What to do if your business has just wired money to a fraudster
A short, prioritised checklist of the actions that materially affect whether the funds can be recovered. The first sixty minutes matter most; by the end of the working day the realistic recovery probability is meaningfully lower. Read this once before you need it.
- Published: 2026-04-15
- Status: PUBLISHED
- Author: IMF Practice — Incident response
- Reading time: 6 min
This guide is for finance leads, controllers, and operations managers at small and mid-sized organisations who have just realised — or reasonably suspect — that a payment instruction your team executed in good faith was directed by a fraudster.
It applies to wire transfers, instant payments, and ACH/SEPA debits where your bank has already processed the instruction and the funds have left your account. If the payment is still pending in your banking platform, the answer is to cancel it now and stop reading. This guide is for the case where the money has moved.
How to know it has happened
The most common pattern we see in business payment fraud:
- A payment instruction looked correct when it was approved (the invoice was real, the supplier was real, the amount was expected).
- The payee bank details on that instruction were not the supplier’s — they had been substituted in an upstream email, a forged invoice PDF, or a compromised supplier mailbox.
- The instruction was processed by your bank in the normal course of business and the funds settled to the fraudster’s account.
You may discover this because the real supplier asks why they have not been paid, because a duplicate invoice arrives from the genuine address, or because a colleague spots the swapped account number on a routine review. In our experience, the median lag between settlement and discovery is between four and seventy-two hours.
If the discovery time is closer to four hours than to seventy-two, the actions in the next section meaningfully change the outcome.
The first sixty minutes
Do these in order. Each step takes minutes, not hours.
- Phone your bank’s fraud line. Not the email channel. Not the secure-message inbox. The number is on the back of your corporate card or in the relationship banker’s signature; if you cannot find it in two minutes, the bank’s main number will route you. Tell the agent you have been the victim of authorised push-payment fraud and you need a recall raised against the wire.
- Note the wire reference, exact amount, settlement date and time, and beneficiary account. The fraud-line agent will ask for all of these; having them ready saves five to ten minutes that matter.
- Email the agent’s details to a single internal address that will be the case file. Do not start a chain — start a thread that everything subsequent attaches to. The thread will be the evidentiary record if recovery becomes a legal matter.
- Tell your manager and the controller. Two-person sign-off is needed for the next steps and for any disclosures.
- Do not contact the apparent supplier yet. If the supplier’s mailbox has been compromised, the fraudster is reading it.
The first twenty-four hours
After the first hour, the recall request is in flight. The next focus is containment of the rest of the supply-chain interaction and the start of an investigation that will produce the report your insurer and regulator will eventually ask for.
- Freeze any other pending payments to the same payee. If you have a payment file scheduled for the next batch run, halt it. If the instruction has already been queued but not yet released, cancel it. The fraudster usually expects multiple settlements.
- Reach the genuine supplier through a known-good channel — a number from your records, not from any email. Tell them what has happened and ask whether they have seen anything similar.
- Pull the originating instruction. Save the email, the attachment, the headers, and the chain leading up to the instruction. If you can preserve the mailbox state on the relevant user, do so before any cleanup is performed.
- Notify your insurer. Most cyber and crime policies require notification within twenty-four hours of discovery for the loss to be covered. The notification does not have to be complete; it has to be timely.
- Decide whether to engage external incident response. If the loss is over a threshold your organisation has defined in advance, or if there is any indication the fraudster has access to a mailbox or other internal system, engage. The marginal cost of an IR engagement is small relative to the loss being prevented from recurring.
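For the "Pull the originating instruction" step, one way to record what was preserved is a manifest built from the saved message. The following is an added example, not part of the original guide: the function name `evidence_manifest`, the chosen header list, and the sample message (all addresses and hosts are constructed placeholders) are assumptions. It hashes the raw bytes so the copy in the case file can later be shown to be unchanged, keeps the routing and authentication headers, and notes when the Reply-To domain differs from the From domain.

```python
import hashlib
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

KEEP = ("From", "Reply-To", "Return-Path", "To", "Date", "Subject",
        "Message-ID", "Authentication-Results")

def _domain(header_value) -> str:
    """Lower-cased domain of the address in a header, or '' if absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def evidence_manifest(raw: bytes) -> dict:
    """Describe a saved message without altering it; the hash covers the raw bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    attachments = []
    for part in msg.iter_attachments():
        body = part.get_payload(decode=True) or b""
        attachments.append({"filename": part.get_filename(),
                            "sha256": hashlib.sha256(body).hexdigest()})
    reply_dom = _domain(msg["Reply-To"])
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),
        "headers": {h: str(msg[h]) for h in KEEP if msg[h] is not None},
        "received": [str(v) for v in msg.get_all("Received", [])],
        "reply_to_differs": bool(reply_dom) and reply_dom != _domain(msg["From"]),
        "attachments": attachments,
    }

# Constructed sample message; every address and host is a placeholder.
SAMPLE_EML = b"\r\n".join([
    b"Return-Path: <bounce@mailer.example.net>",
    b"Received: from mx.example.net (mx.example.net [192.0.2.10])",
    b"\tby inbound.example.org; Tue, 14 Apr 2026 09:12:01 +0000",
    b"Authentication-Results: inbound.example.org; spf=fail; dkim=none",
    b"From: Accounts <accounts@supplier.example.com>",
    b"Reply-To: accounts@supplier-billing.example.net",
    b"To: ap@customer.example.org",
    b"Subject: Updated bank details for invoice 1042",
    b"Message-ID: <constructed-0001@mailer.example.net>",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"", b"--b1", b"Content-Type: text/plain", b"", b"Please use the new account.",
    b"--b1", b"Content-Type: application/pdf",
    b'Content-Disposition: attachment; filename="invoice-1042.pdf"',
    b"Content-Transfer-Encoding: base64", b"", b"JVBERi0xLjQK", b"--b1--", b"",
])

if __name__ == "__main__":
    import json
    print(json.dumps(evidence_manifest(SAMPLE_EML), indent=2))
```

Run it against the exported `.eml` bytes, not a forwarded copy, because forwarding rewrites the headers the manifest is meant to capture.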
What to report and to whom
Different jurisdictions, different regulators, different obligations. The list below is not exhaustive; check your own regulatory inventory.
- Your bank — you have already done this in the first sixty minutes.
- Local law enforcement / fraud reporting authority — in the UK this is Action Fraud; in the US it is IC3 (the FBI’s Internet Crime Complaint Center); in the EU it varies by member state.
- Your sector regulator — if you are a regulated institution, there is almost always a reporting obligation with a defined timeline, often forty-eight to seventy-two hours.
- Your insurer — both notification (within hours) and proof of loss (later, with evidence).
- Your board and audit committee — at material thresholds.
- Your legal counsel — early, not late.
What to do this week
Once the immediate response is in flight, three things are worth doing in the same calendar week:
- A written timeline of what happened, when each control did or did not fire, and what was missed. This is for the post-incident review, not for blame.
- A test of the supplier-authentication process for any payment above a defined threshold. The most common single control gap we see is the lack of a verbal callback to a known number for payments above £10,000 / $10,000 / €10,000.
- A short briefing to the rest of finance and operations. Not a presentation. A one-page note that says: this happened; here is the loss; here is what we are doing.
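The callback control described above, together with the earlier step of freezing pending payments to the same payee, can be expressed as a pre-release screen over the payment file. This is an added example, not part of the original guide: the `Payment` record, `screen_batch`, the vendor-master layout, and all account strings are constructed assumptions, and the threshold uses the guide's 10,000 figure as a stand-in for your own policy value.

```python
from dataclasses import dataclass

CALLBACK_THRESHOLD = 10_000  # assumption: the guide's example figure; use your own policy value

@dataclass
class Payment:
    ref: str
    vendor_id: str
    account: str                  # beneficiary account as written on the instruction
    amount: float
    callback_done: bool = False   # verbal callback to a known number was recorded

def norm(account: str) -> str:
    """Compare accounts ignoring spacing and case."""
    return "".join(account.split()).upper()

def screen_batch(batch, vendor_master, reported_accounts):
    """Return {payment ref: [reasons to hold]} for a pending payment file."""
    reported = {norm(a) for a in reported_accounts}
    holds = {}
    for p in batch:
        reasons = []
        on_file = vendor_master.get(p.vendor_id)
        if norm(p.account) in reported:
            reasons.append("account named in the fraud report")
        if on_file is None:
            reasons.append("vendor not in master file")
        elif norm(on_file) != norm(p.account):
            reasons.append("account differs from vendor master")
        if p.amount > CALLBACK_THRESHOLD and not p.callback_done:
            reasons.append("no callback recorded above threshold")
        if reasons:
            holds[p.ref] = reasons
    return holds

# Constructed sample data: placeholder account strings, not real accounts.
VENDOR_MASTER = {"V001": "GB00 TEST 0000 0000 0001", "V002": "GB00 TEST 0000 0000 0002"}
REPORTED = ["GB00TEST9999 9999 9999"]
BATCH = [
    Payment("P-1", "V001", "gb00 test 9999 9999 9999", 4_200.0),         # same swapped account
    Payment("P-2", "V002", "GB00TEST000000000002", 18_000.0),            # genuine, no callback
    Payment("P-3", "V002", "GB00 TEST 0000 0000 0002", 18_000.0, True),  # genuine, callback done
]

if __name__ == "__main__":
    for ref, reasons in screen_batch(BATCH, VENDOR_MASTER, REPORTED).items():
        print(ref, "HOLD:", "; ".join(reasons))
```

The vendor master used for the comparison should be the record as it stood before the incident, since a substituted account may already have been written into it.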
What changes after the recall window closes
If recall succeeds — meaningfully more likely if the bank acted within the first banking day — the investigation shifts to root cause and supplier-channel hardening. If recall does not succeed, the work is the same, but the loss is realised and the conversation with insurer, regulator, and counsel becomes the dominant track for weeks.
In our engagements, the median time from incident to a written post-incident review that satisfies the regulator is six to eight weeks. The work is dull, document-heavy, and matters.