What Should a Nonprofit Do in the First Hour After Wire Fraud?
The first hour after discovering a fraudulent wire transfer is the highest-leverage period in the entire recovery process. The sending bank can initiate a hold or recall while funds are still in transit — but this window closes fast. The order of operations in the first sixty minutes determines whether recovery is possible at all.
Wire fraud against nonprofits overwhelmingly targets the same two vulnerabilities: a finance staff member who receives what sounds like a legitimate call from the executive director, board chair, or a major donor instructing a payment — and a payment authorization process that does not require independent verification. AI voice cloning has made those calls indistinguishable from the real thing without technology-based detection. Once the wire moves, recovery requires activating federal mechanisms immediately.
Call the bank wire fraud desk — not general customer service
Contact your sending bank's dedicated wire fraud or wire recall line immediately. Ask specifically for the wire recall team or the wire fraud desk — general customer service representatives often cannot initiate recalls on their own. Provide the receiving account number, routing number, wire amount, and the time the wire was sent. Ask the bank to contact the receiving institution directly to flag the account and request a hold. Some banks have direct FBI liaison contacts for fraud cases above $50,000 — ask about this specifically. Document the name of every bank representative you speak with and the time of each call.
Document all wire authorization records immediately
Preserve every record related to the fraudulent transaction: the original wire instruction (email, voicemail, or call log), the internal approval documentation, the wire confirmation from the bank, and any communications that preceded or followed the fraudulent request. Do not alter, delete, or annotate any existing records. If the request came by phone, preserve call logs from the office phone system and any mobile devices involved. Contact your phone system administrator before system logs are overwritten. This documentation is required by the FBI, your bank, your insurer, the IRS, and your board — and its completeness directly affects recovery and claim outcomes.
Alert executive director and board chair — if ED was the victim, alert board directly
Notify the executive director and board chair within the first hour. If the executive director was the person impersonated — the most common attack vector in nonprofit voice clone fraud — notify the board chair first and directly, without routing through the ED. Do not wait for complete information before making this notification. Notify with what is known: a fraudulent wire was processed, the amount, and when. The board chair needs to be in the loop immediately to begin the governance response in parallel with the operational and financial response. Most nonprofit bylaws require board notification of significant financial incidents — the timing of this notification is a governance compliance matter, not just an internal communication preference.
Do not use potentially compromised systems
If the fraud was preceded by suspicious emails, unknown attachments, or any sign of account compromise — phishing links clicked, password reset emails received — treat organizational email and financial systems as potentially compromised. Do not send sensitive information through accounts that may have been accessed by the attacker. Use personal devices and out-of-band channels (personal email, phone calls to verified numbers) for incident communications until IT can confirm system integrity. Notify your IT provider or managed service provider immediately if there is any indication of system access beyond the voice call itself.
Preserve all evidence — nothing gets deleted
Issue an immediate evidence hold to everyone who had any involvement with the fraudulent transaction: finance staff, operations staff, the executive director, and anyone who communicated with the apparent caller. Evidence holds are not about blame — they are about ensuring that the FBI, your bank, and your insurer have the documentation they need to act. Evidence that is deleted — even accidentally, during routine system maintenance — can complicate law enforcement investigations and insurance claims. If your organization uses a cloud-based phone system, contact the provider immediately to preserve call records that may otherwise be overwritten on a rolling retention schedule.
If the fraudulent wire used funds from a restricted grant, the funder must be notified — do not delay this communication beyond 24-48 hours. Most grant agreements contain mandatory reporting clauses that require notification of material financial irregularities. Delayed notification of a funder — particularly a federal agency — can be treated as a compliance violation separate from and in addition to the fraud itself. Review the grant agreement immediately and notify the program officer directly by phone before sending written notice.
How Does the FBI Financial Fraud Kill Chain Apply to Nonprofit Wire Fraud?
The FBI's Financial Fraud Kill Chain (FFKC) is the most powerful fund recovery mechanism available to nonprofit fraud victims — but it is strictly time-gated. For losses of $50,000 or more, the FFKC freezes or recovers funds in 66% of cases when the IC3 report is filed within 24 hours. The mechanism works by contacting the receiving bank through federal channels before the fraudster can withdraw or move the money.
Filing an IC3 report at ic3.gov is the step that activates the FFKC. The report sends an alert through the FBI's network to the financial institution holding the fraudulent wire — triggering an account review and, in qualifying cases, a freeze. The IC3 report is not a substitute for your bank recall request — both must happen in parallel, as quickly as possible. Do not wait to complete a thorough incident report before filing; file with what you have and supplement later.
File at ic3.gov — include nonprofit-specific data
Go to ic3.gov and complete the complaint form. In addition to standard wire fraud fields, include all nonprofit-specific data available: your organization's EIN, the grant number if grant funds were involved, the fund restriction category (restricted vs. unrestricted), the program name the funds were designated for, and any vendor contract number associated with the fraudulent payment. The more specific the filing, the more effectively the FBI can act. Include the receiving bank account number and routing number — this is the key data that activates the FFKC contact to the receiving institution.
Specify the nature of the voice impersonation
In the narrative section of the IC3 report, specify that the fraud involved AI voice cloning — not just a standard social engineering call. Note the name of the person impersonated (executive director, board chair, major donor, grant officer), what was requested, and that the voice was indistinguishable from the real individual's voice. The FBI tracks AI-enabled fraud separately from traditional wire fraud, and this classification affects which investigative resources are assigned to the case.
File a secondary report with the FTC at reportfraud.ftc.gov
The FTC fraud report does not trigger the same recovery mechanism as the IC3 report, but it contributes to the federal fraud tracking database and may be required documentation for regulatory inquiries. File the FTC report after the IC3 report is submitted — the IC3 complaint number should be referenced in the FTC filing. The FTC report takes approximately 15 minutes and creates an official federal record of the incident independent of the FBI filing.
For federal grants: notify the awarding agency under 2 CFR Part 200
If the nonprofit receives federal grants from HHS, USDA, DOJ, NEA, NEH, or any other federal agency, fraud involving those funds triggers notification obligations under 2 CFR § 200.345 — the Uniform Guidance provision for notifications of noncompliance and financial irregularities. Contact the grants management officer at the federal awarding agency directly, by phone, as soon as the IC3 report has been filed. Follow up with written notification within 24 hours. Failure to notify the federal awarding agency can be treated as a compliance violation independent of the fraud itself and can affect the organization's ability to receive future federal funding.
File a local police report for the insurance paper trail
File a report with local law enforcement. Most wire fraud cases are ultimately handled at the federal level, but the local police report creates an official incident number that your insurer will require. Request a case number and a copy of the report for your records. Provide the same core documentation to local police that you provided to the FBI: the wire details, the fraudulent instruction, and the method of impersonation. The local report filing typically takes 30-60 minutes and can be done simultaneously with IC3 and FTC filings by different staff members.
What Funder and IRS Reporting Obligations Does a Nonprofit Have After Wire Fraud?
Wire fraud triggers a cascade of reporting obligations beyond law enforcement filings — obligations to funders, to the IRS, and in some states to the attorney general. These obligations run in parallel to recovery actions and cannot be deferred until the recovery process is resolved. The obligation to notify does not wait for the outcome of the FFKC or bank recall.
The specific obligations triggered depend on the nature of the funds lost — restricted vs. unrestricted, grant vs. donor gift vs. operating revenue — and the jurisdiction in which the organization operates. The starting point is a rapid legal review within the first 24 hours to identify which obligations apply, with what deadlines, and to whom.
Private Foundation Funders
Review every active grant agreement immediately. Most foundation grant agreements contain a clause requiring the grantee to notify the funder of any material financial irregularity affecting grant funds. The notification timeline in these clauses varies — some specify 30 days, some specify "promptly," and some specify "immediately." In practice, notifying the program officer by phone within 24-48 hours of confirming the loss, followed by written notice within 72 hours, satisfies the promptness standard in virtually all foundation grant agreements and demonstrates good faith. Do not wait for legal review to complete before making initial contact — call the program officer, explain what happened, and confirm you are taking immediate action including law enforcement filing.
Government Grants: 2 CFR § 200.345
For nonprofits receiving federal grants, the Uniform Guidance at 2 CFR § 200.345 requires organizations to promptly notify the federal awarding agency of any circumstances that may adversely affect their ability to comply with the terms of the award — including fraud involving federal funds. This is a regulatory obligation, not a voluntary disclosure. Contact the grants management officer at the relevant federal agency (HHS, USDA, DOJ, NEA, NEH, or other) within 24 hours of confirming the loss, by phone, with written follow-up. Include the IC3 complaint number in the written notice. Noncompliance with 2 CFR § 200.345 is a separate compliance violation from the fraud and can affect eligibility for future federal awards.
IRS Form 990: Part VI and Schedule O
IRS Form 990 Part VI, Section B, Question 5 asks whether the organization became aware of a significant diversion of assets during the year. Wire fraud losses meet the IRS definition of a significant diversion if they are material — generally $250,000 or 5% of total assets, whichever is less. The disclosure is made on Schedule O and must describe the nature of the diversion, the amount, and what the organization did in response. A well-drafted Schedule O disclosure that documents prompt reporting, recovery efforts, and corrective controls demonstrates organizational integrity to the IRS. A missing or materially incomplete disclosure is a much more serious problem than the fraud itself from a regulatory standpoint.
State Attorney General Charity Registration
Several states — including California, New York, Florida, and others with active nonprofit oversight programs — require charities to notify the state attorney general's office of significant fraud losses. The threshold and notification requirements vary by state. Your legal counsel should advise on whether your state has this requirement and within what timeframe. California nonprofits registered with the Registry of Charitable Trusts should contact the Registry proactively if the loss is material. New York nonprofits should review their CHAR500 filing obligations in light of the incident.
Donor Notification for Misdirected Restricted Gifts
If the funds lost were donor-restricted gifts — contributions the donor designated for a specific program or purpose — and those funds were fraudulently misdirected, the organization has both an ethical and potentially legal obligation to notify the affected donors. Donor notification requires legal counsel review before it goes out. The notification must be accurate, must not speculate about attacker identity or method, must clearly communicate what the organization is doing to address the situation and recover the funds, and must describe the corrective controls being implemented. Do not issue a mass donor notification — work with counsel to identify which donors are specifically affected and notify them individually.
Failing to disclose a material financial fraud on Form 990 can trigger IRS penalties and jeopardize 501(c)(3) status — consult a CPA or tax attorney before filing. The IRS treats omission of a material financial event as a more serious compliance failure than the event itself. Organizations that disclose transparently, document their response, and demonstrate corrective action are in a significantly better regulatory position than those that minimize or omit material incidents from their 990 filing.
What Insurance Claims Should a Nonprofit File After Wire Fraud?
Most nonprofits carry at least one insurance policy with coverage relevant to wire fraud losses — but many organizations do not know which coverage applies, what the sublimits are, or what documentation is required to file a qualifying claim. Notify all potentially applicable carriers within 24-72 hours of the incident. Delayed notification is one of the most common reasons nonprofit fraud claims are denied.
Nonprofit insurance coverage for fraud differs from commercial coverage in several important ways: sublimits are typically lower, social engineering endorsements are less standard, and coverage for grant fund losses requires specific policy language. Review all active policies with your insurance broker immediately after the incident and before filing claims — the broker can advise on which policies apply and coordinate notification to avoid inadvertent waiver of coverage.
Directors and Officers (D&O) Insurance
D&O coverage responds when board members or officers face claims alleging that a governance failure — inadequate financial controls, failure to implement adequate oversight — contributed to the fraud loss. If a donor, grantor, or other stakeholder later claims that board negligence enabled the fraud, D&O coverage provides defense costs and potential indemnity. Notify the D&O carrier immediately after the incident — before any board communications, press statements, or donor notifications go out. The D&O carrier will likely require review of any public communications before they are issued. Nonprofit D&O carriers with strong track records include Chubb, Markel, and Travelers.
Crime / Fidelity Bond
Crime or fidelity bond coverage is specifically designed for fraudulent funds transfer losses. Most nonprofit crime bonds provide coverage for "computer fraud" and "funds transfer fraud" — but the sublimits are often significantly lower than commercial equivalents, typically ranging from $25,000 to $100,000 for smaller nonprofits. Review your bond's sublimit for funds transfer fraud specifically, as it is frequently separate from and lower than the overall bond limit. The claim documentation required includes the IC3 complaint number, the bank case number, the police report number, a copy of the board resolution or authorization documentation for the fraudulent payment, and the grant agreement if grant funds were involved.
Cyber Liability with Social Engineering Endorsement
Standard cyber liability policies do not always cover social engineering fraud — including voice clone attacks — without a specific endorsement. Review your cyber policy's social engineering endorsement language before filing a claim. Some policies cover "computer fraud" but exclude "social engineering" unless the endorsement explicitly applies. If your policy includes a social engineering endorsement, notify the cyber carrier immediately alongside the crime insurer — the two carriers will need to coordinate on coverage allocation if both policies apply to the same loss. Document the AI voice cloning method explicitly in the claim filing, as this may affect which coverage provisions apply.
Business Interruption Insurance
If the wire fraud incident disrupted programs, delayed grant disbursements, or required significant staff time that diverted resources from program operations, business interruption coverage may apply. Document all operational disruption: staff hours diverted to incident response, programs delayed or suspended, grant deliverables affected. Business interruption coverage for nonprofits is less common and typically requires specific policy language — review with your broker before filing.
Nonprofit-Specific Carriers
Several insurance carriers specialize in nonprofit coverage and have claims teams with experience handling fraud incidents in the nonprofit sector: Philadelphia Insurance Companies (PHLY), Nonprofits Insurance Alliance (NIA), and GuideOne. If your organization is insured through one of these carriers, their claims teams will be familiar with the specific documentation requirements for nonprofit fraud claims, including grant fund loss documentation and Form 990 disclosure coordination.
How Should a Nonprofit Prevent Wire Fraud After an Incident?
The period immediately following a wire fraud incident — when leadership attention is focused and the board is engaged — is the highest-probability window for implementing controls that were absent before. These five controls, implemented and enforced consistently, block the overwhelming majority of AI voice clone wire fraud attempts before they can result in a transfer.
Prevention is not solely a technology question. The controls that matter most are policy-level — dual authorization requirements, callback verification protocols, and written confirmation rules — that eliminate the single-person, single-call authorization pathway that fraudsters exploit. Technology like Vicall adds a detection layer that flags synthetic voices before the conversation reaches a financial request. Both layers are necessary.
Board policy requiring dual authorization above a threshold
Adopt a board-level financial policy requiring dual authorization — two separate individuals, contacted through independent channels — for any wire transfer or grant disbursement above a defined threshold. The suggested threshold is 10% of annual operating budget or $10,000, whichever is lower. This policy must be adopted formally by the board, documented in board minutes, and implemented in writing with finance staff — it cannot be a verbal understanding. The dual authorization requirement cannot be waived for urgency; if a request cannot wait for dual authorization, that urgency itself is a red flag. This single control eliminates the most common attack vector: a single finance staff member authorizing a wire based solely on a phone call from a seemingly trusted voice.
Verbal passphrase plus written callback for any vendor bank account change
Establish a pre-agreed verbal passphrase with every vendor, contractor, and financial counterparty with whom the organization regularly transacts. This passphrase is agreed upon in person or through a previously verified secure channel — never by email or phone. Any call requesting a change to bank account information or payment instructions must supply the passphrase before any action is taken. After the passphrase is supplied, a written callback procedure must be completed: the finance staff member hangs up, independently locates the vendor's verified phone number from the organization's records (not from the inbound call), calls that number, and verbally confirms the change before processing it. A voice clone attacker cannot supply a passphrase that was never spoken on a recorded or accessible channel — and cannot intercept a callback to a verified number.
No-action-on-inbound-call policy for payment redirects
Adopt a formal written policy: no payment redirect, vendor account change, or new payee setup is ever processed based solely on an inbound phone call — regardless of who the caller claims to be, how urgent the request is, or how convincing the voice sounds. Any inbound call requesting a payment action initiates a verification process — the staff member takes the request, ends the call, and independently verifies the request through a known, verified channel before taking any action. This policy applies without exception to calls that claim to come from the executive director, board chair, auditors, bank representatives, or any other authority. Post this policy in the finance operations area. Train every staff member with any payment authority on it explicitly.
Deploy Vicall to detect AI-cloned voices on organizational phone lines
Vicall's on-device synthetic voice detection identifies AI-generated audio in under one second, delivering a REAL VOICE or SYNTHETIC DETECTED verdict before the conversation can proceed to a financial request. Deploy Vicall on the phones of every staff member who can authorize or initiate financial transactions — starting with the executive director, the finance director, and the development director. A SYNTHETIC DETECTED verdict ends the call immediately, regardless of how convincing the cloned voice sounds. Vicall operates on-device with no cloud dependency, which means it works reliably on mobile phones even in environments with intermittent connectivity — and the verdict is displayed before the caller can make a financial request. For organizations that have already experienced a voice clone attack, Vicall is the fastest single control to deploy. Learn more at vicallapp.com/voice-clone-fraud.html.
Annual vishing training for executive staff and finance committee members
Voice clone fraud is now a material financial risk for nonprofits — it belongs in annual training alongside financial controls, conflict of interest policies, and whistleblower protections. Annual training should cover: what AI voice cloning is and how convincing it sounds, the specific attack vectors targeting nonprofit organizations (ED impersonation, donor impersonation, grant officer impersonation), the verification protocols staff must follow for any payment request, and what to do if a suspicious call is received. Training should include live simulations — calls where a trainer attempts a social engineering attack to test whether staff follow protocol. Board members on the finance committee should receive this training alongside staff. Document all training completions for governance and regulatory purposes.
Frequently Asked Questions
Recovery is possible and most likely within the first 72 hours. The FBI's Financial Fraud Kill Chain (FFKC), activated through an IC3 report at ic3.gov, freezes or recovers funds in approximately 66% of cases over $50,000 when reported within 24 hours. The mechanism works by contacting the receiving bank before funds are withdrawn or moved offshore. Separately, your sending bank can initiate a wire recall — the earlier this call is made, the higher the probability of recovery. For restricted grant funds that were lost, the funder may have repayment or program continuity obligations. Cyber liability insurance with a social engineering endorsement may cover losses not recovered through the FFKC or bank recall. Recovery probability drops sharply after 72 hours — file the IC3 report and call the bank before any other step.
Individual board members generally are not personally liable for wire fraud losses when the business judgment rule applies — meaning the board acted in good faith, with appropriate due diligence, and in what it reasonably believed to be the organization's best interest. However, if a board member had direct oversight responsibility for failed financial controls, or if the board is found to have been grossly negligent in governance, personal exposure can increase. Directors and officers (D&O) insurance covers defense costs and liability arising from claims alleging governance failure. Board members should notify their D&O insurer immediately after a material fraud incident and should not make any public statements about the incident without legal counsel review. The best protection against personal liability is a documented governance response: prompt notification, board minutes recording the incident and the response, and evidence that corrective controls were implemented.
Yes, in most cases involving material losses. IRS Form 990 Part VI, Section B asks whether the organization became aware of a significant diversion of assets during the year. The IRS defines a significant diversion broadly — including unauthorized transfers resulting from fraud. The general materiality threshold is $250,000 or 5% of total assets, whichever is less, but the specific disclosure obligation depends on the facts of the incident. Disclosure is made on Schedule O, and must describe the nature of the diversion, the amount, and the organization's response. Failing to disclose a material financial fraud on Form 990 can trigger IRS penalties and, in serious cases, threaten 501(c)(3) status. Consult a CPA or tax attorney before filing the 990 following a fraud incident. Proactive, accurate disclosure is far less damaging than a failure to disclose that is later discovered.
Grant funds lost to wire fraud create immediate notification and potential repayment obligations. For private foundation grants, the grant agreement typically requires notification of material financial irregularities — most agreements require this within 30 days, and many require it promptly or immediately. For federal grants (HHS, USDA, DOJ, NEA, NEH), 2 CFR § 200.345 requires notification to the federal awarding agency of any fraud involving federal funds. In some cases, the funder may require repayment of lost restricted funds from unrestricted operating reserves, or may suspend or close out the grant. The organization should contact the program officer at the funding agency as soon as the incident is confirmed — before the funder hears about it through other channels. Some funders will work with grantees to modify grant terms, extend deadlines, or allow unrestricted funds to cover the gap while recovery efforts proceed.
Wire fraud targeting nonprofits is significantly more common than most organizations realize. The Association of Certified Fraud Examiners (ACFE) 2024 Report to the Nations found that nonprofit organizations experience fraud at a median loss of $76,000 per incident — higher than many for-profit sectors. The Association of Fundraising Professionals (AFP) has documented a sharp increase in voice-based impersonation fraud targeting development and finance staff specifically, driven by the rise of AI voice cloning tools. Nonprofits are attractive targets because they often have smaller finance teams, less robust internal controls, and a culture of trust that attackers exploit. AI voice cloning has lowered the technical barrier for impersonating executive directors and major donors to near zero — a convincing clone can be created from publicly available audio in under 30 seconds using freely available tools.