BEC wire-fraud recovery: a 96-hour playbook
By Incident Response · October 28, 2025 · 2 min read
Business Email Compromise is the most expensive cybercrime in America by total dollar volume — larger than ransomware — and its recovery rate is the single biggest variable in the financial impact. The window is short, and what you do in the first 96 hours matters more than anything you will do in the next 96 days.
Hour 0–4: the only four phone calls that matter
- Your bank’s wire-recall desk. Not the local branch. The wire-recall desk. Insist on an indemnification hold being placed on the receiving account today.
- The receiving bank. If the sending bank drags, call the receiving bank yourself. They will usually freeze on a credible fraud claim.
- FBI IC3 (ic3.gov) and your local FBI field office. IC3 routes into the FBI’s Financial Fraud Kill Chain ("FFKC"); the field office can escalate faster for domestic wires under $50k and for international wires at any amount.
- Your insurance carrier. Social-engineering coverage has strict notification clocks. Miss them and you lose the argument before you make it.
Hour 4–24: preserve before you remediate
- Preserve mailbox audit logs from Microsoft 365 / Google Workspace before you change passwords (which rotates session tokens and masks prior activity).
- Export inbox rules and message traces for the 90 days preceding the fraud. The threat actor almost always built forwarding or hiding rules.
- Snapshot the device used to send the final authorization email. In BEC, the internal social-engineering victim is almost never the original compromised account.
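An added example, not part of the original post, of the triage pass that follows the preservation step: a Python script that reads exported Unified Audit Log rows and flags the forwarding and hiding rules and the legacy IMAP/POP logins described above. The AuditData field names (Operation, Parameters, ClientInfoString), the tenant domain example.com and every record are assumptions constructed for illustration.

```python
import json

INTERNAL_DOMAINS = {"example.com"}  # assumed tenant domain (constructed)
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email", "deleted items"}
LEGACY_CLIENTS = ("Client=POP3/IMAP4", "Protocol=IMAP4", "Protocol=POP3")

# Constructed sample export: one AuditData JSON document per row, all values invented.
SAMPLE_EXPORT = [
    json.dumps({"CreationTime": "2025-10-01T03:12:44", "Operation": "New-InboxRule",
                "UserId": "ap@example.com", "ClientIP": "203.0.113.7", "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-10-02T09:30:00", "Operation": "Set-InboxRule",
                "UserId": "ap@example.com", "ClientIP": "198.51.100.4", "Parameters": [
                    {"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "wire;invoice"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}),
    json.dumps({"CreationTime": "2025-09-28T22:05:10", "Operation": "MailboxLogin",
                "UserId": "ap@example.com", "ClientIP": "203.0.113.7",
                "ClientInfoString": "Client=POP3/IMAP4;Protocol=IMAP4"}),
]

def is_external(addresses):
    # ';'-separated SMTP addresses; any recipient outside the tenant counts as external
    return any(a.strip().rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
               for a in addresses.split(";") if a.strip())

def rule_findings(rec):
    """Explain why an inbox-rule change looks like exfiltration or hiding."""
    params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
    out = [f"forwards to external address via {n}" for n in FORWARD_PARAMS
           if n in params and is_external(params[n])]
    if params.get("DeleteMessage", "").lower() == "true":
        out.append("deletes matching mail")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        out.append(f"hides mail in '{params['MoveToFolder']}'")
    return out

def triage(rows):
    """Return (time, user, client_ip, finding) tuples, oldest first."""
    hits = []
    for rec in map(json.loads, rows):
        key = (rec["CreationTime"], rec["UserId"], rec.get("ClientIP", ""))
        if rec["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            hits += [key + (f,) for f in rule_findings(rec)]
        elif rec["Operation"] == "MailboxLogin" and any(
                c in rec.get("ClientInfoString", "") for c in LEGACY_CLIENTS):
            hits.append(key + ("legacy IMAP/POP login",))
    return sorted(hits)
```

The sorted output doubles as the first draft of the forensic timeline: each hit carries the timestamp, mailbox and client IP the carrier and counsel will ask for.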
Hour 24–96: the narrative
Your carrier will ask for a root-cause timeline with evidence. Your counsel will ask for the facts in a form that can become a complaint. The FBI will ask for exhibits suitable for a Mutual Legal Assistance Treaty request. One forensic timeline satisfies all three.
What we find most often
- Legacy IMAP / POP still allowed on an otherwise MFA-protected tenant.
- Shared mailbox without licensing — often a finance distribution list.
- Token-theft malware on a single endpoint rather than a classic phish.
- A single third party (vendor, law firm, real-estate escrow) that routinely emails invoices and whose domain has been spoofed.
The good news: when these are documented clearly in the first four days, insurance recoveries and even bank reversals are far more likely than the industry averages suggest.
Call the hotline if you are mid-incident: (617) 848-5962.