Wire-Fraud Recovery — First 72 Hours

If you're reading this in the middle of a live incident, skip to the steps below and start making calls — then come back. Wire fraud recovery is a race, and the gap between “reported in the first hour” and “reported next morning” is often the gap between getting the money back and not.

The reason speed matters so much: once funds land in the fraudster's receiving account, they're moved onward — split, withdrawn, or sent abroad — usually within hours to a couple of days. After that, recovery becomes very difficult. Everything below is built around acting before that happens.

The 72-Hour Recovery Playbook

Why the Bank Call Comes Before Everything

The single highest-value action is the immediate recall requestto your bank, asking them to reach the receiving bank and freeze the funds. Banks can sometimes claw back a transfer that hasn't yet been withdrawn — but only if they're told fast. Make this call before you investigate how it happened, before you draft an email to the parties, before anything else.

The IC3 Recovery Asset Team — Your Federal Backstop

Right after the bank, file a complaint with the FBI's Internet Crime Complaint Center at ic3.gov. The FBI's Recovery Asset Team works directly with financial institutions and can trigger the Financial Fraud Kill Chain to freeze fraudulently transferred funds — but it depends on a fast, detailed report. The FBI emphasises reporting quickly, ideally within about 72 hours, for the best chance of recovery. Have your amounts, account numbers, dates, and the fraudulent instructions ready.

Don't Forget: This Is Also a Breach

Closing wire fraud almost always begins with a compromised or spoofed email account. That means it's not only a financial loss — it's a security incident. Reset the affected credentials, kill active sessions, and hunt for the forwarding rules attackers use to watch a thread. If non-public personal information was exposed, you may have breach-notification duties too. The general containment steps are in our first-24-hours incident-response guide.

Then Make Sure It Never Happens Again

Recovery is the backstop. The fix is prevention: out-of-band verification of every wire instruction through a known phone number, MFA on every mailbox, email security that catches account compromise, and staff who are trained to distrust last-minute changes to payment details. The full preventive kill chain is in wire fraud at closing — how the scam works and how to stop it, and the underlying attack pattern in our business email compromise guide.

The Bottom Line

If closing funds were redirected, move now: call your bank for a recall, file with IC3 so the Recovery Asset Team can act, treat the email as a breach, and notify every party and your insurer. Recovery is possible — but it's measured in hours, not days. And once the dust settles, close the door the attacker came through so the next closing isn't the next loss.

See how we help real estate and title firms prevent and respond on the cybersecurity for real estate & titlepage, or if you're in an active incident, our need-help-now page.

This article is general information, not legal or financial advice. Recovery outcomes vary and are not guaranteed; reporting procedures change over time, so confirm current details with your bank, the FBI/IC3, and qualified counsel.