What Should a Government Agency Do in the First Hour After Wire Fraud?
The first hour after discovering wire fraud is the highest-leverage window for recovery. Banks can place fraud holds and initiate recalls before funds leave the receiving account — but only if contacted while the wire is still traceable. For government agencies, the first hour also initiates a chain of internal notifications that are legally required and operationally critical: director, general counsel, and finance leadership must be in the room before any external statements are made or any system access is changed.
Call the bank wire fraud desk
Call the sending bank's wire fraud or fraud investigations line immediately — not the general customer service line. Request a wire recall and a fraud hold on the receiving account. Provide the complete wire details: amount, destination bank name and routing number, receiving account number, wire reference number, and the exact time the wire was transmitted. Ask for a case number and the name of the fraud officer handling the case. Every minute matters — funds that have not yet been withdrawn from the receiving account can be frozen.
Alert agency director and general counsel
The agency director and general counsel must be notified simultaneously with or immediately after the bank call. This is not optional — wire fraud involving public funds has legal, audit, and public disclosure implications that require leadership and legal oversight from the first moment. Do not send a summary email to a broad distribution list. Make direct phone calls to the agency director, general counsel, and chief financial officer. Brief them on facts only — amount, wire destination, time, and how the fraud was discovered.
Document all authorization chain records
Immediately secure and print copies of all records in the wire authorization chain: purchase orders, vendor contract documents, wire transfer approvals, emails or phone records related to the transaction, and any system logs showing who accessed the wire authorization workflow. Do not wait for the investigation to begin — these records are at risk of being altered, overwritten by routine system processes, or lost. Designate a specific person to hold physical and digital copies under controlled access.
Do not use potentially compromised systems
If the fraud involved any system access — email credentials, a vendor portal, a payment system login — treat those systems as potentially compromised until IT security has assessed them. Do not use the same communication channels to coordinate the response that may have been used in the fraud. Establish a separate, verified communication channel for the response team. If agency email or phone systems were involved in the attack, use personal devices or out-of-band secure channels for the initial response coordination.
Secure evidence — do not alter or delete
Issue an immediate litigation hold notice to all staff who may have relevant records. Government records retention laws already restrict destruction, but a formal litigation hold ensures staff understand that normal deletion schedules are suspended for any records related to the incident. This includes call logs, voicemails, emails, system access logs, bank records, procurement files, and any recordings of phone calls. Altering or destroying evidence — even unintentionally — can complicate prosecution and audit outcomes.
All internal communications about this incident are likely subject to public records law and may be discoverable in any subsequent legal or audit proceeding. Do not speculate about cause or employee negligence in writing. Stick to facts. Route all written communications through or with the review of general counsel from the first hour forward.
How Does the FBI Financial Fraud Kill Chain Apply to Government Agency Wire Fraud?
The FBI's Financial Fraud Kill Chain (FFKC) is the most powerful recovery mechanism available after a wire fraud — and it applies to public funds exactly as it applies to private funds. The mechanism works by coordinating between IC3, the FBI's financial crimes unit, the sending bank, and the receiving bank to freeze and recover fraudulent wire transfers. For government agencies, IC3 filing requires additional data specific to public fund accounting — and failure to include that data can slow or prevent the FFKC from being activated.
File a detailed IC3 report at ic3.gov within 24 hours
File at ic3.gov within 24 hours of discovering the fraud. To activate the FFKC, the loss must meet the $50,000 minimum threshold. For government agencies, include all standard wire fraud data plus government-specific identifiers: the appropriation account number from which the funds were drawn, the fund source (federal grant program name and CFDA number, state appropriation number, or municipal general fund), the purchase order or contract number associated with the wire, and the vendor contract number if applicable. The more complete and specific the IC3 filing, the faster the FBI can act.
Contact the nearest FBI field office directly
IC3 filing initiates the FFKC process, but a direct call to your nearest FBI field office can accelerate coordination. Government fraud cases involving public funds — particularly those tied to federal grant programs — may receive prioritized handling. Provide the field office with your IC3 report number, the agency name and jurisdiction, the total loss amount, and the wire destination. Ask specifically whether the case qualifies for the Financial Fraud Kill Chain and what additional information the field office needs.
File a secondary report with the FTC
File a secondary fraud report at reportfraud.ftc.gov. While the FTC does not operate the FFKC, FTC reports feed federal fraud databases that support pattern analysis and criminal prosecution coordination. Government agencies filing FTC reports should identify the entity type as a government agency — this data is tracked separately and informs federal fraud policy and resource allocation.
Assess CISA reporting obligations if IT systems were involved
If the fraud involved compromise of a government IT system — phishing of credentials, unauthorized access to a payment portal, or compromise of a government email account used to authorize the wire — CISA (Cybersecurity and Infrastructure Security Agency) notification may be required under FISMA (Federal Information Security Modernization Act). Federal agencies and federal contractors should assess whether the incident constitutes a reportable cybersecurity incident. CISA reports are filed at cisa.gov/report.
Federal agencies: notify OMB and the awarding agency
Federal agencies and federal grant recipients must notify the Office of Management and Budget and the relevant awarding agency if federal funds were involved. This notification is separate from IC3 filing and operates under OMB Uniform Guidance. Awarding agencies — such as HHS, USDA, DOJ, or DOT — have their own program officers and OIG offices that must be looped in. Failure to notify the awarding agency can result in repayment requirements and adverse audit findings even if the fraud itself was not the agency's fault.
What Inspector General and Audit Reporting Obligations Arise After Government Wire Fraud?
Wire fraud involving public funds is not simply a financial loss — it is a reportable event under multiple parallel oversight frameworks. Government agencies face audit and Inspector General reporting obligations that exist independently of law enforcement reporting. These obligations are not optional and carry their own consequences for non-compliance. The agency's auditors and legal counsel must be engaged immediately to map which obligations apply and in what timeframe.
Office of Inspector General: notify immediately
The OIG notification standard for wire fraud is immediate — same day as discovery — for all federal agencies and most state and local government entities with an OIG function. Each federal agency has its own OIG: USDA OIG, HHS OIG, DOT OIG, DHS OIG, and so on. State governments typically have a State Inspector General or State Auditor with equivalent jurisdiction. Municipal governments may report to a county or city OIG, or to the state auditor if no local OIG exists. Provide the OIG with the same fact set provided to the FBI: amount, wire destination, fund source, and how the fraud was executed.
Government Accountability Office: federal agencies and major grant recipients
The GAO has oversight jurisdiction over federal agencies and federal grant recipients. For large-dollar wire fraud incidents — particularly those involving federal program funds — GAO may become involved through its own audit work or through referral from the awarding agency OIG. Federal agencies should coordinate with their budget and audit offices to assess whether GAO notification or cooperation is required. State and local grant recipients whose loss is material relative to the federal award may also come under GAO scrutiny through the single audit process.
OMB Uniform Guidance 2 CFR § 200.345: mandatory disclosure for federal grant funds
Under 2 CFR § 200.345, non-federal entities receiving federal awards are required to disclose in writing any fraud or other irregularities that affect the federal award. This disclosure goes to the federal awarding agency and may also be reported in the agency's Single Audit. The disclosure obligation is triggered by the loss of federal program funds — it is not contingent on the agency having done something wrong. Even an agency that was the victim of an external fraud must comply with this disclosure requirement if federal award funds were involved.
State audit agency: state and local governments
State comptroller offices and state audit agencies — such as the California State Auditor, Texas State Auditor's Office, or New York State Comptroller — have jurisdiction over losses of state funds by state and local government entities. Most state audit agencies have specific guidance on reporting losses of public funds, including timeframes that are often as short as 30 days from discovery. Local governments — cities, counties, school districts, special districts — should check their state's specific requirements and consult with their state auditor's office if uncertain about the applicable reporting standard.
Legislative appropriations committee: material losses
For losses that are material relative to the agency's appropriated budget, notification of the relevant legislative appropriations committee may be required — by law in some jurisdictions, by political necessity in most. The agency director and general counsel should assess whether the loss amount triggers any legislative notification requirement under state or local statute. Even where not legally required, proactive notification to the appropriations committee — before they hear about it through press or public records — preserves the agency's credibility and gives leadership control over the narrative.
Failure to notify the OIG within required timeframes can trigger a separate finding in the agency's financial audit — which affects future appropriations, federal grant eligibility, and the agency's audit opinion. An adverse audit finding for failure to report is a compounding consequence that goes beyond the financial loss itself. OIG notification is not bureaucratic paperwork — it is a legal obligation with real downstream consequences.
What Insurance and Risk Pool Claims Should a Government Agency File After Wire Fraud?
Most government agencies are not covered through commercial insurers — they participate in state or county risk pools that provide equivalent coverage for government-specific exposures. Wire fraud losses may be covered under a government crime bond or public entity bond, or under cyber liability coverage if the fraud involved compromise of an IT system. Filing the correct claim with the correct coverage program, with the correct documentation, is a parallel track that should begin within the first 72 hours — not after law enforcement reporting is complete.
Government crime bond / public entity bond
A government crime bond — also called a public entity bond or fidelity bond — typically covers fraudulent funds transfer losses from government accounts. This is the primary coverage vehicle for wire fraud losses that do not involve a system compromise. Review the policy or risk pool coverage agreement for the specific coverage trigger: most require that the loss result from a fraudulent instruction from a third party, which is the standard pattern for voice-clone-enabled wire fraud. File a written claim promptly — most bonds have a notice requirement measured in days, not weeks.
Cyber liability coverage through state risk pool or commercial insurer
If the wire fraud involved compromise of a government IT system, email account, or payment portal, cyber liability coverage may apply in addition to or instead of the crime bond. Many state and county risk pools now include cyber liability coverage as a standard component of government entity coverage. Review the coverage definitions carefully — some cyber liability policies require a technical system compromise as the trigger, which may not be present in a pure voice phishing incident where no system was technically breached.
SLGE coverage programs and PRIMA member pools
State and local government entities (SLGEs) covered through Public Risk Management Association (PRIMA) member pools should contact their pool's claims coordinator immediately. PRIMA member pools cover a large share of municipal, county, and special district entities across the country and have established claims processes for wire fraud incidents. The pool's claims coordinator can identify which coverage lines apply, what documentation is required, and what the claims timeline looks like. Contact information for your risk pool is typically maintained by the agency's finance director or risk manager.
For all insurance and risk pool claims, have the following documentation ready before filing: the IC3 report number, the bank case number from the sending bank's fraud team, the OIG case number, a police or sheriff's report if local law enforcement was notified, and the full authorization chain documentation showing how the wire was approved and executed. Gaps in documentation delay claims processing. Assemble this package as part of the first 72-hour response, not after.
How Should a Government Agency Prevent Wire Fraud After an Incident?
A wire fraud incident is the most powerful forcing function for implementing controls that were previously deprioritized. Post-incident, agencies have a window — measured in weeks, not months — to put preventive controls in place before organizational attention moves on. The five controls below address the specific vulnerabilities that voice-clone-enabled wire fraud exploits in government settings: phone-based authorization, vendor payment change requests, and the absence of real-time detection tools.
Implement dual-authorization for all wire transfers via policy or ordinance
Require two separate authorizers — contacted through independent channels, not simply one person confirming to another — to approve any wire transfer. This control should be codified in formal financial policy or, for municipalities, in an ordinance that cannot be suspended by administrative convenience or emergency conditions. The second authorizer must independently verify the legitimacy of the request: not simply confirm what the first authorizer told them. Set a dollar threshold appropriate to the agency's payment volumes — but do not set it so high that routine large payments are excluded from the control.
Verbal passphrase + written authorization for vendor bank account changes
Any request to change a vendor's banking information — routing number, account number, or ACH details — must require two verification steps: a verbal passphrase established with the vendor during onboarding and confirmed on a callback to the vendor's verified directory number, plus a written authorization on vendor letterhead submitted through a separate channel from the one that initiated the request. Payment redirect fraud is among the highest-value attack patterns targeting government procurement — this control directly eliminates it.
No-action-on-inbound-call policy for payment redirects — codified in internal controls
Adopt a formal policy: no payment action is taken based on instructions received in an inbound phone call, regardless of the caller's apparent identity. All payment instructions received by phone must be verified by calling the relevant party back on a number from the agency's verified directory — not the number that called. This policy must be documented in the agency's internal controls and included in finance and procurement staff onboarding. It should also be communicated to registered vendors so they understand the verification process.
Deploy Vicall to detect AI-cloned voice on agency phone lines
Vicall's on-device synthetic voice detection gives finance clerks and procurement officers a real-time verdict — REAL VOICE or SYNTHETIC DETECTED — before any payment instruction is acted on. For government offices on modern VoIP systems, Vicall deploys via mobile app. For offices on older analog infrastructure, Vicall provides an on-premises Mac mini deployment with no cloud dependency and no data sovereignty concerns. Detection is under one second. A SYNTHETIC DETECTED result on a call requesting a payment authorization means the call ends immediately, regardless of how convincing the scenario sounds. Learn more at the complete voice fraud guide.
Annual security awareness training — track completion for audit purposes
Annual security awareness training for finance, procurement, and administrative staff should specifically cover voice phishing (vishing) and phone-based social engineering — not only email phishing. Training completion should be tracked and documented, with completion records maintained as part of the agency's internal control documentation for audit purposes. For agencies subject to single audit under OMB Uniform Guidance, documented security training is evidence of an effective internal control environment. Simulated vishing exercises — where a trainer calls staff posing as an official or grant officer — are particularly effective for government settings where phone-based authorization is routine.
Frequently Asked Questions
Recovery is possible but time-critical. The FBI's Financial Fraud Kill Chain has a 66% success rate when IC3 reports are filed within 72 hours and the loss meets the $50,000 minimum threshold. For government agencies, the state treasurer's office may also have mechanisms to facilitate interbank fund recovery in coordination with law enforcement. The sending bank's wire recall process should be initiated within the first hour — before funds are withdrawn from the receiving account. After 72 hours, recovery rates drop sharply as funds are moved or withdrawn.
Sovereign immunity generally shields government employees from personal civil liability for acts performed within the scope of their official duties. However, this protection is not absolute. Employees who acted with gross negligence, willful misconduct, or who violated explicit agency financial policies may face personal liability exposure. Criminal liability can attach if the employee participated in or facilitated the fraud. Agencies should consult legal counsel early — both to protect employees who acted in good faith and to assess whether any conduct warrants further investigation.
Federal grant fund losses trigger specific obligations under OMB Uniform Guidance (2 CFR Part 200). The agency must notify the federal awarding agency promptly. Under 2 CFR § 200.345, non-federal entities must disclose fraud or other irregularities affecting federal awards. The awarding agency may require repayment of lost funds from non-federal sources. Depending on the dollar amount and materiality, the loss may be reported in the agency's Single Audit (formerly A-133 audit). The agency should work with its auditors and legal counsel to understand specific repayment and disclosure obligations for each affected grant program.
Public disclosure obligations depend on jurisdiction and governing body structure. All records created during the incident — communications, bank records, investigation documents — are subject to public records laws (FOIA at the federal level; state equivalents at the state and local level) and may be requested by journalists, advocates, or the public at any time. Many agencies are also required to notify their governing board, city council, or legislative body of material losses of public funds. The agency's legal counsel and public affairs office must be involved before any external communications to ensure disclosures are accurate, legally compliant, and made in the correct sequence.
FBI IC3 data consistently identifies government agencies — federal, state, and municipal — among the most targeted institutions for business email compromise and wire fraud. The 2024 FBI IC3 Annual Report recorded $16.6 billion in total cybercrime losses, with BEC and wire fraud accounting for the largest share. Government agencies face elevated risk due to public disclosure of officials' voices, transparency-mandated publication of vendor and payment data, and the large dollar values of government procurement payments. The combination makes government a structurally attractive target for voice-clone-enabled wire fraud.
How Exposed Is Your Agency to
Voice Clone Fraud?
Take the two-minute Voice Clone Risk Quiz to understand your agency's specific exposure — and what controls close the gap fastest.
Take the Voice Clone Risk Quiz →Related Resources
Learn more about phone-based social engineering, voice fraud, and how to protect your organization.