A Business Email Compromise Wire Recall Starts With the Bank Call, Not the Insurance File
A business email compromise wire recall checklist helps small businesses move fast after a fraudulent wire, preserve evidence, notify the bank, and file the right reports.

A fraudulent wire does not start with blame; it starts with a clock, a bank recall request, and a clean evidence file before the trail goes cold.
A business email compromise wire recall should start the moment a fraudulent vendor, payroll, or executive-payment instruction is suspected. The direct answer is to call the sending bank immediately, request a recall or fraud hold, preserve emails and payment records, file an IC3 report, and coordinate legal, insurance, and internal notifications.
The expensive mistake is spending the first hour investigating privately while the money keeps moving. You can build the full incident file after the bank has the recall request and the core payment facts.
The FBI's BEC guidance tells victims to report to IC3 and contact the financial institution immediately so it can contact the institution where the transfer was sent. That makes the first action sequence clear: bank first, evidence in parallel, reporting fast.
The Business Email Compromise Wire Recall Kit gives you the first-hour checklist, bank-call script, evidence log, notification map, and prevention worksheet.
What to capture in the first hour
| Record | What to save | Why it matters |
|---|---|---|
| Payment details | Amount, date, sending account, receiving bank, beneficiary, wire reference, and trace number. | The bank needs exact data to request recall or hold action. |
| Email evidence | Original request, changed bank instructions, headers if available, attachments, and reply chain. | Shows how the instruction was changed or spoofed. |
| Account activity | Login alerts, forwarding rules, mailbox changes, MFA changes, and suspicious sessions. | Helps determine whether compromise is ongoing. |
| Notifications | Bank calls, IC3 filing, police report if advised, insurer, counsel, vendor, and leadership notes. | Prevents missed reporting and duplicated stories. |
The four rules after a suspected BEC wire
The team argues in chat, emails the fraudster again, and waits until the next day to ask the bank what can be done.
The controller calls the bank, requests recall support, saves the evidence, files IC3, and starts a controlled internal incident log.
The bank call script you can copy
We believe business email compromise caused an unauthorized or fraudulent transfer from [business name]. The wire or ACH was sent on [date] for [amount] from account ending [digits] to [recipient or bank if known]. We are requesting immediate recall, hold, or fraud escalation support. Please give us the case number, the exact details you need, and the next deadline for follow-up.
Get the free Emergency Triage Sheet
The first three moves for any business emergency, plus one practical fix in your inbox each week.
No spam. Unsubscribe anytime.
Small business example
A contractor pays a $28,400 supplier invoice after receiving a bank-detail change that appeared to come from the vendor's controller. Twenty minutes later, the real vendor calls about the unpaid invoice. The bookkeeper calls the bank before drafting any internal report, requests recall support, saves the email thread, screenshots the payment, files IC3, and uses a known vendor phone number to confirm no future payment changes will be accepted by email alone.
First-hour checklist
- Call the bank's fraud, wire, or treasury desk and request recall or hold help.
- Save the wire confirmation, trace information, recipient details, and timestamp.
- Preserve the email thread, attachments, headers if available, and mailbox security evidence.
- File an IC3 report and save the complaint number.
- Notify counsel, insurer, leadership, and the real vendor using known contact paths.
- Freeze any pending payment changes until callbacks are complete.
FAQ: should you email the suspected fraudster back?
No. Preserve the email as evidence, but do not continue the thread as if it is a normal vendor conversation. Use known phone numbers or verified contacts already on file, and involve your bank, counsel, insurer, and law enforcement reporting channels as appropriate.
Related payment controls
If the scam began with changed vendor bank details, use the vendor ACH change verification checklist to stop the next attempt.
If the bank later restricts your account after unusual transfers, use the business bank account closure continuity plan.
Free version vs. full kit
This article gives you the free version: the first-hour table, bank call script, evidence checklist, and reporting sequence. The full Business Email Compromise Wire Recall Kit adds the incident log, notification scripts, callback policy, insurance packet, and payment-control reset plan.
View the Business Email Compromise Wire Recall Kit
If this incident exposes several weak payment controls, the All-Access membership covers the full kit library while you are a member.
Fix the next one before it starts.
Join the list for the free Emergency Triage Sheet and a new practical fix every week.
No spam. Unsubscribe anytime.