Wire and ACH Fraud
How criminals exploit wire transfers, ACH payments, and real-time payment systems through BEC attacks and social engineering
1. The Story
Tuesday, 2:47 PM. Patricia Chen stared at her screen, her stomach dropping. The wire transfer she'd sent last Friday wasn't sitting in a supplier's escrow account. It was gone.
Patricia was the CFO of Meridian Manufacturing, a company with 400 employees and $80 million in annual revenue. On Friday, she'd received an email from her CEO requesting an urgent wire transfer for a confidential acquisition. The email came from his actual account. It matched his writing style. It even referenced a real conversation they'd had about expansion plans.
She'd sent $4.7 million to what she believed was an escrow account in Germany.
By the time Patricia discovered the fraud on Tuesday, the money had already moved through three banks and been converted to cryptocurrency. The receiving bank in Germany had forwarded the funds to a correspondent bank in Hong Kong within hours of receipt. From there, the trail went cold.
What Patricia didn't know: criminals had been inside her CEO's email account for six weeks. They'd read every message, learned every communication pattern, and waited for the perfect moment. When the CEO mentioned an acquisition target in an email to the board, they struck.
The FBI agent who took her report said something that stuck with her: "You did everything right. You verified the email address. You confirmed the CEO was traveling. You followed your approval process. The problem is that your process assumed the CEO's email was secure."
This story is fictional, but the patterns are real.
2. Why This Matters
In Payment Systems 101, you learned that wire transfers are instant and irreversible. ACH has a 1-3 day settlement window but limited return rights. Real-time payments like Zelle settle in seconds with no reversal mechanism.
This article explores how criminals exploit each of these payment rails. Understanding the mechanics helps you recognize fraud patterns, not just after the fact, but while they're developing.
Patricia's case illustrates a critical point: wire fraud isn't a single event. It's the final step in a longer operation. By the time money moves, criminals have typically spent weeks or months building toward that moment.
3. How Wire Fraud Works
The Anatomy of a Wire Fraud Attack
Wire fraud almost always involves impersonation. Someone pretends to be a person with authority to request large payments. The most common impersonation targets:
Executive impersonation: Criminals pose as the CEO, CFO, or other senior executive. They request urgent wires for acquisitions, legal settlements, or vendor payments. This works because employees are conditioned to follow executive requests quickly.
Vendor impersonation: Criminals compromise a legitimate vendor's email or create a convincing lookalike. They send "updated payment instructions" for real invoices. The victim pays a real invoice to a fake account.
Attorney impersonation: Criminals research ongoing legal matters through public court filings. They pose as outside counsel requesting wire payments for settlements, escrow, or closing costs.
Why Wire Fraud Succeeds
The attack Patricia experienced succeeded for specific reasons:
Legitimate access. The criminals controlled the CEO's actual email account. They didn't need to spoof anything because they were sending from the real address.
Contextual awareness. They knew about the acquisition discussions because they'd been reading the CEO's email for weeks. The request fit naturally into ongoing business.
Urgency and confidentiality. The "confidential acquisition" framing explained why Patricia shouldn't verify through normal channels. The tight deadline prevented careful review.
Process exploitation. Meridian's wire approval process required executive authorization. The CEO's email provided exactly that authorization.
The Money Movement Phase
Once Patricia sent the wire, the clock started. Wire transfers settle in hours, not days. The criminal infrastructure was ready:
First hop (hours 0-4): The receiving bank in Germany processed an incoming international wire. The account holder (a shell company) had been established months earlier with forged documents.
Second hop (hours 4-12): Before the end of the business day, the funds moved to a correspondent bank relationship in Hong Kong. This appeared as a normal business payment.
Third hop (hours 12-24): The Hong Kong account converted the funds to cryptocurrency through an exchange with minimal verification requirements.
Final layering (days 1-7): The cryptocurrency moved through multiple wallets, mixed with other funds, and eventually converted back to cash in jurisdictions with weak banking oversight.
By the time Patricia discovered the fraud on Tuesday, the money had crossed four jurisdictions and changed form twice. Recovery was functionally impossible.
4. How ACH Fraud Works
ACH fraud operates differently from wire fraud. The settlement window (1-3 business days) creates both opportunities and constraints for criminals.
Payroll Redirect Attacks
In a payroll redirect attack, criminals change where employee paychecks go:
Step 1: Credential theft. The attacker obtains login credentials for an HR system or employee self-service portal. This might come from a phishing email, a data breach, or malware on an employee's computer.
Step 2: Account change. The attacker logs in and changes the direct deposit information for one or more employees. They might change their own account (if they're an insider) or multiple employees' accounts (if they have admin access).
Step 3: Extraction. When payroll runs, the funds route to accounts the attacker controls. Because individual paychecks are typically under $10,000, they often don't trigger high-value alerts.
Step 4: Discovery. Employees notice missing paychecks and complain to HR. This can take days or weeks, especially if the attack targets employees who don't check their accounts frequently.
The per-employee amounts are small, but attackers often hit multiple employees simultaneously. A hundred compromised paychecks averaging $3,000 each produces $300,000 in fraud.
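As an added example (not code from this module or from any HR product), the Python below runs the detection logic a payroll or security team could apply to direct-deposit change events from an HR audit log. The log lines, employee IDs, IPs and routing/account values are constructed; the rules flag one destination account collecting several employees' pay, a burst of changes from a single source IP, and changes made just before a payroll run so they can be held for out-of-band confirmation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed direct-deposit change events (HR audit log, already filtered); IDs, IPs and bank values are fake.
AUDIT_LOG = """\
2025-03-03T09:14:02Z actor=e1042 ip=198.51.100.10 employee=e1042 dest=rt000000001/ac4471
2025-03-03T22:41:10Z actor=e2210 ip=203.0.113.7 employee=e2210 dest=rt000000009/ac9901
2025-03-03T22:43:55Z actor=e3305 ip=203.0.113.7 employee=e3305 dest=rt000000009/ac9901
2025-03-03T22:46:12Z actor=e4100 ip=203.0.113.7 employee=e4100 dest=rt000000009/ac9901
2025-03-04T08:02:30Z actor=hradmin1 ip=10.0.0.5 employee=e5120 dest=rt000000002/ac1188
"""
LINE = re.compile(r"^(?P<ts>\S+) actor=(?P<actor>\S+) ip=(?P<ip>\S+) "
                  r"employee=(?P<emp>\S+) dest=(?P<dest>\S+)$")

def parse(log):
    """One dict per change line, with the timestamp parsed to a datetime."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def detect(log, window=timedelta(minutes=30), burst=3):
    """Two payroll-redirect signals: several employees' pay pointed at one
    destination account, and a burst of changes from a single source IP."""
    events, alerts = parse(log), []
    by_dest, by_ip = defaultdict(set), defaultdict(list)
    for ev in events:
        by_dest[ev["dest"]].add(ev["emp"])
        by_ip[ev["ip"]].append(ev["ts"])
    for dest, emps in by_dest.items():
        if len(emps) > 1:                   # one account collecting many paychecks
            alerts.append(("shared_destination", dest, sorted(emps)))
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                alerts.append(("change_burst", ip, burst))
                break
    return alerts

def hold_for_verification(log, payroll_run, days=1):
    """Changes within `days` before the YYYY-MM-DD run: pay the old account until confirmed out of band."""
    run = datetime.strptime(payroll_run, "%Y-%m-%d")
    return sorted({ev["emp"] for ev in parse(log)
                   if timedelta(0) <= run - ev["ts"] <= timedelta(days=days)})
```

The burst window, threshold and hold period are assumptions to tune against your own change volume; the point is that individual changes look legitimate and only the aggregate view exposes the pattern.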
Vendor Payment Redirect Attacks
Vendor payment redirects work similarly to wire fraud impersonation, but target ACH payments instead:
Step 1: Compromise or impersonate. The attacker either compromises a vendor's email account or creates a convincing lookalike domain (suppliercompany.com vs supplier-company.com).
Step 2: Send new payment instructions. The attacker sends an email explaining that the vendor has changed banks. They provide new ACH routing and account numbers.
Step 3: Accounts payable updates records. If the AP team doesn't verify through a known phone number or other out-of-band method, they update the vendor record in their system.
Step 4: Normal payments redirect. Every subsequent payment to that vendor goes to the attacker's account until someone notices. This can continue for months if the real vendor isn't actively following up on missing payments.
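Added example, not part of the original module: a Python check for the lookalike-domain step above, plus a policy gate that only lets a bank-detail change through when the sender is an approved vendor domain and the change was confirmed by a callback to the number already on file. The approved-domain list, the homoglyph map and the 0.85 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher
from typing import Optional, Tuple

# Approved domains from the vendor master file (constructed sample data).
APPROVED_VENDOR_DOMAINS = {"supplier-company.com", "acme-metals.de", "northwind.co.uk"}

# Digits and letter pairs commonly substituted to build a lookalike domain.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain: str) -> str:
    """Collapse the cosmetic differences a lookalike relies on. Applied to both
    the sender and the approved domain, so the mapping need not be perfect."""
    d = domain.lower().strip().rstrip(".").translate(HOMOGLYPHS)
    d = d.replace("rn", "m").replace("vv", "w")      # 'cornpany' -> 'company'
    return re.sub(r"[-_.]", "", d)                    # drop hyphens, dots, underscores

def classify_sender(sender: str, threshold: float = 0.85) -> Tuple[str, Optional[str]]:
    """Return ('approved' | 'lookalike' | 'unknown', closest approved domain)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in APPROVED_VENDOR_DOMAINS:
        return "approved", domain
    norm = normalize(domain)
    best, best_score = None, 0.0
    for approved in APPROVED_VENDOR_DOMAINS:
        score = SequenceMatcher(None, norm, normalize(approved)).ratio()
        if score > best_score:
            best, best_score = approved, score
    return ("lookalike", best) if best_score >= threshold else ("unknown", None)

def decide_bank_change(sender: str, callback_verified: bool) -> str:
    """Policy gate for a 'we changed banks' email. callback_verified must come
    from a call to the phone number already on file, never one in the email."""
    status, _ = classify_sender(sender)
    if status == "lookalike":
        return "reject_and_escalate"   # near-miss on an approved vendor: likely VEC
    if status == "unknown":
        return "reject"
    return "update_record" if callback_verified else "hold_pending_callback"
```

Note that an email from the real vendor domain still only reaches "update_record" with the callback, because a compromised vendor mailbox passes the domain check exactly as the page describes.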
The ACH Return Code System
Unlike wire transfers, ACH transactions can be returned under certain conditions. The NACHA Operating Rules define specific return codes:
| Code | Meaning | Return Deadline |
|---|---|---|
| R01 | Insufficient funds | 2 banking days |
| R02 | Account closed | 2 banking days |
| R03 | No account/unable to locate | 2 banking days |
| R10 | Customer advises unauthorized | 60 calendar days |
| R29 | Corporate customer advises not authorized | 2 banking days |
The catch: Returns are processed, not guaranteed. The receiving bank initiates a return, but if the account has been emptied, there's nothing to return. Criminals withdraw funds quickly precisely because they know the return window exists.
In October 2024, NACHA expanded the use of existing return code R17. Originally used for file format errors, R17 can now also be used when a receiving bank believes an entry is fraudulent (marked as "QUESTIONABLE" in the addenda field). But this is optional, not required, and many fraud accounts are emptied before any return is initiated.
5. Real-Time Payment Fraud
Zelle, FedNow, and the RTP network share a critical characteristic: payments settle in seconds and cannot be reversed. This creates the highest-risk environment for consumers.
Why Real-Time Payments Attract Scammers
Real-time payments combine characteristics that make them attractive to fraudsters:
Instant settlement means no detection window. With ACH, you have hours or days to spot problems before funds actually move. With real-time payments, the money is gone before you can react.
Consumer access means individual accounts are targets. Wire fraud typically requires compromising business processes. Real-time payment fraud can target any person with a smartphone.
Low friction means victims can send money quickly without the verification steps that slow down wire transfers. A scammer on the phone can walk someone through a Zelle payment in minutes.
Common Real-Time Payment Scam Patterns
Tech support scams. The victim receives a call or popup warning that their computer is infected. The "Microsoft technician" walks them through "fixing" the problem, which includes sending money via Zelle to "secure their account."
Imposter scams. The scammer poses as a bank employee, government agent, or utility company representative. They create urgency (your account will be closed, you'll be arrested, your power will be shut off) and demand immediate payment.
Purchase scams. The victim tries to buy something from a fake seller on a marketplace. The seller insists on Zelle payment. The product never arrives.
Romance scams. After weeks or months of building an online relationship, the scammer requests emergency funds via Zelle. Medical bills, travel emergencies, or business problems provide pretexts.
6. Authorized Push Payment (APP) Fraud
Many attacks in this article share a common pattern: the victim authorizes the payment themselves. Patricia sent the wire. The accounts payable clerk updated vendor payment details. The romance scam victim pressed "send" on Zelle. This pattern has a name: Authorized Push Payment (APP) fraud.
APP fraud describes any fraud where the victim initiates the payment, even though they've been deceived. It's the opposite of unauthorized fraud, where someone steals your credentials and moves money without your knowledge.
Not every attack fits this pattern. Payroll redirect attacks, for example, involve credential theft: the attacker compromises an HR system and changes where paychecks go. The employees whose pay is stolen never authorized anything. That's unauthorized fraud, and different liability rules apply.
Why This Distinction Matters
Fraud liability rules treat authorized and unauthorized transactions very differently.
Unauthorized fraud (someone steals your card, hacks your account): Banks must reimburse you. Regulation E covers debit transactions. Regulation Z covers credit. The bank processed something you didn't approve, so the bank bears the loss.
Authorized fraud (you send money after being tricked): You pressed "send." The bank processed exactly what you asked for. Many fraud protections don't apply because, technically, no unauthorized access occurred.
This creates a strange situation: the more sophisticated the scam, the less protection the victim has. A crude attack that steals your password triggers reimbursement requirements. A clever attack that convinces you to send money yourself may not.
APP Fraud Across Payment Rails
APP fraud happens on every payment type covered in this article:
Wire transfers: Patricia's $4.7 million loss was APP fraud. She authorized the wire after being deceived by an email sent from her CEO's compromised account. The bank executed her instructions correctly.
ACH payments: When an accounts payable team updates vendor payment information based on a fraudulent email, the subsequent ACH payments are APP fraud. The company authorized every transaction.
Real-time payments: Zelle scams are almost entirely APP fraud. The victim sends money to a scammer after being convinced by a tech support call, romance scheme, or fake marketplace listing.
The payment rail affects speed and reversibility, but the liability problem is the same. If you authorized it, recovering the funds is difficult regardless of how the money moved.
The Reimbursement Gap
A 2024 Senate investigation found that the three largest banks on the Zelle network reimbursed only 12% of scam victims in 2023.[1] This means 88% of people who lost money to APP scams received nothing back.
The UK addressed this differently. In October 2024, UK regulators made APP fraud reimbursement mandatory for most cases.[2] Banks must reimburse victims up to £85,000 within five business days unless the victim acted with "gross negligence." The US has no equivalent requirement for any payment rail.
7. The Business Email Compromise Connection
Wire fraud and BEC aren't separate problems. They're two phases of the same attack.
Business Email Compromise refers to the initial compromise of email accounts. Wire fraud is what criminals do with that access. The pattern:
Weeks 1-3: Access. Criminals gain access to email accounts through phishing, credential stuffing, or malware. They might target executives directly or compromise someone with access to executive communications.
Weeks 4-6: Reconnaissance. With email access, criminals read everything. They learn communication patterns, ongoing projects, vendor relationships, and approval processes. They identify the right person to target and the right pretext to use.
Week 7: Attack. The criminals send a wire request that fits naturally into ongoing business. Because they've read the real communications, they know exactly how to phrase requests to avoid suspicion.
This is why email security and payment security can't be separated. A wire fraud investigation often leads back to an email compromise that happened weeks or months earlier.
For detailed coverage of email compromise techniques and email header analysis, see the Email Security module.
8. Key Takeaways
- Wire transfers settle in hours and can't be reversed. Recovery depends on acting within the first 24-48 hours, before funds move through correspondent banks.
- ACH fraud exploits the gap between initiation and settlement. Criminals target payroll systems and vendor payment processes where changes might not be noticed immediately.
- Real-time payments combine instant settlement with consumer accessibility, making them attractive for scammers targeting individuals.
- APP fraud (Authorized Push Payment) spans many of these attacks. Wire fraud, vendor ACH redirects, and Zelle scams are APP fraud because the victim authorizes the transaction. Payroll redirect is different: it's unauthorized fraud via credential theft.
- Most wire fraud starts with email compromise. By the time a fraudulent wire request arrives, criminals have typically been inside the organization's email for weeks.
- The US and UK handle APP fraud differently. The UK now requires mandatory reimbursement up to £85,000. The US has no equivalent, leaving 88% of scam victims without recourse.
9. Key Terms
| Term | Definition |
|---|---|
| Correspondent bank | A bank that provides services on behalf of another bank, often in a different country. International wires typically pass through correspondent banks. |
| BEC (Business Email Compromise) | Attack where criminals gain access to business email accounts and use that access for fraud, often wire transfer requests. |
| VEC (Vendor Email Compromise) | Subset of BEC specifically targeting vendor relationships to redirect payments. |
| Return code | Standard codes in the ACH system indicating why a transaction was returned (insufficient funds, account closed, unauthorized, etc.). |
| Credit-push fraud | Fraud where victims are tricked into "pushing" money to criminals, as opposed to criminals "pulling" unauthorized debits. |
| Authorized push payment (APP) | Payment initiated by the victim themselves, even if deceived. Many fraud protections don't cover APP fraud. |
| Shell company | A company created specifically to receive fraudulent funds, often with minimal real business activity. |
| Layering | Moving money through multiple accounts and jurisdictions to obscure its origin. Part of the money laundering process. |
References
1. U.S. Senate Permanent Subcommittee on Investigations (2024). Zelle Fraud Investigation Report. Banks reimbursed only 12% of scam victims in 2023.
2. UK Payment Systems Regulator (2024). APP Fraud Mandatory Reimbursement. £85,000 cap, five-business-day requirement, effective October 7, 2024.
Generated with AI assistance. Reviewed by humans for accuracy.