Field Guides · During · wire-fraud

Wire fraud, the first hour

A wire has gone to the wrong account. Recovery odds drop sharply after the first 60 minutes. The mailbox is probably still compromised. Move on the bank, not the keyboard.

live use · L1

A wire to the wrong account is recoverable if you move quickly. Banks can place a hold on the funds if they receive a fraud report fast enough. The window narrows over hours, not days.

The order matters. The bank call comes before the lawyer call. The lawyer call comes before the press call. Email comes never, until you are sure the channel is not compromised. If the request arrived in a supplier thread, the supplier mailbox is probably the one that was compromised. Your sender’s mailbox might be next. The first hour is not just about the money. It is also about cutting the access the attacker still has.

Most of what kills the first hour is not technical. It is people replying to the thread to ask what happened. Executives calling the bank themselves and adding noise. The callback that was skipped because the request felt legitimate, and is now unspoken in the room. Work the list. Do not freelance. The team that recovers the funds is the team that follows process under pressure.

Checklist

0/330/24 critical

First 10 minutes

Confirm the wire actually sent and to which accountCriticalGet the transaction reference and the receiving bank details in writing.
Halt any related pending payments to the same payeeCritical
Call your bank's fraud line. Reference the transaction. Request recall.CriticalVoice call. Not the relationship manager's email.
Do not email the original sender or the payeeCriticalIf the sender was compromised, you tip the attacker off. Use phone.
Incident declared. No one is waiting for an exec to confirm it is real.Critical

First 30 minutes

Have your bank contact the receiving bank with fraud report referenceCritical
Open an incident channel separate from any compromised accountCriticalAssume email is read. The corporate channel is the one the attacker is watching.
Restrict access to the payments system to a named small groupCritical
Preserve the original email, headers, message-id, and any related attachmentsCritical
Start a written timeline. Times. People. What was said.Critical
Incident commander named. One person owns coordination, not the CFO.

Mailbox and identity status

If the sender's account is in your tenant, freeze it and revoke active sessionsCritical
Check the sender's mailbox for forwarding rules, delegate access, and new linked appsCritical
Check OAuth grants on the sender's mailbox for recent additionsCritical
Pull sign-in history for the sender and any execs copied on the threadCriticalUnfamiliar IPs, geos, and user agents in the last 30 days.
Check the sender's domain against your lookalike-monitoring list
Check other finance and exec mailboxes for the same forwarding-rule patternsCritical

First 60 minutes

Legal counsel briefedCritical
Cyber insurer notified within their reporting windowCritical
File with national fraud authority (IC3, ActionFraud, AFP, equivalent)
Look back 60 days for other unusual payments to new payeesCritical
If the request came through a supplier thread, contact the supplier out of bandCriticalUse a number you held before the request. Do not reply in the thread.
Brief executives with what is known, what is not, and what is being done

What actually breaks

Finance team is not alone on the bridge. Security, IT, legal are in the room.Critical
If the callback was skipped, that fact is captured. Not hidden.CriticalThis is not a blame question. It is the timeline.
Executives are not freelancing calls to the bank or the supplierCriticalOne voice to each external party. Routed through IC.
Status updates are on cadence. The bridge is updated, not every exec individually.
No one has replied to the original email thread to "ask the sender what happened"Critical
Elapsed time since the wire is visible to the team. Someone owns the clock.

Decisions to make

Disclosure clock started (regulatory, customer, board)
Decide whether to engage IR firm now or hold
Pre-position public comms in case this becomes public
Flag payroll, treasury, and AP teams to elevated controls for the next 14 daysCritical

Accepted operational risks

24 of 24 critical items unchecked.

Every unchecked critical item is an accepted operational risk. Make sure someone senior is consciously accepting it.

Confirm the wire actually sent and to which accountFirst 10 minutes
Halt any related pending payments to the same payeeFirst 10 minutes
Call your bank's fraud line. Reference the transaction. Request recall.First 10 minutes
Do not email the original sender or the payeeFirst 10 minutes
Incident declared. No one is waiting for an exec to confirm it is real.First 10 minutes
Have your bank contact the receiving bank with fraud report referenceFirst 30 minutes
Open an incident channel separate from any compromised accountFirst 30 minutes
Restrict access to the payments system to a named small groupFirst 30 minutes
Preserve the original email, headers, message-id, and any related attachmentsFirst 30 minutes
Start a written timeline. Times. People. What was said.First 30 minutes
If the sender's account is in your tenant, freeze it and revoke active sessionsMailbox and identity status
Check the sender's mailbox for forwarding rules, delegate access, and new linked appsMailbox and identity status
Check OAuth grants on the sender's mailbox for recent additionsMailbox and identity status
Pull sign-in history for the sender and any execs copied on the threadMailbox and identity status
Check other finance and exec mailboxes for the same forwarding-rule patternsMailbox and identity status
Legal counsel briefedFirst 60 minutes
Cyber insurer notified within their reporting windowFirst 60 minutes
Look back 60 days for other unusual payments to new payeesFirst 60 minutes
If the request came through a supplier thread, contact the supplier out of bandFirst 60 minutes
Finance team is not alone on the bridge. Security, IT, legal are in the room.What actually breaks
If the callback was skipped, that fact is captured. Not hidden.What actually breaks
Executives are not freelancing calls to the bank or the supplierWhat actually breaks
No one has replied to the original email thread to "ask the sender what happened"What actually breaks
Flag payroll, treasury, and AP teams to elevated controls for the next 14 daysDecisions to make