Wire Transfer Fraud: prevention, best practices and recovery

A 125-year-old US company lost $17,2M through wire transfer fraud. Scoular, which trades in grains and storage, repeatedly fell victim to wire transfer scams. Unfortunately,  fraud recovery wasn’t an option for them. It’s a reality for many: in 2022, 56% of US companies were targeted by at least one fraud attempt. When you fall victim to a wire transfer scam, how can you recover your funds? Read on to find out.

Trustpair protects you against wire transfer fraud by continuously controlling payments before they’re executed and blocking any suspicious transactions. Request a demo to learn how you can block payment fraud!

What is wire transfer fraud? Definition

Wire transfer fraud is a popular type of payment fraud. In happens when fraudsters ask you to send money to their bank account under false pretenses. It’s a form of online theft that usually uses spoofing (or identity theft).

They do it by impersonating someone you trust, like a supplier, or people with innate authority, like a representative from a government agency or the CEO of your company.

Scamming scenarios are often elaborate and convincing: for example, they ask you to urgently wire money to an account to finalize a strategic deal. There is often an element of pressure to it, so their unsuspecting victim doesn’t take the time to rationally think about what’s being asked.

In 2015, Xoom lost more than $30M through CEO fraud. One of their financial executives got tricked into transferring this money to an account, thinking their boss was asking for it.

Wire transfer fraud works because of its immediacy. Once the funds have been transferred, they land almost immediately in the malicious hacker’s account.

Although traditional wire transfers take 1 to 2 business days, the recent move towards instant payment methods means the funds can be credited in a matter of seconds.

The common types of wire transfer fraud and examples

Wire transfer fraud continues to evolve, targeting companies of all sizes across industries. While the tactics may vary, the goal is the same: to manipulate your team into sending money to a fraudster’s account. Below are the most common types of wire fraud you should be aware of, along with examples to help illustrate how these scams play out in real life.

1. Business Email Compromise (BEC)

BEC is one of the most prevalent forms of wire fraud. It involves fraudsters impersonating a senior executive (like a CFO or CEO) or a trusted supplier using a lookalike email address. The attacker pressures an employee—usually in finance or accounting—to urgently send funds to a fraudulent account.

Example: A finance team member receives an email from what appears to be the CFO, instructing them to urgently transfer \$250,000 to a new vendor for a strategic acquisition. The email domain is nearly identical (e.g., `@company.co` instead of `@company.com`). The employee follows through, only to discover days later that the CFO never made the request.

2. Phishing and Spear Phishing

Phishing scams trick employees into clicking malicious links or providing sensitive information via fake emails or websites. Spear phishing is a more targeted version, often aimed at specific roles within the company. Discover examples of spear phishing right here.

Example:  A vendor sends an invoice via email, prompting the AP team to log in to a fake payment portal that captures login credentials. The attackers then access the real system and change the vendor’s bank details to divert future payments.

3. Vendor Fraud

Attackers pretend to be legitimate suppliers and request changes to payment instructions, usually via email. These requests often come from hacked vendor accounts or fake lookalike domains.

Example: A fake email, supposedly from a long-standing supplier, informs the accounts payable team of a new bank account for future payments. Without verification, the team updates the records and sends the next payment to the fraudster’s account. Discover more examples of vendor fraud in this article.

4. AI-Powered Deepfake Fraud

Criminals now use AI to mimic voices and even video likenesses of company executives to validate fraudulent payment requests. This tactic increases the perceived legitimacy of the scam.

Example: A controller receives a phone call with the voice of the CFO confirming an email payment request. The voice sounds authentic—because it is a deepfake generated from public recordings. Trusting the voice confirmation, the controller proceeds with the transfer.

Wire transfer fraud prevention: red flags and strategies

Recovering funds from this type of fraud is complicated and without any guarantees. What you can control, however, is ensuring that you adopt adequate fraud prevention measures to avoid wire transfer fraud. It’ll save you from future financial (and reputational) losses.

Red flags and warning signs

Spotting potential fraud early can save your organization from significant financial loss. While fraud attempts are becoming more sophisticated, there are still telltale signs that something isn’t right. Here are key red flags to watch for:

1. Urgent or unusual payment requests. If a payment request is marked as urgent or doesn’t follow the usual process, especially from senior executives or new suppliers, pause and verify. Fraudsters often rely on urgency to bypass internal controls.
2. Changes to vendor banking details. Any request to update supplier bank account information, especially when communicated via email, should trigger a verification process. This is a common tactic in vendor fraud.
3. Unfamiliar or inconsistent email addresses. Check email domains carefully. Fraudulent addresses often mimic real ones (e.g., `@supplier-pay.com` vs `@supplierpay.com`). Inconsistencies in tone, grammar, or formatting can also signal something is off.
4. Unusual timing or location. Emails sent outside business hours or from unfamiliar IP locations should be treated with caution, particularly if they involve financial instructions.
5. Pressure to bypass standard srocedures. If someone asks to skip a second approval, avoid a call-back, or ignore usual compliance steps, it’s a red flag. Legitimate vendors and internal stakeholders should never second-guess secure processes.

Increase your safety measures and internal controls

Working with your IT team, you can start improving your cybersecurity protocols. That looks like:

• Setting up strong password requirements so hackers cannot guess or hack them too easily.
• Adopting multi-factor authentication to ensure the person logging into your network and key software has authorization to access it.
• Requesting your employees never reveal any personal information like their phone numbers or social security numbers to any unknown or phony-looking sender.

Besides direct cyber security, it’s important to adopt better safety processes.

Adopting the concept of segregation of duties in your departments ensures no one person has too many responsibilities. It’s harder for online scammers to be successful when several people are involved. Furthermore, it’s a good way to prevent and reduce internal fraud risks.

When it comes to fraud detection, the 4-eye principle will also work in your favor. Requiring a minimum of two people (so, four eyes) to verify your transactions and other key operations reduces the risk of fraud.

Last but not least: make sure your team receives regular and up-to-date security awareness training. It should be given several times a year by security experts, and include real-life examples of the most recent scams. Teach your team to spot phishing emails, to watch out for too-good-to-be-true offers, or what to do when they have a scam artist over the phone (hang up!).

The more effort you put into your prevention, the more fraud-aware your team will be. Your employees are a good barrier against fraud — but they’re not infallible.

The best prevention strategy: use anti-fraud software

Fraud prevention software like Trustpair is an important element of your fraud prevention (and detection) plan.

Humans are, after all, quite vulnerable to mistakes as well as social engineering tactics. Often, the breach comes from someone from your team who didn’t think twice about a dangerous action they were taking.

42% of employees admitted taking dangerous action online according to the State of the Phish report (actions like clicking on a malicious link, or downloading viruses).

To protect yourself against cyber attacks and social engineering attacks, it’s necessary to use anti-fraud software.

Indeed, fraud prevention and detection software are more efficient in preventing wire transfer fraud and have access to data your employees cannot access on their own.

Trustpair has access to hard-to-find international databases that ensure even your international wire transfers to your overseas suppliers are secure. Our solution continuously audits your third-party account number in real time. We use three-way matching to ensure the funds you send always reaches its intended beneficiary. Each request for a banking information change is thoroughly analyzed before the banking details are changed. Fake account numbers and suppliers won’t go through!

Trustpair blocks any fraudulent transaction before it is sent to unauthorized third parties. Our software includes a machine learning component that:

• Detects suspicious patterns,
• Blocks the correspondent transfer and
• Raises the alert.

Using Trustpair means completely eradicating the risk of fraud in your company — so you never have to deal with wire transfer fraud recovery!

Fraud can have disastrous consequences on companies and employees. Lee-Ann Perkins, experienced treasurer in the US, shares her own story in our latest video series.

Regulatory and compliance considerations

In the U.S., wire transfer fraud isn’t just a financial risk, it’s a compliance concern. Financial teams are expected to implement strong internal controls and comply with regulatory frameworks designed to prevent fraud, money laundering, and unauthorized transfers.

Below are some of the key US regulations to know about:

Bank Secrecy Act (BSA): Requires financial institutions to keep records of cash purchases, report suspicious activity (SARs), and implement anti-money laundering (AML) programs.

OFAC Sanctions Compliance: Organizations must ensure they do not send funds to individuals or entities on the Office of Foreign Assets Control (OFAC) list. A fraudulent wire to a sanctioned entity could result in hefty penalties.

Uniform Commercial Code (UCC 4A): Governs the rights and responsibilities of parties involved in wire transfers. Under UCC 4A, companies may be liable if they fail to use commercially reasonable security procedures.

Sarbanes-Oxley Act (SOX): For public companies, SOX requires robust internal controls over financial reporting, including processes to prevent unauthorized payments.

Non-compliance with these regulations can result in financial penalties, legal exposure, and reputational damage. Beyond that, regulators expect businesses to proactively assess fraud risks, especially in the face of rising cyber threats and sophisticated scams.

What are the steps to recover funds from wire transfer scams?

When you discover the fraud, it’s a race against time to start the fraud recovery process. You need to act fast before:

• The funds are transferred to other bank accounts,
• Withdrawals are done to begin laundering the money,
• The funds are converted to cryptocurrency.

If any of that happens, you are even less likely to recover funds.

Of course, imposters know that, so they try to slow down your response time even further. They commit wire transfer scams on a Friday afternoon and even go as far as contacting you pretending to be your bank investigating the matter — giving them further time.

And unfortunately, with this type of fraud, fund recovery is never guaranteed. If you’ve been scammed, it’s highly unlikely you’ll ever see this money again, and your odds diminish with each passing hour.

However, when you’re a victim of online fraud, there is little you wouldn’t try to save your company. Here are the steps to take to try and get your funds back:

Contact your bank

The first thing to do when you become aware of the transfer fraud is to contact the financial institution you used to send money.

Call your bank and ask them to initiate a SWIFT recall. Explain you’ve been the victim of bank transfer fraud and that you need to freeze the wire transfer.

From there, there are two scenarios:

1. If the funds haven’t left your account yet, you might be able to stop the transfer and not lose your funds.
2. If the funds transfer has already been deposited to the payee’s account, however, things are not looking good for you. The cybercriminals may already have moved the money to another bank account.

It’s still worth asking your bank to call the recipient’s bank fraud department so they can freeze their account. If the money was indeed transferred to another account, then you need to contact the third correspondent bank.

You have to call each intermediary bank personally to explain the situation and freeze the whole chain of accounts in the different financial institutions.

Remember to make a list of your phone calls with the time you called and the details given — it’s a tedious task that can quickly get overwhelming.

Contact law enforcement

Then (or in parallel), you have to contact law enforcement to report the internet fraud. There are several legal entities to contact for the wire transfer fraud recovery process:

1. The Internet crime complaints center. They’re a division of the FBI in charge of Internet crimes. Explain the situation and give them all the scam details. Send them a copy of the scam emails and text messages (or a transcript of the phone call in case of vishing) with the wire instructions. They’ll issue you an IC3 number.
2. Local authorities. With your IC3 number, contact your local FBI agency, or your local police department. They’ll tell you which process to follow and what to expect next.
3. Federal Trade Commission. Reporting fraud to the Federal Trade Commission is helpful so they know the latest scams around. They’ll also be able to offer some practical help and guidance on your next steps.

Of course, you’ll want to involve your lawyers or your legal department. It’s helpful to nominate a few trustworthy people to help with recovering your funds from bank transfer fraud.

Identify the breach

Recovering your funds from payment fraud can take a while. There are a lot of actors who need to get in touch, all with different internal processes. Check in regularly with the relevant organizations, but also be patient.

While you’re waiting, there is more work to do!

If you haven’t already, contact your IT security team. They’ll probably have started acting on your contingency plan, but double-check that all your passwords have been changed and your security reinforced. Make sure the perpetrators cannot strike twice (they often do).

It’s also essential to find where the breach originated. Once more, your IT team should have its own protocol to follow in case of a security breach. They’ll have made a mirror copy of your system when the breach happened, so they can find the leak — like malware on one of your employee’s devices.

Key Takeaways:

• If you’ve been a victim of fraud, it’s almost impossible to recuperate your funds. The recovery process is a race against time that requires patience.
• Adequate protection against payment fraud is the smart choice. Using anti-fraud software like Trustpair completely eradicates the risk of fraud.