What Should a CPA Firm Do in the First Hour After a Wire Fraud?
The first hour after a fraudulent wire is identified determines how much of the loss is recoverable. Stop any additional instructions, call the bank wire fraud line directly, and begin building the evidentiary record your insurer and legal counsel will need. Speed of action in this window is the single most consequential factor in recovery outcome.
When a CPA firm discovers that a wire transfer was processed on a fraudulent instruction — whether the attacker cloned the managing partner's voice, spoofed a client CFO's number, or impersonated a bank representative — the instinct is often to investigate internally before taking external action. That instinct is exactly wrong. Bank recall windows close within hours. The FBI Financial Fraud Kill Chain requires an IC3 filing within 72 hours to activate. Every minute spent gathering facts before calling the bank is a minute the fraudulent funds are moving toward an account that will be emptied or transferred offshore. The correct sequence is: act first, document in parallel, investigate after.
Call the bank wire fraud desk — get a case number
Your bank's general customer service line is not the right contact. Every major financial institution has a dedicated wire fraud or financial crimes desk with authority to initiate a recall request. Call that number directly. Provide the complete wire details: transaction amount, destination routing number and account number, wire reference number, and the date and time the transfer was initiated. Request a wire recall immediately. Ask for a written case number — you will need this for your IC3 filing, your insurer notification, and all subsequent law enforcement communications. Do not hang up until you have confirmed the recall request has been entered into the bank's system.
Secure all evidence on a separate device
Before anything is overwritten, cleared, or lost in a system reboot, preserve every piece of evidence related to the fraudulent transaction. This includes: call logs showing the incoming call, any voicemail recordings, all email threads with the purported authorizing party, bank confirmation records, internal wire authorization forms, and any chat or messaging records. Save these to a device that is separate from any system the attacker may have accessed. Take screenshots. Do not rely on the assumption that your phone system or email server automatically retains records — verify retention and save copies independently. Legal holds apply from the moment fraud is suspected.
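One way to carry out this preservation step, as an added example that is not part of the original guide: copy each item to a separate location and record a SHA-256 manifest, so that any later change to a preserved copy is detectable. The file names, the `collected_by` value, and the sample records are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in chunks so large voicemail or call recordings are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve(sources, evidence_dir: Path, collected_by: str) -> Path:
    """Copy each item into evidence_dir and write manifest.json describing it."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for index, src in enumerate(map(Path, sources), start=1):
        # A sequence prefix keeps same-named files from overwriting each other.
        dest = evidence_dir / f"{index:03d}_{src.name}"
        shutil.copy2(src, dest)  # copy2 keeps the original modification time
        copied_hash = sha256_file(dest)
        if copied_hash != sha256_file(src):
            raise IOError(f"copy of {src} does not match the original")
        mtime = datetime.fromtimestamp(src.stat().st_mtime, timezone.utc)
        entries.append({
            "file": dest.name,
            "original_path": str(src),
            "sha256": copied_hash,
            "size_bytes": dest.stat().st_size,
            "original_mtime_utc": mtime.isoformat(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collected_by,
        })
    manifest = evidence_dir / "manifest.json"
    manifest.write_text(json.dumps(entries, indent=2))
    return manifest


def verify(evidence_dir: Path):
    """Return the names of preserved files that are missing or no longer match."""
    entries = json.loads((evidence_dir / "manifest.json").read_text())
    problems = []
    for entry in entries:
        path = evidence_dir / entry["file"]
        if not path.is_file() or sha256_file(path) != entry["sha256"]:
            problems.append(entry["file"])
    return problems


def demo():
    """Constructed sample: two small records copied to a stand-in 'separate device'."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        source = work / "workstation_export"
        source.mkdir()
        (source / "call_log.csv").write_text(
            "time,caller_id,duration_s\n09:14,+1-555-010-0142,312\n")
        (source / "wire_authorization.txt").write_text("Wire ref: SAMPLE-REF-0001\n")
        evidence = work / "separate_device" / "case_evidence"
        preserve(sorted(source.iterdir()), evidence, collected_by="firm administrator")
        clean = verify(evidence)
        # Simulate a preserved copy being altered after collection.
        with (evidence / "001_call_log.csv").open("a") as fh:
            fh.write("edited later\n")
        altered = verify(evidence)
        return clean, altered


if __name__ == "__main__":
    print(demo())
```

The manifest sits beside the files it describes, so record the manifest's own hash in the written incident timeline to make changes to it detectable as well.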
Alert managing partner and firm administrator
The staff member who discovered or processed the fraudulent wire should not manage the response alone. Notify the managing partner and firm administrator within the first hour. They need to: authorize the bank recall request and all subsequent communications on behalf of the firm, begin the internal assessment of whether written authorization procedures were followed (which determines the firm's professional liability posture), and make the decision to engage legal counsel and notify the E&O insurer. Clear chain of command in the first hour prevents the response from being fragmented or contradictory across multiple staff members.
Do not use compromised email systems
If the attacker gained access to the firm's email to send or receive fraudulent authorization instructions, those email systems must be treated as compromised until an IT security review is completed. Do not use compromised email to communicate internally about the incident, to contact the bank or law enforcement, or to notify the insurer. All incident communications should occur over verified, uncompromised channels — personal cell phones, a secondary email account, or in-person. This is not a minor precaution: attackers who have compromised email accounts routinely monitor those accounts after the initial fraud to intercept recovery efforts and recall requests.
Do not contact the client or the receiving bank account directly
The receiving bank account in a fraudulent wire is almost certainly a mule account — a temporary account opened specifically for the fraud, controlled by criminals, and designed to be emptied within hours of receiving funds. Contacting it directly will not recover your funds and may alert the attacker that the fraud has been discovered, causing them to move funds faster. Similarly, do not contact the client whose identity was impersonated without first speaking with your E&O insurer and legal counsel. The sequence of client notification, what is said, and how it is said are professional liability decisions — not customer service decisions.
If client funds were part of the fraudulent wire, do not contact the client without first consulting your E&O carrier and legal counsel. The content of your initial client communication — every word — can constitute a liability admission under professional liability law. A phrase like "we made an error in verifying the instruction" can be the basis of a negligence claim even if the firm's actual procedures were reasonable. Speak with counsel first. Communicate to the client second.
How Does the FBI Financial Fraud Kill Chain Apply to CPA Firm Wire Fraud?
The FBI Financial Fraud Kill Chain is the most powerful fund recovery mechanism available after a fraudulent wire — and it is triggered exclusively by an IC3 complaint filed at ic3.gov. For CPA firms with losses of $50,000 or more, filing within 72 hours is the single highest-impact action in the recovery window. The FFKC froze or recovered $561.6 million in fraudulent wire transfers in 2024.
The Financial Fraud Kill Chain works because the FBI has pre-established relationships with major financial institutions and can contact receiving banks directly to request a hold on fraudulent funds before they are moved offshore. When an IC3 complaint is filed and meets the threshold criteria — $50,000 or more, filed within 72 hours — a dedicated FFKC coordinator is assigned to contact the receiving financial institution. The coordinator's contact carries authority that a firm's own bank recall request does not. The key variable is time: funds that have already been wired to a second or third account, or converted to cryptocurrency, are substantially harder to recover even with FFKC involvement.
Compile all required data before filing IC3
The IC3 complaint is most effective when it is complete on first filing. Gather: the exact wire amount in USD, the destination bank's ABA routing number and SWIFT code if international, the destination account number, the date and time the wire was initiated and when it settled, the name the fraudulent caller used to identify themselves, how the authorization was communicated (phone call, email, or both), and the name and role of every firm employee involved in the authorization and execution of the wire. Having this data ready before you navigate to ic3.gov prevents a partially complete report that may delay FFKC coordinator assignment.
File at ic3.gov — do not call, do not mail
The IC3 filing system is web-based at ic3.gov. There is no phone number that triggers the Financial Fraud Kill Chain — the FFKC is activated exclusively through the online complaint system. Navigate to ic3.gov, select "File a Complaint," and complete the form with all wire transaction details, attacker contact details, and firm contact information. At the end of the filing you will receive a complaint reference number — save this immediately. This number is your proof of filing and the reference you provide to your bank, your insurer, and any subsequent law enforcement contacts. File now and update the complaint as additional facts become available.
Understand the FFKC coordinator role
Once an IC3 complaint meets the FFKC threshold criteria, it is routed to an FBI field office for FFKC coordinator assignment. The coordinator contacts the receiving financial institution directly — which typically means a faster and more authoritative hold request than a private firm's recall request through normal banking channels. The coordinator may also contact the originating bank to coordinate a bilateral hold. The FFKC coordinator does not contact the reporting firm during the process; you will learn of the outcome through your bank. Do not assume silence means inaction — the FFKC process runs in parallel with your bank's own recall process.
File FTC report at reportfraud.ftc.gov
File a secondary report with the Federal Trade Commission at reportfraud.ftc.gov. The FTC report does not activate the FFKC, but it contributes to the national fraud database used to identify organized fraud rings, connect related cases, and support federal enforcement actions. Your FTC report number is additional documentation for your insurer's investigation file and may be required in some state CPA board notification contexts. Filing with both IC3 and FTC also demonstrates the firm's good-faith effort to activate all available recovery mechanisms — which is relevant to professional liability defense.
Advise affected clients to file their own IC3 reports
If a client's funds were involved in the fraudulent wire, that client may be an independent victim of the same fraud. Once you have consulted legal counsel and are in a position to communicate with the affected client, advise them that they also have the right to file an IC3 complaint in their own name. A client IC3 filing creates an independent record of their victimization and may strengthen the FFKC coordinator's case for a hold at the receiving bank. A business client with a loss exceeding $50,000 should file their own IC3 complaint regardless of whether the firm has already filed — both complaints can be active simultaneously and reinforce each other.
What Professional Liability Exposure Does a CPA Firm Face After Wire Fraud?
Wire fraud at a CPA firm creates two simultaneous liability crises: the direct financial loss and the professional liability exposure that arises when client funds are involved. The two crises have different remedies, different timelines, and different audiences — and conflating them in the first 72 hours is the most common mistake firms make.
The professional liability analysis after a CPA firm wire fraud turns on three variables: whose funds were involved, what authorization procedures the firm had documented, and whether those procedures were followed. The answers to these three questions define the firm's exposure and the appropriate response strategy before any client communication occurs.
CPA firms that handle client funds — whether for payroll processing, tax payment remittance, trust account management, or real estate transaction coordination — occupy a fiduciary position. When funds entrusted to the firm's management are misdirected by fraud, clients will ask whether the firm met its duty of care. The answer to that question is determined by documentary evidence, not intentions.
The AICPA Code of Professional Conduct Section 1.700 governs member confidentiality obligations. In the context of a wire fraud incident, confidentiality obligations interact with the firm's disclosure duties: the firm must notify affected clients of the incident while being careful not to disclose information about other clients or make admissions that go beyond the factual record. This is why legal counsel — not the managing partner acting alone — must draft the client notification.
Client funds misdirected: fiduciary duty breach and board complaint risk
When client funds — funds the firm held or directed on behalf of a client — are misdirected to a fraudulent account, the client's primary question is whether the firm failed its duty of care. If the firm processed a wire solely on an incoming verbal instruction, without a callback to a verified number and without written confirmation, a court may find that the firm failed to apply reasonable professional judgment. This is the scenario with the highest professional liability exposure: both a potential negligence claim and a state CPA board complaint are likely. Document all existing verification procedures immediately and do not communicate with the client before engaging legal counsel.
Firm's own funds misdirected: no client liability but operational damage
If only the firm's own operating funds were involved in the fraudulent wire — the attacker impersonated an internal partner or a vendor, not a client — there is no direct client professional liability exposure. However, the operational impact can still be severe: depleted operating capital, disrupted payroll, compromised vendor relationships, and reputational damage with clients who become aware of the incident. The crime/fidelity bond and cyber liability coverage with social engineering endorsement are the relevant insurance instruments in this scenario. E&O coverage typically does not apply unless a client asserts a related third-party claim.
Tax filing funds misdirected: IRS implications and abatement requests
When a CPA firm manages tax payment remittances for clients and a fraudulent wire diverts those funds before they reach the IRS or a state tax authority, the client faces tax liability for non-payment — regardless of whether the firm was defrauded. The client will receive penalty and interest notices. The firm must act immediately: file IRS Form 14157 (Return Preparer Complaint) if appropriate, and prepare abatement requests under IRS First-Time Abatement or Reasonable Cause standards. The abatement request must document the fraud, the IC3 filing, and the bank recall attempt as evidence of reasonable cause. State tax authorities have their own abatement procedures that vary by jurisdiction.
Duty to notify engagement clients
Once legal counsel has been engaged and a notification strategy has been determined, the firm has a professional obligation to notify affected clients promptly. Delayed notification — particularly when funds are still potentially recoverable and timely client action could assist recovery — independently creates professional liability exposure. The notification must be specific (what happened, what client funds or information were involved, what recovery steps have been taken) and must be delivered through verified channels, not the compromised email system. Document every notification: date, time, channel, content, and client response.
Engagement letters that authorize electronic funds transfers without a verification callback are a significant liability exposure — review all active engagement letters immediately. An engagement letter that is silent on verbal authorization procedures, or that grants blanket authorization for wire transfers on the basis of verbal instruction alone, will be the first document a plaintiff's attorney requests in a professional liability action. Review every active engagement letter and identify which clients have verbal wire authority under language that lacks a callback or written confirmation requirement. Those engagements need immediate procedural supplements.
What Insurance Claims Should a CPA Firm File After Wire Fraud?
Wire fraud at a CPA firm typically implicates multiple insurance policies simultaneously. Each policy covers a different exposure, has different notice requirements, and is administered by a different claims process. Filing with all applicable carriers on day one — not sequentially as the scope of losses becomes clearer — is essential to preserving coverage.
The most common mistake CPA firms make in the insurance notification phase is waiting to determine the "right" policy before notifying carriers. In practice, the allocation of a wire fraud loss across policies is complex and will be determined by the carriers and counsel after the facts are established. Your job in the first 24 hours is to notify every potentially applicable carrier that an incident occurred and that a claim may follow. Carrier notification is not the same as filing a claim — it is preserving your right to file one.
E&O / Professional Liability — notify within policy window, strictly enforced
Your errors and omissions policy is the primary coverage instrument when a third-party client asserts that the firm's negligence enabled the fraud or caused their loss. E&O coverage triggers when a client makes or threatens a claim arising from the firm's professional services. Most E&O policies require notification within 24 to 72 hours of an incident that the firm "reasonably expects" may give rise to a claim. The standard is not certainty — it is reasonable expectation. If client funds were involved in the fraudulent wire, that standard is met. Call your E&O carrier today. Key E&O carriers serving CPA firms include CNA, CAMICO, and Aon Accountants Program. Know your carrier's direct claims reporting line before you need it.
Crime / Fidelity Bond — covers fraudulent funds transfer from firm accounts
A commercial crime policy or fidelity bond with a computer fraud or funds transfer fraud endorsement covers losses from the firm's own accounts caused by fraudulent third-party instructions. If the attacker impersonated a firm partner, a vendor, or a bank representative to cause the firm to transfer its own operating funds, the crime policy is the relevant coverage. Crime policies have their own notice requirements — typically 60 to 90 days from discovery — but earlier notification is always preferable. Provide the carrier with the IC3 report number, the bank recall case number, and the full timeline of the fraudulent transaction. Do not characterize the loss before the carrier's investigator has reviewed the facts.
Cyber Liability with Social Engineering Endorsement
If your cyber liability policy includes a social engineering endorsement — and many policies specifically designed for professional services firms do — it may cover losses from fraudulent voice or electronic impersonation instructions, including AI voice clone attacks. Social engineering coverage typically requires that the firm followed its documented verification procedures before acting on the instruction. A firm that had no documented procedures, or that failed to follow them, may find that the social engineering endorsement excludes the loss. Review your cyber policy's social engineering definition and exclusions with your carrier and broker simultaneously with your E&O notification.
Directors and Officers if partnership governance was implicated
If the fraudulent wire instruction was processed because of a breakdown in partnership governance — for example, a single partner authorized a large transfer without the dual authorization required by the firm's partnership agreement — the Directors and Officers policy may be implicated. D&O coverage applies when a claim arises from the governance acts or omissions of the firm's management. This scenario is less common but should be assessed by legal counsel in any incident where the authorization chain departed from the firm's documented governance procedures. Notify the D&O carrier at the same time as E&O if governance is a factor.
When notifying all carriers, provide a consistent documentation package. The package for each carrier should include: the IC3 complaint reference number, the bank wire fraud case number, the local police report number, a written incident timeline from discovery through the current response actions, copies of the engagement letter for any affected client engagements, and all communications with the attacker — email, call logs, voicemail recordings, and any documents the attacker provided to support the fraudulent instruction. A consistent, complete documentation package across all carriers prevents inconsistencies that can be used to deny or limit coverage.
How Should a CPA Firm Prevent Wire Fraud After an Incident?
Prevention controls implemented after a wire fraud incident serve two purposes simultaneously: they materially reduce the risk of a repeat attack, and they create the documented procedural record that defends against professional liability claims arising from the current incident. Both purposes are legally and practically significant — implement these controls as formal firm policy, not informal guidelines.
The controls that prevent wire fraud at CPA firms are procedural disciplines — not exotic technology. The accounting profession has required written authorizations for material transactions for decades. The gap in most firms is the application of those disciplines specifically to verbal and digital impersonation channels: recognizing that a call from a known client number using a familiar voice is not a sufficient authorization for a financial transaction, any more than an unsigned engagement letter would be. The voice cloning technology available to attackers in 2026 makes that discipline more important than it has ever been.
Update all engagement letters to require written authorization and callback for any wire or ACH
Add an explicit payment authorization protocol to your standard engagement letter template effective immediately. The protocol should state: no wire transfer, ACH payment, or payroll modification will be processed based solely on a verbal instruction; all verbal requests for financial transactions must be followed by written authorization from the client's verified email address on file; and the firm will initiate a callback to the verified client phone number before executing any transaction above a defined dollar threshold (recommended: $5,000). Having this protocol in the engagement letter means both the firm and the client have acknowledged the procedure in writing — which is the foundation of the firm's professional liability defense for all future transactions.
Implement a verbal passphrase with all clients for payment changes
Establish a pre-agreed, unique passphrase with each client specifically for use when authorizing financial transactions verbally. Establish this passphrase at engagement onboarding — in person or via a secure written channel such as an encrypted message — and store it in the client file under access controls. No verbal wire or ACH authorization is acted upon unless the caller provides the passphrase. This single control defeats the overwhelming majority of voice clone attacks, because the attacker cannot know a passphrase that was never spoken aloud in a call they could record, and that was never transmitted over a channel they could intercept.
No-action-on-inbound-call policy for any account or payment change
Establish a firm-wide policy that no account change, payment instruction, or wire authorization will be acted upon based on an inbound call — regardless of the caller ID, regardless of the caller's voice, and regardless of the caller's knowledge of account or client details. When a call comes in requesting a payment change or wire, the standard response is: "We will call you back at your number on file to confirm this request." Hang up, call the verified number from your records, and confirm the instruction with the real client. Attackers who can spoof caller ID and clone voices cannot intercept your outbound call to the real client's verified number.
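The three controls above (written authorization from the email on file, the verbal passphrase, and a firm-initiated callback to the number on file) expressed as a single release check, as an added example that is not part of the original guide. The record fields, the sample client, and the choice to store the passphrase as a salted hash are assumptions made for illustration; the $5,000 threshold is the one recommended above.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

CALLBACK_THRESHOLD_USD = 5_000  # threshold recommended in the text above


def hash_passphrase(spoken: str, salt: bytes) -> bytes:
    # Spoken phrases vary in case and spacing, so normalize before hashing.
    normalized = " ".join(spoken.casefold().split())
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 200_000)


def digits(number: Optional[str]) -> str:
    """Reduce a phone number to its digits so formatting differences are ignored."""
    return "".join(ch for ch in (number or "") if ch.isdigit())


@dataclass
class ClientRecord:  # hypothetical client-file fields
    verified_email: str
    verified_phone: str
    salt: bytes
    passphrase_hash: bytes  # assumption: keep a salted hash, not the phrase itself


@dataclass
class PaymentRequest:  # hypothetical intake record
    amount_usd: float
    channel: str                              # "inbound_call" or "email"
    passphrase_given: Optional[str] = None
    written_auth_from: Optional[str] = None   # sender of the written authorization
    callback_dialed: Optional[str] = None     # number staff dialed outbound
    callback_confirmed: bool = False


def release_blockers(req: PaymentRequest, client: ClientRecord) -> List[str]:
    """Return every unmet control; an empty list means the payment may be released."""
    blockers = []
    verbal = req.channel == "inbound_call"
    if verbal:
        given = hash_passphrase(req.passphrase_given or "", client.salt)
        if not req.passphrase_given or not hmac.compare_digest(given, client.passphrase_hash):
            blockers.append("passphrase missing or incorrect")
    sender = (req.written_auth_from or "").strip().lower()
    if sender != client.verified_email.lower():
        blockers.append("no written authorization from the verified email on file")
    # Only a call placed by the firm to the number on file counts; a number
    # supplied by the caller, or the inbound call itself, never does.
    callback_ok = (req.callback_confirmed
                   and digits(req.callback_dialed) == digits(client.verified_phone))
    if (verbal or req.amount_usd > CALLBACK_THRESHOLD_USD) and not callback_ok:
        blockers.append("no confirmed callback to the phone number on file")
    return blockers


def sample_client() -> ClientRecord:
    salt = b"constructed-salt"  # constructed; use os.urandom(16) per client in practice
    return ClientRecord("cfo@client.example", "+1 (555) 010-0199", salt,
                        hash_passphrase("blue heron ledger", salt))


def demo():
    """Run the check over four constructed requests."""
    client = sample_client()
    requests = {
        # Familiar voice, look-alike sender, callback made to a caller-supplied number.
        "cloned_voice_call": PaymentRequest(
            48_000, "inbound_call", None, "cfo@cl1ent.example",
            "+1 555 010-0142", True),
        "verified_call": PaymentRequest(
            48_000, "inbound_call", "Blue  Heron ledger", "CFO@client.example",
            "1-555-010-0199", True),
        "small_email_request": PaymentRequest(
            1_200, "email", written_auth_from="cfo@client.example"),
        "large_email_request": PaymentRequest(
            9_500, "email", written_auth_from="cfo@client.example"),
    }
    return {name: release_blockers(req, client) for name, req in requests.items()}


if __name__ == "__main__":
    for name, blockers in demo().items():
        print(name, "->", blockers or "release")
```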
Deploy Vicall to detect AI-cloned voices on incoming calls
Vicall detects synthetic and AI-generated voices on live calls in under one second — on-device, no cloud required, on any smartphone. When a call comes in using an AI clone of a client's or partner's voice, Vicall displays a real-time synthetic voice detection alert before any financial instruction is heard or acted upon. Deploy Vicall on the phones of all client services staff, engagement managers, and any partner or administrator who receives client calls about financial matters. For CPA firms deploying across a practice, Vicall's MSP partner portal provides centralized deployment and management across all staff devices without requiring individual device configuration by each user.
Annual vishing training for all partners and administrative staff
Technical controls are necessary but not sufficient — the last line of defense is a staff member who recognizes the behavioral patterns of a social engineering attack and applies the firm's verification procedures under pressure. Conduct annual vishing (voice phishing) training for all partners, senior managers, and administrative staff who handle client communications. Training should include simulated voice clone calls, practice applying the passphrase and callback protocols under realistic urgency conditions, and a review of the most recent documented attack techniques used against CPA and professional services firms. Document attendance and completion of training — this documentation is relevant to professional liability defense if a future incident occurs.
Frequently Asked Questions
Yes — recovery is possible if the firm acts within the FBI Financial Fraud Kill Chain window. The FFKC has a 66% success rate for losses of $50,000 or more when initiated within 72 hours of the fraudulent transfer. The critical steps are: call the bank wire fraud desk immediately to request a recall, file an IC3 complaint at ic3.gov within 24 hours, and contact the receiving bank with the destination account details. Every hour that passes reduces recovery probability. Firms that delay reporting to gather more information before filing consistently achieve worse recovery outcomes than firms that file immediately and update the report as additional facts become available.
Liability turns on whether the firm followed its documented authorization procedures. A firm that processed a wire solely on a verbal instruction — without a callback to a verified number, without written confirmation, and without a passphrase protocol — faces significant professional liability exposure under a fiduciary duty or negligence theory. A firm that can demonstrate it applied documented, reasonable verification steps is in a materially stronger position. E&O coverage often applies when a third-party client claim arises from alleged firm negligence, but coverage is conditioned on timely insurer notification and the absence of prior liability admissions. Engage legal counsel before communicating with affected clients — premature admissions can jeopardize your E&O coverage and create independent liability exposure.
Reporting requirements vary by jurisdiction. Some state CPA boards require notification when a licensee's professional conduct is implicated in a client financial loss. Others impose disclosure obligations through professional standards rules tied to the AICPA Code of Professional Conduct. Several states have independent data breach notification statutes that apply when client personally identifiable information is involved in a fraud incident. The AICPA's guidance on member confidentiality under Section 1.700 does not prohibit disclosure where required by law — but it also does not create an affirmative duty to disclose to the board independently of state statute. Consult legal counsel familiar with your state's CPA licensing statutes before making any determination on board notification.
Wire fraud losses at CPA firms vary widely depending on the firm's client base and the nature of the engagement. FBI IC3 2023 data shows business email compromise and wire fraud losses for professional services firms range from $50,000 to over $2 million per incident, with median losses clustering between $150,000 and $400,000 for established practices. Firms that manage payroll, tax payments, or trust accounts on behalf of clients face higher exposure because multiple client funds may be at risk from a single fraudulent instruction. Firms that handle large real estate transaction closings or M&A escrow face the highest single-incident exposure — in some cases exceeding $5 million per event.
Wire fraud incidents that result in client harm can trigger state CPA board complaints, peer review scrutiny, and in serious cases, license suspension or revocation proceedings. The board's focus is whether the licensee's professional conduct — specifically, the authorization and verification procedures applied before processing client fund instructions — met the applicable standard of care. Firms that had documented, reasonable procedures and followed them are in a defensible position before a board. Firms that had no documented procedures, or that failed to follow them, face higher risk of adverse board action. The AICPA Code of Professional Conduct and state-specific accountancy statutes govern the applicable standard of care for the jurisdiction in which the firm is licensed.