Skip to main content

Last month’s newsletter discussed measures a firm could take to prevent Business Email Compromise (BEC). BEC is where criminals spoof emails to appear as if they are coming from senior management within the company. Cybercriminals will often use this scheme to fool employees into wiring funds into an account controlled by hackers. The ploy can often be subtle and difficult to detect when it takes advantage of a legitimate transaction when a spoofed email directs employees at the last minute to send the funds to a different account. Hackers often target law firms, private equity firms, title companies, and CPA firms since they regularly transfer large amounts of funds.

So what can be done if your firm falls victim to a fraudulent BEC funds transfer? Time is of the essence when attempting to recover mistakenly transferred funds. Once the funds are deposited into an account controlled by the cybercriminals, they often are transferred to yet another account within minutes. Each account transfer makes recovery more challenging. If the funds are moved overseas, recovery becomes almost impossible as time elapses.

  1. Call the banks: contact the bank from which you transferred the money AND the bank that received the funds. Have a fraud alert sent to the receiving bank and demand that they place a fraud freeze on the account. This is not the time to be polite or patient. Insist the bank confirm whether your funds are still in that account. If the funds are not in the account, do not get off the phone until you have been assured the bank will alert any other banks that received your funds to place a fraud freeze on those accounts as well.

  2. Call the FBI: Ask for a Special Agent or Supervisory Special Agent that handles cyber crimes. The FBI offers a Financial Fraud Kill Chain (FFKC) process to help recover sizeable international wire transfers stolen from the United States. The FFKC is intended to be another potential avenue for U.S. financial institutions to return victim funds. Standard bank procedures to recover fraudulent funds should also be conducted. The FFKC can only be implemented if the fraudulent wire transfer meets the following criteria:

      • the wire transfer is $50,000 or above

      • the wire transfer is international

      • a SWIFT recall notice has been initiated

      • the wire transfer has occurred within the last 72 hours.

To initiate the FFKC process, provide the following information to your local FBI office, which you can locate by visiting

      • Summary of the incident

      • Name of victim

      • Location of the victim (City and State)

      • Originating bank name

      • Originating bank account number

      • Beneficiary name

      • Beneficiary bank

      • Beneficiary account number

      • Beneficiary bank location (if known)

      • Intermediary bank name (if known)

      • SWIFT number

      • Date

      • Amount of transaction

      • Any additional information that may be available, such as “for further credit” or “in favor of”

  1. Report the incident: Any wire transfers that occur outside of the FFKC thresholds should still be reported to law enforcement. File a complaint with the FBI’s Internet Crime Complaint Center (IC3). Have every detail about the transaction handy; you will need it to file the complaint. The IC3 will then issue you a complaint number. This information helps law enforcement identify and investigate similar illegal activities and proactively assist victims

  2. Determine legal action: Once you have contacted the banks and FBI, it’s time for legal action to help you determine if you need a temporary restraining order filed. Such an order would name all the banks that received your funds and prevent them from further transferring funds.

  3. Get a fraud freeze: Call all the banks that may have also received your funds. Start with the bank where the money was initially wired. You will want to speak with someone in fraud prevention. Ask for a fraud freeze on any further transfers and then confirm that such a freeze is in place. Also, ask how long the bank will maintain that freeze. Next, get the names and locations of all banks that received your funds. Keep a log of everyone with whom you have spoken and what time. Make sure you get direct callback numbers from everyone. Repeat these steps for all banks that received your funds.

Act with urgency: The preceding steps should happen within four hours of the wire fraud. Every minute that goes by lessens your chances exponentially of recovering your funds. Chances are, you will encounter skepticism, resistance, and reluctance. Be calm and polite, but also firm about what needs to be done. You must convince officials to take specific actions quickly and then confirm that those things were done. Nobody is going to care as much about your money as you do, so recovering from wire fraud ultimately means being your own advocate.

Don’t let it happen again: After the initial actions to recover your funds, it is also essential to determine how the BEC was successful and implement appropriate measures to prevent similar attacks in the future. Was your system or your vendor’s system compromised? Scan your system to ensure malware was not downloaded that enabled the attackers to spoof emails or conduct surveillance of financial transactions. Were verification processes followed? Identify gaps in your procedures and incorporate the lessons learned. Stay on top of BEC trends – cybercriminals are constantly refining their techniques to exploit new vulnerabilities.

If you need help with incident response or preventing another cyber attack, please contact Bawn.