The Wire Fraud Playbook: How Attackers Intercept Payments
Wire fraud through business email compromise is the most expensive category of cybercrime. Here is the exact playbook attackers follow, and the checklist that stops them.
$2.9B lost to BEC in 2023
60s to set up forwarding
$10K+ average wire fraud loss
The most expensive cybercrime you have never heard of
Ransomware gets the headlines. Wire fraud gets the money. According to the FBI's Internet Crime Complaint Center (IC3), business email compromise caused $2.9 billion in reported losses in 2023 alone. That figure only accounts for cases that were actually reported. The real number is almost certainly higher.
Wire fraud through BEC does not require malware, zero-day exploits, or sophisticated hacking tools. It requires patience, a compromised email account, and a well-timed message. The attack works because it exploits trust between people who already do business together.
The playbook: five steps to intercepted payments
Every BEC wire fraud follows a predictable sequence. Understanding it is the first step toward stopping it.
Step 1: Compromise the account
The attacker gains access to a business email account. The most common methods are credential stuffing (using passwords leaked in previous data breaches), phishing (tricking the user into entering credentials on a fake login page), and session token theft through adversary-in-the-middle proxies. In many cases, the victim never realizes their account was accessed.
Step 2: Set up silent forwarding
Within minutes of gaining access, the attacker creates an email forwarding rule. In Gmail, this is a filter that forwards matching messages to an external address. In Microsoft 365, this is an inbox rule or account-level auto-forwarding. The entire process takes less than 60 seconds.
The attacker also creates a second rule: any email containing words like "security alert," "new sign-in," or "unusual activity" gets automatically deleted or marked as read. This prevents the victim from seeing notifications about the compromise.
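Both rules described in this step leave a trace in the mailbox audit trail. As an added example, not code from the original article or from InboxWatch, this Python snippet flags them in constructed records modelled on the Microsoft 365 Unified Audit Log's AuditData for New-InboxRule and Set-Mailbox; the organisation domain, the addresses and the ';'-separated "smtp:user@domain" value format are assumptions.

```python
import json
ORG_DOMAINS = {"example.com"}   # assumption: the organisation's own mail domains
ALERT_WORDS = ("security alert", "new sign-in", "unusual activity")
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}

# Constructed sample: newline-delimited AuditData records, one per cmdlet run.
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"smtp:archive.bot@external-mail.example"},{"Name":"StopProcessingRules","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"Clean up"},{"Name":"SubjectContainsWords","Value":"Security alert;New sign-in;Unusual activity"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"Operation":"Set-Mailbox","UserId":"bob@example.com","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:bob.assistant@example.com"}]}
{"Operation":"New-InboxRule","UserId":"carol@example.com","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"SubjectContainsWords","Value":"newsletter"},{"Name":"MoveToFolder","Value":"Reading"}]}
"""

def params(record):
    """Flatten the Parameters list into a {name: value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def external_addresses(value):
    """Addresses in a ';'-separated value whose domain is not one of ours."""
    found = []
    for addr in value.split(";"):
        addr = addr.strip().lower().removeprefix("smtp:")
        if "@" in addr and addr.rsplit("@", 1)[1] not in ORG_DOMAINS:
            found.append(addr)
    return found

def classify(record):
    """Findings for one record: external forwarding and/or hidden security alerts."""
    p = params(record)
    findings = []
    for name in sorted(FORWARD_PARAMS.intersection(p)):
        for addr in external_addresses(p[name]):
            findings.append(f"external forward via {name} to {addr}")
    text = (p.get("SubjectContainsWords", "") + " " + p.get("BodyContainsWords", "")).lower()
    hides = sorted(HIDE_PARAMS.intersection(p))
    if hides and any(word in text for word in ALERT_WORDS):
        findings.append("security alerts hidden via " + ", ".join(hides))
    return findings

def scan(log_text):
    """Return (user, operation, findings) for every record that triggers a finding."""
    hits = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        findings = classify(record)
        if findings:
            hits.append((record["UserId"], record["Operation"], findings))
    return hits
```

Running `scan(SAMPLE_LOG)` reports only Alice's two rules; Bob's internal forward and Carol's newsletter filter are left alone.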
Step 3: Monitor for financial transactions
Now the attacker waits. They receive a copy of every incoming email through the forwarding rule. They study the organization's communication patterns, learn who handles payments, identify vendor relationships, and track billing cycles. This surveillance phase can last days, weeks, or even months.
The attacker is looking for specific trigger events: a real estate closing, a large invoice, a vendor payment, a payroll run. Any transaction that involves wiring money to an account.
Step 4: Spoof the payment instructions
When the attacker identifies a transaction in progress, they strike. They send an email to the person handling the payment, requesting a change in banking details. The email appears to come from a trusted source (the vendor, the attorney, the CFO) because the attacker has intimate knowledge of the transaction from weeks of monitoring.
The spoofed email often includes specific details that only someone involved in the transaction would know: the exact invoice number, the closing date, the property address, the amount due. This specificity is what makes the fraud convincing.
Step 5: The money disappears
The victim wires funds to the attacker's account. Once the wire clears (often within hours), the money is moved through a series of accounts and converted to cryptocurrency or withdrawn. Recovery rates for wire fraud are extremely low. The FBI estimates that only 29% of BEC losses are recovered, and that percentage drops significantly after the first 48 hours.
Why existing security tools miss this
Traditional email security tools scan for malicious content: phishing links, malware attachments, suspicious senders. Wire fraud through BEC does not involve any of these. The attacker is not sending malware. They are sending a normal-looking email with a different bank account number.
The forwarding rule that enables the entire attack is a configuration change, not a piece of malware. It does not trigger antivirus software. It does not appear in spam filters. It does not generate security alerts in most email platforms.
The prevention checklist
Preventing wire fraud requires controls at multiple layers. No single measure is sufficient on its own.
Out-of-band verification:
- Never change payment instructions based solely on an email request. Always verify through a separate channel (phone call to a known number, not a number provided in the email).
- Establish a verification code or passphrase with your bank and key vendors that must be confirmed verbally before any wire transfer changes.
Dual approval for wire transfers:
- Require two authorized individuals to approve any wire transfer above a defined threshold.
- Ensure the two approvers receive the request through independent channels, not just a forwarded email from the same thread.
Email authentication (DMARC, SPF, DKIM):
- Publish a DMARC policy set to "reject" for your domain. This tells receiving mail servers to reject messages that use your domain but fail authentication, so attackers cannot send emails that appear to come from your domain.
- Verify that your SPF and DKIM records are correctly configured and aligned with your DMARC policy.
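As an added example (not from the original article), a small Python check of a DMARC record against these two items: a constructed monitoring-only record beside an enforcing one, plus the alignment test a receiver applies to a message. The domains and the two-label approximation of the organisational domain are assumptions.

```python
# Constructed records: a monitoring-only record beside the checklist's enforcing one.
WEAK = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
STRONG = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def weaknesses(record):
    """Gaps between a record and the 'publish p=reject' item (empty list = enforcing)."""
    t = parse_dmarc(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    if t.get("p", "none") != "reject":
        issues.append(f"p={t.get('p', 'none')}: spoofed mail failing authentication is not rejected")
    if "sp" in t and t["sp"] != "reject":
        issues.append(f"sp={t['sp']}: subdomains fall back to a weaker policy")
    if int(t.get("pct", "100")) < 100:
        issues.append(f"pct={t['pct']}: policy applied to only part of failing mail")
    if "rua" not in t:
        issues.append("no rua= address: aggregate reports are not collected")
    return issues

def aligned(header_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r') accepts
    the same organisational domain, approximated here as the last two labels."""
    h, a = header_domain.lower(), auth_domain.lower()
    return h == a if mode == "s" else h.split(".")[-2:] == a.split(".")[-2:]

def dmarc_disposition(record, from_domain, spf_domain=None, dkim_domain=None):
    """Outcome for one message: 'pass' if an SPF- or DKIM-authenticated domain aligns
    with the From: header domain, otherwise the policy the receiver applies."""
    t = parse_dmarc(record)
    passes = (spf_domain is not None and aligned(from_domain, spf_domain, t.get("aspf", "r"))) or \
             (dkim_domain is not None and aligned(from_domain, dkim_domain, t.get("adkim", "r")))
    return "pass" if passes else t.get("p", "none")
```

Under WEAK a message whose only passing check is SPF for an unrelated sending domain is still delivered ("none"); under STRONG the same message is rejected, but so is legitimate mail DKIM-signed with mail.example.com rather than example.com, which is why the alignment check matters before tightening.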
External sender tagging:
- Configure your email platform to add a visible warning banner to all emails originating from outside your organization.
- Train employees to treat any email with an external sender banner that claims to be from an internal colleague as suspicious.
What to do if it happens
Speed is critical. The first 24 hours determine whether recovery is possible.
- Contact your bank immediately. Request a wire recall. Banks can sometimes freeze funds if the receiving account has not yet been emptied. The sooner you call, the better your chances.
- File a complaint with the FBI IC3 at ic3.gov. The IC3's Recovery Asset Team (RAT) has a 71% success rate on cases reported within 24 hours where the fraud exceeds $50,000.
- Secure the compromised account. Reset the password, revoke all active sessions, remove any forwarding rules or delegates that were not authorized, and review OAuth application permissions.
- Contact your insurance carrier. Cyber liability insurance and crime insurance policies may cover wire fraud losses. Document everything from the moment of discovery.
- Preserve evidence. Do not delete the fraudulent emails or modified forwarding rules. Screenshot everything. Your legal team and law enforcement will need the full audit trail.
The 60-second vulnerability
The entire wire fraud playbook depends on one thing: a forwarding rule that silently copies emails to the attacker. That rule takes 60 seconds to create and can persist for months without detection. It survives password resets. It survives MFA enrollment. It is invisible to spam filters and antivirus software.
InboxWatch checks for exactly this. It scans your Gmail and Microsoft 365 accounts for hidden forwarding rules, unauthorized delegates, suspicious OAuth applications, and inbox rules that redirect or delete emails matching financial keywords. If someone sets up a forwarding rule on your account, you will know within minutes, not months.
Check your accounts for free
InboxWatch scans for hidden forwarding rules, unauthorized delegates, rogue OAuth apps, and suspicious sign-in activity. Free. 60 seconds. Metadata only.
Written by Nicholas Papadam, founder of InboxWatch. Senior Analyst with 6+ years in enterprise security operations.