Wire fraud targeting small businesses has reached record levels, driven in large part by the explosion of AI voice-cloning tools that let attackers impersonate owners, CFOs, and trusted vendors with near-perfect fidelity. Unlike phishing emails — which most employees are trained to scrutinize — a call in the boss's voice creates an entirely different psychological dynamic. Employees act fast, because that is exactly what they have been trained to do when an authority figure calls with an urgent request. By the time anyone realizes the voice was synthetic, the wire has cleared. This guide covers every step a small business must take in the first 72 hours to maximize recovery, fulfill reporting obligations, and close the gaps that made the attack possible. For a broader overview of how these attacks are constructed, see the small business voice clone fraud overview or the voice clone attack response guide.
What Should a Small Business Do in the First Hour After a Wire Transfer Fraud?
The first sixty minutes after discovering a fraudulent wire transfer are the highest-leverage period in the entire recovery process. A wire that has not yet been released by the receiving bank can sometimes still be recalled. Every call you make, every record you capture, and every action you avoid in this window directly determines your recovery options for the next 72 hours and beyond.
Call your bank's wire fraud line and request a freeze or recall immediately.
Do not call the branch — call the bank's dedicated wire fraud or wire operations desk. Provide the wire amount, the receiving bank's ABA routing number and account number, the exact date and time the wire was sent, and the name of any internal employee who authorized it. Explicitly request a wire recall and ask the fraud officer whether the wire has settled at the receiving institution or is still in a pending state. Obtain a bank fraud case number before ending the call — you will need this for your IC3 filing, your police report, and every insurance claim that follows.
Switch to a personal device — do not use potentially compromised business email or phones.
If the fraud was facilitated by a compromised business email account, the attacker may still have visibility into your communications. Use a personal phone and personal email for all fraud-response calls and messages until your IT security posture has been assessed. Alert the business owner and principals via personal phone or in person — not through any system that may have been part of the attack chain. This is especially important if the initial fraudulent wire request arrived via email.
Screenshot and print all wire confirmation records and related communications.
Before anything else changes — before passwords are reset, before inboxes are cleaned, before any IT work begins — capture every record associated with the fraudulent transaction. This includes the wire confirmation from your bank, any emails authorizing or discussing the transfer, the voicemail or call log entry if the request came by phone, and any bank portal screenshots showing the transaction in your account history. Print physical copies and save digital copies in a location you control independently of your business systems.
Alert the business owner and all principals — then freeze further transactions.
Contact the business owner, CFO, and every employee with payment authority or banking access. Brief them factually: a fraudulent wire was sent, law enforcement is being notified, and no further payments, wires, or banking changes should be made until further notice. If a second wire request comes in during this window — from the same supposed source — treat it as a follow-on attack and do not act on it. Attackers frequently send a second request while the business is distracted by the first.
Do not contact the receiving account — under any circumstances.
It may be tempting to call the bank account where your funds landed and demand the money back. Do not do this. The receiving account is either controlled by the attacker or is a money mule account operated by someone who will not cooperate and who may move funds immediately if alerted. Contacting the receiving account can also complicate law enforcement's ability to use that account as part of an active investigation. Let your bank's fraud desk and the FBI handle all contact with the receiving institution.
Do not delete voicemails, emails, or call recordings — these are required by law enforcement and insurance. Destroying evidence — even unintentionally during routine IT maintenance or password resets — can eliminate your ability to file a successful insurance claim and may impair the FBI's ability to pursue the case. Preserve everything first. Remediation comes after evidence is secured.
How Do You File an FBI IC3 Report as a Small Business Wire Fraud Victim?
Filing at ic3.gov is the single most important action a small business can take after a wire fraud event. It is the only mechanism that triggers the FBI's Financial Fraud Kill Chain — a federal rapid-response program that can freeze fraudulent funds in transit. The FTC report is a required secondary filing that feeds into a different enforcement network. Both must be filed; neither substitutes for the other.
Gather this information before you open the IC3 form
The IC3 form requires specific financial details that you will need to have in front of you. Pull together: the exact dollar amount of the wire, the destination bank's ABA routing number and SWIFT code (if international), the receiving account number, the exact date and time the wire was initiated and sent, the full name and title of the person who authorized the wire internally, the name of the person or entity that made the fraudulent request, the phone number or email address used to make the request, and the bank fraud case number you obtained from your sending bank. Submitting an incomplete IC3 complaint slows FFKC activation — have all of this ready before you begin.
Go to ic3.gov and select "File a Complaint."
Navigate to ic3.gov on a secure, uncompromised device. Select the option to file a new complaint. You will be asked to categorize the fraud — select "Business Email Compromise" or "Wire Fraud" as the primary category. If the fraud involved a voice-cloned caller, note this explicitly in the narrative section of the form.
Enter all wire details with complete precision.
Enter the wire amount, destination bank name, ABA and SWIFT codes, receiving account number, and the date and time of the transfer. Accuracy here is critical — the FFKC protocol works by contacting the receiving financial institution, and incorrect account details mean the freeze request goes to the wrong place. Double-check all numbers against your bank's wire confirmation before submitting.
Describe the attack method in detail — including voice cloning if applicable.
Use the narrative section to describe exactly how the fraud occurred: who was impersonated, how the request was delivered (phone call, voicemail, email, or combination), what urgency framing was used, and what action was taken as a result. If a voice-cloned call was used, state this explicitly — the FBI tracks AI-assisted fraud separately and this detail affects how the case is prioritized and investigated.
Submit and record your IC3 complaint number immediately.
After submitting, you will receive an IC3 complaint number. Write it down, screenshot it, and save it in multiple places. This number is your reference for every subsequent step: calling the FBI field office, filing with the FTC, filing your police report, and opening your insurance claim. Without the IC3 number, you cannot request FFKC activation by phone.
Call your nearest FBI field office and request FFKC activation.
After filing at ic3.gov, call your nearest FBI field office — not a tip line, but the main field office number — and tell them you have filed an IC3 complaint for wire fraud and are requesting Financial Fraud Kill Chain activation. Provide your IC3 complaint number. FFKC is available for wires of $50,000 or more reported within 72 hours of the fraudulent transfer. If your wire is under $50,000 or outside the 72-hour window, the FBI will still take your complaint but the FFKC mechanism will not apply.
After completing the IC3 filing and FBI call, file a secondary report with the FTC at reportfraud.ftc.gov. The FTC report feeds the Consumer Sentinel Network — a law enforcement database used by hundreds of agencies at the state and federal level. It does not trigger the FFKC, but it builds the enforcement record that supports future prosecutions and helps identify attack patterns targeting similar businesses. IC3 activates the financial response; FTC builds the investigative record. File both.
What Financial Exposure Does a Small Business Face After Wire Fraud?
The immediate loss — the wire amount — is only the first layer of financial exposure a small business faces after a wire fraud event. Cash flow disruption, downstream vendor and payroll obligations, potential liability to third parties whose funds were misdirected, and credit implications can compound the initial loss significantly over the weeks that follow.
The unrecovered wire amount
The wire itself is the most visible loss, but recovery is probabilistic, not guaranteed. Even with FFKC activation, 34% of qualifying cases result in no recovery. For wires below $50,000 or reported outside the 72-hour window, the unrecovered amount should be treated as a total loss for cash flow planning purposes while recovery efforts proceed. Do not count on recovery funds to cover operational expenses during the response period.
Secondary vendor and payroll disruptions
If the fraudulent wire was large enough to affect your operating account balance, you may face secondary disruptions — outstanding vendor payments that cannot clear, payroll that must be funded from a line of credit or reserve account, or vendor relationships damaged by delayed payment. Communicate proactively with any vendor or payroll processor that may be affected. Most will accommodate a brief delay with advance notice; none will be accommodating if a payment simply fails without explanation.
Potential third-party liability if client funds were misdirected
If your business holds client funds in trust, escrow, or any fiduciary capacity — and those funds were part of the fraudulent wire — your exposure extends beyond your own loss to a potential liability claim from the client whose money was taken. This is a materially different legal situation from a business losing its own operating funds. The client may have a breach of fiduciary duty claim regardless of the criminal nature of the fraud.
If client funds were wired out of a trust or escrow account, you may have a fiduciary liability exposure — consult an attorney before communicating with the client. Do not make representations about recovering the money, do not speculate about timelines, and do not admit liability in any oral or written communication until you have legal guidance. What you say in the first hours can create or eliminate coverage under a professional liability or errors and omissions policy.
Credit line and banking relationship implications
A significant wire fraud event may affect your business banking relationship. Some banks place fraud holds on accounts pending investigation, which can temporarily block access to credit lines, ACH origination, or other banking services. If your operating account is frozen as part of the bank's fraud investigation, you will need access to a backup funding source — a personal account, a secondary business account at a different institution, or a pre-arranged emergency credit facility. Identify this before you need it.
SBA emergency loan and resource options
The Small Business Administration provides disaster loan programs and fraud resources that may be available to wire fraud victims depending on circumstances. If the attack has created a genuine working capital crisis — disrupted payroll, inability to fulfill contracts, or vendor obligations that cannot be met — contact your SBA district office to discuss emergency loan eligibility. SBA Economic Injury Disaster Loans (EIDL) have historically been available for certain fraud-related disruptions. If you have an existing SBA-backed loan or line of credit, notify your SBA lender of the fraud event — failure to report a material change in your business's financial condition may have loan covenant implications.
What Insurance Claims Should a Small Business File After Wire Fraud?
Wire fraud is an insurable event — but only if you carry the right coverage, notify your carrier promptly, and provide complete documentation. Many small businesses discover after an attack that their standard Business Owners Policy does not cover wire fraud without specific endorsements. Understanding which policies apply and what they require is critical to maximizing your insurance recovery.
Business crime / fidelity bond — fraudulent funds transfer rider
A business crime policy or fidelity bond with a fraudulent funds transfer (FFT) rider is the most direct coverage for wire fraud losses. This coverage is specifically designed for situations where an employee was deceived into transferring funds to a fraudulent account. To file a claim, your insurer will typically require: a completed proof of loss form, your IC3 complaint number, your bank's fraud case number, a local police report, a complete internal incident timeline from first contact to discovery, and copies of all wire confirmation and communication records. Sublimit coverage on small business crime policies commonly ranges from $25,000 to $250,000 — check your declarations page for the specific FFT sublimit, which is often lower than the policy's overall crime coverage limit.
Cyber liability with social engineering / funds transfer fraud endorsement
A standalone cyber liability policy with a social engineering endorsement — sometimes called a "funds transfer fraud" or "fraudulent instruction" endorsement — covers losses caused by deception, including voice-clone-assisted wire fraud. This is the coverage most directly applicable when the attack involved AI-generated voice impersonation. Social engineering sublimits on small business cyber policies are commonly $25,000 to $100,000, and some policies exclude losses above a specific per-occurrence threshold. Notify your cyber carrier the same day you notify your crime/fidelity carrier — some policies have coordination-of-benefits provisions that affect how multiple policies interact on the same claim.
Business interruption coverage
If the wire fraud event caused a material disruption to your business operations — inability to fulfill client work, suspended service delivery, or staff time redirected to fraud response — your business interruption coverage may apply. Document all operational disruption, including staff hours spent on fraud response, client engagements delayed or cancelled, and revenue lost during the response period. Business interruption claims require contemporaneous records; reconstruct these as soon as possible if you did not capture them in real time.
Common small business carriers with applicable coverage
Carriers that commonly write small business crime, cyber, and social engineering coverage include Chubb (CrimeShield and Cyber Enterprise Risk Management), Travelers (CrimeGuard and CyberRisk), and Hiscox (Business Crime and CyberClear). Coverage terms, sublimits, and endorsement availability vary significantly by carrier, policy version, and state. The specific coverage you have depends on your policy documents — read the crime and cyber endorsement pages of your policy before assuming coverage applies.
Documentation checklist for all insurance claims
Every wire fraud insurance claim — crime, cyber, or business interruption — will require the following documentation regardless of carrier: your IC3 complaint number and confirmation, your bank's fraud case number, a local police report and report number, a complete chronological incident timeline (first contact → wire authorization → wire sent → discovery → first response actions), copies of all fraudulent communications (emails, voicemails, wire confirmations), and a written explanation of the authorization chain — who approved the wire, on whose authority, and based on what representation. Prepare this documentation package as soon as your immediate response actions are complete and provide it to all carriers simultaneously.
How Can a Small Business Prevent Wire Fraud After an Attack?
The controls that prevent wire fraud and voice-clone-assisted financial attacks require no enterprise IT infrastructure, no dedicated security team, and minimal ongoing cost. Every control below can be implemented by any small business within one week. Begin with the passphrase at the same meeting where you brief employees — give them a concrete new procedure to follow, not just a warning about future risk.
Establish a verbal passphrase required for any wire or ACH approval.
Set a random, nonsensical passphrase — something like "blue anchor Thursday" — in person with every employee who has payment authority. No wire transfer, no banking change, and no ACH instruction gets processed unless the caller supplies this exact phrase. Because it is never stored digitally or shared over any electronic channel, no data breach, no AI system, and no social engineering attack can expose it. The passphrase is re-established in person on a quarterly basis and changed immediately if any employee with knowledge leaves the company.
Require two-person authorization for all transfers above a threshold (e.g., $5,000).
Set a dollar threshold above which no single employee can authorize a wire or ACH transfer alone. Two separate employees — one to initiate, one to approve — must both independently confirm the legitimacy of the request before any funds move. For small businesses where the owner typically acts alone on payment decisions, the second person can be a trusted advisor, accountant, or business partner. The threshold should be low enough to catch the most common attack amounts — the median BEC wire for small businesses is well above $5,000 but well below $500,000.
Enforce a no-action-on-inbound-call policy for any payment change request.
Establish a firm, documented policy: no payment instruction, vendor banking detail change, or wire request received on any inbound call — regardless of caller ID, regardless of how familiar the voice sounds, regardless of stated urgency — is acted upon without an independent callback to a verified number from company records. The employee takes note of the request, hangs up, finds the requester's verified number independently, and calls back. Urgency is the primary tool of every wire fraud attack; this policy eliminates its effectiveness entirely.
Deploy Vicall to detect AI-cloned voices on incoming business calls in real time.
Vicall runs on any iOS or Android smartphone and delivers an on-screen verdict — REAL VOICE or SYNTHETIC DETECTED — within one second on any incoming call. It is the only control that operates during the live call itself, before a wire instruction can be completed. Detection runs on-device with no audio transmitted to the cloud. For businesses with analog desk phones, an on-premises Mac mini deployment provides the same detection capability without replacing existing hardware. At $20 per month per line, Vicall costs less than 0.01% of the median small business wire fraud loss. Learn more about how voice clone fraud works and why real-time detection on the call itself is the highest-leverage control available.
Conduct annual phishing and vishing simulation training for all payment-handling staff.
One briefing after an attack is not enough. Attackers adapt their scripts, their impersonation targets, and their delivery methods continuously. Conduct a structured phishing and vishing simulation annually — using a service that tests employees with realistic fake calls and emails, measures who complied with fraudulent requests, and provides targeted remediation training for those who did. Staff who handle payment authority or banking access should be tested at least once per year. The cost of simulation training is a small fraction of the cost of a single successful attack.
Frequently Asked Questions
Yes, but the recovery window is narrow. For domestic wires of $50,000 or more reported to the FBI IC3 within 72 hours, the Financial Fraud Kill Chain achieved a 66% success rate at freezing or recovering funds in 2024. Your sending bank may also be able to recall the wire if the receiving institution has not yet released funds to the account holder — typically a one-to-two business day window after the transfer. International wires are significantly harder: once funds leave a U.S. correspondent bank, recovery depends on foreign financial intelligence treaties and the cooperation of the receiving country's banking regulators, which can take months or may be impossible. For losses under $50,000 or reported outside the 72-hour window, insurance recovery through a business crime or cyber policy becomes the primary path — which is why day-one insurer notification is critical.
According to FBI IC3 data, the median business email compromise and voice-assisted wire fraud loss for small businesses exceeded $125,000 per incident in 2023. The overall BEC category — which includes both email-only and voice-assisted attacks — generated $2.9 billion in reported losses across all business sizes in 2023, making it the highest-dollar cybercrime category in the FBI's annual report. Small businesses account for a disproportionate share of individual incidents because they typically lack the dual-authorization controls, dedicated fraud monitoring, and payment verification procedures that larger enterprises maintain. Many small business losses go unreported entirely, meaning the true median is likely higher than IC3 data reflects.
There is no mandatory federal reporting requirement for most small businesses that experience wire fraud. However, filing with the FBI IC3 at ic3.gov is strongly recommended — it is the only way to trigger the Financial Fraud Kill Chain, which is your best practical chance of recovering funds. Filing with the FTC at reportfraud.ftc.gov is also recommended as a secondary filing that builds the federal enforcement record. Certain regulated industries have additional obligations: financial services firms may have SAR (Suspicious Activity Report) filing requirements, healthcare organizations may have HHS notification obligations if PHI was involved, and some states have their own data breach or fraud notification laws that apply when customer information was part of the incident. If your business holds client funds in a fiduciary capacity and those funds were misdirected, consult an attorney — professional liability and bar/licensing notification requirements may apply depending on your industry.
Recovery timelines vary significantly by method. A bank wire recall initiated within hours of the transfer has the highest probability of success — if the wire is still in a pending state, same-day stops are possible. If the wire has already settled, bank recalls depend on the receiving institution's cooperation and typically take one to three business days to resolve either way. FBI Financial Fraud Kill Chain action, when activated within 72 hours, can freeze funds within days — but completing the full investigation and returning funds to the victim may take weeks to months depending on the complexity of the account chain. Insurance claims under business crime or cyber policies typically take 30 to 90 days to process after a complete documentation package is submitted. Civil litigation against identified perpetrators can take years and may ultimately recover nothing if defendants are located outside U.S. jurisdiction or are judgment-proof.
Coverage depends entirely on which policies you carry and whether they include the specific endorsements applicable to wire fraud. A business crime or fidelity bond with a fraudulent funds transfer rider directly covers wire fraud losses — sublimits commonly range from $25,000 to $250,000 on small business policies. A cyber liability policy with a social engineering or funds transfer fraud endorsement covers losses caused by deception, including voice-clone-assisted attacks — sublimits on these endorsements are commonly $25,000 to $100,000. A standard Business Owners Policy (BOP) without specific crime or cyber endorsements does not cover wire fraud. Regardless of which policies you carry, coverage requires: prompt notification to the carrier (usually within 30 to 60 days of discovery, but check your policy), an IC3 complaint number, a local police report, and a complete documentation package. Late notice is the most common reason wire fraud insurance claims are denied — notify your carrier on day one, even before you know the full scope of the loss.
Know If the Voice on the Call
Is Real Before You Act.
Vicall detects AI-cloned voices in under one second — on-device, no cloud, any phone. Find out your organization's exposure before the next call comes in.
Take the Voice Clone Risk Quiz →Related Resources
More on phone-based social engineering, voice fraud, prevention, and protection for your organization.