What should I do in the first hour after a fraudulent wire?

Call your bank's wire fraud or AML team directly, not the branch and not the customer service line, and request a recall under fraudulent payment order or Article 4A reasoning. File at IC3.gov immediately so the FBI can engage the Financial Fraud Kill Chain. Send your bank a written email confirming the verbal report. Lock down the compromised inbox by signing out all sessions, rotating the password, and pulling forwarding rules. Notify your cyber insurance broker the same hour because most policies have a tight notice window.

Can the FBI actually recover money from a BEC scam?

Sometimes, through the Financial Fraud Kill Chain process triggered by an IC3 filing. Recovery odds are roughly seventy-five percent in the first twenty-four hours and drop into single digits after seventy-two hours. The variables that matter are speed, whether the receiving bank is US-regulated, and whether the attacker has already withdrawn or moved the funds. International wires to weakly-regulated jurisdictions almost never come back. Speed is the entire game, which is why the bank call and the IC3 filing happen in parallel.

What evidence should be preserved before our IT team cleans up the inbox?

Sign-in logs from Microsoft 365 or Google Workspace covering at least the thirty days before the incident, full mailbox audit logs showing what was opened, forwarded, modified, and deleted, an export of every inbox rule and filter, the full list of OAuth grants and consented apps, the fraudulent emails themselves with full headers, and every version of the wire instructions including the legitimate one and the swapped one. If IT has already deleted suspicious rules and reset passwords without preserving these artifacts, your insurance claim and any litigation become significantly harder.

What is an incident response retainer and do I need one?

A retainer is a pre-arranged agreement with a forensic and incident-response firm so that when something goes wrong, you call a number you already know rather than scrambling to vet a vendor under crisis pressure. Scope typically includes 24/7 contact, defined response times, a master services agreement already executed, hourly rates locked in, and pre-approved evidence-preservation procedures. For any business that wires meaningful sums or holds sensitive data, a retainer is cheaper than the first hour of an unplanned engagement.

Will my cyber insurance cover business email compromise losses?

Often, but only if the policy includes a specific endorsement. Standard cyber policies frequently exclude social-engineering wire fraud unless you have funds-transfer-fraud or social-engineering-fraud coverage written in. Sub-limits on those endorsements are usually small, often fifty thousand to two hundred fifty thousand dollars, even when the overall cyber limit is several million. Insurers will also ask whether you had MFA, dual-control on wires, and email-spoofing protection in place. No answers can reduce or void coverage. Read your declarations page now, not after.

How do attackers compromise a small business inbox in the first place?

Most BEC compromises trace to one of three patterns. A vendor's email is compromised and the attacker watches for an outbound invoice, then sends a we-changed-banks email from the legitimate vendor address. A CEO is impersonated through email spoofing or a lookalike domain that swaps m for rn. An executive's inbox is quietly accessed for weeks, often through a phishing page that captured the password and an MFA token. Multi-factor authentication, conditional access, and audit-log monitoring stop most of these in days rather than weeks.

Should we tell our customers and vendors that we were breached?

Talk to counsel before any external disclosure. Notification obligations vary by state, by the type of data exposed, and by contract. If customer or vendor data was accessed, several state breach-notification laws and contractual incident clauses may require written notice on a defined timeline. If only your wire was redirected and no third-party data was touched, the obligations look different. Counsel and your incident-response team should map your specific obligations before any email goes out.

BEC Scam Recovery for Small Business | First 48 Hours

All articles·9 min read·April 21, 2026

If a wire just left, do this in the next hour

Speed is the entire game with business email compromise (BEC). The FBI's Financial Fraud Kill Chain (FFKC) can recover funds, but only when the receiving bank is contacted before the attacker pulls the money out. Recovery odds drop from ~75% in the first 24 hours tosingle digits after 72 hours.

The 60-minute checklist

Call your bank's wire fraud department. Not the branch. Not the customer service line. The fraud or AML team. Tell them you have an unauthorized wire and request a recall under "fraudulent payment order" / Article 4A reasoning.
File at IC3.gov. The FBI's Internet Crime Complaint Center is the federal triage point. Note the exact wire amount, sending and receiving bank, account numbers, and timestamp. IC3 is what triggers the FFKC process.
Email your bank in writing. Within the hour, follow up your phone call with an email so you have a paper trail of when you reported the fraud. Your insurance policy will require this.
Lock down the compromised inbox. Sign out all sessions, rotate the password, audit and delete any forwarding rules or filters, revoke OAuth grants. See our forensic checklist for compromised email.
Tell your insurance broker. Most cyber policies have a 24-72 hour notice requirement. Late notice can void coverage.

Day 1-2: forensic preservation

Before anyone "cleans up" the compromised mailbox, preserve it forensically. The evidence you need:

Sign-in logs from Microsoft 365 / Google Workspace covering at least the 30 days before the incident
Mailbox audit logs — what was opened, forwarded, modified, deleted
Inbox rules and filters — exported and timestamped
OAuth grants and consented apps — full export
The fraudulent emails themselves — full headers, not just the body
Wire instructions sent and received — every version, including the legitimate one and the swapped one

If your IT vendor has already "fixed it" by deleting suspicious rules and resetting passwords without preserving the artifacts, your insurance claim and any subsequent litigation just got harder. We recover what is recoverable from incident response engagements like this.

How BEC scams actually work — so you can prevent the next one

Three patterns explain ~90% of small-business BEC losses:

Vendor email compromise. Attacker compromises one of your vendors, watches their email for invoices about to be sent, then sends a "we changed banks"email from the legitimate vendor address with new wire instructions. You pay the attacker. Defense: verbally verify any change in payment instructions using a phone number from your vendor file, not from the email.
CEO impersonation. Attacker spoofs your CEO's email (or, harder to detect, registers a lookalike domain that swaps `m` for `rn`) and asks the bookkeeper to wire urgently. Defense: written approval workflow for wires above a threshold; never wire on email instruction alone.
Inbox compromise of an executive. Attacker is reading the executive's email for weeks before striking, knows the deals in flight, and intercepts the right conversation at the right moment. Defense: MFA, conditional access, and audit-log monitoring catch this in days instead of weeks.

The insurance reality

Standard cyber policies often exclude social-engineering wire fraud unless you have a specific endorsement (often called "Funds Transfer Fraud" or "Social Engineering Fraud"). Read your declarations page.
Coverage limits on social-engineering fraud are usually a small sub-limit, often $50K- $250K, even when your overall cyber limit is $5M.
Insurers will ask whether you had MFA, dual-control on wires, and email-spoofing protection. "No" answers can reduce or void coverage.

What we do

24/7 incident response for BEC events —rapid containment, forensic preservation, recovery coordination with your bank and theFBI, and the written report your insurance carrier and counsel will need. Available as aretainer engagement for SMB clients who want a number to call before they need it.