Learning Center

Wire Transfer & ACH Fraud

How criminals exploit wire transfers, ACH payments, and real-time payment systems through BEC attacks and social engineering

By Benjamin, Fraud Attacks · Updated

Wire fraud and ACH fraud are the two payment-rail attacks that BEC campaigns most often aim at U.S. businesses, and they are almost always preceded by a compromised email account or a social-engineering phone call. Wire transfers settle in hours and cannot be reversed; ACH has a one to three day settlement window but limited return rights. The attacker's job is to insert a fraudulent payment instruction that fits the victim's normal business and clears before anyone notices.

1. The Story

Keisha pulled up the case. Retired accountant, 72 years old. $34,000 gone over three weeks.

It started with a phone call. Caller ID showed the bank's fraud department. The voice on the line said they'd detected suspicious activity, someone inside the branch might be involved, and they needed the victim's help with a confidential investigation.

They told him not to mention it to anyone at the bank. That would tip off the suspects.

Over the next three weeks, he made four transfers. $8,500 each time, each to a different account. The caller explained they were moving his money to secure government-protected accounts while the investigation continued.

The caller checked in daily. Thanked him for his patience. Reminded him the investigation was almost over. Sent him official-looking letters on what appeared to be government letterhead.

When his daughter noticed the missing money and called the bank herself, the fraud department had no record of any investigation. The phone number on his caller ID had been spoofed. The "official letters" were printed from a template.

Keisha reviewed the transfer records. Four online banking sessions. Four payments to accounts the victim had never sent money to before. Each time, he'd logged in himself, entered the details himself, clicked confirm himself.

From the bank's perspective, a customer had simply moved his own money.

He'd been trying to protect his savings. That's what made it work.

This story is fictional, but the patterns are real.


2. Why This Matters

In Payment Systems 101, you learned that wire transfers are instant and irreversible. ACH has a 1-3 day settlement window but limited return rights. Real-time payments like Zelle settle in seconds with no reversal mechanism.

Understanding the mechanics of how criminals exploit each of these payment rails helps you recognize fraud patterns, not just after the fact, but while they're developing.

Keisha's case illustrates a critical point: payment fraud isn't a single event. It's the final step in a longer operation. By the time money moves, criminals have typically spent weeks or months building toward that moment.


3. How Wire Fraud Works

Wire transfers were the payment method most often targeted by BEC scams in 2024, reported by 63% of organizations in the AFP survey, up from 39% the prior year.[5]

How does a wire fraud attack work?

Wire fraud almost always involves impersonation. Someone pretends to be a person with authority to request large payments. The most common impersonation targets:

Executive impersonation: Criminals pose as the CEO, CFO, or other senior executive. They request urgent wires for acquisitions, legal settlements, or vendor payments. This works because employees are conditioned to follow executive requests quickly.

Vendor impersonation: Criminals compromise a legitimate vendor's email or create a convincing lookalike. They send "updated payment instructions" for real invoices. The victim pays a real invoice to a fake account.

Attorney impersonation: Criminals research ongoing legal matters through public court filings. They pose as outside counsel requesting wire payments for settlements, escrow, or closing costs.

Why does wire fraud succeed so often?

Wire fraud attacks succeed for predictable reasons:

Legitimate access. In many cases, criminals control the actual email account they're impersonating. They don't need to spoof anything because they're sending from the real address.

Contextual awareness. When criminals compromise email accounts, they read everything. They learn communication patterns, ongoing projects, and approval processes. Their requests fit naturally into ongoing business.

Urgency and confidentiality. Attackers create pressure that discourages verification. A "confidential acquisition" or "time-sensitive legal matter" explains why the victim shouldn't ask questions. The tight deadline prevents careful review.

Process exploitation. Attackers study approval processes and work within them. If wire approval requires executive authorization, they send requests from executive accounts.

The Money Movement Phase

Once a fraudulent wire is sent, the clock starts. Wire transfers settle in hours, not days. Criminal infrastructure is typically ready in advance, and a layering chain often looks something like this:

First hop (hours 0-4): A receiving bank in another jurisdiction accepts the incoming wire. The account holder is usually a shell company established months earlier with forged documents.

Second hop (hours 4-12): Before the end of the business day, funds move to a correspondent bank relationship in a third country. The transfer is structured to look like a normal business payment.

Third hop (hours 12-24): The receiving account converts the funds to cryptocurrency through an exchange with weak verification requirements.

Final layering (days 1-7): The cryptocurrency moves through multiple wallets, mixes with other funds, and eventually converts back to cash in jurisdictions with weak banking oversight. The accounts that receive the first hop are typically run by money mules recruited through criminal infrastructure, one of the reasons recovery rarely succeeds beyond the first 24 hours.

By the time victims discover wire fraud, money has typically crossed multiple jurisdictions and changed form. Recovery is rarely possible.


4. How ACH Fraud Works

ACH fraud operates differently than wire fraud. The settlement window (1-3 business days) creates both opportunities and constraints for criminals. ACH credits ranked second behind wires as the BEC payment vector most often targeted in 2024 (50% of AFP survey respondents, up from 47% the prior year), while ACH debits and checks tied at 26% of BEC targeting.[5]

Payroll Redirect Attacks

In a payroll redirect attack, criminals change where employee paychecks go:

Step 1: Credential theft. The attacker obtains login credentials for an HR system or employee self-service portal. This might come from a phishing email, a data breach, or malware on an employee's computer.

Step 2: Account change. The attacker logs in and changes the direct deposit information for one or more employees. They might change their own account (if they're an insider) or multiple employees' accounts (if they have admin access).

Step 3: Extraction. When payroll runs, the funds route to accounts the attacker controls. Because individual paychecks are typically under $10,000, they often don't trigger high-value alerts.

Step 4: Discovery. Employees notice missing paychecks and complain to HR. This can take days or weeks, especially if the attack targets employees who don't check their accounts frequently.

The per-employee amounts are small, but attackers often hit multiple employees simultaneously. A hundred compromised paychecks averaging $3,000 each produces $300,000 in fraud.
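
As an added example (not code from the original article), the following Python script runs three checks over a constructed HR audit log to catch the pattern described in the steps above: several employees redirected to one destination account, changes made within days of the pay run, and a burst of changes from a single source address. The log fields, the sample rows and the pay date are assumptions made for the example; a real HR system will have its own schema.

```python
"""Flag direct-deposit changes that fit a payroll redirect attack.

Added example, not code from the original article. The audit-log fields,
the sample rows and the pay date are constructed for illustration; any real
HR system will have its own schema.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample: direct-deposit change events from an HR self-service
# portal audit log (hypothetical format). Three employees are redirected to
# one account from one IP within minutes; the other two rows are routine.
AUDIT_LOG = [
    {"ts": "2025-03-10T09:12:00", "employee": "E1001", "routing": "021000021",
     "account": "44001", "ip": "203.0.113.7"},
    {"ts": "2025-03-10T09:15:00", "employee": "E1002", "routing": "021000021",
     "account": "44001", "ip": "203.0.113.7"},
    {"ts": "2025-03-10T09:19:00", "employee": "E1003", "routing": "021000021",
     "account": "44001", "ip": "203.0.113.7"},
    {"ts": "2025-02-02T14:30:00", "employee": "E1050", "routing": "061000052",
     "account": "77012", "ip": "198.51.100.4"},
    {"ts": "2025-03-11T17:45:00", "employee": "E1077", "routing": "026009593",
     "account": "90210", "ip": "192.0.2.33"},
]
PAYROLL_DATE = date(2025, 3, 14)  # assumed next pay date


def detect_payroll_redirect(log, payroll_date, window_days=5,
                            burst_n=3, burst_minutes=60):
    """Return employee IDs hit by each rule, each list sorted and deduplicated."""
    alerts = {"shared_destination": set(), "pre_payroll": set(),
              "single_source_burst": set()}
    by_dest = defaultdict(set)   # (routing, account) -> employees
    by_ip = defaultdict(list)    # source ip -> [(timestamp, employee)]
    for row in log:
        ts = datetime.fromisoformat(row["ts"])
        by_dest[(row["routing"], row["account"])].add(row["employee"])
        by_ip[row["ip"]].append((ts, row["employee"]))
        # Rule 2: change lands just before the pay run, when it is least
        # likely to be reviewed before money moves.
        if 0 <= (payroll_date - ts.date()).days <= window_days:
            alerts["pre_payroll"].add(row["employee"])
    # Rule 1: one destination account now receives more than one person's pay.
    for emps in by_dest.values():
        if len(emps) > 1:
            alerts["shared_destination"].update(emps)
    # Rule 3: several changes from one source address in a short window,
    # the signature of an attacker with admin access or several stolen logins.
    span = timedelta(minutes=burst_minutes)
    for events in by_ip.values():
        events.sort()
        for i in range(len(events)):
            in_window = [e for t, e in events[i:] if t - events[i][0] <= span]
            if len(in_window) >= burst_n:
                alerts["single_source_burst"].update(in_window)
    return {rule: sorted(emps) for rule, emps in alerts.items()}


def hold_list(alerts):
    """Employees whose next deposit should be held for manual verification."""
    # A shared destination is conclusive on its own; timing and burst are
    # each weak alone but strong together.
    hold = set(alerts["shared_destination"])
    hold |= set(alerts["pre_payroll"]) & set(alerts["single_source_burst"])
    return sorted(hold)


if __name__ == "__main__":
    found = detect_payroll_redirect(AUDIT_LOG, PAYROLL_DATE)
    for rule, emps in found.items():
        print(f"{rule}: {emps}")
    print("hold before next pay run:", hold_list(found))
```

On the sample log the three redirected employees trip all three rules and go on the hold list; E1077, whose only signal is a change three days before payday, is reported but not held, which is the trade-off that keeps the rule from blocking every routine bank switch.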

How do vendor payment redirect attacks work?

Vendor payment redirects work similarly to wire fraud impersonation, but target ACH payments instead. They typically begin with a compromised vendor email account rather than a wholly external impersonator.

Step 1: Compromise or impersonate. The attacker either compromises a vendor's email account or creates a convincing lookalike domain (suppliercompany.com vs supplier-company.com).

Step 2: Send new payment instructions. The attacker sends an email explaining that the vendor has changed banks. They provide new ACH routing and account numbers.

Step 3: Accounts payable updates records. If the AP team doesn't verify through a known phone number or other out-of-band method, they update the vendor record in their system.

Step 4: Normal payments redirect. Every subsequent payment to that vendor goes to the attacker's account until someone notices. This can continue for months if the real vendor isn't actively following up on missing payments.
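
The controls implied by steps 1 and 3, as an added example rather than code from the original article: a sender-domain check that catches the lookalike trick (suppliercompany.com versus supplier-company.com, the pair used above) and an intake flow that never writes new bank details to the vendor master until someone has confirmed them on a call to the phone number already on file, not a number taken from the email. The vendor record, phone numbers, request identifiers and function names are assumptions made for the example.

```python
"""Vendor bank-change intake: reject lookalike sender domains and hold every
change until it is confirmed by calling the number already on file.

Added example, not code from the original article. The vendor master
record, phone numbers and request format are assumptions for illustration.
"""
import copy
import re
from difflib import SequenceMatcher

# Constructed vendor master record (hypothetical). The phone number is the
# one AP verified at onboarding, never one taken from an incoming email.
VENDOR_MASTER = {
    "V-0042": {"name": "Supplier Company", "domain": "supplier-company.com",
               "phone_on_file": "+1-555-010-0100",
               "routing": "061000052", "account": "9001"},
}

# Digits and letter pairs commonly swapped to build a lookalike domain.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def fresh_master():
    """A private copy of the master record so callers can mutate it safely."""
    return copy.deepcopy(VENDOR_MASTER)


def canonical(domain):
    """Collapse the tricks lookalikes rely on: case, hyphens, homoglyphs."""
    d = domain.lower().strip().translate(HOMOGLYPHS)
    d = d.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[-_]", "", d)


def is_lookalike(sender_domain, vendor_domain):
    """True when the sender domain imitates the vendor's without matching it."""
    s, v = sender_domain.lower(), vendor_domain.lower()
    if s == v:
        return False
    if canonical(s) == canonical(v):
        return True
    # Catch single-character edits such as a dropped letter or a changed TLD.
    return SequenceMatcher(None, s, v).ratio() >= 0.9


def receive_change_request(vendor_master, requests, vendor_id, sender_domain,
                           new_routing, new_account):
    """Intake for a 'we changed banks' email. Never updates the master record."""
    vendor = vendor_master[vendor_id]
    if sender_domain.lower() != vendor["domain"].lower():
        reason = ("lookalike_domain" if is_lookalike(sender_domain, vendor["domain"])
                  else "unknown_sender_domain")
        return {"status": "rejected", "reason": reason}
    # A message from the genuine domain may still come from a compromised
    # mailbox, so the change is only queued, pending an out-of-band callback.
    req_id = f"REQ-{len(requests) + 1}"
    requests[req_id] = {"vendor_id": vendor_id, "routing": new_routing,
                        "account": new_account, "status": "pending_callback"}
    return {"status": "pending_callback", "request_id": req_id}


def confirm_by_callback(vendor_master, requests, req_id, number_dialed,
                        vendor_confirmed):
    """Apply a queued change only if confirmed on a call to the number on file."""
    req = requests[req_id]
    if req["status"] != "pending_callback":
        return {"status": "rejected", "reason": "request_not_pending"}
    vendor = vendor_master[req["vendor_id"]]
    if number_dialed != vendor["phone_on_file"]:
        req["status"] = "rejected"
        return {"status": "rejected", "reason": "callback_not_to_number_on_file"}
    if not vendor_confirmed:
        req["status"] = "rejected"
        return {"status": "rejected", "reason": "vendor_denied_change"}
    vendor["routing"], vendor["account"] = req["routing"], req["account"]
    req["status"] = "approved"
    return {"status": "approved"}


if __name__ == "__main__":
    master, queue = fresh_master(), {}
    print(receive_change_request(master, queue, "V-0042", "suppliercompany.com",
                                 "021000021", "44001"))
    r = receive_change_request(master, queue, "V-0042", "supplier-company.com",
                               "021000021", "44001")
    print(r)
    # Dialling the number printed in the email reaches the attacker; only the
    # number on file reaches the vendor.
    print(confirm_by_callback(master, queue, r["request_id"], "+1-555-010-9999", True))
```

The design point is that the email, genuine or not, can only create a pending request; the only write path to the vendor record runs through a callback whose number comes from the existing record, so a compromised vendor mailbox on its own cannot redirect payments.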

What is an ACH return code?

Unlike wire transfers, ACH transactions can be returned under certain conditions. The NACHA Operating Rules define specific return codes:

Code | Meaning | Return deadline
R01 | Insufficient funds | By opening of business on the 2nd banking day after settlement
R02 | Account closed | By opening of business on the 2nd banking day after settlement
R03 | No account / unable to locate | By opening of business on the 2nd banking day after settlement
R10 | Customer advises originator is not known, not authorized, or has revoked authorization | Within 60 days of settlement date
R11 | Customer advises entry not in accordance with terms of authorization | Within 60 days of settlement date
R29 | Corporate customer advises not authorized | By opening of business on the 2nd banking day after settlement

NACHA repurposed R11 effective April 1, 2020 to separate the two claims; the existing Unauthorized Entry Fee was extended to R11 returns starting April 1, 2021.[3] Before the split, R10 covered both "unauthorized" and "not in accordance with the authorization" claims. The split moved many fraud-adjacent disputes (such as debit amounts or dates that didn't match what the customer authorized) into R11, leaving R10 strictly for entries the customer says they never authorized at all.

The catch: a return right is not a recovery guarantee. R10 and R11 belong to the consumer whose account was debited without authorization, and R29 gives a corporate account holder only two banking days to make the same claim, so a business that does not reconcile daily can lose that right. For a credit that a victim pushed to a fraudster's account, the originating bank can only ask the receiving bank to send the funds back (a return "per ODFI's request", code R06), and the receiving bank is not obligated to honor that request. If the account has already been emptied there is nothing to return, and criminals withdraw quickly precisely because they know these windows exist.

Effective October 1, 2024, NACHA codified a new use of return code R17 that lets a receiving bank return an entry it believes was originated under false pretenses (with "QUESTIONABLE" in the addenda).[4] Use is optional, not required, and many fraud accounts are emptied before any return is initiated.
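
To make the return windows concrete, here is an added Python example (not from the original article) that computes the last return date for a given code and settlement date, skipping weekends and an assumed, partial Federal Reserve holiday list, and that picks the code for an unauthorized-debit dispute from the account type. It shows the point buried in the table: a consumer gets 60 days to dispute an unauthorized debit, a corporate account holder gets two banking days. The holiday set, function names and the claim labels are assumptions for the example.

```python
"""Work out the return deadline for an ACH entry from its return code.

Added example, not code from the original article. The deadline rules are
taken from the table above; the holiday set is a constructed, partial
Federal Reserve calendar for early 2025 and must be replaced with a full
one before real use.
"""
from datetime import date, timedelta

# Banking days after settlement (R01/R02/R03/R29) or calendar days after
# settlement (R10/R11), per the table above. Assumed correct for this
# example; check the current Nacha Operating Rules for your case.
BANKING_DAY_CODES = {"R01": 2, "R02": 2, "R03": 2, "R29": 2}
CALENDAR_DAY_CODES = {"R10": 60, "R11": 60}

# Constructed: Federal Reserve holidays observed in early 2025 only.
FED_HOLIDAYS = {date(2025, 1, 1), date(2025, 1, 20), date(2025, 2, 17),
                date(2025, 5, 26)}


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def is_banking_day(day, holidays=FED_HOLIDAYS):
    return day.weekday() < 5 and day not in holidays


def add_banking_days(start, n, holidays=FED_HOLIDAYS):
    """The n-th banking day strictly after start."""
    day = _as_date(start)
    while n > 0:
        day += timedelta(days=1)
        if is_banking_day(day, holidays):
            n -= 1
    return day


def return_deadline(code, settlement, holidays=FED_HOLIDAYS):
    """Last date on which the RDFI can return an entry under the given code."""
    settlement = _as_date(settlement)
    if code in BANKING_DAY_CODES:
        return add_banking_days(settlement, BANKING_DAY_CODES[code], holidays)
    if code in CALENDAR_DAY_CODES:
        return settlement + timedelta(days=CALENDAR_DAY_CODES[code])
    raise ValueError(f"no deadline rule for {code}")


def is_timely(code, settlement, returned_on, holidays=FED_HOLIDAYS):
    """Date-level check; the two-day codes are due by opening of business."""
    return _as_date(returned_on) <= return_deadline(code, settlement, holidays)


def unauthorized_return_code(account_type, claim):
    """Pick the code for an 'I did not authorize this debit' dispute.

    Mapping follows the table above: consumer claims split between R10 and
    R11, corporate claims use R29 (and so get only two banking days).
    """
    if account_type == "corporate":
        return "R29"
    if claim == "never_authorized":
        return "R10"
    if claim == "not_per_authorization":
        return "R11"
    raise ValueError(f"unknown claim {claim}")


if __name__ == "__main__":
    for acct in ("consumer", "corporate"):
        code = unauthorized_return_code(acct, "never_authorized")
        print(acct, code, "deadline", return_deadline(code, "2025-01-17"))
```

For a Friday 2025-01-17 settlement, R01 and R29 are due by Wednesday 2025-01-22 because the Monday is a holiday, while R10 and R11 run to 2025-03-18.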


5. Real-Time Payment Fraud

Zelle, FedNow, and the RTP network share a critical characteristic: payments settle in seconds and cannot be reversed. This creates the highest-risk environment for consumers.

Why do real-time payments attract scammers?

Real-time payments combine characteristics that make them attractive to fraudsters:

Instant settlement means no detection window. With ACH, you have hours or days to spot problems before funds actually move. With real-time payments, the money is gone before you can react.

Consumer access means individual accounts are targets. Wire fraud typically requires compromising business processes. Real-time payment fraud can target any person with a smartphone.

Low friction means victims can send money quickly without the verification steps that slow down wire transfers. A scammer on the phone can walk someone through a Zelle payment in minutes.

Common Real-Time Payment Scam Patterns

Tech support scams. The victim receives a call or popup warning that their computer is infected. The "Microsoft technician" walks them through "fixing" the problem, which includes sending money via Zelle to "secure their account."

Imposter scams. The scammer poses as a bank employee, government agent, or utility company representative. They create urgency (your account will be closed, you'll be arrested, your power will be shut off) and demand immediate payment.

Purchase scams. The victim tries to buy something from a fake seller on a marketplace. The seller insists on Zelle payment. The product never arrives.

Romance scams. After weeks or months of building an online relationship, the scammer requests emergency funds via Zelle. Medical bills, travel emergencies, or business problems provide pretexts.


6. Authorized Push Payment (APP) Fraud

Many attacks in this article share a common pattern: the victim authorizes the payment themselves. The retired accountant in Keisha's case made the transfers himself. The accounts payable clerk updated vendor payment details. The romance scam victim pressed "send" on Zelle. This pattern has a name: Authorized Push Payment (APP) fraud.

APP fraud describes any fraud where the victim initiates the payment, even though they've been deceived. It's the opposite of unauthorized fraud, where someone steals your credentials and moves money without your knowledge.

Not every attack fits this pattern. Payroll redirect attacks, for example, involve credential theft: the attacker compromises an HR system and changes where paychecks go. The employees whose pay is stolen never authorized anything. That's unauthorized fraud, and different liability rules apply.

Why does the authorized vs. unauthorized distinction matter?

Fraud liability rules treat authorized and unauthorized transactions very differently.

Unauthorized fraud (someone steals your card, hacks your account): Banks must reimburse you. Regulation E covers consumer electronic fund transfers such as debit card, ACH, and P2P payments; Regulation Z covers credit cards. The bank processed something you didn't approve, so the bank bears the loss. These protections apply to consumer accounts: a business whose online-banking session is compromised is generally governed by UCC Article 4A instead, under which the bank is shielded if it followed a commercially reasonable security procedure.

Authorized fraud (you send money after being tricked): You pressed "send." The bank processed exactly what you asked for. Many fraud protections don't apply because, technically, no unauthorized access occurred.

This creates a strange situation: the more sophisticated the scam, the less protection the victim has. A crude attack that steals your password triggers reimbursement requirements. A clever attack that convinces you to send money yourself may not.

APP Fraud Across Payment Rails

APP fraud happens on every payment type covered in this article:

Wire transfers: BEC victims who wire millions to fraudulent accounts are experiencing APP fraud. They authorized the wire after being deceived. The bank executed their instructions correctly.

ACH payments: When an accounts payable team updates vendor payment information based on a fraudulent email, the subsequent ACH payments are APP fraud. The company authorized every transaction.

Real-time payments: Zelle scams are almost entirely APP fraud. The victim sends money to a scammer after being convinced by a tech support call, romance scheme, or fake marketplace listing.

The payment rail affects speed and reversibility, but the liability problem is the same. If you authorized it, recovering the funds is difficult regardless of how the money moved.

The Reimbursement Gap

A 2024 Senate investigation found that the three largest banks on the Zelle network reimbursed only 12% of scam victims in 2023.[1] Put differently, 88% of the scam victims in that sample received nothing back.

The UK addressed this differently. In October 2024, UK regulators made APP fraud reimbursement mandatory for most cases.[2] Banks must reimburse victims up to £85,000, normally within five business days, unless the victim acted with "gross negligence"; the rule covers payments sent over the Faster Payments and CHAPS systems. The US has no equivalent requirement for any payment rail.


7. The Business Email Compromise Connection

Wire fraud and BEC aren't separate problems. They're two phases of the same attack.

Business Email Compromise refers to the initial compromise of email accounts. Wire fraud is what criminals do with that access. The pattern:

Weeks 1-3: Access. Criminals gain access to email accounts through phishing, credential stuffing, or malware. They might target executives directly or compromise someone with access to executive communications.

Weeks 4-6: Reconnaissance. With email access, criminals read everything. They learn communication patterns, ongoing projects, vendor relationships, and approval processes. They identify the right person to target and the right pretext to use.

Week 7: Attack. The criminals send a wire request that fits naturally into ongoing business. Because they've read the real communications, they know exactly how to phrase requests to avoid suspicion.

This is why email security and payment security can't be separated. A wire fraud investigation often leads back to an email compromise that happened weeks or months earlier.

For detailed coverage of email compromise techniques and email header analysis, see the Email Security module.


8. Key Takeaways

  • Wire transfers settle in hours and can't be reversed. Recovery depends on acting within the first 24-48 hours, before funds move through correspondent banks.
  • ACH fraud exploits the gap between initiation and settlement. Criminals target payroll systems and vendor payment processes where changes might not be noticed immediately.
  • Real-time payments combine instant settlement with consumer accessibility, making them attractive for scammers targeting individuals.
  • APP fraud (Authorized Push Payment) spans many of these attacks. Wire fraud, vendor ACH redirects, and Zelle scams are APP fraud because the victim authorizes the transaction. Payroll redirect is different: it's unauthorized fraud via credential theft.
  • Most wire fraud starts with email compromise. By the time a fraudulent wire request arrives, criminals have typically been inside the organization's email for weeks.
  • The US and UK handle APP fraud differently. The UK now requires mandatory reimbursement up to £85,000. The US has no equivalent; in the Senate's 2023 sample of the three largest Zelle banks, 88% of scam victims got nothing back.

9. Key Terms

Correspondent bank: A bank that provides services on behalf of another bank, often in a different country. International wires typically pass through correspondent banks.
BEC (Business Email Compromise): Attack where criminals gain access to business email accounts and use that access for fraud, often wire transfer requests.
VEC (Vendor Email Compromise): Subset of BEC specifically targeting vendor relationships to redirect payments.
Return code: Standard codes in the ACH system indicating why a transaction was returned (insufficient funds, account closed, unauthorized, etc.).
Credit-push fraud: Fraud where victims are tricked into "pushing" money to criminals, as opposed to criminals "pulling" unauthorized debits.
Authorized push payment (APP): Payment initiated by the victim themselves, even if deceived. Many fraud protections don't cover APP fraud.
Shell company: A company created specifically to receive fraudulent funds, often with minimal real business activity.
Layering: Moving money through multiple accounts and jurisdictions to obscure its origin. Part of the money laundering process.

References

1. U.S. Senate Permanent Subcommittee on Investigations (2024). Zelle Fraud Investigation Report. Banks reimbursed only 12% of scam victims in 2023.

2. UK Payment Systems Regulator (2024). APP Fraud Mandatory Reimbursement. £85,000 cap, 5 business day requirement, effective October 7, 2024.

3. Nacha — Differentiating Unauthorized Return Reasons — R11 was repurposed to separate "not in accordance with the authorization" from R10's "unauthorized" claim, effective April 1, 2020; the existing Unauthorized Entry Fee was applied to R11 returns starting April 1, 2021.

4. Nacha — Return for Questionable Transaction (R17) — Effective October 1, 2024, R17 may be used by an RDFI to return an entry it suspects was originated under false pretenses, with "QUESTIONABLE" in the addenda. Use is optional.

5. 2025 AFP Payments Fraud and Control Survey Report — Key Highlights (April 2025) — In 2024, 63% of organizations reported wire transfers as the BEC-targeted payment method (up from 39%); ACH credits 50% (up from 47%); ACH debits and checks tied at 26%.
