Uptick in Fraudulent Wire Transfers Resulting From Account Compromises

The NJCCIC continues to receive reports of compromised accounts of public and private sector New Jersey organizations resulting from compromised credentials and phishing emails. Consequently, the NJCCIC also observed an uptick in fraudulent wire transfers from these compromised accounts. Account compromises enable threat actors to access sensitive data and conduct further malicious activity, including financial fraud.

Once threat actors compromise an account, they create forwarding rules that match certain keywords and perform reconnaissance by searching the inbox or sent folder for previous wire transfer instructions that they can update. By impersonating legitimate users, threat actors identify and target existing customers or clients who may not question the email’s legitimacy. To appear authentic, they use previous email threads to update their targets on changes to the wire transfer instructions. The threat actors send modified invoices and updated wire instructions to trick targets into paying, or to demand payment, for goods or services. If payment is made, funds are redirected to threat actor-controlled accounts, causing significant financial losses.

The reported losses ranged from approximately $10,000 to $150,000. In one report, an email from the compromised vendor account was sent to a customer with updated wire instructions containing the vendor’s letterhead. The customer did not verify the request and later discovered that their payment had not been received by the vendor. In another report, a vendor discovered that one of its accounts had been compromised after several clients reported receiving suspicious emails. The threat actors set up rules in the compromised vendor’s account to forward all new emails to a hidden folder. They then sent various phishing emails with attachments to the vendor’s contacts, including updated wire instructions.
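The mailbox rules described above (keyword-based forwarding, and rules that move all new mail into a folder the owner does not watch) can be triaged from an export of each mailbox's rules. The following is an added example, not NJCCIC code. The rule schema (name, from, keywords, forward_to, move_to_folder), the term list, and the sample rules are assumptions constructed for illustration.

```python
# Added example: triage exported mailbox rules for the patterns in this bulletin.
# The rule schema below is an assumption; map your mail platform's export onto it.
FINANCE_TERMS = {"wire", "invoice", "payment", "remit", "bank"}  # assumed term list

def _domain(address):
    return address.rsplit("@", 1)[-1].lower()

def triage_rule(rule, org_domains):
    """Return the reasons a rule deserves analyst review (empty list if none)."""
    reasons = []
    keywords = [k.lower() for k in rule.get("keywords", [])]
    # Forwarding outside the organization's own domains.
    external = [a for a in rule.get("forward_to", [])
                if _domain(a) not in org_domains]
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    # Keyword conditions that target payment-related mail.
    hits = sorted({t for t in FINANCE_TERMS for k in keywords if t in k})
    if hits:
        reasons.append("keyword filter on payment terms: " + ", ".join(hits))
    # No sender or keyword condition: every new message leaves the inbox.
    if rule.get("move_to_folder") and not keywords and not rule.get("from"):
        reasons.append("moves ALL new mail to folder: " + rule["move_to_folder"])
    return reasons

def triage_mailbox(rules, org_domains):
    """Map rule name -> review reasons for every rule that matched a check."""
    org_domains = {d.lower() for d in org_domains}
    findings = {}
    for rule in rules:
        reasons = triage_rule(rule, org_domains)
        if reasons:
            findings[rule["name"]] = reasons
    return findings

# Constructed sample rules (not real data).
SAMPLE_RULES = [
    {"name": "Newsletters", "from": ["news@example.org"], "move_to_folder": "Reading"},
    {"name": "fin-sync", "keywords": ["Wire Transfer", "invoice"],
     "forward_to": ["collector@mail.example.net"]},
    {"name": "cleanup", "move_to_folder": "Archive2"},
    {"name": "Team copy", "keywords": ["standup"], "forward_to": ["lead@vendor.example"]},
]

if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLE_RULES, {"vendor.example"}).items():
        print(f"[review] rule {name!r}: " + "; ".join(reasons))
```

A match is a prompt for review with the mailbox owner, not proof of compromise; substring matching on terms such as "wire" will also flag benign rules.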

Recommendations

  • Confirm the source and instructions of any monetary transaction received via email through a separate means of communication, such as a phone call. Email replies are not an effective verification method, as they could be sent to the threat actors.
  • While an email may appear to come from a known and trusted account, that account may have been compromised. Verify all requests for money transfers.
  • Navigate directly to legitimate websites and verify them before providing sensitive information or wiring funds.
  • If funds are unintentionally wired to a fraudulent account, immediately notify a supervisor, the banking institution, the FBI, and the US Secret Service to stop the wire transfer. Unless the fraudulent transaction is discovered quickly (typically within 48 hours), it can be difficult, if not impossible, to return the stolen funds.
  • If personally identifiable information (PII) has been compromised, review the Identity Theft and Compromised PII NJCCIC product for additional recommendations and resources, including credit freezes and enabling MFA on accounts.

Report phishing emails and other malicious cyber activity to the NJCCIC and the FBI’s IC3.

Published in NJCCIC THE WEEKLY BULLETIN March 26, 2026