Wire Fraud Prevention for AP Teams: 12 Controls Every CFO Should Demand

In March 2025, an aerospace manufacturer wired $2.3 million to what it believed was a long-standing supplier. The bank routing details had been "updated" by an attacker who had compromised the vendor's email server six weeks earlier and waited for the next invoice cycle. Forty-seven minutes after the wire was approved, the funds were converted and split across three offshore accounts. The FBI's Recovery Asset Team froze 18% of the loss. The rest is gone.

That story is unremarkable. The FBI's IC3 logged $6.45 billion in losses tied to wire-based fraud in 2024, with business-targeted variants accounting for the largest dollar-weighted slice. AP teams are at the center of it because every fraudulent payment that matters runs through your wire room.

Most fraud-prevention guides treat wires the same as ACH and checks. They are not the same. A wire is the only AP payment method where the money is gone the moment you press send. Your controls have to be built for that asymmetry — heavy on prevention, but also designed to recover funds in the four-hour window before they are gone for good.

Here are the 12 wire-specific controls every CFO should demand, organized into the four categories that map to how wire fraud actually plays out: verification before send, segregation that forces collusion, monitoring that catches anomalies, and response that buys back time.

Why Wires Need Their Own Playbook

ACH transfers can be reversed for up to 60 days under NACHA rules for unauthorized debits, and certain credit recalls are recoverable for two banking days. Checks can be stopped before they clear. Wires have neither of these protections. Once funds settle in the receiving institution — typically within 30 to 90 minutes for domestic wires, four hours for international — your only legal remedy is asking the receiving bank to voluntarily return the money.

That changes the math on controls. With ACH, you can afford a control gap because you have a recovery window. With wires, every control needs to function before the operator clicks "approve."

Three things make wires uniquely attractive to fraudsters:

1. Irreversibility. No clawback path after settlement.
2. Speed. Funds clear faster than internal review cycles in most AP teams.
3. Cross-border reach. International wires can launder through correspondent banks in jurisdictions with weak KYC, making recovery effectively impossible.

This is why the controls below are stricter than what you would apply to ACH or check workflows. A 99% effective control against ACH fraud might be acceptable. A 99% effective control against wire fraud loses you a multi-million-dollar wire every two or three years.

Category 1: Verification Controls

These three controls block the attack at the point of vendor or payment-instruction change — the most common wire-fraud entry point.

Control 1: Out-of-Band Callback for Every Bank Change

Zero exceptions. Any change to vendor banking details — even a single digit in a routing number — triggers a phone call to a known contact at the vendor using a number from your records, not from the email or document requesting the change. The FBI specifically identifies callback verification as the highest-impact single control, blocking an estimated 70% of vendor-impersonation wire fraud. Document the callback: date, time, person spoken to, number dialed.

Control 2: Wire-Specific Vendor Master Validation

Before any wire is initiated, the system re-validates that the vendor's banking details match what was last verified, that the verification is less than 90 days old, and that the receiving country matches what the vendor's W-9 or W-8 declares. A US-based vendor suddenly receiving a wire to a Hong Kong account is an automatic hold. Modern AP automation enforces this as a payment gate. See our broader vendor bank account verification playbook for the full validation pattern.

Control 3: Dual-Channel Confirmation for First-Time Wires

The first wire to any vendor receives extra scrutiny: confirmation through two independent channels before send. Not "email plus same-thread reply" — that is one channel. Email plus phone, or vendor portal plus phone, or DocuSign plus phone. The pattern matters more than the specific channels.

Category 2: Segregation Controls

These three controls ensure no single person can complete a fraudulent wire end-to-end.

Control 4: Three-Person Wire Workflow

Initiator, approver, and releaser must be three different people for any wire above a defined threshold (often $10,000 or $25,000 depending on company size). The initiator builds the wire from an approved invoice. The approver confirms the documentation matches. The releaser executes the bank transmission. Compromising one person is not enough.

Control 5: Separation of Vendor Master and Payment Authority

The person who can edit vendor banking details cannot also approve or release wire payments. This is the single most-violated rule in mid-market AP. Every BEC playbook assumes the AP clerk can both update vendor records and queue payments — separate those, and the most common attack pattern fails. Pair this with a strong delegation of authority matrix so the role boundaries are explicit, and a properly designed segregation of duties framework so they survive personnel changes.

Control 6: Higher Authority Tier Above $100K

Wires above $100,000 require a second-level executive approval (CFO or designated controller) regardless of the requestor's normal authority. This is not redundant with the standard delegation matrix — it is a wire-specific overlay because the recovery window does not exist. Some companies set this threshold lower for international wires given the harder recovery path.

Category 3: Monitoring Controls

These three controls catch anomalies that slip past verification and segregation.

Control 7: Real-Time Payment Pattern Anomaly Detection

The wire system flags any payment that breaks an established pattern: a vendor that has only ever received ACH suddenly requesting a wire, a routine vendor receiving 3x its normal payment size, a payment to a country the vendor has never received from before, or a payment outside business hours in the vendor's home time zone. Any one of these anomalies pauses the wire for human review. AI-based fraud detection for invoices extends this pattern recognition to upstream invoice anomalies, catching fraud before it ever reaches the wire stage.

Control 8: Daily Wire Activity Reconciliation

Every wire sent in the last 24 hours is reconciled against approved invoices and approval logs by someone outside the AP wire workflow — typically a controller or treasury accountant. Discrepancies are investigated within the same business day. This control catches both fraudulent wires and inadvertent errors.

Control 9: Vendor Banking Change Audit Log

Every change to vendor banking details is logged with timestamp, user, before/after values, and verification artifact (callback notes, signed change form). The log is reviewed weekly. Unverified changes that somehow made it into the system are treated as incidents, not corrections.

Category 4: Response Controls

These three controls compress the time between fraud detection and bank intervention. Speed determines recovery.

Control 10: Pre-Built Bank Recall Playbook

Your team has the bank's wire recall fax number, a pre-drafted recall request template, the IC3 reporting URL, and the FBI field office phone number for your region — all in a runbook accessible without VPN, before an incident happens. The IC3 Recovery Asset Team has reported a 66% success rate on freezing fraudulent wires when notified within 48 hours; the rate drops sharply after 72 hours.

Control 11: 24-Hour Detection-to-Bank-Notice SLA

Internal commitment that any suspected fraudulent wire is reported to the originating bank within 24 hours of detection. Most teams burn the recovery window debating internally whether it was actually fraud. The default should be: notify the bank now, retract later if it turns out to be a false alarm.

Control 12: Quarterly Wire Fraud Tabletop Exercise

The team runs a simulated wire-fraud incident every quarter. The exercise tests whether people remember the runbook, whether the IC3 form is fillable on the company's restricted laptops, whether after-hours bank contacts work, and whether the controller can authorize the recall request without waiting for a CFO who is in Europe. Most teams discover their runbook breaks at 3 AM on the first attempt.

What to Do If a Fraudulent Wire Was Sent

If a wire has already gone out and you suspect fraud:

1. Call the originating bank immediately — within minutes, not hours. Request a SWIFT recall and ask them to contact the receiving bank.
2. File an IC3 complaint at ic3.gov with the full wire details, including the originating and receiving bank routing numbers and account numbers. The Recovery Asset Team works directly off these filings.
3. Notify the FBI field office for your region with a phone call. Email follow-ups can wait.
4. Preserve all evidence — the original invoice, every email exchange, vendor master change logs, approval audit trails, callback documentation. Do not delete or overwrite.
5. Notify your insurer if you carry crime or cyber coverage that includes social engineering fraud. Most policies require notification within 30 to 60 days of discovery.
6. Review all bank changes for the past 90 days across the vendor master. If one vendor was compromised, others may be too.

The Wire Fraud Audit Checklist

For your next internal audit or pre-mortem, walk through this list. A "no" or "we are not sure" on any of these is a finding:

• Are bank changes verified by callback to a number from records, not from the request?
• Can a single AP user both edit vendor banking and approve wires?
• Do wires above your threshold require three people to send?
• Does the system flag wires that break established vendor payment patterns?
• Is daily wire activity reconciled by someone outside the wire workflow?
• Is the vendor banking change log reviewed weekly?
• Does your team have a pre-built bank recall runbook accessible offline?
• Is there a documented SLA from fraud detection to bank notification?
• Has the team run a wire-fraud tabletop in the last 90 days?

Practical Takeaways

Wire fraud is not primarily a security problem. It is a payments-design problem disguised as a security problem. Treating wires identically to ACH and checks ignores the irreversibility that makes them attractive to fraudsters in the first place.

The 12 controls above are the minimum bar for any AP team that processes recurring wire transfers. The audit checklist is the version you can hand to a controller or external auditor and say "this is what good looks like."

If your team currently runs wires through the same workflow as everything else, the highest-impact change is splitting the vendor master and payment authority roles (Control 5). It costs nothing, takes a week to implement in any modern AP platform, and breaks the most common BEC playbook. Everything else is layered protection on top of that foundation.

For broader fraud coverage that goes beyond wires, see our AP fraud prevention checklist (25 controls across all payment types) and BEC prevention guide (email-channel attacks specifically). For tooling, the payment fraud detection software comparison covers the platforms that automate several of these controls.

FAQ

Can a fraudulent wire transfer be reversed?

Wire transfers are not reversible the way ACH is, but they can sometimes be recovered if the receiving bank still holds the funds. The FBI's IC3 Recovery Asset Team has a 66% success rate freezing fraudulent BEC-related wires reported within 48 hours, dropping sharply after 72 hours. Once funds are converted, withdrawn, or moved through correspondent banks in weak-KYC jurisdictions, recovery becomes effectively impossible. Speed of detection and bank notification is the single most important variable in recovery.

What is the most common wire fraud attack on AP teams?

Vendor email compromise leading to a vendor banking change request. The attacker compromises a real vendor's email account or creates a lookalike domain, waits for an active invoice, and emails AP requesting that the bank routing details be updated for the upcoming payment. AP processes the change because it appears legitimate, then wires the funds to the attacker's account. Out-of-band callback verification of every bank change blocks roughly 70% of these attacks.

How much wire fraud could be prevented by basic AP controls?

Industry research and FBI Recovery Asset Team analysis suggest that 80 to 90% of wire fraud against AP teams could be blocked by three controls in combination: out-of-band callback verification of bank changes, separation of vendor master and payment authority, and three-person wire workflows above $25,000. None of these require new technology — they require process redesign and discipline.

Should we use ACH instead of wires to reduce fraud risk?

Where vendor terms allow it, yes. ACH offers a recovery window that wires do not, and same-day ACH covers most domestic time-sensitive payments at lower cost and lower risk. Reserve wires for international payments, urgent same-day domestic payments where the receiving bank does not accept ACH, and high-value transactions where the wire's audit trail is required. The goal is to make wires the exception, not the default.