Business Email Compromise remains the single most expensive cybercrime category tracked by the FBI IC3, with annual adjusted losses reported in the billions. Most BECs look mundane — a spoofed invoice, a wire redirected, a payroll change request that "came from the CFO." The recovery playbook is narrow and the timing is everything.
The First Four Hours Decide Almost Everything
Money moves through the US banking system fast, but it does not instantly leave the system. A wire sent domestically and then on to a foreign bank generally has a narrow window during which a recall is still possible. Once the funds hit a money mule's account overseas and are cashed out or converted to cryptocurrency, recovery drops to near zero.
The rule: the moment you suspect a fraudulent wire, start two clocks simultaneously.
Clock 1: Your Bank
Call your bank's wire room, not the branch. The wire room is the department that can issue a recall request immediately.
- Ask for a SWIFT recall (for international wires) or a Hold Harmless Agreement reversal request (for domestic).
- Have the wire details ready: sender, amount, reference, timestamp, beneficiary name, beneficiary bank, and beneficiary account number.
- Escalate to the bank's fraud department and request in writing that they freeze outgoing funds.
- If the wire is intra-day and has not settled, some banks can stop it outright.
Persistence matters. The first agent you reach may deflect. Escalate until someone with authority to initiate the recall takes the case.
Clock 2: FBI IC3 and the Financial Fraud Kill Chain
File with IC3 at ic3.gov as soon as possible and, critically, within 72 hours of the transfer. IC3 is the activation point for the FBI's Financial Fraud Kill Chain (FFKC), which coordinates with Treasury's Financial Crimes Enforcement Network (FinCEN) and foreign law enforcement to freeze funds abroad.
The FFKC criteria, as published:
- The wire must generally be international and above a meaningful threshold.
- IC3 report filed within 72 hours of the wire.
- Beneficiary account and bank known.
Also call your local FBI field office directly (fbi.gov/contact-us/field-offices). Phone contact in parallel with the online filing moves things faster — the online form alone may queue.
Other Immediate Actions
- Preserve the compromised mailbox. Do not reset passwords or force sign-out yet — you will lose the attacker's session evidence. Snapshot the mailbox, audit logs, and inbox rules first. In Microsoft 365, export the Unified Audit Log; in Google Workspace, export from the Admin Console.
- Look for inbox rules. A standard BEC plants a rule that auto-forwards or auto-deletes messages matching keywords. Find it and document it before you clean it.
- Enumerate OAuth grants. Attackers often add third-party app consent as persistence. Revoke after you have logged them.
- MFA registrations. Check for rogue registered devices and hardware tokens, and remove them after you have documented them.
- Password reset — but only after evidence is preserved. Rotate the user's password, invalidate all active sessions, and re-enroll MFA.
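As an added example (not code from the original article), here is a small Python triage script that runs the inbox-rule and OAuth-consent checks above over Microsoft 365 Unified Audit Log records. The records are constructed samples in the shape of the AuditData JSON that a Unified Audit Log export carries per row; the user, addresses, IPs and app name are made up.

```python
# Constructed sample records in the shape of the "AuditData" JSON that a
# Microsoft 365 Unified Audit Log export carries per row; all values are made up.
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "ap@example.com",
     "CreationTime": "2024-05-02T13:04:11", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "ForwardTo", "Value": "x@external-mailbox.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "ap@example.com",
     "CreationTime": "2024-04-20T09:00:00", "ClientIP": "198.51.100.3",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "Consent to application.", "Workload": "AzureActiveDirectory",
     "UserId": "ap@example.com", "CreationTime": "2024-05-02T13:10:40",
     "ObjectId": "Mail Backup Helper"},
]

# Inbox-rule parameters that send a copy of mail outside the mailbox.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def suspicious_inbox_rules(records):
    """Inbox-rule create/modify events whose parameters forward, redirect or delete mail.
    Returns one dict per hit with what the incident record needs: who, when, source IP,
    the keyword filter the rule matches on, and why it was flagged."""
    hits = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        reasons = [f"{k}={params[k]}" for k in FORWARD_PARAMS if k in params]
        if params.get("DeleteMessage") == "True":
            reasons.append("DeleteMessage=True")
        if reasons:
            hits.append({"user": r["UserId"], "rule": params.get("Name", "?"),
                         "when": r["CreationTime"], "ip": r.get("ClientIP"),
                         "keywords": params.get("SubjectContainsWords", ""),
                         "reasons": reasons})
    return hits


def app_consents(records):
    """Third-party app consents granted by users: log each one before revoking it."""
    return [(r["UserId"], r.get("ObjectId"), r["CreationTime"])
            for r in records if r.get("Operation") == "Consent to application."]
```

Run both functions over the exported records before any password reset or session revocation, and paste the output into the incident record; the "Newsletters" rule is left alone because it neither forwards nor deletes.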
Internal Communications
BEC is a deeply embarrassing incident for the people involved, usually finance staff who acted in good faith on an instruction that looked real. How you communicate internally matters:
- Do not name and blame in the all-hands. BEC is engineered to succeed — that is the point. Naming a junior accountant publicly does nothing but harm.
- Do send a factual message to the broader team that an incident occurred, that IT and finance are investigating, and that employees should be alert to unusual payment requests in the coming days.
- Brief executives and the board under counsel.
- For the affected individual or team, provide direct support. They are going to feel terrible. Reassure them this happens to sophisticated organizations constantly.
External Communications
If funds were paid to a counterfeit invoice impersonating a real vendor, call the real vendor. They may be the actual breach point (their mailbox was compromised and used to send a convincing "new banking details" note). A coordinated conversation may reveal a shared threat and help both parties.
If your mailbox was the compromised one, proactively contact counterparties who may have received fraudulent instructions. Counsel drafts. Do not blast a generic notice; a short personal call goes further.
Insurance and Tax
- Cyber insurance: Most policies have a social engineering fraud endorsement with sub-limits of $100K-$500K. Check your endorsement before assuming coverage.
- Crime insurance: Traditional crime policies may cover "funds transfer fraud" or "computer fraud." Coverage terms vary widely.
- Tax treatment: Generally a theft loss deductible in the year the loss is discovered, with reimbursement offsets. Talk to tax counsel.
Recovering Trust
The controls that prevent recurrence are not glamorous:
- Callback verification for any vendor banking change, using a phone number on file from before the request — not a number in the email.
- Dual approval for wires above a threshold.
- Out-of-band confirmation for any CEO/CFO urgent-wire request.
- Domain-based email authentication — DMARC at enforcement (reject or quarantine), not monitor. Most BECs succeed against organizations that have DMARC at p=none.
- Phishing-resistant MFA — FIDO2/WebAuthn — for finance and executive staff.
- Quarterly tabletop that rehearses a fake-CEO wire scenario with the actual finance team.
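As a second added example (again not from the original article), a Python check of the DMARC control above: given the TXT record published at _dmarc.<your-domain> (for instance as returned by dig +short TXT _dmarc.example.com), it reports whether the domain is really at enforcement and the weak settings (pct below 100, sp=none, no reporting address) that a bare p= check misses. The sample records in the block are constructed and belong to no real domain.

```python
# DMARC evaluation for the "enforcement, not monitor" control above.
# Input is the TXT record at _dmarc.<domain>, e.g. from: dig +short TXT _dmarc.example.com

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """Return a list of weaknesses; an empty list means the domain is at full enforcement."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = t.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitor only, receivers still deliver mail that fails DMARC")
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")
    sub_policy = t.get("sp", policy).lower()
    if policy != "none" and sub_policy == "none":
        findings.append("sp=none: subdomains stay unprotected although the main domain is enforced")
    if "rua" not in t:
        findings.append("no rua=: aggregate reports are not collected, so abuse goes unnoticed")
    return findings


def is_enforced(record):
    """True only when p= is quarantine/reject with no pct or sp loophole (reporting is advisory)."""
    return not [f for f in dmarc_findings(record) if not f.startswith("no rua=")]


# Constructed records for illustration; none belongs to a real domain.
SAMPLES = {
    "monitor-only": 'v=DMARC1; p=none; rua=mailto:dmarc@example.com',
    "partial": 'v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@example.com',
    "enforced": 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com',
}
```

DMARC only governs mail that claims to come from your exact domain; a compromised vendor mailbox sending a "new banking details" note (the case under External Communications) passes DMARC cleanly, which is why the callback verification control has to exist alongside it.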
BEC is a procedural failure more often than a technical one. Fix the procedures, harden the email authentication, and drill the specific scenarios. Money recovered after the fact is rare. Money never sent is the win.