
Privacy & Data Security Alert

March 31, 2026

The Cyber Brief | Fraudulent Wire Transfers: How AI Has Fundamentally Changed the Landscape

By Ericka Johnson

Summary:

  • AI has transformed wire‑fraud schemes into highly sophisticated, nearly undetectable attacks.

  • Attackers now mimic writing styles, documents, and verification steps with precision.

  • Speed is critical for recovering funds; best practices include coordination with banks, law enforcement, and third-party forensic teams.
     



When clients come to our team about a fraudulent wire transfer, the story almost always begins the same way. We receive a panicked email—usually from a colleague at my firm—saying something like:

“I’ve got a client who was supposed to send (or receive) several million dollars, and the money is gone. It looks like the funds were sent to a hacker’s account, and we’re not sure how this happened.”

In other words, the client believes a legitimate wire transaction has occurred, but the wiring instructions were altered—causing the funds to be routed to a threat actor instead of the intended recipient.

That email is immediately followed by a frantic call with the client, who is understandably scared. In every case, the client asks the same two questions:

  1. Can we get the money back?

  2. Can we sue the party at fault to recoup any lost funds?


This article is designed to give you clarity ahead of a moment like this, when most people feel overwhelmed. My goal is to explain how these scams unfold, what steps matter most in the first hours, and how businesses can position themselves to respond quickly and protect their assets.

How AI Has Transformed the Mechanics of Wire Fraud

The days of the “Nigerian Prince” scam are long gone. AI has industrialized social engineering, allowing attackers—many with little technical skill—to execute sophisticated business email compromise schemes with speed, accuracy, and personalization that would have been unthinkable just a few years ago.

In most cases, the attacker has quietly compromised one or both parties’ email tenants and sits in the mailbox for weeks or months. During this time, they observe how the parties communicate: writing style, approval workflows, deal timelines, and who responds to what. AI supercharges this reconnaissance, enabling attackers to feed harvested emails into language models that instantly map writing patterns, tone, terminology, and communication habits.

While monitoring the account, the attacker also registers a look‑alike domain—different from the real one by a single character—ready to be deployed at the right moment.

Once a payment is imminent, the attacker steps in. Using the look‑alike domain, known as the “spoofed” domain, they send what appears to be a routine update: “We’ve updated our banking information—please use the revised instructions attached.” Without software designed to identify spoofed domains, the message is virtually impossible to distinguish from the real thing: AI generates copy that mirrors the sender’s tone and formatting, and can even recreate attachments or synthesize a seamless “follow‑up” thread based on prior emails.
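The kind of check such software performs on a sender's domain can be sketched as follows. This is an added example, not part of the original article or any product it refers to; the allow-list of counterparty domains, the sample From headers and all function names are constructed for illustration. It flags a sender whose domain is exactly one substituted, inserted or deleted character away from a trusted domain, even when the display name looks right.

```python
from __future__ import annotations
from email.utils import parseaddr

# Constructed data: counterparty domains the payments team already trusts,
# and From headers as they might appear on incoming payment emails.
TRUSTED = {"acme-supply.example", "northbank.example"}
SAMPLE_FROM = [
    "Dana Reyes <dana@acme-supply.example>",   # genuine counterparty
    "Dana Reyes <dana@acme-suply.example>",    # one character deleted
    "Dana Reyes <dana@acme-supp1y.example>",   # one character substituted
    "Wire Desk <wires@northbanks.example>",    # one character inserted
    "Newsletter <news@unrelated.example>",     # unrelated sender
]

def one_edit_apart(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                        # a is now the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:     # skip the common prefix
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]      # a single substituted character
    return a[i:] == b[i + 1:]              # a single extra character in b

def sender_domain(from_header: str) -> str:
    """Domain of the address in a From header, lower-cased, without a trailing dot."""
    address = parseaddr(from_header)[1]
    return address.rpartition("@")[2].lower().rstrip(".")

def classify_sender(from_header: str, trusted: set[str]) -> tuple[str, str | None]:
    """Return (verdict, trusted domain being imitated or None)."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return ("trusted", None)
    for real in sorted(trusted):
        if one_edit_apart(domain, real):
            return ("lookalike", real)
    return ("unknown", None)

def review(headers: list[str] = SAMPLE_FROM) -> list[tuple[str, str | None]]:
    return [classify_sender(h, TRUSTED) for h in headers]

if __name__ == "__main__":
    for header, verdict in zip(SAMPLE_FROM, review()):
        print(f"{verdict[0]:<10} {header}")
```

A "lookalike" verdict is a signal to confirm the instructions through a contact channel already on file. The check covers only single-character differences; Unicode homoglyphs and multi-character variants need additional normalization.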

To stay hidden, attackers often set up covert mailbox‑forwarding rules that quietly divert payment‑related communications. The legitimate user never sees fraudulent emails, never notices the spoofed domain, and never receives replies confirming the updated instructions.

In some cases, attackers go further, adding a “verification line” staffed by a real person or even an AI‑generated voice clone of the intended recipient—capable of answering simple questions convincingly enough to lull the caller into trusting the fake instructions.

By the time the discrepancy is detected, the wire has typically cleared. And today, AI‑driven money‑movement tools—automated layering, coordinated mule‑account networks, and instantaneous crypto off‑ramps—move funds so rapidly that tracing or freezing assets is far more difficult than in years past.

That is why timing is everything once the fraud surfaces. Much like the Ghostbusters, you need to know exactly ‘who you gonna call’ the moment a wire‑fraud incident emerges.

This is how our fraud-busting team responds!

Step One: Let’s Get Your Money Back

The first priority is to freeze the funds sitting in the threat actor’s account. That means two things must happen in parallel—immediately. There is no “wait for business hours” window here; every hour increases the likelihood that the attacker disperses the funds through money‑mule accounts or foreign correspondents, making recovery exponentially more difficult.

First, we direct the originating bank to notify the receiving bank and issue both a freeze request and a recall of the funds. Banks can—and should—take action on these requests at any time, and speed is the single most important factor in whether anything remains to recover.

At the same time, we contact our counterparts at the U.S. Secret Service. In my experience, this is the real force multiplier. Different Secret Service field offices maintain working relationships with specific financial institutions and know the exact point of contact who can put a hold on the threat actor’s account. Getting the incident in front of the right human being—fast—often determines whether substantial funds are frozen or whether we’re dealing with an empty account. And if a particular field office doesn’t have the needed relationship, they don’t stop; they route the request through their internal network until it lands with the team that does.

I cannot overstate this: the Secret Service teams we work with are exceptional—responsive, pragmatic, and laser‑focused on stopping the outflow of funds.

One of the greatest advantages of looping them in early is real‑time visibility. They can often tell us: what remains in the account right now, what has already moved, and whether any outgoing transactions are mid‑stream and eligible for recall.

This visibility immediately lowers the temperature for clients, counterparties, and counsel alike. Once we know whether meaningful funds are frozen or recoverable, the posture shifts from panic to process, and parties are far less likely to sprint into litigation out of uncertainty.

To be candid, however, our ability to recover funds is tied directly to speed. Threat actors know banks may freeze accounts, so they move quickly—fanning out funds through mule networks, prepaid channels, and offshore corridors. The earlier we detect the fraud, and alert the banks and the Secret Service, the higher the likelihood that something remains to be frozen—and the stronger our footing for what comes next.

Step Two: Understanding Each Party’s Role in the Fraud

Once we complete the immediate effort to freeze funds, the next question is how—and whether—any remaining losses can be recovered. Answering that question requires a clear, factual understanding of how the fraud occurred and which parties were involved.

That process begins with engaging a forensic firm to determine whether your email tenant was compromised, the scope of the attacker’s access, and how the fraudulent wiring instructions were introduced into the transaction. The forensic findings form the foundation for assessing responsibility and recovery options.

With that factual record in place, we can evaluate whether litigation is a viable path to recovery or whether alternative avenues are more effective. In most matters, clarity around the facts also clarifies leverage. Frequently, the most efficient and business‑sound outcome is a negotiated allocation of the loss rather than prolonged litigation. And in practice, the party that ultimately bears the loss is not always the one whose system was compromised—it is often the party with greater commercial leverage.

Having guided many clients through these disputes, we are able to quickly assess where that leverage truly lies and help steer the parties toward an efficient, practical resolution—ideally, one that avoids unnecessary escalation and brings the matter to a clean close.

How We Can Help You (Proactively)

The most effective way to handle a fraudulent wire transfer is to prevent one, and that starts long before a threat actor enters the picture. We help clients assess where their real vulnerabilities are—both technical and procedural—and implement practical safeguards that materially reduce the risk of AI‑enabled wire‑fraud schemes. This includes reviewing how your organization transmits and verifies payment instructions, training the employees involved on how to properly authorize and validate wire instructions, and identifying gaps in workflows where attackers most often insert themselves. My goal is to ensure your systems, policies, and people are prepared for a world where AI makes fraudulent communications nearly indistinguishable from legitimate ones.

Just as importantly, we work with businesses to build a tailored response playbook so the right actions happen within minutes if something ever does go wrong. That means identifying who needs to be called, establishing escalation paths with your bank, designating internal decision‑makers, and creating a clear process for communicating with law enforcement and third-party forensic teams. When organizations have these pieces in place, they respond faster, likely freeze and recover more funds, and avoid the chaos and confusion that often make a bad situation worse. Helping clients prepare—so they can act decisively, protect their assets, and avoid unnecessary loss—is one of the most valuable things we can offer on the proactive side.


About the Author:

Ericka Johnson is a Partner at Nelson Mullins, where she advises clients—including boards of directors—on developing comprehensive cybersecurity programs, managing global incident response, and navigating regulatory investigations. She previously served as Global Cybersecurity Counsel for ByteDance and TikTok USDS, leading complex investigations, regulatory responses, and cross border breach management. A U.S. Marine Corps reservist, she also served as Cybersecurity Counsel during a combat deployment to Afghanistan.