Business email compromise (BEC), often called CEO fraud, supplier fraud, or invoice fraud, is the single most financially damaging cyber crime in Canada year after year. The Canadian Anti-Fraud Centre tracks hundreds of millions in losses annually, and the bulk of that comes from BC and Ontario SMBs. The attacker does not need to deploy malware. They just need an inbox, patience, and one plausible email at the right moment.

How the Fraud Usually Works

The pattern we see in BC is consistent. An attacker compromises a mailbox, often at a supplier rather than the victim, by phishing a password and defeating or bypassing weak multi-factor authentication. They live silently in the mailbox for days or weeks, read the invoice thread, and set up hidden forwarding rules. At the right moment they inject an email from a look-alike domain (yoursupplier-ca.com instead of yoursupplier.ca) with "updated banking details" attached. The victim pays into the updated account. The money lands in a money-mule account, is withdrawn or moved, and by the next business day it is often out of reach.
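A defensive check for the look-alike pattern described above, as an added example that is not part of the original article: it compares the domain in a From: header against supplier domains you have already verified. The trusted list, the sample header, and the edit threshold are assumptions.

```python
from email.utils import parseaddr

# Assumption: domains you have verified for each supplier out of band.
TRUSTED = {"yoursupplier.ca"}

def sender_domain(from_header):
    """Domain of the address in a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower().rstrip(".") if "@" in addr else ""

def skeleton(domain):
    """Drop dots and hyphens so 'yoursupplier-ca.com' and 'yoursupplier.ca' line up."""
    return domain.lower().replace("-", "").replace(".", "")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED, max_edits=2):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower().rstrip(".")
    if not domain or any(domain == t or domain.endswith("." + t) for t in trusted):
        return None                      # exact match or a genuine subdomain
    s = skeleton(domain)
    for t in sorted(trusted):
        k = skeleton(t)
        # Trusted name with extra characters appended, or a few typos away.
        # Very short trusted names will produce false positives at max_edits=2.
        if s.startswith(k) or edit_distance(s, k) <= max_edits:
            return t
    return None

# Constructed From: header modelled on the pattern in the text.
SAMPLE_FROM = '"Accounts Receivable" <ar@yoursupplier-ca.com>'

if __name__ == "__main__":
    print(lookalike_of(sender_domain(SAMPLE_FROM)))
```

A hit is a reason to verify by phone before paying, not proof of fraud; a miss does not clear a message sent from a genuinely compromised supplier mailbox.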

The recovery window is hours. Once funds leave the first receiving account, recovery probability drops fast. If you just discovered a fraudulent wire, stop reading and start calling. Come back to this page while you are on hold.

Minutes 0 to 15

Call your bank's fraud line

Call the 24/7 fraud number printed on the back of your business debit card or in your online banking portal. Do not use a regular business banking line. Every major Canadian bank (RBC, TD, BMO, Scotiabank, CIBC, National Bank, HSBC Canada legacy, Desjardins) has a dedicated fraud desk. Ask specifically for a wire recall and a SWIFT GPI trace if the wire went international. Provide the wire reference, amount, sending account, beneficiary name, and beneficiary bank.

The sending bank will contact the receiving bank and request a hold. This only works while the money is still in the beneficiary account. After funds are withdrawn or layered out, no recall is possible.

Minutes 15 to 30

Call the receiving bank directly

Your bank will do this, but if the beneficiary bank is in Canada you should also call their fraud line directly. A parallel call often gets the hold placed faster than one inter-bank message. Identify yourself, the wire, and request the account be frozen pending fraud investigation.

Minutes 30 to 60

File with the Canadian Anti-Fraud Centre and police

Report to the Canadian Anti-Fraud Centre (CAFC) online or by phone at 1-888-495-8501. A CAFC report is the single most useful piece of paper you will have for the insurance claim, bank escalation, and any eventual police investigation. Keep the file number.

File a local police report with the Vancouver Police Department, RCMP detachment, or your municipal force. For cross-border or large-dollar cases, the RCMP cyber unit may become involved, but the entry point is typically local.

Minutes 60 to 120

Notify your cyber insurance carrier

Call the hotline on your cyber policy. Social engineering and funds transfer fraud are covered by some policies and not others, and usually have sublimits lower than the overall policy limit. The insurer will engage breach counsel and may require a specific forensics vendor for the mailbox investigation. Document every call, time, and person you spoke with.

Close the Mailbox Compromise, Fast

In parallel with the money recovery, someone needs to investigate which mailbox was actually compromised. Very often it is not the CEO's account that was hacked; it is a supplier's account, or a finance staff member's account that received the original thread.

The mailbox audit checklist

  • Sign-in logs for the past 30 days across all finance and executive accounts. Look for foreign IP sign-ins, impossible travel, and non-browser user agents.
  • Inbox rules in Outlook Web, the Exchange Online PowerShell rule set, and any rules configured in the desktop client. Attackers love rules that auto-forward to personal Gmail addresses, or that move messages with keywords like "wire", "invoice", "banking" straight to Archive or RSS Feeds.
  • Mail forwarding at the mailbox level and at the transport rule level.
  • OAuth app consents in Entra ID. Malicious OAuth apps survive password changes.
  • MFA device list. Revoke anything unrecognised, then force a reset.
  • Sent items and the Recoverable Items folder, where deleted sent mail hides.

Preserve the evidence before rotating credentials. Forensics vendors will need the log exports and rule snapshots.
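One way to triage the inbox-rule item of the checklist offline, working from a preserved export rather than the live mailbox (an added example, not part of the original article). It assumes the rules were exported to JSON with the property names that Get-InboxRule returns; the sample rules, the internal domain, and the bare-address recipient format are constructed.

```python
import json

# Constructed sample: inbox rules exported to JSON before cleanup. Field names
# follow Get-InboxRule output; recipients are simplified to bare SMTP addresses.
SAMPLE_EXPORT = """[
 {"Name": "Newsletters", "Enabled": true, "ForwardTo": null,
  "RedirectTo": null, "MoveToFolder": "Newsletters", "DeleteMessage": false,
  "SubjectOrBodyContainsWords": ["unsubscribe"]},
 {"Name": "sync", "Enabled": true, "ForwardTo": ["ap.copy@gmail.com"],
  "RedirectTo": null, "MoveToFolder": null, "DeleteMessage": false,
  "SubjectOrBodyContainsWords": null},
 {"Name": "tidy", "Enabled": true, "ForwardTo": null,
  "RedirectTo": null, "MoveToFolder": "RSS Feeds", "DeleteMessage": false,
  "SubjectOrBodyContainsWords": ["Wire", "invoice", "banking"]}
]"""

INTERNAL_DOMAINS = {"example.ca"}           # assumption: your accepted domains
FINANCE_WORDS = {"wire", "invoice", "banking"}
HIDING_FOLDERS = {"archive", "rss feeds"}
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
KEYWORD_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")

def triage_rule(rule):
    """Return the reasons a single exported inbox rule deserves review."""
    reasons = []
    targets = [a for f in FORWARD_FIELDS for a in (rule.get(f) or [])]
    external = sorted(a for a in targets
                      if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS)
    if external:
        reasons.append("forwards outside the organisation: " + ", ".join(external))
    words = {w.lower() for f in KEYWORD_FIELDS for w in (rule.get(f) or [])}
    hits = sorted(words & FINANCE_WORDS)
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    if hits and (rule.get("DeleteMessage") or folder in HIDING_FOLDERS):
        where = "deletes" if rule.get("DeleteMessage") else "moves to " + folder
        reasons.append("hides finance mail (" + ", ".join(hits) + "): " + where)
    return reasons

def triage_export(export_json):
    """Map rule name -> reasons, for every rule that has at least one."""
    flagged = {}
    for rule in json.loads(export_json):
        reasons = triage_rule(rule)
        if reasons:   # disabled rules are still reported: they are evidence too
            flagged[rule.get("Name", "<unnamed>")] = reasons
    return flagged

if __name__ == "__main__":
    for name, reasons in triage_export(SAMPLE_EXPORT).items():
        print(name, "->", "; ".join(reasons))
```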

Kill-Chain Evidence to Preserve

Your insurer, breach counsel, and the CAFC will all ask for the same evidence. Collecting it early saves you repeat work.

  • Original fraud email with full internet headers (not just the body).
  • Look-alike domain WHOIS and registration date.
  • Wire transfer instructions and any bank confirmation.
  • Entra ID sign-in logs and audit logs for the affected user and any delegate.
  • Any chat messages, voicemails, or text messages referencing the transfer.
  • Screenshot of inbox rules before you delete them.

Reporting and Disclosure

BEC is a cyber incident even if no malware was deployed. If the compromised mailbox contained personal information (employee records, customer details, SIN numbers, health information), it is a breach of security safeguards under PIPEDA and may trigger reporting to the Office of the Privacy Commissioner. BC-jurisdiction organisations should also consider PIPA obligations. See our PIPEDA 72-hour playbook for the decision tree.

Controls That Actually Stop This Next Time

  • MFA on every mailbox, phishing-resistant where possible (FIDO2 or number-matching push).
  • Conditional access blocking sign-ins from countries you do not operate in, and blocking legacy auth protocols entirely.
  • A written verification policy: any change to supplier banking details is verified by phone to a known good number, never to a number in the email. Dual authorization on wires above a threshold.
  • DMARC, SPF, and DKIM configured and enforced on your own domain, so attackers cannot cleanly spoof your CEO to your staff.
  • Banner rules that flag external senders and look-alike display names.
  • Security awareness training that specifically covers invoice and wire fraud scenarios, not just generic phishing.

Civil recovery exists but is expensive. In addition to the criminal and banking tracks, larger losses sometimes justify a civil Mareva-style injunction against the receiving account. This is a call for litigation counsel, not your IT provider, and only makes sense above certain thresholds.

Tighten the Controls Before the Next Attempt

Hexafusion helps Vancouver finance teams harden Microsoft 365 against BEC: conditional access, MFA enforcement, mailbox auditing, DMARC deployment, and wire-verification policy. Request a quote and we will assess your current exposure.
