What Should an Insurance Agency Do in the First Hour After Wire Fraud?

The first hour after a fraudulent wire transfer determines how much is recoverable. Bank recalls succeed only while funds remain in transit or in the receiving account — often a window of hours, not days. Carrier notifications made before grace periods expire protect client coverage. These five steps, executed in order and without delay, define the difference between recovery and permanent loss.

01. Call your bank's wire fraud desk — not general customer service

Request an immediate hold or recall on every fraudulently authorized wire. Use the wire fraud or fraud escalation line — general customer service cannot initiate recalls. Have the wire reference number, date, dollar amount, sending account, and receiving bank details ready before you call. For ACH transactions, reversals may be available for up to two business days after posting. Speed is the single most important variable: domestic wire recalls are only viable while funds have not yet been swept from the receiving account, which can happen within hours of settlement.

02. Document all wire authorizations and communications immediately

Record the exact call time, the number displayed on caller ID, the name the caller claimed, what was specifically requested, the dollar amount and destination provided, and who in the agency authorized the transfer. Include the name of every staff member involved in the transaction chain. This contemporaneous record is the foundation of your IC3 complaint, your E&O defense, your bank fraud claim, and every regulatory notification that follows. Write it down within the first 30 minutes — do not rely on memory reconstructed hours later.

03. Alert the agency principal and compliance officer

Incident response at the agency level requires principal authority. The agency principal must authorize emergency bank actions, sign off on carrier notifications, and make decisions about client communication. The compliance officer must begin the regulatory notification assessment immediately — E&O policy windows, state insurance department requirements, and NAIC model law obligations all begin running from the moment of discovery, not from when a decision is made to report. Do not allow a wire fraud incident to be managed at the staff level beyond the first 30 minutes.

04. Do not use potentially compromised systems or communications channels

If the fraud was enabled by a compromised email account, phone system, or internal messaging platform, do not continue to use those channels for incident response communications. Attackers who maintain access to a compromised channel can intercept recovery efforts, modify wire instructions a second time, or monitor the agency's response to refine their attack. Use a separate device and a separate email account — personal or an uncompromised agency account — for all incident communications until IT has confirmed the breach vector and locked it down.

05. Preserve all evidence — call logs, voicemails, bank authorizations, and digital records

Export all phone system call logs, voicemails, call recordings, email threads, bank authorization records, wire confirmation notices, and internal approval communications immediately. If your phone system or email server overwrites logs on a rolling cycle, manual export takes priority over everything else in this window. Do not delete, modify, or allow auto-purge of any record that may be relevant to the incident. These records support IC3 filing, E&O defense, bank fraud claims, police reports, and state insurance department notifications — all of which will require copies.

If client premium funds were misdirected, policies may lapse unless the carrier is notified immediately — call the carrier's agent services line before the banking system closes for the day. Most carriers will hold coverage in-force and work toward reinstatement when fraud is properly documented, but only if they are notified before the grace period expires. A lapse that occurs because the carrier was not informed is far harder to cure than one caught within the grace window.

How Does the FBI Financial Fraud Kill Chain Apply to Insurance Agency Wire Fraud?

The FBI's Financial Fraud Kill Chain (FFKC) is a coordinated inter-agency process activated by an IC3 complaint for wire fraud losses of $50,000 or more, filed within 72 hours. For insurance agencies, the FFKC is the highest-probability path to recovery — but only if the IC3 complaint includes the insurance-specific data that gives federal investigators the context to act quickly. Here are the exact steps for an effective IC3 filing.

01. File at ic3.gov within 24 hours — do not wait for complete information

Navigate to ic3.gov and submit a complaint as soon as you have the core wire details: date, amount, sending account, receiving bank name and account number if known, and a description of the fraud method. The FFKC success rate is approximately 66% for losses over $50,000 when the IC3 complaint is filed within 24 hours — that rate declines sharply as hours pass and drops to near zero for international transfers after 48 hours. File an initial complaint immediately and supplement it with additional documentation as it becomes available. Do not delay filing while waiting for a police report or complete bank records.

02. Include insurance-specific context in the IC3 narrative

Federal investigators work faster when they understand the context. In the narrative field, specify that the target was an insurance agency, identify the relevant policy number if a client account was involved, name the premium account or trust account from which funds were redirected, and describe the carrier relationship that was impersonated. If the attack involved a voice-cloned carrier representative, adjuster, or agency principal, state that explicitly. IC3 analysts who can quickly classify the attack type route complaints to the right field office faster.

03. Provide all available wire transfer details

Include the originating financial institution name, account number (partial is acceptable), the receiving financial institution name, the receiving account number, the wire amount, the wire date and time, the SWIFT or routing number if available, and any intermediary bank details. If the attacker provided a specific account name or business name as the receiving beneficiary, include that — it is frequently the most actionable piece of information for investigators attempting to freeze the receiving account before funds are moved again.

04. File FTC secondary report at reportfraud.ftc.gov

Submit a secondary report to the FTC at reportfraud.ftc.gov immediately after the IC3 filing. FTC reports are aggregated into a national fraud database that investigators use to identify patterns across victims. Voice clone wire fraud campaigns targeting insurance agencies often involve the same criminal actors targeting multiple agencies across multiple states — your FTC report may directly contribute to identifying and stopping the same operation elsewhere. The FTC report does not activate a recovery mechanism, but it is a required filing for comprehensive fraud documentation and supports FTC civil enforcement actions.

05. File with the state insurance fraud division as a tertiary report

Most states have a dedicated insurance fraud unit within the state department of insurance that investigates fraud targeting licensed agencies, brokers, and insurers. This report is separate from any cybersecurity notification obligation — it goes to the fraud division specifically. Provide the IC3 complaint number and FTC report confirmation as attachments. State insurance fraud units frequently coordinate with the FBI on cases where licensed agencies are targeted, and a filed state fraud report strengthens the federal case. It also creates a record that protects the agency's license in subsequent regulatory proceedings.

66%: FBI Financial Fraud Kill Chain recovery or freeze rate for wire fraud losses over $50,000 when the IC3 complaint is filed within 24 hours. The rate drops significantly after 72 hours and is near zero for international transfers after 48 hours.

What E&O and State Insurance Department Obligations Arise After Wire Fraud?

Wire fraud affecting an insurance agency triggers a cascade of professional and regulatory obligations that run in parallel with law enforcement reporting. E&O notification windows begin at the moment of discovery. State insurance department obligations depend on jurisdiction and whether client or policyholder information was compromised. Each obligation has its own deadline, format, and consequence for non-compliance.

(1) E&O insurer notification — immediate, regardless of whether a client claim has been made. Most errors and omissions policies for insurance agencies require notification "as soon as practicable" of any circumstance that might give rise to a claim. This is not the same as waiting for a client to actually file a claim. If client premium funds were redirected, if a client's policy may have lapsed, or if client data was extracted — the potential for an E&O claim exists the moment those facts are known. Notify your E&O carrier in writing on the day of the incident. Failing to notify within the policy window — even if no claim ever follows — can result in the carrier denying coverage on late-notice grounds. Preserve proof that the notification was sent.

(2) State insurance department notification. Most state departments of insurance require reporting of significant financial crimes involving licensees. States that have adopted the NAIC Insurance Data Security Model Law require notification of the insurance commissioner when a cybersecurity event affects nonpublic information — defined broadly to include any personally identifiable information of policyholders. California DOI requires notification within 72 hours of a cybersecurity event under certain circumstances. Texas TDI and New York DFS have their own specific timelines. Even in states without a mandatory timeline, proactive notification is advisable — it creates a record of good-faith response and protects the agency's license.

(3) Client notification — when client funds were misdirected. If client premium payments were redirected to fraudulent accounts, affected clients must be personally notified. This notification is both a legal obligation under applicable state data breach and fraud notification statutes and a fiduciary duty the agency owes the client. Notification timelines are state-specific — most states require notification within 30 to 90 days of discovery, and some require specific written formats. Agencies with clients across multiple states must comply with the most stringent applicable state law. Review notification content with E&O legal counsel before sending — the framing of client notification has significant E&O implications.

(4) Carrier notification — for every policy or premium account affected. Each carrier whose client accounts were touched by the fraud must be notified individually. This notification is separate from any carrier impersonation that may have been part of the attack. Carrier notification enables the carrier to flag affected policies, hold them in in-force status during the investigation, and prepare for reinstatement requests. It also gives the carrier an opportunity to alert other agencies in its network to an active fraud campaign.

(5) NAIC model regulation compliance. The NAIC Insurance Data Security Model Law (MDL-668), adopted in more than 20 states, imposes specific incident response, investigation, and notification obligations on insurance agencies as "licensees." Obligations under the model law include investigating the nature and scope of the cybersecurity event, preserving records for at least five years, and providing a written notification to the insurance commissioner within 72 hours (in some adopting states) of determining that a cybersecurity event has occurred. Review your state's specific adoption language — some states modified the model law's timelines and thresholds when enacting it.

E&O policies typically exclude coverage for intentional acts but cover negligent acts that enabled the fraud — document every step your agency took to verify the wire request before it was processed. If the agency had a callback verification procedure that was either bypassed under pressure from the fraudulent caller or was not yet in place, document both the procedure status and the specific circumstances of the fraudulent call. The difference between "the fraud circumvented our controls" and "we had no controls" is the difference between covered and uncovered E&O exposure.

What Insurance Claims Should an Insurance Agency File After Wire Fraud?

Wire fraud targeting an insurance agency may trigger claims under multiple policies simultaneously. E&O, crime/fidelity, cyber liability, and business interruption coverages each address different aspects of the loss — and each has its own notification requirements, documentation standards, and coverage terms. Filing all applicable claims in parallel is standard practice; missing a policy's notification window is not recoverable.

(1) E&O / professional liability. If client funds were affected, or if a client alleges the agency was negligent in processing a fraudulent wire request, E&O coverage applies. Coverage is triggered by the potential for a claim, not the filing of one. Notify your E&O carrier immediately and provide a written description of the incident, the client accounts affected, and every step the agency took to verify the wire request. Agency-specific E&O carriers include Swiss Re Corporate Solutions, Travelers, CNA, and Burns & Wilcox — each has its own notification format and claims intake process.

(2) Crime / fidelity bond — fraudulent funds transfer coverage. Most agency crime or fidelity bonds include a fraudulent funds transfer provision that covers losses from unauthorized wire transfers initiated by an outside party using fraudulent instructions. This is distinct from employee dishonesty coverage. The fraudulent funds transfer provision typically requires that the instruction was transmitted electronically or telephonically and that the agency acted in good faith on the instruction. Confirm with your surety carrier whether voice-cloned telephone instructions qualify under the bond's coverage language — policy wording varies. File this claim simultaneously with E&O notification.

(3) Cyber liability with social engineering endorsement. If the attack involved electronic impersonation — voice cloning, email spoofing, or a combination — the cyber liability policy's social engineering endorsement (also called funds transfer fraud endorsement) may cover the loss. Social engineering endorsements are subject to sublimits that are often lower than the main policy limit. Check whether your policy requires the agency to have had a verification procedure in place before the transfer as a condition of coverage — some endorsements impose this as a pre-loss condition. Cyber liability may also cover forensic investigation costs, client notification costs, and credit monitoring for affected clients.

(4) Business interruption. If agency operations were disrupted by the incident (staff taken offline for investigation, systems locked down, client-facing operations suspended), business interruption coverage under the commercial property or cyber liability policy may apply. Document every hour of lost productivity and every direct operational cost incurred in response to the incident from the moment it was discovered.

Documentation checklist for all insurance claims: IC3 complaint confirmation number, bank wire fraud case number, local police report number and case number, state insurance department fraud division case number, state cybersecurity notification confirmation, carrier notification records with timestamps, client communication log with dates and names of each client contacted, internal incident report written within 24 hours, and a written timeline of every verification step attempted before and after the wire was processed.

How Should an Insurance Agency Prevent Wire Fraud After an Incident?

The controls that prevent wire fraud in insurance agencies are primarily procedural — with one technology layer that stops AI-cloned voice fraud at the point of detection. Written authorization requirements, no-action-on-inbound policies, and pre-agreed passphrases each independently defeat the most common attack vectors. Deployed together, they eliminate the conditions that made the initial incident possible.

01. Verbal passphrase required for all premium account changes and carrier payment redirects

Establish a unique, randomly generated passphrase with each client and carrier contact — set face-to-face or through a verified non-phone channel, never stored digitally alongside the account record. Any inbound call requesting a premium account change, banking update, or payment redirect must supply the passphrase before the request is evaluated. A caller who cannot supply the phrase — regardless of how familiar the voice sounds, regardless of the urgency claimed — is not authorized to make the request. Document this requirement in the agency policy manual and include it in carrier and client onboarding materials so all parties know the standard.

02. Written authorization required for any banking change — no action on inbound request alone

Codify a firm agency policy that no premium payment redirect, banking account change, carrier payment routing update, or wire instruction is processed from any telephone call — inbound or outbound — without a corresponding written authorization submitted through a verified channel (signed document, authenticated client portal, or encrypted email). Post this policy on the agency's website and include it in the client service agreement. When clients and carriers know this is your standard operating procedure, they will not be surprised when you enforce it — and fraudulent callers will know immediately that their approach will not work.

03. No-action-on-inbound-call policy for payment or account changes, codified in the agency policy manual

The single most effective procedural control is a standing policy that no banking or payment change is ever initiated as a result of an inbound call — period. Before any action is taken, the call is terminated and a callback is made to a number from the agency's verified contact directory. For carriers, that means the agency services number from the carrier's official website — not the number that called. For clients, that means the number on file from their original enrollment. This control defeats the core social engineering mechanism of voice clone fraud: the attacker depends on the victim acting during the initial call while under pressure or emotional manipulation. A no-action-on-inbound policy removes that attack surface entirely.

04. Deploy Vicall to detect AI-cloned voice on all agency calls

Vicall's on-device synthetic voice detection surfaces a REAL VOICE or SYNTHETIC DETECTED verdict in under one second — no cloud dependency, no call recording, no latency on the call itself. For agency staff receiving calls from clients, carriers, or adjusters requesting financial actions, Vicall provides a real-time fraud signal before any procedure is invoked. A SYNTHETIC DETECTED verdict is grounds for immediate call termination — the staff member does not need to make a judgment call about how familiar the voice sounds or how urgent the request feels. The technology layer removes the human judgment point that voice cloning specifically exploits.

05. Annual vishing training for CSRs, account managers, and billing staff

Train every staff member who handles inbound calls on the specific attack scenarios used against insurance agencies: carrier representative impersonation requesting banking updates, agency principal impersonation authorizing emergency wires, client impersonation redirecting premium payments, and adjuster impersonation requesting settlement payment changes. Run simulated vishing exercises — calls from a trainer posing as a carrier representative or agency principal using pressure tactics — to build the reflexes to pause, use the passphrase, and call back before acting. Retrain annually at minimum and immediately following any real incident. Document all training as part of the agency's E&O risk management record.

Frequently Asked Questions

Yes — but timing is the critical variable. For domestic wires, the FBI's Financial Fraud Kill Chain recovers or freezes funds in approximately 66% of cases over $50,000 when the IC3 complaint is filed within 24 hours. That rate drops sharply after 72 hours and becomes negligible for international transfers once funds have cleared the receiving institution. Contact your bank's wire fraud desk first to initiate a recall, then file at ic3.gov within 24 hours to activate the FFKC. Do not wait for law enforcement confirmation before calling your bank — the bank recall and the IC3 filing must happen simultaneously, not sequentially.

Potentially yes. If client premium payments were redirected due to a fraudulent instruction the agency acted upon without adequate verification — resulting in a policy lapse, coverage gap, or financial loss — the agency faces E&O exposure. The negligence standard turns on whether the agency had written authorization procedures in place and whether it followed them. E&O policies typically cover negligent acts that enabled the fraud but exclude intentional misconduct. Document every verification step taken (or attempted) before the wire was processed. Engage E&O legal counsel before making any admissions to affected clients or carriers — the framing of initial communications has significant legal consequences.

In most states, yes — particularly if the fraud involved client premium funds, trust account misdirection, or compromise of nonpublic policyholder information. States that have adopted the NAIC Insurance Data Security Model Law require notification of the insurance commissioner when a cybersecurity event affects nonpublic information. California DOI, Texas TDI, and New York DFS each have their own specific timelines and formats for fraud and data breach notification. Even where not legally mandated, proactive notification to your state department of insurance fraud division creates a record of good-faith response. Check both your state data breach statute and insurance-specific cybersecurity regulations — they are separate legal frameworks with separate notification requirements.

Policies may lapse for non-payment if the carrier is not notified that the missed or misdirected payment was the result of fraud rather than insured non-payment. Call the carrier's agent services line immediately — before the grace period expires — and explain the fraud circumstances. Most carriers will reinstate coverage without a new underwriting review when the lapse is documented as fraud-caused. If any claim occurred during a potential coverage gap, document the gap as fraud-caused and work with the carrier and E&O counsel on coverage analysis. Do not communicate a coverage position to affected clients without legal guidance — what is said in that initial conversation has significant E&O implications.

Highly common. The FBI's 2023 Internet Crime Report recorded over 21,000 business email compromise and wire fraud complaints in the financial services and insurance sector, with losses exceeding $2.9 billion sector-wide. Insurance agencies are disproportionately targeted because they handle premium flows, trust accounts, and carrier payment relationships — all high-value redirection targets. Voice-cloned impersonation of agency principals, carrier representatives, and clients has emerged as a primary attack vector since 2023, replacing traditional BEC email fraud in many targeted campaigns. See voice cloning fraud in insurance agencies for a detailed breakdown of attack patterns.
