Feature Incident Response
AI-Powered BEC Stole $3 Billion in 2025: What Your Incident Response Playbook Is Missing
The FBI's 2025 IC3 report logged $3.046 billion in BEC losses—86% via wire or ACH—with AI now generating the emails, cloning the voices, and running the deepfakes. Most financial institution IR playbooks were written before this threat existed. Here's the gap analysis and what to add before the next one hits.
Table of Contents
The FBI’s 2025 Internet Crime Complaint Center Annual Report landed in spring 2026 with a number that should have stopped every wire operations team in the country: $3.046 billion in verified Business Email Compromise losses, from just 24,768 complaints.
That’s $122,000 average loss per complaint. 86% of it moved via wire transfer or ACH. For financial institution-specific incidents, the FBI tracked a 38% year-over-year increase in BEC attacks with an average loss per banking sector incident of $4.7 million.
And that’s before accounting for the AI upgrade.
TL;DR
- The FBI’s 2025 IC3 report documents $3.046B in BEC losses—86% via wire/ACH, $4.7M average banking sector loss, 38% YoY increase in attacks on financial institutions
- AI has fundamentally changed what BEC attacks look like: LLM-generated emails are grammatically perfect, deepfake voice calls defeat the “call to verify” control, and the fraud moves faster than most IR playbooks anticipate
- FinCEN issued a deepfake alert (November 2024) with specific red flags and urged live behavioral verification to replace static deepfake detection
- The 72-hour wire recovery window is real and tight: the FBI’s Financial Fraud Kill Chain achieved 66% success at freezing funds in 2024 when complaints were filed promptly
- Most financial institution IR playbooks predate AI-enhanced BEC and are missing: deepfake verification protocols, wire recall procedures, FBI Financial Fraud Kill Chain activation steps, and Section 314(b) fraud intelligence sharing
What AI Actually Changed About BEC
Business email compromise has existed for over a decade. FinCEN’s original BEC advisory dates to 2016. Most financial institution fraud teams know the playbook: a fraudster impersonates a CEO or CFO, creates urgency around a wire transfer, and pressures an operations employee to move funds before anyone notices.
What changed is execution quality and speed.
Traditional BEC relied on compromised email accounts or spoofed domains. Attackers often worked in off-hours, produced emails with recognizable tells—slightly off syntax, unusual phrasing, generic job titles, wrong email domains—and the “call to verify” control caught a meaningful percentage of attempts.
AI killed those detection signals.
Large language models now generate emails that match the writing style of the person being impersonated, including internal jargon, active project references, and relationship context scraped from LinkedIn and public sources. Between October 2025 and January 2026, 27.1% of callback phishing campaigns impersonated financial services brands including PayPal, Venmo, and Bank of America. The emails don’t have typos. The tone is right. The domain looks correct.
The deepfake layer is worse. FinCEN’s November 13, 2024 alert on fraud schemes involving deepfake media documented cases where attackers used real-time AI voice synthesis and video deepfakes to conduct live “verification calls” that passed the out-of-band check. A wire operations employee calls the CEO’s known number to confirm a $2M transfer. A voice that sounds exactly like the CEO confirms it. The transaction goes through.
Research published in 2025 found that humans can correctly identify high-quality deepfake video only about 55–60% of the time—barely better than random chance. If your verification protocol relies on a human making that call, it is no longer a reliable control.
For institutions tracking how AI threats are reshaping operational risk, the NIST AI Risk Management Framework adoption playbook covers the governance layer that underpins AI-specific controls like deepfake verification.
The Wire Transfer Anatomy of BEC Losses
The 86% figure from the 2025 IC3 report is the most important number in this article for financial institutions. Supply chain attacks follow similar dynamics—a single compromised vendor can expose dozens of institutions simultaneously, just as the Marquis Software ransomware breach demonstrated when 80 banks found their customer data exposed through a mid-tier marketing vendor.
Most fraud discussions focus on account takeover, card fraud, or ACH returns. Wire transfers are different. Wire fraud is usually irreversible once sent. There are no chargeback rights. The funds leave your institution and move to a receiving bank that has no obligation to you and no knowledge that the transfer was fraudulent.
Here’s the recovery math: SWIFT research shows fraudulent wire funds are typically moved out of the receiving account within 72 hours of arrival—sometimes within hours. Recovery success rates drop to low single digits after the first day.
The FBI runs a program that changes this calculation, but only if you use it fast. The Financial Fraud Kill Chain, operated through IC3, coordinates directly with receiving financial institutions to freeze fraudulent funds when a complaint is filed promptly. In 2024, this program achieved a 66% success rate, freezing $561.6 million across more than 3,000 incidents.
66% success. But that requires: knowing the fraud happened, knowing to call IC3 immediately, and filing a complete complaint before the funds have moved again.
How many of your employees know to call IC3 as Step 1, not Step 5?
Where Most IR Playbooks Fall Short
Most financial institution incident response plans were written three to five years ago, before generative AI changed the BEC threat landscape. They describe BEC accurately as it existed then. They don’t describe it as it exists now.
The specific gaps:
Gap 1: The “call to verify” control assumes the voice is real.
Standard dual authorization requires a callback to confirm wire instructions. The callback was designed to defeat email-based impersonation—you can spoof an email, but you can’t fake a voice call to a known number. You can now. If your playbook says “verify via phone call before processing,” and the phone call itself can be deepfaked, the control has a hole that most procedures don’t acknowledge.
What should be there instead: live behavioral verification. A video call where the approver is asked to perform a specific real-time action—“hold up three fingers,” “look left”—that a static deepfake or pre-recorded video can’t accommodate. For very large transactions, biometric authentication independent of the communication channel.
Gap 2: No wire recall procedure.
Most IR playbooks describe how to investigate an incident and notify regulators. They don’t describe how to recover fraudulent funds. There’s an entire set of first-hour actions—contact the sending bank’s wire ops, file at IC3, activate Financial Fraud Kill Chain, initiate SWIFT gpi recall for international transfers—that need to happen within hours and are completely absent from most playbooks.
Gap 3: No Section 314(b) fraud intelligence sharing step.
The June 12, 2026 FinCEN 314(b) guidance update makes this even more pressing.
FinCEN’s June 12, 2026 update to its Section 314(b) guidance explicitly expanded the information-sharing safe harbor to cover fraud—including wire fraud, bank fraud, and fraud connected to unauthorized computer access. Institutions can now share fraud intelligence with peer institutions in real time, including sharing personally identifiable information about suspected fraudsters.
If your institution is a victim of AI-enhanced BEC and you’ve identified account numbers, IP addresses, phone numbers, or identity markers associated with the attacker, you can share that with other enrolled financial institutions immediately. That coordination can freeze the attacker’s ability to use the same identity at a peer institution within hours. Most playbooks have no step for this.
Controls That Actually Work in 2026
Not every BEC prevention control has been defeated by AI. Some work better than ever. Here’s what the current threat landscape tells us about control effectiveness.
Out-of-band verification—still essential, but the channel matters.
The single most effective prevention control remains out-of-band verification: confirming wire instructions via a completely different communication channel from the one that delivered them. If an instruction arrived by email, the confirmation should be by phone to a number from your own records—not from the email. If an instruction came in via a vendor portal, the confirmation call goes to the vendor’s published number.
What changed: the confirmation call now needs behavioral challenge if deepfake voice is a realistic threat for that transaction size. For wires above $100K–$500K (your threshold will vary), a video call with a live challenge element is more defensible than a voice call alone.
Dual authorization above defined thresholds—non-negotiable.
Any wire above a defined threshold should require two independently authorized individuals, each of whom verifies the request through separate out-of-band channels. Not one person calling the CEO—two people, independently, each using separately verified contact information.
DMARC/DKIM/SPF enforcement—catches domain spoofing before it reaches inboxes.
DMARC, DKIM, and SPF authentication block the most common BEC vector: spoofed domains that look like internal email addresses. If you haven’t enforced DMARC at the reject level for your own domains, you’re accepting an easily preventable risk. Enforcement should also be on the receiving side—emails from external domains that fail authentication should flag before any action is taken.
Treat urgency and secrecy as automatic red flags.
Every BEC attempt emphasizes urgency: “This needs to happen today,” “Don’t mention this to anyone,” “Bypass the normal process.” This is a social engineering feature, not a coincidence. Any wire request that is urgent, confidential, or outside normal channels should trigger automatic escalation—not accommodation.
FinCEN deepfake red flags as detection triggers.
FinCEN’s 2024 deepfake alert identified specific indicators your fraud team should have in their monitoring playbook:
- Biometric selfie submissions that are too similar to the document photo (sign of image synthesis)
- Customers who cannot respond in real-time to behavioral challenges in video calls
- Unexpected requests to change contact information (phone, email) immediately preceding unusual transaction requests
- Wire instructions to newly added or recently changed beneficiaries—especially if added in the same session as the instruction
If a Wire Goes Out: The First 72 Hours
The 72-hour clock starts the moment funds leave your institution. Here’s the response sequence:
Hour 1:
- Contact your wire operations team and instruct them to submit a wire recall request immediately
- File a complaint at ic3.gov and specifically request FBI Financial Fraud Kill Chain activation—include the sending account, receiving bank routing and account number, transfer amount, and any suspect contact information
- For international wires: contact your correspondent banking team to initiate a SWIFT gpi recall through your SWIFT BIC
Hours 1–4:
- Preserve all evidence: the fraudulent email thread, any phone numbers used, any login activity in your systems, IP addresses if available
- Identify whether any other accounts at your institution may have been targeted in the same campaign
- Assess whether the incident meets your SAR reporting threshold—if funds were fraudulently transferred through your institution and you have reason to believe the transaction involves criminal activity, the suspicious activity reporting obligation may apply regardless of whether your institution was the victim
Hours 4–72:
- Continue coordination with IC3 and receiving bank
- Assess Section 314(b) sharing opportunities—if you’ve identified fraud indicators that other institutions should know about (account numbers, phone numbers, email patterns, identity documents), share them with enrolled peer institutions
- Prepare regulatory notification assessment: if the incident is a “computer-security incident” that materially disrupts customer accounts under the FFIEC notification rule, your primary federal regulator may need notification within 36 hours
Post-incident:
- Conduct a full playbook review to capture what the existing procedures missed
- File after-action report documenting what controls were bypassed and how
- Update training materials with the specific AI techniques used in the attack
What to Add to Your IR Playbook Right Now
Five additions that most financial institution playbooks are missing:
-
Deepfake verification protocol: Written procedure specifying that for wires above [threshold], video call verification must include a live behavioral challenge. Define the challenge types, who conducts it, and what constitutes a failed challenge.
-
Wire recall and FBI Financial Fraud Kill Chain procedure: Step-by-step instructions for the first 60 minutes, including specific contact numbers for IC3, your wire operations team, and your correspondent bank’s fraud team.
-
SWIFT gpi recall procedure: Separate procedure for international wire fraud with the specific steps your team must take to initiate a recall through the SWIFT gpi Payments Controls Service.
-
Section 314(b) fraud intelligence sharing: Add a step to your BEC response procedure for sharing confirmed fraud indicators with peer institutions enrolled in 314(b). This requires your institution to be enrolled—check enrollment status if you haven’t recently.
-
SAR decision tree for BEC incidents: A structured decision flowchart that determines whether a BEC incident triggers a SAR filing obligation, including the amount thresholds, the “knows, suspects, or has reason to suspect” standard, and the 30-day filing deadline.
So What?
The FBI’s $3.046 billion figure is not a projection. It’s what was verified and reported in 2025. The actual loss number is higher—IC3 captures only reported incidents, and many BEC losses go unreported because institutions either absorb them quietly or don’t recognize them as BEC.
AI didn’t create business email compromise. It industrialized it. The emails are better, the voice calls are convincing, the deepfake video is real-time, and the funds move faster than most response procedures anticipate.
The good news: the controls work, the recovery window exists, and the FBI’s Financial Fraud Kill Chain has a 66% success rate when used correctly and quickly. The gap is almost always procedural—teams that don’t know the FBI program exists, IR playbooks that describe investigation but not recovery, and verification protocols that assume the phone call is real.
The Incident Response & Breach Notification Kit includes step-by-step playbooks for payment fraud incidents, breach notification timelines for all 50 states, and tabletop exercise scenarios your team can run before the next BEC attempt arrives. When something goes wrong, you don’t have time to look up what to do.
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What is AI-powered business email compromise and how is it different from traditional BEC?
What does the FBI's 2025 IC3 report say about BEC losses at financial institutions?
What is the 72-hour recovery window for wire fraud and how does it work?
What did FinCEN's November 2024 deepfake alert say financial institutions must do?
What should a financial institution do in the first hour after discovering a fraudulent wire has been sent?
How should financial institutions update their IR playbooks to address AI-enhanced BEC?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
◆ Keep reading
Related posts.
Incident Response
KYC in the Deepfake Era: Why Document + Selfie Verification Is Failing and What Actually Works
FinCEN's November 2024 alert formally put financial institutions on notice that AI-generated deepfakes are bypassing KYC onboarding at scale. Here's what's failing in the document+selfie stack, what examiners expect, and which controls are working in 2026.
Jul 5, 2026
Incident Response
Breach Notification Letter Template: What the Law Requires, What Regulators Charge For, and Why Your Approval Process Fails Under Pressure
The content of a breach notification letter isn't optional — multiple regulatory frameworks specify exactly what must be in it, and enforcement actions from the FTC, SEC, and CFTC show how specific the mistakes regulators will charge you for. Here's what goes in the letter and how to build an approval process that holds up when the 30-day clock is running.
Jul 3, 2026
Incident Response
Supply Chain Cyber Incident Response for Financial Institutions: Lessons from Marquis, MOVEit, and CrowdStrike
Supply chain attacks are now the top global cyber threat. When Marquis Software ransomware hit 74+ banks and credit unions, those institutions owned the regulatory response even though their own systems were never touched. Here's the incident response playbook for incidents you didn't cause.
Jun 30, 2026