framed in the language each regulator uses — Wtt 2018 integrity risk controls for DNB in the Netherlands, equivalent framing for CSSF in Luxembourg and MFSA in Malta. DORA incident reports are pre-populated for filing within the four-hour notification window. National NIS2 reports are produced in the appropriate local format.
Trust and Corporate Service Providers, fiduciary firms, title and settlement agents, and boutique corporate services firms across the EU, UK, and US. Particularly effective for firms that administer client entities, execute high-value instructions, and operate under AML-focused supervisory regimes.
Under twenty minutes. No IT project, no DNS changes, no network reconfiguration, no procurement committee review. Designed for boutique firms without dedicated cybersecurity staff.
For TCSPs: Wtt 2018 (DNB, Netherlands), CSSF circulars (Luxembourg), MFSA supervisory framework (Malta), DORA EU-wide, national NIS2 transpositions, FINTRAC requirements (Canada), and US state-level title and settlement supervision. Evidence packs are pre-formatted for each regulator.
Stop instructions becoming fraud.
Neutralize Your Risks today.
Every day, your trust officers act on client instructions. Most are genuine. One won't be. Preservers intercepts the threat before the instruction lands.
Deployment in under 20 minutes