What Should a Construction Company Do in the First Hour After Wire Fraud?
The first hour after discovering a fraudulent wire determines whether recovery is possible at all. Every minute between discovery and the bank call narrows the window for a successful wire recall. In construction, the stakes are compounded: the defrauded funds are almost always tied to a payment application, meaning subcontractors, suppliers, and bonding obligations are all immediately downstream of the loss. Act on the bank call first — everything else follows.
Call your bank's wire fraud line — not the branch manager
Every major commercial bank has a dedicated wire fraud or financial crimes desk. This is not the branch manager and not the general customer service line. Call the wire fraud desk directly and request an emergency wire recall. Provide the exact transaction details: wire amount, date and time of transfer, destination routing number, destination account number, and the name of the receiving institution if known. Ask them to contact the receiving bank immediately to request a hold on the funds. Document the name of every representative you speak with, the time of each call, and the case number they assign.
Document all wire confirmations before anything is overwritten
Before any system access is changed or email accounts are locked down, capture everything: the wire transfer confirmation record, all emails or messages related to the payment instruction, any voicemails from the number that issued the fraudulent instruction, and all internal approvals associated with the wire. Screenshot, print, or export — do not rely on digital access alone. If the payment was triggered by a phone call, document the caller ID shown, the exact time of the call, who took the call, what was said, and what action was authorized.
Alert the project manager, project owner, and GC through a verified channel
Notify project leadership immediately, but use a verified out-of-band channel — in person, or a phone number you have independently confirmed belongs to the person you are calling. Do not use the same email thread or phone line that may have been involved in or compromised by the attack. The project owner and GC need to know because they have contractual obligations to subcontractors that are now at risk, and they may have independent exposure from the same attack if the fraud targeted shared project accounts.
Do not use potentially compromised email or communication channels
If the fraud was initiated through email — a spoofed address, a compromised inbox, or a business email compromise — treat the entire email environment as potentially compromised until IT has assessed it. Do not issue any payment instructions, banking change confirmations, or fraud-response communications through the compromised channel. Stand up a clean out-of-band communication method: phone calls to verified numbers, in-person conversations, or a separate verified email account. This prevents the attacker from monitoring your response and moving funds before the recall can land.
Do not attempt to contact the receiving account — freeze all pending payments
Do not call, email, or otherwise contact the account that received the fraudulent wire. Any contact can tip off the attacker and cause immediate fund movement or withdrawal. Instead, freeze every pending wire transfer and payment change queued on affected projects — and on any other project managed by the same personnel whose voice or credentials may have been used. Process no further payments until each pending transaction has been verified through an out-of-band channel with the legitimate recipient.
Evidence preservation is critical from the first minute. Do not delete emails, clear call logs, or change passwords on potentially compromised accounts before your IT team or a forensic professional has captured the state of those accounts. Deleted evidence cannot support an FBI investigation, insurance claim, or legal proceeding. If the construction project involved an AIA G702/G703 payment application, document the specific application number, the draw amount, and the project name — this detail is required for the IC3 filing and the insurance claim.
How Do You File an FBI IC3 Report for Construction Company Wire Fraud?
The IC3 filing is the single most consequential action a construction company can take after a fraudulent wire — and most firms either skip it or file it days too late. For losses of $50,000 or more, filing at ic3.gov within 24 hours activates the Financial Fraud Kill Chain, a coordinated process between the FBI and financial institutions that has frozen or recovered funds in 66% of qualifying cases. Construction payment amounts regularly exceed this threshold, which means the FFKC is almost always available — and almost always underused.
File at ic3.gov — include all construction-specific transaction details
Go to ic3.gov and file an Internet Crime Complaint. Include every detail you have: the wire amount, date and time, your sending bank's name and routing number, the destination routing number, the destination account number, and the name of the receiving institution. For construction fraud, also include the contract number, project name, payment application number, and AIA document reference (G702/G703) associated with the defrauded payment. The more specific your filing, the faster the FBI's Financial Crimes Unit can act to contact the receiving institution.
Note your sending bank's case number in the IC3 filing
By the time you file at ic3.gov, you should have a bank case number from your wire fraud desk call. Include this number in the IC3 complaint — it links the FBI's action to the bank's internal recall process and speeds up the Financial Fraud Kill Chain coordination. If you do not yet have a bank case number, file the IC3 report anyway and update it as soon as you have the case number from the bank.
File a secondary report with the FTC at reportfraud.ftc.gov
After filing with the FBI, submit a separate complaint to the Federal Trade Commission at reportfraud.ftc.gov. The FTC report feeds national fraud tracking databases that support broader enforcement investigations. While the FTC does not have a direct fund-recovery mechanism, FTC filings contribute to pattern analysis that identifies fraud rings operating across multiple victims — including the voice-cloning operations increasingly targeting construction GCs and project owners.
File a local police report and obtain the case number
File a report with your local law enforcement agency. Local police typically have limited jurisdiction over interstate wire fraud, but the police report number is required by most crime insurance and cyber liability carriers to process a claim. File in person if possible to obtain the report number on the same day. Bring your documentation: wire confirmation, IC3 report number, bank case number, and the specific payment application and contract records associated with the fraud.
If federally funded project: notify the contracting government agency
On federally funded construction projects — including projects funded under federal infrastructure programs, HUD contracts, or any federal agency contract — you may have a contractual or regulatory obligation to report fraud events to the contracting agency. Review your prime contract terms and consult your construction attorney before making this notification to ensure it is handled correctly. Government contracting agencies often have their own fraud investigation units, and proactive disclosure protects your firm far better than discovery after the fact.
What Bonding and Lien Obligations Does a Construction Company Have After Wire Fraud?
Wire fraud in construction does not occur in a contractual vacuum. The moment a fraudulent wire redirects a payment application, a chain of bonding, lien, and contract obligations activates — and none of them pause while you attempt recovery. Understanding your exposure across all four dimensions below before the next pay application cycle is not optional. It determines whether a single wire fraud loss becomes a cascading project crisis.
Surety Bond: Notify Your Bonding Company Immediately
If the defrauded funds were connected to a bonded contract — a payment application, retainage draw, or project escrow — your surety needs immediate notification. Fraud does not relieve the GC's obligations under the bond. The performance bond and payment bond remain in force, and if the GC's ability to meet payment obligations is impaired by the loss, the surety has a right to early notice. Most surety agreements require prompt reporting of any event that may trigger a claim. Delay can void coverage or create coverage disputes at exactly the moment you need the surety's cooperation. Provide the surety with: your IC3 report number, bank case number, police report number, the specific contract and payment application affected, and a written description of the fraud event.
Payment Bond: Subcontractors and Suppliers Retain Their Rights
This is the point most GCs miss in the immediate aftermath of wire fraud: a subcontractor or supplier whose payment was fraudulently redirected to an attacker's account never received their contract payment. The fraudulent wire does not satisfy the GC's payment obligation. The subcontractor retains full rights under the payment bond, including the right to make a bond claim if payment is not received within the statutory notice period. If your project is covered by a Miller Act bond (federal projects) or a state-equivalent bond (state and local public work), the notice and claim deadlines do not stop running because your payment was fraudulently diverted. Subcontractors begin their clock from the date the payment was owed — not the date the fraud was discovered. Contact your construction attorney immediately to map the lien and bond notice deadlines across every affected subcontract.
Mechanic's Lien: The Owner Still Owes the GC — Double Payment Risk Is Real
From the project owner's perspective, a fraudulently redirected wire may not be visible until the subcontractor files a lien. The owner still owes the GC for work completed and certified in the payment application. But if the GC cannot pay the subcontractor because the funds were stolen, the subcontractor can lien the project property. The owner then faces a lien on their property for work they already paid the GC for. This creates a double-payment risk: the GC owes the subcontractor (because fraud does not satisfy the obligation), the subcontractor can lien the owner, and the owner may have recourse against the GC. The fraud loss compounds into a multi-party legal dispute if it is not addressed quickly and transparently.
AIA Contract Provisions and Fraudulent Payment Diversion
Standard AIA contracts — including the A201 General Conditions — establish specific obligations around payment, notice of claims, and owner-contractor disputes. Most AIA contracts do not contain explicit fraud diversion provisions, which means contract interpretation will govern. Review Article 9 (Payments and Completion) and Article 15 (Claims and Disputes) of your A201 with your construction attorney for language that may affect your recovery position and your notification obligations to the owner.
You may owe subcontractors and suppliers regardless of whether you recover the fraudulent wire. A fraudulent redirect of your payment does not extinguish your contractual obligation to pay the subcontractor — the obligation runs from the prime contract and subcontract terms, not from whether your wire reached its intended destination. Consult your construction attorney before the next pay application cycle. Do not make any payment or non-payment decisions without legal guidance on your specific contract terms and lien exposure.
What Insurance Claims Should a Construction Company File After Wire Fraud?
Most construction firms have at least two insurance products that may respond to wire fraud — and many have never tested the coverage. Filing promptly with the right carriers in the right order is critical: most policies require notification within a specific period of discovery (often 30 to 60 days) and require a police report and FBI report number as part of the claim submission. Notify your insurer before making any further project payments that could affect the claim record.
Crime or Fidelity Bond Insurance
A commercial crime or fidelity bond policy typically covers three relevant fraud categories for construction firms: employee theft, computer fraud, and fraudulent funds transfer. Wire fraud triggered by a voice-cloned GC or project owner — where an employee is deceived into authorizing a fraudulent payment — most commonly falls under the fraudulent funds transfer or social engineering coverage. Not all crime policies include social engineering coverage as a standard endorsement; check your policy declarations carefully. Construction industry carriers that frequently write commercial crime policies for GCs and specialty contractors include Zurich, Travelers, Liberty Mutual, and CNA. Submit: your IC3 report number, bank case number, police report number, the specific payment application and contract documents, and a written incident timeline.
Cyber Liability with Social Engineering or Funds Transfer Fraud Endorsement
If your cyber liability policy includes a social engineering fraud endorsement or funds transfer fraud endorsement, a wire fraud loss triggered by a voice-cloned instruction may be covered under this policy in addition to or instead of the crime policy. Coverage limits and sublimits vary widely — some policies cap social engineering coverage at $100,000 or $250,000 even when the overall policy limit is much higher. Read your endorsements carefully. If you have both a crime policy and a cyber policy, your broker needs to coordinate the two carriers early to prevent coverage disputes over which policy applies first.
Builder's Risk Insurance
If the wire fraud has disrupted active project operations — for example, if a key subcontractor has halted work pending payment, causing project delay — your builder's risk policy may respond to delay-in-completion losses. Builder's risk policies vary significantly in their treatment of fraud-related delays. Notify your builder's risk carrier of the event and ask them to identify whether any delay-related coverage applies. At minimum, documenting the claim with the carrier preserves your rights even if you determine the loss does not ultimately trigger a covered event.
Professional Liability for Design-Build Firms
If your firm operates as a design-builder and design staff were impersonated in the fraud — for example, if an architect of record's voice was cloned to authorize a payment change or redirect a project account — notify your professional liability carrier as well. While professional liability policies are primarily designed to cover errors and omissions in design, some carriers may assert that the fraud event intersects with professional services delivery and want early notice. Consult your broker on this specific exposure.
How Should a Construction Company Prevent Wire Fraud After an Attack?
Every voice clone wire fraud attack on a construction company exploits the same vulnerability: verbal authorization is trusted without authentication. Project managers and accounting staff are conditioned to act quickly on verbal instructions from GCs and owners — that speed is a feature of construction workflows that becomes a fatal liability when the voice on the other end is synthetic. These five controls close the gap without requiring firms to slow down legitimate payment operations.
Establish a verbal passphrase for all subcontractor and vendor payment changes
Before each project begins, establish a random, project-specific passphrase between the PM, the GC's accounting team, and the project owner's authorized representative. This phrase should be nonsensical enough that it would never arise naturally in a construction conversation — not a project name, not a dollar amount, not a reference to a specific trade. Any verbal authorization for a wire transfer or banking change that does not include this phrase is treated as suspicious and no action is taken. Set the phrase face-to-face or via a secure written channel — never over the phone or by email. Rotate it per project phase for long-duration projects.
Require a signed AIA G706 lien waiver plus a separate written banking change authorization
No subcontractor or vendor banking detail change — routing number, account number, or payee name — should be processed based on a phone call alone, regardless of how authoritative the caller sounds. Require written authorization from the payee, submitted from an email address in your existing vendor records, plus a callback verification to the payee on their verified number before any change takes effect. For bonded projects, also require a signed AIA G706 Contractor's Affidavit of Payment of Debts and Claims at the point of each draw to confirm the payment flow is clean. Document every change and every verification call with date, time, and the name of the person who confirmed.
Implement a no-action-on-inbound-call policy for payment redirects
This is the single most effective structural control available to construction accounts payable teams. Policy: no payment account change is processed as a result of an inbound call — ever, from anyone, regardless of who they claim to be. Any inbound caller requesting a banking change is told that the firm's policy requires written submission and callback verification, and is given the written submission process. This eliminates the primary attack vector for voice clone fraud. Train every person with payment authority on this policy before they handle their first wire. Post it visibly at every accounting workstation. Include it in vendor and subcontractor onboarding documentation.
Deploy Vicall to detect AI-cloned voices on project calls
Vicall detects synthetic voices on live phone calls in under one second — on-device, no audio sent to the cloud, compatible with any smartphone. When a cloned GC or project owner calls your accounting team or PM and Vicall flags the call as SYNTHETIC DETECTED, the call is terminated before any instruction is acted upon. Deploy Vicall on every smartphone used by accounting staff, project managers, site superintendents, and anyone with payment authority. For office lines, the Mac mini on-premises deployment covers analog and VoIP desk phones. Vicall provides the first signal that stops a voice clone attack — before the passphrase protocol or the written authorization requirement ever needs to engage. See the full voice fraud guide for how AI voice synthesis has evolved in construction targeting.
Train project managers and office admin with annual vishing simulations
Annual security awareness training that includes vishing (voice phishing) simulations is the difference between a firm whose staff recognizes a social engineering attempt and one that processes a fraudulent wire before anyone asks a question. Run simulated vishing calls against your accounting staff and PMs using a variety of pretexts: urgent payment redirects, "owner's representative" banking changes, "subcontractor" account updates. Debrief on any staff member who nearly complied. Update your passphrase and written authorization protocols based on what the simulations reveal. Make this training a condition of handling payment authority — and document it in case your insurance carrier ever asks whether reasonable controls were in place. Also see wire fraud recovery for small businesses for additional training protocols applicable to smaller construction firms.
Frequently Asked Questions
Recovery is possible but time-sensitive. The FBI's Financial Fraud Kill Chain (FFKC), activated by filing at ic3.gov within 72 hours of a fraudulent wire, freezes or recovers funds in approximately 66% of cases involving losses over $50,000 when reported within 24 hours. The FFKC is a coordinated process between the FBI and financial institutions that can freeze funds before they are moved or withdrawn. After 72 hours — especially if funds were forwarded internationally — recovery becomes significantly less likely. Construction payment amounts are often large enough to meet the $50,000 FFKC threshold, which is both a risk factor and an advantage: the FBI prioritizes larger-loss cases. Contact your bank's wire fraud desk and file at ic3.gov immediately upon discovery — every hour matters.
Yes. The subcontractor's legal right to payment under their subcontract survives the fraud. A fraudulent redirect of the GC's payment does not satisfy the GC's payment obligation to the subcontractor — the subcontractor never received the funds and retains all their contractual and statutory remedies, including mechanic's lien rights and payment bond claims. The GC bears the financial exposure unless the fraud is recovered or covered by insurance. This means a defrauded GC may face double payment: the original fraudulent wire plus the legitimate payment to the subcontractor. Consult your construction attorney before the next pay application cycle and notify your crime or cyber liability insurer immediately.
Yes, and in most cases notification is required promptly under your bond and policy terms. If the fraudulently redirected funds were contract funds on a bonded project — payment application proceeds, retainage, or project escrow — your surety needs to know. Wire fraud does not relieve the GC of bond obligations, and if subcontractors file payment bond claims as a result of non-payment, the surety will investigate the root cause. Delay in notification can void coverage or create additional liability. Most crime insurance and cyber liability policies with funds transfer fraud endorsements also require prompt reporting — typically within 30 to 60 days of discovery. Notify all insurers and your surety immediately after contacting the bank and filing with the FBI.
Construction is among the highest-loss sectors for business email compromise and wire fraud. FBI IC3 data shows business wire fraud losses averaging $120,000 per incident across all industries, but construction payment flows — which regularly involve payment applications in the $250,000 to several-million-dollar range — push industry-specific losses significantly higher. A single fraudulently redirected draw request on a mid-size commercial project can represent a six-figure or seven-figure loss. The construction industry's combination of multiple parties, large irregular payment amounts, and verbal authorization culture makes it a high-value target. Voice-cloned GC or project owner calls are a growing attack vector, specifically designed to exploit the trust structures of construction payment workflows.
Wire fraud hits a construction project across several dimensions simultaneously. Cash flow: the GC or subcontractor is immediately short the defrauded amount, which may prevent payment of labor, materials, or next-tier suppliers. Timeline: project management resources are diverted to fraud response and the resulting subcontractor disputes can halt work. Lien risk: subcontractors and suppliers who are not paid on time can file mechanic's liens against the project property, clouding title and triggering disputes with the project owner. Bonding: if the GC fails to meet payment obligations, subcontractors can file against the payment bond, which damages the GC's surety relationship and bonding capacity on future work. The 72-hour response window is critical not just for recovery — it also limits the cascade of downstream project consequences.
Is Your Construction Team a Voice Clone
Target?
Vicall detects AI-synthesized voices on live calls in under one second — on-device, no cloud, any phone. Find out how exposed your payment authorization workflow is before the next attack.
Take the Voice Clone Risk Quiz →Related Resources
Learn more about phone-based social engineering, voice fraud, and how to protect your organization.