RiskTemplates · The Daily Brief Sunday, May 24, 2026

Feature · Incident Response

Business Email Compromise Incident Response: The First 48 Hours for Financial Institutions

BEC caused $3.04 billion in losses in 2025. Recovery depends almost entirely on speed. Here's the hour-by-hour playbook: wire recall steps, IC3 reporting, Financial Fraud Kill Chain, SAR requirements, and how to close the loop.

By Rebecca Leung · May 21, 2026

The CFO approved the wire at 3:12 PM. By 3:15, $280,000 was gone. The invoice looked right. The email address was one character off. Nobody checked.

This happens to financial institutions every day. According to the FBI’s 2025 Internet Crime Report, business email compromise generated $3.04 billion in losses across 24,768 complaints — an average of $123,000 per incident. Eighty-six percent of those funds moved via wire transfer or ACH, which means the transaction passed through a real banking workflow before anyone suspected fraud.

BEC is not ransomware. There is no encryption event, no ransom note, no IT alert. Often the first sign is a vendor calling to say payment hasn’t arrived — only to discover the payment was received by someone else entirely. By then, the fraudster has had hours to move the money.

That makes BEC response harder than most cyber incidents. With ransomware, you know immediately that you have an incident. With BEC, you may not know until the wire is hours old. And recovery depends almost entirely on speed.

TL;DR

  • BEC caused $3.04 billion in losses in 2025 — the second-largest cybercrime category by financial impact (FBI IC3 2025 Annual Report).
  • The practical recovery window is 24 to 72 hours; after that, funds are typically moved or withdrawn and unrecoverable without law enforcement action.
  • The FBI’s Financial Fraud Kill Chain (FFKC) can freeze funds for qualifying wires, but only if you contact law enforcement within 72 hours of the wire.
  • Financial institutions must file a SAR regardless of whether law enforcement is engaged or funds are recovered — parallel obligations, not alternatives.

Why BEC Hits Financial Institutions Differently

Conventional BEC targets employees at businesses: CFOs authorizing fake vendor payments, HR updating direct deposit instructions, executives approving urgent wire requests from fraudulent "CEO" emails. Financial institutions face that risk too, plus a second category that is unique to the industry.

For banks, credit unions, and fintechs, BEC can hit from two directions:

Outward-facing: Fraudsters compromise a business client’s email and send fraudulent wire instructions to your institution, impersonating the client’s authorized signers. The wire is legitimate from your systems’ perspective — it’s the instruction that’s fraudulent.

Internal: Fraudsters spoof or compromise an internal email account and direct operations staff to execute wire transfers, update vendor payee records, or bypass normal authorization procedures.

The 2019 FinCEN advisory FIN-2019-A005 specifically flags financial institutions as BEC targets and identifies three structural vulnerabilities: transaction information is often publicly available, communication is typically conducted via email, and wire and ACH processes often lack strong authentication at the instruction level.

That last point is where most institutions have work to do.


The Recovery Window: Why Every Minute Counts

The financial services wire recall system is fast — and it’s still usually slower than the fraudsters.

The FBI’s Recovery Asset Team (RAT), operating through the Financial Fraud Kill Chain (FFKC), froze $679 million across 3,900 incidents in 2025 with a 58% success rate. That’s a meaningful result. It’s only achievable when victims report quickly.

The FFKC activates when:

  • The wire is $50,000 or more
  • The wire is international (or domestic with indicators that funds will be moved internationally)
  • A SWIFT recall notice has been initiated
  • The wire occurred within the last 72 hours

For wires below those thresholds or beyond the window, recovery runs through your originating bank’s recall request via Fedwire or CHIPS, and separately through the IC3 complaint system.

For international wires, SWIFT’s GPI stop-and-recall service allows participating financial institutions to send a stop-and-recall request that notifies all institutions in the payment chain through the Tracker. The same rule applies: this only works if the funds haven’t already been withdrawn.

Once the fraudster’s account is cleared — typically within 24 to 72 hours of receipt — recovery depends on law enforcement action, asset tracing, and in many cases foreign jurisdiction cooperation. None of those are fast.


Hour-by-Hour Response Framework

Hour 0–1: Discover, Verify, and Escalate

The trigger is usually a vendor calling to report non-receipt, or an employee flagging a suspicious authorization after the fact.

Do not verify by replying to, or calling a number taken from, the email that carried the fraudulent instructions. The attacker may still have access to that mailbox or may have configured forwarding rules to intercept your reply. Verify over a phone number that was already on file before the incident.

Immediate actions:

  1. Notify wire operations supervisor and activate the incident response team
  2. Secure the wire details: amount, receiving bank name and routing number, account number, reference number, and timestamp
  3. Identify who authorized the wire and document the complete email chain leading to it
  4. Preserve all related email communications, including full message headers and any mailbox rules in place at the time; do not delete or alter anything, this is evidence

If your own employee's email account was the point of compromise, reset the password immediately, revoke active sessions and OAuth/application tokens (a password reset alone does not end sessions the attacker already holds), and disable the account pending investigation.

Hours 1–4: Wire Recall and IC3 Filing — Simultaneously

These two actions must happen at the same time. Do not let one wait for the other.

Action 1: Contact your originating bank’s fraud wire operations.

If you are the originating bank (attack targeted your operations): contact your wire recall desk and relevant correspondent banking relationships.

If you are a business customer (attack impersonated your authorization): call your bank’s fraud line — not general customer service — and specifically ask for wire fraud operations.

What to request:

  • Wire recall or reversal request submitted immediately
  • Initiation of the Financial Fraud Kill Chain if the wire meets the $50,000+ threshold and other criteria
  • For international wires: SWIFT GPI stop-and-recall request

Provide immediately: receiving bank name and routing number, fraudulent account number, wire amount, date and time of the wire, and your transaction reference number.

Action 2: File at ic3.gov immediately.

File a complaint now. An incomplete complaint filed within the hour is far more useful than a thorough complaint filed 24 hours later; you can supplement it as facts come in. The IC3 complaint triggers RAT review and, for qualifying wires, initiates the FFKC process through the FBI.

Contact your FBI field office separately if you want, but the IC3 portal is the designated channel for fund recovery purposes — calling the field office alone is not a substitute.

Hours 4–24: Investigate and Contain

With the wire recall and IC3 report in motion, shift to investigation.

Compromised account audit:

  • Review inbox rules (auto-forwarding to external addresses, and rules that delete or move messages, which attackers use to hide the vendor's replies), connected application authorizations, and OAuth tokens
  • Pull access logs: login times, IP addresses, and devices — look for access from unusual geolocations or at unusual hours
  • Expand scope check: was this a single compromised account or evidence of broader intrusion?
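The audit above is a log-review exercise, and the script below shows the shape of it as an added example (it is not code from the article or from RiskTemplates). The inbox rules and sign-in records are constructed to resemble an M365 or Google Workspace export; the field names, the internal domain, the baseline country and the business-hours window are assumptions to adapt to your own tenant.

```python
"""Compromised-mailbox triage: inbox rules and sign-in anomalies.

Added example, not code from the article or from RiskTemplates. The rule and
sign-in records are constructed to resemble an M365 / Google Workspace export;
field names, the internal domain and the baseline country are assumptions.
"""
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"firstbank.example"}          # assumption: the institution's own domains
FINANCE_KEYWORDS = ("invoice", "wire", "payment", "remit", "ach", "bank")
HIDING_FOLDERS = {"rss feeds", "deleted items", "archive", "junk email", "conversation history"}

# Constructed inbox rules for the compromised account (not real data).
RULES = [
    {"name": "..", "forward_to": ["billing.archive@gmail.example"], "delete": False,
     "move_to": "", "subject_contains": []},
    {"name": "Hide", "forward_to": [], "delete": True,
     "move_to": "", "subject_contains": ["invoice", "wire"]},
    {"name": "Newsletters", "forward_to": [], "delete": False,
     "move_to": "Newsletters", "subject_contains": ["digest"]},
]

# Constructed sign-in records for the same account, timestamps in UTC.
SIGNINS = [
    {"ts": "2026-05-20T14:02:11Z", "ip": "203.0.113.7",   "country": "US"},
    {"ts": "2026-05-20T14:41:55Z", "ip": "198.51.100.23", "country": "NG"},
    {"ts": "2026-05-21T03:15:09Z", "ip": "198.51.100.23", "country": "NG"},
    {"ts": "2026-05-21T13:30:00Z", "ip": "203.0.113.7",   "country": "US"},
]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def suspicious_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag rules matching common BEC tradecraft: auto-forwarding to an
    external address, silently deleting or burying finance-related mail so
    the victim never sees the vendor's replies, and near-empty rule names."""
    findings = []
    for rule in rules:
        external = [a for a in rule["forward_to"] if _domain(a) not in internal_domains]
        if external:
            findings.append((rule["name"], f"forwards to external address {external[0]}"))
        hides = rule["delete"] or rule["move_to"].lower() in HIDING_FOLDERS
        subjects = " ".join(rule["subject_contains"]).lower()
        if hides and any(k in subjects for k in FINANCE_KEYWORDS):
            findings.append((rule["name"], "hides finance-related mail"))
        if not rule["name"].strip(".-_ "):
            findings.append((rule["name"], "near-empty rule name"))
    return findings


def anomalous_signins(signins, baseline_countries, business_hours=(7, 19),
                      travel_window=timedelta(hours=2)):
    """Flag sign-ins outside the user's baseline countries, outside business
    hours (hours are UTC here; use the user's local zone in practice), and
    country changes within travel_window ("impossible travel")."""
    findings, prev, prev_ts = [], None, None
    for s in sorted(signins, key=lambda x: x["ts"]):
        ts = datetime.strptime(s["ts"], "%Y-%m-%dT%H:%M:%SZ")
        reasons = []
        if s["country"] not in baseline_countries:
            reasons.append(f"country {s['country']} not in baseline")
        if not business_hours[0] <= ts.hour < business_hours[1]:
            reasons.append("outside business hours")
        if prev is not None and prev["country"] != s["country"] and ts - prev_ts <= travel_window:
            reasons.append(f"country change {prev['country']}->{s['country']} in {ts - prev_ts}")
        if reasons:
            findings.append((s["ts"], s["ip"], reasons))
        prev, prev_ts = s, ts
    return findings


def triage(rules=RULES, signins=SIGNINS, baseline_countries=frozenset({"US"})):
    """Combine both checks into one report for the incident record."""
    return {"rules": suspicious_rules(rules),
            "signins": anomalous_signins(signins, baseline_countries)}


if __name__ == "__main__":
    report = triage()
    for name, reason in report["rules"]:
        print(f"RULE   {name!r}: {reason}")
    for ts, ip, reasons in report["signins"]:
        print(f"SIGNIN {ts} {ip}: {'; '.join(reasons)}")
```

On the constructed data the script flags the external forward and the near-empty name on rule "..", the finance-keyword deletion rule, and the two Nigerian sign-ins (one for a country change 40 minutes after a US login, one for a 03:15 UTC login). To run it against a real export, map your platform's field names onto the record shapes above and set business hours in the user's own time zone.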

Social engineering chain reconstruction:

  • Map the full email thread from first contact to wire authorization
  • Identify whether the attack used spear-phishing to obtain credentials, lookalike domain spoofing, or actual account compromise
  • Determine which process control failed: was callback verification supposed to happen? Was a second approver required?

Financial scope review:

  • Check for pending wire requests using similar payee instructions
  • Review ACH batch files for unauthorized record modifications
  • Confirm no other banking portals or financial accounts were accessed

Hours 24–48: Regulatory Notifications and SAR Filing

BEC at a financial institution triggers parallel regulatory obligations. Missing them creates independent compliance exposure.


SAR Filing: Required, Not Optional

Under the BSA SAR rules (31 CFR 1020.320 and the parallel banking-agency regulations), which FinCEN Advisory FIN-2019-A005 reiterates for BEC, financial institutions must file a SAR for BEC incidents meeting the filing threshold: $5,000 or more where a suspect can be identified, or $25,000 regardless of suspect identification.

SAR filing is not satisfied by reporting to law enforcement. These are parallel obligations. Missing a SAR on top of a fraud loss means the fraud examiner who eventually reviews your BSA program has two things to write up, not one.

Timing: Within 30 calendar days of the initial detection of facts that may constitute a basis for filing. If no suspect has been identified on the date of detection, filing may be delayed up to an additional 30 days (60 days total) to identify one, but no longer.

What FinCEN expects in the SAR narrative per FIN-2019-A005:

  • Description and timing of the suspicious email communications
  • Identity of the parties who were impersonated
  • The specific business process exploited (vendor payment authorization, payroll change, etc.)
  • Transaction amount, receiving institution, and account information
  • Whether law enforcement was contacted and any case numbers received

For ongoing BEC campaigns — where the same scheme is suspected across multiple transactions over time — continuing activity SARs are appropriate even when individual transactions fall below threshold.


Bank Regulator Notification

Assess whether the BEC incident meets the threshold for mandatory notification to your primary federal regulator under the interagency Computer-Security Incident Notification rule issued by the OCC, Federal Reserve, and FDIC (compliance date May 1, 2022), which requires notification as soon as possible and no later than 36 hours after the institution determines that a notification incident has occurred. Credit unions fall under the NCUA's separate cyber incident notification rule (effective September 1, 2023), which uses a 72-hour window.

A “notification incident” includes significant disruptions to banking operations or incidents that affect a broad set of customers. A single fraudulent wire at a large institution may not qualify. A BEC attack that compromised internal systems, affected multiple transactions, or exposed broad customer data almost certainly does.

The 36-hour clock runs from when you determine you have a notification incident, not from when the attack began or from first detection. Document the time of that determination, because it is the fact an examiner will test the clock against.


BEC Response Checklist

Phase          | Action                                             | Owner             | Timeline
Discovery      | Secure wire details, preserve communications       | Wire Ops / IR     | Immediate
Hour 1         | Call bank fraud operations, initiate recall        | Wire Ops          | Within 1 hour
Hour 1         | File IC3 complaint at ic3.gov                      | Compliance / IR   | Within 1 hour (parallel)
Hours 1–4      | Initiate FFKC if thresholds met                    | Originating bank  | Within 4 hours
Hours 1–4      | Lock compromised email accounts, reset credentials | IT Security       | Within 4 hours
Hours 4–24     | Investigate email compromise chain and scope       | IT Security       | Within 24 hours
Hours 24–48    | Assess 36-hour regulator notification obligation   | Compliance        | Within 36 hours
Within 30 days | File SAR                                           | BSA / Compliance  | Within 30 days
Post-incident  | Conduct post-incident review, update controls      | Risk / Compliance | After resolution

Post-Incident Review: Closing the Gap

Whether or not funds are recovered, the post-incident review determines whether this happens again.

Documentation to assemble:

  • Incident timeline from first fraudulent contact to discovery
  • Wire authorization chain showing where the breakdown occurred
  • Email evidence and technical indicators of compromise
  • Recovery actions taken and outcome
  • SAR filing confirmation number
  • Regulator notification records (if applicable)

Control gap analysis:

  • Was callback verification required for this wire type? If not, why not?
  • Was the wire amount above the threshold requiring a second approver?
  • Was email MFA enabled on the compromised account?
  • Was the spoofed or lookalike domain being monitored?
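The "one character off" address in the opening anecdote and the lookalike-domain monitoring question above both reduce to comparing a sender's domain against the domains you actually trust. The Python below is an added example (not code from the article or from RiskTemplates) of that comparison; it goes beyond a single typo and also catches digit-for-letter and rn/m substitutions, Cyrillic look-alike letters, a swapped TLD, and the trick of using the real domain as a subdomain of an attacker-controlled one. The trusted domain list and the sample senders are constructed; treating the last two labels as the registrable domain is a simplification that a production check should replace with the Public Suffix List.

```python
"""Lookalike-domain check for inbound payment instructions.

Added example, not code from the article or from RiskTemplates. Trusted
domains and sample senders are constructed; the last-two-labels rule for the
registrable domain is a simplification (use the Public Suffix List in production).
"""
import unicodedata

TRUSTED_DOMAINS = {"acme-supply.example", "firstbank.example"}   # assumption: vetted counterparties

# Visually confusable sequences folded to one "skeleton" so that
# acme-supp1y, acrne-supply and acme-supp|y all collapse to acme-supply.
SKELETON_MAP = [("rn", "m"), ("vv", "w"), ("1", "l"), ("|", "l"), ("!", "i"), ("0", "o")]
# A few Cyrillic letters that render identically to Latin ones.
UNICODE_HOMOGLYPHS = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "і": "i", "ј": "j"}


def skeleton(label):
    """Canonical form of a DNS label for confusable comparison."""
    label = unicodedata.normalize("NFKD", label).lower()
    label = "".join(UNICODE_HOMOGLYPHS.get(ch, ch) for ch in label if not unicodedata.combining(ch))
    for src, dst in SKELETON_MAP:
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(domain):
    """Registrable domain = last two labels (simplification, see module docstring)."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Return (verdict, trusted domain it resembles or None) for an address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if "xn--" in domain:                      # punycode form as it appears in raw headers
        domain = domain.encode("ascii").decode("idna")
    reg = registrable(domain)
    if reg in trusted:
        return "trusted", reg
    if "." not in reg:
        return "unknown", None
    reg_label, reg_tld = reg.split(".", 1)
    for t in sorted(trusted):
        t_label, t_tld = t.split(".", 1)
        # acme-supply.example.vendor-portal.example: the real name is only a subdomain
        if domain.startswith(t + ".") or "." + t + "." in domain:
            return "lookalike:subdomain", t
        if skeleton(reg_label) == skeleton(t_label):
            return ("lookalike:homoglyph" if reg_tld == t_tld else "lookalike:tld-swap"), t
        if edit_distance(skeleton(reg_label), skeleton(t_label)) <= 1:
            return "lookalike:typo", t
    return "unknown", None


if __name__ == "__main__":
    for sender in ["ap@acme-supply.example", "ap@acme-supp1y.example", "ap@acrne-supply.example",
                   "ap@acme-suply.example", "ap@acme-supply.test",
                   "ap@acme-supply.example.secure-vendor-portal.example",
                   "ap@acmе-supply.example", "ap@globex-corp.example"]:   # 7th uses Cyrillic е
        print(f"{sender:55} -> {classify_sender(sender)}")
```

Anything other than "trusted" should route the instruction to out-of-band callback verification rather than block it outright: an edit distance of 1 will occasionally flag a legitimate new counterparty, and that false positive costs a phone call, whereas a miss costs the wire. The same function works as a monitoring feed when run over newly registered domains against your own institution's names.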

Training: target the levers BEC schemes consistently pull: urgency ("we need this today"), authority ("the CEO wants this done before he lands"), and novelty ("new vendor account, please update your records"). Post-incident training that uses the actual attack pattern, redacted appropriately, outperforms generic phishing awareness by a significant margin.

For a broader look at how to classify incident severity and manage the triage process, see Incident Triage Techniques: Severity Classification, Materiality, and the SEC 4-Day Clock.


So What?

BEC is the second-most financially damaging cybercrime in the United States, and financial institutions are in the middle of it from two directions: as victims and as the channels through which funds move. The controls are known. Callback verification, MFA, dual approval, lookalike domain monitoring — none of this is exotic. What’s less consistent is whether the response process is documented, practiced, and fast enough to actually catch the money.

The Incident Response & Breach Notification Kit includes playbooks for wire fraud and business email compromise incidents with step-by-step response protocols, SAR narrative templates, and regulatory notification checklists built for financial institutions.

The 72-hour recovery window is real. Having the playbook ready before the wire goes out is what makes the difference.


FAQ

Does reporting BEC to law enforcement satisfy the SAR requirement?
No. These are parallel obligations. Contacting the FBI's IC3 or local law enforcement does not relieve a financial institution of its BSA obligation to file a Suspicious Activity Report. Under FinCEN Advisory FIN-2019-A005, SARs for BEC must be filed within the standard timeframes regardless of whether law enforcement is engaged or funds are recovered.
What is the Financial Fraud Kill Chain and when should we use it?
The FFKC is an FBI procedure that allows rapid notification to receiving financial institutions to freeze fraudulent funds. It applies when the wire is $50,000 or more, is international, has had a SWIFT recall notice initiated, and occurred within the last 72 hours. Your originating bank's fraud operations team initiates it; you trigger it by calling your bank immediately and filing an IC3 complaint at the same time.
Can a wire transfer be reversed after it's been completed?
Generally no — wires can be recalled (requesting the receiving bank to return funds voluntarily) but not reversed unilaterally. Recovery depends entirely on whether the fraudster still has funds in the receiving account. Industry data indicates fraudsters typically move funds within 72 hours of receipt, which is why immediate action is the only effective response.
What SAR category should we use for BEC?
Use 'Business Email Compromise/Email Account Compromise' as the fraud subcategory. FinCEN Advisory FIN-2019-A005 specifies that the SAR narrative should describe the suspicious email communications, identify the impersonated parties, explain which business process was exploited, and include the transaction details and receiving institution information.
Does BEC trigger Reg S-P customer notification obligations?
Only if customer information was accessed, and only if your firm is in scope. Reg S-P applies to SEC-registered firms (broker-dealers, investment advisers, investment companies, transfer agents); the 2024 amendments require notifying affected individuals when sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. A BEC attack that was purely a payment fraud, where the attacker redirected a wire without touching customer account data, does not trigger it. If the compromised mailbox held customer financial records, assess the notification obligation, which runs no later than 30 days after the firm becomes aware of the incident.
What controls most effectively prevent BEC?
Out-of-band callback verification for any wire instruction change or new payee is the single most effective control — it requires calling a known, verified number (not the number in the suspicious email). Multi-factor authentication on email accounts and wire portals, dual approval for wires above set dollar thresholds, and lookalike domain monitoring are the supporting controls that close the gaps BEC exploits.
Author

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
