
Wire Transfer & ACH Fraud

Business email compromise, wire fraud schemes, ACH fraud patterns, and real-time payment fraud detection

Wire Transfer & ACH Fraud: The $8.2 Billion Business Email Compromise Crisis

Understanding the fastest-growing fraud types targeting business payments

The Executive's Nightmare: Detective Marcus Reid's $4.7M Wire Fraud Case

At 9:42 AM on a Tuesday, Detective Marcus Reid received a call that would change how he understood business fraud. Patricia Chen, CFO of Meridian Manufacturing, had just discovered that her "urgent" wire transfer to a new supplier the previous Friday was actually a $4.7 million payment to criminals in Romania.

"I got the email from our CEO requesting the wire transfer," Patricia explained, her voice shaking. "It looked exactly like his normal emails. Same signature, same urgent tone about a confidential acquisition. I verified it was his email address before sending the wire."

But Marcus's investigation revealed something that made the case even more disturbing: Patricia had followed every security protocol correctly. The email really did come from the CEO's account, which had been compromised three weeks earlier through a targeted phishing attack. The criminals had been studying the company's email patterns, learning the CEO's communication style, and waiting for the perfect moment to strike.

By the end of Marcus's investigation, he had uncovered not just one wire fraud case, but a sophisticated criminal enterprise running 247 simultaneous business email compromise attacks across 31 states, generating $8.2 million monthly.

This wasn't random crime; it was organized fraud operating like a Fortune 500 company.


Understanding Wire Transfer Fraud: The Perfect Crime

Why Wire Transfers Are Criminal Gold

Wire transfers are the criminal's dream payment method:

  • Immediate settlement: Money moves instantly between banks
  • Irreversible: Once sent, wires cannot be recalled or disputed
  • High value: The average business wire is $284,000
  • Minimal protection: No consumer protection laws like credit cards
  • Global reach: International wires difficult to trace and recover

The Business Email Compromise (BEC) Playbook

Phase 1: Target Selection (Weeks 1-2)

  • Research companies using public information (LinkedIn, company websites)
  • Identify key executives and finance personnel
  • Study communication patterns through social media
  • Map organizational hierarchy and approval processes

Phase 2: Initial Compromise (Weeks 3-4)

  • Send targeted phishing emails to executives
  • Deploy credential harvesting or malware
  • Gain access to email accounts
  • Install persistence mechanisms to maintain access

Phase 3: Intelligence Gathering (Weeks 5-8)

  • Monitor email communications silently
  • Learn business processes and vendor relationships
  • Identify upcoming financial transactions
  • Study executive communication styles and signatures

Phase 4: The Strike (Week 9)

  • Send fraudulent wire transfer requests during optimal timing
  • Use learned communication patterns for authenticity
  • Create urgency and confidentiality to bypass verification
  • Provide detailed wire instructions to criminal accounts

Phase 5: Money Movement (Hours after wire)

  • Immediately move funds through multiple banks
  • Convert to cryptocurrency or other hard-to-trace assets
  • Layer funds through shell companies and money services
  • Complete theft before victim realizes fraud occurred

Real BEC Attack Patterns Detective Reid Identified

CEO Impersonation (73% of BEC attacks):

Subject: Confidential - Urgent Wire Transfer Needed
From: CEO@company.com (compromised account)

Patricia,

I need you to process an urgent wire transfer for a confidential acquisition we're closing today. The vendor requires immediate payment to secure the deal.

Amount: $4.7M
Bank: Deutsche Bank Romania
Account: [Criminal account details]
Reference: Acquisition Payment - CONFIDENTIAL

This must be completed by 2 PM today. Please confirm once sent.

Best regards,
Michael

Vendor Email Compromise (22% of BEC attacks):

  • Criminals compromise legitimate vendor email accounts
  • Send updated payment instructions for legitimate invoices
  • Redirect payments to criminal accounts
  • Harder to detect because vendor relationship is real

Attorney Impersonation (5% of BEC attacks):

  • Criminals research ongoing legal matters through public records
  • Impersonate law firms handling closings or settlements
  • Request urgent payments for "closing costs" or "escrow"
  • Create fake urgency around legal deadlines

ACH Fraud: The High-Volume, Low-Detection Attack

How ACH Fraud Differs from Wire Fraud

Wire Transfer Fraud:

  • Few transactions, high dollar amounts
  • Immediate and irreversible
  • Requires authorization by senior executives
  • Detected quickly due to amounts involved

ACH Fraud:

  • Many transactions, moderate dollar amounts
  • 1-3 day settlement window
  • Often authorized by lower-level employees
  • Can operate undetected for weeks or months

ACH Fraud Attack Patterns

Payroll Redirection:

  • Criminals compromise HR systems or employee accounts
  • Change direct deposit information for multiple employees
  • Small amounts ($500-$3,000) that don't trigger alerts
  • Detection when employees complain about missing paychecks

Vendor Payment Redirection:

  • Similar to BEC but targeting accounts payable processes
  • Change ACH payment instructions for regular vendors
  • Moderate amounts ($5,000-$50,000) consistent with normal payments
  • Detection when vendors report non-payment

Consumer Account Takeover:

  • Compromise individual customer online banking accounts
  • Set up ACH transfers to external accounts
  • Multiple small transfers to avoid detection thresholds
  • Detection through customer monitoring or complaints

Real-Time Payment Fraud: The New Frontier

Zelle/FedNow/RTP Fraud Characteristics:

  • Instant settlement: No detection window like traditional ACH
  • High success rate: 94% of fraudulent real-time payments are never recovered
  • Consumer targeting: Individual accounts easier to compromise than business systems
  • Social engineering dependent: Requires tricking users into authorizing payments

Common Real-Time Payment Scams:

  • Tech support scams: "Microsoft" calls requiring immediate payment
  • Romance scams: Online relationships requesting emergency funds
  • Fake emergency scams: "Grandson" needs bail money immediately
  • Purchase scams: Fake marketplace sellers requiring instant payment

Detection Strategies: What Fraud Analysts Should Monitor

Wire Transfer Red Flags

Immediate Alerts (Stop before sending):

  • First-time recipient receiving large amount (>$100K)
  • Wire requests outside normal business hours
  • Rush requests with unusual urgency language
  • Requests to change established vendor payment methods
  • Geographic risk: high-risk countries for destination

Behavioral Anomalies:

  • Email requests when phone calls are normal procedure
  • Communication style changes in executive emails
  • Requests bypassing normal approval workflows
  • Unusual confidentiality claims about routine payments

Technical Indicators:

  • Email authentication failures (SPF/DKIM/DMARC)
  • Login from unusual geographic locations
  • New device access to executive email accounts
  • Multiple email forwarding rules created recently
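The red flags above can be evaluated as rules over a pending wire request. The following is an added example, not part of the original material; the field names, urgency word list, business-hours window and placeholder country code are assumptions. The constructed sample shows that a request sent from a compromised real mailbox passes SPF/DKIM/DMARC and is caught only by the transaction and language rules.

```python
import re
from datetime import datetime

# Assumptions (not from the page): field names, the urgency word list, the
# 08:00-18:00 weekday window and the placeholder country code are illustrative.
HIGH_RISK_COUNTRIES = {"ZZ"}   # placeholder; load your institution's risk list
URGENCY = re.compile(r"\b(urgent|immediately|confidential|asap|today)\b", re.I)
LARGE_FIRST_TIME = 100_000     # page threshold: first-time recipient > $100K


def auth_failures(auth_results):
    """Mechanisms (spf/dkim/dmarc) missing or not 'pass' in an
    Authentication-Results header value."""
    seen = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_results.lower()))
    return [m for m in ("spf", "dkim", "dmarc") if seen.get(m) != "pass"]


def wire_red_flags(req, known_recipients):
    """Return the red flags a wire request trips, in checklist order."""
    flags = []
    if req["beneficiary_account"] not in known_recipients \
            and req["amount"] > LARGE_FIRST_TIME:
        flags.append("first_time_large")
    t = datetime.fromisoformat(req["requested_at"])
    if t.weekday() >= 5 or not 8 <= t.hour < 18:
        flags.append("outside_business_hours")
    if URGENCY.search(req["subject"] + " " + req["body"]):
        flags.append("urgency_language")
    if req["beneficiary_country"] in HIGH_RISK_COUNTRIES:
        flags.append("high_risk_country")
    flags += [m + "_not_pass" for m in auth_failures(req["auth_results"])]
    return flags


# Constructed sample modeled on the CEO-impersonation email above.
SAMPLE = {
    "beneficiary_account": "ACCT-PLACEHOLDER-1", "beneficiary_country": "ZZ",
    "amount": 4_700_000, "requested_at": "2024-03-08T19:42:00",
    "subject": "Confidential - Urgent Wire Transfer Needed",
    "body": "This must be completed by 2 PM today. Please confirm once sent.",
    # Sent from a compromised real mailbox, so authentication passes.
    "auth_results": "mx.example.com; spf=pass smtp.mailfrom=example.com; "
                    "dkim=pass header.d=example.com; dmarc=pass",
}

if __name__ == "__main__":
    print(wire_red_flags(SAMPLE, known_recipients={"ACCT-KNOWN-VENDOR"}))
```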

ACH Fraud Detection

Volume and Pattern Analysis:

  • Unusual increase in ACH origination volume
  • Geographic inconsistencies in recipient locations
  • Time pattern changes (weekend/overnight processing)
  • Multiple transactions to same recipient institution

Account Behavior Changes:

  • Recent changes to ACH recipient information
  • New external accounts added to online banking
  • Multiple small test transactions followed by larger amounts
  • Transactions inconsistent with account purpose/history

Cross-Channel Correlation:

  • ACH setup shortly after password reset or email compromise
  • New ACH recipients added from unusual IP addresses
  • Mobile app activity preceding ACH changes
  • Customer service calls about account access issues
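Two of the ACH signals above, a new recipient added shortly after a password reset and small test transactions followed by larger amounts, expressed as detection logic. This is an added example, not part of the original material; the event and field names, the 48-hour window, the $5 test ceiling and the 100x multiplier are assumptions to tune against your own data.

```python
from datetime import datetime, timedelta

# Assumptions (not from the page): event/field names, the 48-hour correlation
# window, the $5 "test" ceiling and the 100x follow-up multiplier.
WINDOW = timedelta(hours=48)
TEST_MAX = 5.00
MULTIPLIER = 100
TRIGGERS = {"password_reset", "support_call_access"}
T = datetime.fromisoformat


def recipient_added_after_trigger(events):
    """New ACH recipient added within WINDOW of a reset or access-related call."""
    last, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] in TRIGGERS:
            last[ev["account"]] = ev
        elif ev["type"] == "ach_recipient_added" and ev["account"] in last:
            trig = last[ev["account"]]
            if ev["ts"] - trig["ts"] <= WINDOW:
                alerts.append((ev["account"], trig["type"], ev["recipient"]))
    return alerts


def probe_then_large(transfers):
    """Small test transfer to a recipient followed by a much larger one."""
    smallest, hits = {}, []
    for tr in sorted(transfers, key=lambda t: t["ts"]):
        key = (tr["account"], tr["recipient"])
        prior = smallest.get(key)
        if prior is not None and prior <= TEST_MAX \
                and tr["amount"] >= prior * MULTIPLIER:
            hits.append((key, prior, tr["amount"]))
        smallest[key] = tr["amount"] if prior is None else min(prior, tr["amount"])
    return hits


# Constructed sample data: account A is suspicious, account B is routine.
EVENTS = [
    {"ts": T("2024-03-04T02:10"), "account": "A", "type": "password_reset"},
    {"ts": T("2024-03-04T03:05"), "account": "A", "type": "ach_recipient_added", "recipient": "ext-9001"},
    {"ts": T("2024-02-01T10:00"), "account": "B", "type": "password_reset"},
    {"ts": T("2024-03-04T11:00"), "account": "B", "type": "ach_recipient_added", "recipient": "vendor-17"},
]
TRANSFERS = [
    {"ts": T("2024-03-04T03:20"), "account": "A", "recipient": "ext-9001", "amount": 0.50},
    {"ts": T("2024-03-04T03:25"), "account": "A", "recipient": "ext-9001", "amount": 0.75},
    {"ts": T("2024-03-05T09:00"), "account": "A", "recipient": "ext-9001", "amount": 2900.00},
    {"ts": T("2024-03-04T12:00"), "account": "B", "recipient": "vendor-17", "amount": 1200.00},
    {"ts": T("2024-03-11T12:00"), "account": "B", "recipient": "vendor-17", "amount": 1250.00},
]
```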

Investigation Framework: The WIRE Protocol

W - Wire Analysis & Timeline

Document the complete transaction flow:

  • Trace authorization chain: who requested, who approved, who sent
  • Map timing: when was wire requested vs. sent vs. received
  • Identify communication channels: email, phone, in-person
  • Collect all electronic evidence before it can be altered

I - Intelligence Gathering

Investigate the criminal infrastructure:

  • Research receiving bank and account holder information
  • Check sanctions and watch lists for recipient details
  • Correlate with other known BEC cases and patterns
  • Gather intelligence on modus operandi and criminal organization

R - Recovery Actions

Act quickly to maximize recovery potential:

  • Contact receiving bank immediately (within hours, not days)
  • Coordinate with law enforcement for official notification
  • Freeze remaining funds if possible
  • Document all recovery attempts for insurance/legal purposes

E - Evidence Preservation

Collect comprehensive evidence for investigation:

  • Email headers and authentication records
  • Bank logs showing wire authorization and transmission
  • IP address logs for relevant system access
  • Communication records between all parties involved

Prevention and Response Protocols

Business Email Compromise Prevention

Email Security Controls:

  • DMARC policy set to "reject" for unauthorized senders
  • Multi-factor authentication required for all email accounts
  • Email filtering for suspicious content and external senders
  • Regular security awareness training focusing on BEC tactics
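A check for the first control above: given a domain's published DMARC TXT record, report where enforcement falls short of "reject". This is an added example, not part of the original material; the finding codes and sample records are constructed, and the record is passed in as a string so the check runs offline.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """Return finding codes (hypothetical names) for a DMARC record."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not_dmarc"]
    findings = []
    if tags.get("p", "").lower() != "reject":
        findings.append("policy_not_reject")         # p=none or p=quarantine
    # sp overrides p for subdomains; when absent, subdomains inherit p.
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append("subdomain_policy_not_reject")
    try:
        if int(tags.get("pct", "100")) < 100:
            findings.append("partial_enforcement")   # policy applied to a sample only
    except ValueError:
        findings.append("invalid_pct")
    if "rua" not in tags:
        findings.append("no_aggregate_reports")      # no visibility into failures
    return findings


# Constructed sample records: weak setting beside the corrected one.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=reject; sp=none; pct=25"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for rec in (WEAK, PARTIAL, ENFORCED):
        print(rec, "->", dmarc_findings(rec) or "ok")
```

DMARC enforcement addresses spoofed senders; mail sent from a compromised mailbox, as in the Meridian case above, still passes authentication, which is why the process controls below remain necessary.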

Process Controls:

  • Dual approval required for all wires over $10,000
  • Verbal verification required for wire transfer requests
  • Out-of-band verification for payment instruction changes
  • Segregation of duties between requesters and approvers

Technology Controls:

  • Email banner warnings for external senders
  • Automated flagging of urgent payment requests
  • Behavioral analysis for unusual email patterns
  • Integration between email security and wire transfer systems

Response Procedures

First 30 Minutes:

  • Stop any pending wire transfers immediately
  • Contact receiving bank's fraud department
  • Preserve all electronic evidence
  • Notify law enforcement if required by policy

First 24 Hours:

  • Conduct thorough investigation of compromise scope
  • Reset credentials for all potentially affected accounts
  • Review all recent wire transfers for other potential fraud
  • Coordinate with cybersecurity team on containment

First Week:

  • Complete forensic analysis of email compromise
  • Implement additional security controls
  • Conduct post-incident review and lessons learned
  • Update policies and procedures based on findings

Key Takeaways for Money Movement Fraud Investigation

Essential understanding for fraud professionals:

  1. Speed is critical: Wire fraud requires immediate response; hours matter, not days
  2. BEC is sophisticated: Modern attacks use extensive research and social engineering
  3. Email compromise enables wire fraud: Monitor email security as payment fraud prevention
  4. ACH fraud is stealthier: Lower amounts but higher volume make detection harder
  5. Real-time payments are highest risk: Instant settlement eliminates recovery opportunities

Remember Marcus's lesson: Wire transfer fraud is rarely a single transaction; it's the culmination of weeks of planning and intelligence gathering by sophisticated criminal organizations.

Your role as a fraud professional: Understand that modern money movement fraud requires both technical knowledge and behavioral analysis to detect the subtle signs of organized criminal activity.



Understanding wire transfer and ACH fraud patterns is essential for protecting business payments. The next module covers e-commerce and card fraud investigation techniques.
