
What to Do After a BEC Attack: A Step-by-Step 72-Hour Recovery Guide

[May 12, 2026]

Ron


BEC attack recovery is possible — but only if your organization acts within the critical first 72 hours. According to the FBI’s 2025 IC3 Annual Report, business email compromise caused $3,046,598,558 in losses from 24,768 complaints. Speed of response is the single most important factor in maximizing fund recovery after a BEC attack.

CRITICAL: If a wire transfer was just sent to a fraudulent account, skip to “Step-by-Step: The First 4 Hours” below. Every minute matters.

That works out to roughly $123,000 per reported incident. What the figure cannot show is how many of those losses a faster response would have reduced. This guide covers exactly what to do, in the right order, starting now.

How Do You Know If You’ve Been Hit by a BEC Attack?

BEC attacks are often discovered indirectly: a legitimate vendor calls asking why they haven’t been paid, a bank flags an unusual transaction, or an employee notices a reply to an email the executive never sent.

  • A vendor contacts you to say they haven’t received a payment you already processed
  • A real estate closing collapses because funds were wired to the wrong account
  • An executive’s email generates login alerts from foreign IP addresses or unknown devices
  • IT discovers an inbox forwarding rule sending copies of emails to an external address
  • A bank flags an unusual transaction or triggers a callback verification

Can You Recover Money After a BEC Attack?

Yes, recovery is possible — especially within the first 24 to 72 hours. The FBI’s IC3 Recovery Asset Team (RAT) coordinates with financial institutions to freeze fraudulent accounts through the Financial Fraud Kill Chain (FFKC). Speed of response is the single most important factor.

Partial recovery is more common than full recovery, but both happen. Organizations that act within hours have meaningfully better outcomes than those who wait even one day.

Step-by-Step: The First 4 Hours After a BEC Attack

In the first 4 hours: (1) call your bank’s wire fraud department, (2) file an IC3 complaint at ic3.gov, (3) preserve all email evidence without modifying anything, (4) contact a BEC investigation firm. All four steps should happen simultaneously — not one at a time.

Step 1: Call Your Bank’s Wire Fraud Department — Not General Customer Service

Ask for someone in wire fraud or fraud operations with authority to initiate a wire recall. Have ready: the receiving bank’s name and routing number, the fraudulent account number, the exact wire amount, date and time the wire was sent, and your transaction reference number. Request a SWIFT gpi recall for international wires or a Fedwire reversal for domestic. Every minute matters — do this first.

Step 2: File a Complaint at IC3.gov Right Now

The IC3 Recovery Asset Team coordinates with financial institutions through the Financial Fraud Kill Chain to freeze fraudulent accounts — but only when complaints are filed quickly with complete details. Include: wire amount and date, receiving bank and account number, all email addresses involved, and a brief factual narrative of how the fraud occurred.

Step 3: Preserve All Email Evidence — Do Not Touch the Compromised Account

Do not delete any emails. Do not change passwords on a suspected compromised account. Do not modify any email settings or forwarding rules. Changing an account before evidence is preserved destroys the forensic record. Evidence inside Microsoft 365 and Google Workspace — login IP addresses, access timestamps, inbox rules — has retention windows of days for some data types.

Step 4: Contact a BEC Investigation Firm for Emergency Triage

Private investigators can act faster than law enforcement in critical areas: immediate evidence preservation, email header analysis to identify attack infrastructure, financial tracing through banking channels, and coordination with cryptocurrency exchanges if funds have been converted. Rexxfield provides emergency triage for active BEC incidents — rexxfield.com/bec-urgent-next-steps.

Hours 4–24: Evidence Preservation and Containment

Capture Email Server Logs and Account Forensics

In Microsoft 365: capture unified audit logs, mailbox audit logs, Azure AD sign-in logs, and any inbox rules created by the attacker. In Google Workspace: export admin audit logs and login records. Some records have default retention periods of 90 days or less — they must be actively preserved now.
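Once those logs are exported, the first pass is to find the attacker's footprint in them. The script below is an added example, not code from the original article or from Rexxfield: it reads records in the flattened shape of Microsoft 365 unified audit log entries (the sample records, the example.com domain and the 203.0.113.0/24 egress range are constructed assumptions) and flags successful sign-ins from outside known corporate networks, plus inbox rules that forward mail to external addresses, delete matching messages, or filter on finance terms.

```python
import ipaddress

# Constructed records in the shape of Microsoft 365 unified audit log entries after the
# AuditData JSON has been flattened. Illustrative data only; the field names follow the
# common ones (CreationTime, Operation, UserId, ClientIP, Parameters), not a real export.
SAMPLE_AUDIT_RECORDS = [
    {"CreationTime": "2026-05-10T08:12:44", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.14", "ResultStatus": "Success"},
    {"CreationTime": "2026-05-10T23:41:02", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.com", "ClientIP": "198.51.100.77", "ResultStatus": "Success"},
    {"CreationTime": "2026-05-10T23:43:10", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [
         {"Name": "ForwardTo", "Value": "archive.billing@attacker-mail.example"},
         {"Name": "DeleteMessage", "Value": "True"},
         {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"}]},
    {"CreationTime": "2026-05-11T09:05:31", "Operation": "New-InboxRule",
     "UserId": "hr@example.com", "ClientIP": "203.0.113.22",
     "Parameters": [
         {"Name": "MoveToFolder", "Value": "Newsletters"},
         {"Name": "From", "Value": "news@example.com"}]},
]

# Assumed environment facts: the organisation's own mail domains and known egress ranges.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

FORWARDING_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FINANCE_TERMS = {"invoice", "wire", "payment", "bank", "ach", "remittance"}


def is_trusted_ip(ip: str) -> bool:
    """True when the client IP falls inside a known corporate egress range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def rule_findings(record: dict) -> list:
    """Reasons an inbox-rule record looks like attacker persistence (empty list = benign)."""
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    reasons = []
    for action in FORWARDING_ACTIONS:
        target = params.get(action, "")
        if target and _domain(target) not in INTERNAL_DOMAINS:
            reasons.append(f"{action} sends mail to external address {target}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching messages (hides the thread from the mailbox owner)")
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & FINANCE_TERMS:
        reasons.append("rule filters on finance terms: " + ", ".join(sorted(words & FINANCE_TERMS)))
    return reasons


def triage(records: list) -> list:
    """Return one finding per suspicious record, in log order."""
    findings = []
    for rec in records:
        ip = rec.get("ClientIP", "")
        untrusted = bool(ip) and not is_trusted_ip(ip)
        reasons = []
        if rec["Operation"] == "UserLoggedIn":
            if rec.get("ResultStatus") == "Success" and untrusted:
                reasons.append(f"successful sign-in from outside trusted networks ({ip})")
        elif rec["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            reasons = rule_findings(rec)
            if reasons and untrusted:
                reasons.append(f"rule created from untrusted network ({ip})")
        if reasons:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "operation": rec["Operation"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_RECORDS):
        print(finding["time"], finding["user"], finding["operation"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the sample data it reports the late-night sign-in from 198.51.100.77 and the forwarding rule created minutes later from the same address, while the HR user's newsletter rule is left alone. The point of keeping the findings as data rather than printing them is that the same output can go straight into the preservation record and the IC3 narrative.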

Determine: Impersonation or Account Compromise?

Check the actual sending address — not the display name. If account compromise is confirmed, assume the attacker read everything in that inbox for the duration of access — potentially weeks. Review all emails sent from that account over the prior 30 to 90 days.
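That display-name check can be scripted over the preserved messages. The code below is an added example, not the article's or Rexxfield's tooling: it parses a raw message with Python's standard email module, compares the real From address (not the display name) against the organisation's own domain, catches common lookalike substitutions, and notes a mismatched Reply-To and urgency language in the subject. Both sample messages, the example.com domain and the Authentication-Results value are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Our own mail domain (assumed value for this example).
OUR_DOMAIN = "example.com"
URGENCY_TERMS = ("urgent", "asap", "immediately", "before", "today", "confidential")

# Constructed sample 1: the display name is the CEO's, but the real address is on a
# lookalike domain and Reply-To points somewhere else again. Not a real message.
IMPERSONATION_SAMPLE = b"""From: "Dana Lopez, CEO" <dana.lopez@examp1e.com>
Reply-To: dana.lopez.ceo@mail-examp1e.com
To: controller@example.com
Subject: Urgent wire - need this done before 3pm
Date: Mon, 11 May 2026 13:02:11 -0400
Message-ID: <a1b2c3@mail-examp1e.com>

Please process the attached wire today, I am in meetings and cannot talk.
"""

# Constructed sample 2: the address really is ours and DMARC passed, so the question
# shifts from "who spoofed this" to "who was signed in to this mailbox".
COMPROMISE_SAMPLE = b"""Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
From: "Dana Lopez, CEO" <dana.lopez@example.com>
To: controller@example.com
Subject: Updated banking details for vendor payment
Date: Mon, 11 May 2026 13:40:00 -0400
Message-ID: <d4e5f6@example.com>

Please use the new account on the attached remittance form.
"""


def _normalize_label(label: str) -> str:
    """Undo common homoglyph tricks so 'examp1e' and 'exarnple' both read as 'example'."""
    return label.lower().replace("rn", "m").translate(str.maketrans("01357", "olest"))


def is_lookalike(sender_domain: str, our_domain: str) -> bool:
    """True when the sender domain is not ours but normalises to contain our brand label."""
    if sender_domain == our_domain:
        return False
    ours = our_domain.split(".")[0]
    return ours in _normalize_label(sender_domain.split(".")[0])


def classify_sender(raw_message: bytes, our_domain: str = OUR_DOMAIN) -> dict:
    """Decide impersonation vs. possible account compromise from the real From address."""
    msg = email.message_from_bytes(raw_message)  # compat32 policy: header values stay raw strings
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    reply_domain = reply_to.rsplit("@", 1)[-1].lower() if "@" in reply_to else ""
    auth = (msg.get("Authentication-Results") or "").lower()

    flags = []
    if from_domain == our_domain:
        verdict = "internal sender: investigate for account compromise"
        if "dmarc=pass" not in auth:
            flags.append("no dmarc=pass in Authentication-Results; could still be a spoof")
    else:
        verdict = "external impersonation"
        if is_lookalike(from_domain, our_domain):
            flags.append(f"lookalike domain {from_domain} imitates {our_domain}")
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    subject = (msg.get("Subject") or "").lower()
    hits = [t for t in URGENCY_TERMS if t in subject]
    if hits:
        flags.append("urgency language in subject: " + ", ".join(hits))
    return {"display_name": display_name, "from_address": from_addr,
            "from_domain": from_domain, "verdict": verdict, "flags": flags}


if __name__ == "__main__":
    for sample in (IMPERSONATION_SAMPLE, COMPROMISE_SAMPLE):
        result = classify_sender(sample)
        print(result["from_address"], "->", result["verdict"])
        for flag in result["flags"]:
            print("   -", flag)
```

The verdict drives the rest of the response: an external lookalike means the mailbox itself may be clean and the work is on mail filtering and the vendor-verification process, whereas an internal sender with a DMARC pass means the sign-in logs and inbox rules for that account need the full 30 to 90 day review.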

How to Solve a BEC Problem: Long-Term Remediation

Solving a BEC vulnerability requires: DMARC enforcement, dual authorization for wire transfers, mandatory out-of-band verification procedures, employee training that treats urgency as a red flag, and a documented incident response plan.

Technical remediation:

  • DMARC enforcement (p=reject) with valid SPF and DKIM records
  • Multi-factor authentication on all email accounts using phishing-resistant methods
  • Review and revoke any OAuth applications or forwarding rules the attacker may have established
  • Full email address display enabled by default in all email clients
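The first bullet is easy to state and easy to get subtly wrong (p=none, pct below 100, a softfail SPF). The checker below is an added example, not from the article or Rexxfield: it evaluates DMARC, SPF and DKIM TXT values against the enforcement bar the list sets. The record strings are constructed; in practice they come from a DNS lookup of _dmarc.<domain>, the domain's TXT record and <selector>._domainkey.<domain>.

```python
# Constructed DNS TXT values: a weak "before" set and an enforced "after" set.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.mailer.example ~all"
ENFORCED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
ENFORCED_SPF = "v=spf1 mx include:_spf.mailer.example -all"
VALID_DKIM = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A-KEY-MATERIAL-PLACEHOLDER"
REVOKED_DKIM = "v=DKIM1; k=rsa; p="

# Mechanisms and modifiers that cost a DNS lookup under the SPF limit of 10.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_tags(txt: str) -> dict:
    """Split a 'k=v; k=v' record (DMARC and DKIM share this syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> list:
    """Return the ways this DMARC record falls short of full enforcement."""
    tags = parse_tags(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        issues.append(f"policy is p={policy or '(missing)'}; spoofed mail is not rejected")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    sub_policy = tags.get("sp", "").lower()
    if sub_policy and sub_policy != "reject":
        issues.append(f"subdomain policy sp={sub_policy} is weaker than reject")
    if "rua" not in tags:
        issues.append("no rua address; aggregate reports will not be received")
    return issues


def assess_spf(txt: str) -> list:
    """Return the ways this SPF record leaves unlisted senders unchallenged."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    mechanisms = [t.lower() for t in terms[1:]]
    all_term = next((t for t in mechanisms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        issues.append("no 'all' mechanism; unlisted senders are not failed")
    elif all_term in ("all", "+all"):
        issues.append("+all authorises every sender")
    elif all_term == "?all":
        issues.append("?all is neutral and does not fail unlisted senders")
    elif all_term == "~all":
        issues.append("~all is softfail; use -all once DMARC is at p=reject")
    lookups = sum(1 for t in mechanisms
                  if t.lstrip("+-~?").split(":")[0].split("=")[0] in SPF_LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return issues


def assess_dkim(txt: str) -> list:
    """Return issues with a DKIM selector record; an empty p= means the key is revoked."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v= is optional in DKIM records
        return ["not a DKIM record"]
    if not tags.get("p"):
        return ["empty p= tag: key is revoked, signatures will fail"]
    return []


def posture(dmarc: str, spf: str, dkim: str) -> dict:
    """Combine the three checks; 'enforced' is True only when nothing is flagged."""
    report = {"dmarc": assess_dmarc(dmarc), "spf": assess_spf(spf), "dkim": assess_dkim(dkim)}
    report["enforced"] = not any(report[k] for k in ("dmarc", "spf", "dkim"))
    return report


if __name__ == "__main__":
    print("before:", posture(WEAK_DMARC, WEAK_SPF, VALID_DKIM))
    print("after: ", posture(ENFORCED_DMARC, ENFORCED_SPF, VALID_DKIM))
```

Running it shows the weak set failing on p=none and ~all while the enforced set passes clean. The DKIM check is deliberately minimal (key presence only); signature verification of actual messages is a separate step done at the receiving MTA.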

Procedural remediation:

  • Wire transfer policy with mandatory out-of-band verification and dual approval above defined thresholds
  • Vendor banking information change protocol requiring independent verification before any payment update
  • Regular BEC simulation exercises — realistic scenario practice, not just awareness training
  • Documented incident response plan for wire fraud with assigned roles and decision trees

Common Mistakes That Make BEC Recovery Harder

  • Waiting to act: Every hour of delay reduces recovery probability
  • Changing passwords before preserving evidence: Destroys login records investigators need
  • Replying to the attacker: Signals fraud has been discovered, accelerates fund movement
  • Delaying insurance notification: Late notification can affect coverage under most policies
  • Deleting suspicious emails: These are evidence — preserve everything

Frequently Asked Questions

What is the first step after discovering a BEC attack?

Call your bank’s wire fraud department to initiate a wire recall. While that call is in progress, have someone else begin filing the IC3 complaint at ic3.gov. These two actions must happen simultaneously — the recovery window is measured in hours.

Should I call the police after a BEC attack?

Yes, but also file with the FBI IC3. Local police may not have the expertise or jurisdiction for BEC, but a police report creates a documented record supporting insurance claims. The primary federal channel is the FBI through ic3.gov.

What evidence do I need to preserve after a BEC attack?

Preserve: all fraudulent and related emails in native format with full headers, email server audit logs, login records showing IP addresses and timestamps, inbox rules and forwarding configurations, and all financial documentation related to the fraudulent transaction. Document everything preserved with timestamps and custodian information.
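The last sentence, documenting what was preserved with timestamps and custodian, is the part most often skipped under pressure. Below is an added example of a small preservation manifest, not a Rexxfield tool or anything from the original article: it hashes each collected file with SHA-256, records size, UTC collection time, custodian and description, and can later re-verify that nothing changed. The two evidence files, the custodian name and the case identifier are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large mailbox exports need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths: list, custodian: str, case_id: str, descriptions: dict = None) -> dict:
    """Record what was preserved, by whom, when, and its hash, so it can be verified later."""
    descriptions = descriptions or {}
    items = []
    for path in paths:
        items.append({
            "file": os.path.basename(path),
            "description": descriptions.get(path, ""),
            "size_bytes": os.path.getsize(path),
            "sha256": sha256_file(path),
            "collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
        })
    return {"case_id": case_id,
            "created_at_utc": datetime.now(timezone.utc).isoformat(),
            "items": items}


def verify_manifest(manifest: dict, directory: str) -> list:
    """Re-hash each listed file; return the names whose content no longer matches."""
    changed = []
    for item in manifest["items"]:
        path = os.path.join(directory, item["file"])
        if not os.path.exists(path) or sha256_file(path) != item["sha256"]:
            changed.append(item["file"])
    return changed


def demo() -> tuple:
    """Preserve two constructed artefacts, verify them, then show that tampering is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        eml = os.path.join(workdir, "fraud-invoice.eml")
        rules = os.path.join(workdir, "inbox-rules-cfo.json")
        with open(eml, "wb") as fh:  # constructed message standing in for a native .eml export
            fh.write(b"From: ap@vendor-lookalike.example\r\nTo: ap@example.com\r\n"
                     b"Subject: Updated remittance details\r\n\r\nPlease use the new account.\r\n")
        with open(rules, "w") as fh:  # constructed inbox-rule export
            json.dump([{"Name": "archive", "ForwardTo": "ext@attacker-mail.example",
                        "Enabled": True}], fh)
        manifest = build_manifest(
            [eml, rules], custodian="IT Security (custodian name placeholder)",
            case_id="CASE-ID-PLACEHOLDER",
            descriptions={eml: "fraudulent invoice email, native format with full headers",
                          rules: "inbox rules exported from the CFO mailbox"})
        intact = verify_manifest(manifest, workdir)            # [] when nothing has changed
        with open(eml, "ab") as fh:                            # simulate a post-collection edit
            fh.write(b"X-Note: edited after collection\r\n")
        tampered = verify_manifest(manifest, workdir)          # ["fraud-invoice.eml"]
        with open(os.path.join(workdir, "manifest.json"), "w") as fh:
            json.dump(manifest, fh, indent=2)
        return manifest, intact, tampered


if __name__ == "__main__":
    manifest, intact, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("changed after collection:", tampered)
```

Keep the manifest alongside the evidence on write-once or access-controlled storage and re-run the verification before handing anything to counsel, the bank or law enforcement; a clean verification is what lets the collected files stand as the forensic record the earlier steps told you not to disturb.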

How does Rexxfield help after a BEC attack?

Rexxfield provides immediate BEC incident response: emergency evidence preservation in Microsoft 365 and Google Workspace, email header forensics to trace attack origin, financial tracing through banking and cryptocurrency channels, coordination with bank fraud teams and law enforcement, and expert testimony support for legal proceedings. Rexxfield has operated since 2008 alongside the FBI, Homeland Security, and international law enforcement.


For immediate BEC assistance: rexxfield.com/bec-urgent-next-steps | For investigation services: rexxfield.com/business-email-compromise-investigations

Source: FBI Internet Crime Complaint Center (IC3) 2025 Annual Report | File a complaint: ic3.gov