Wire Fraud Email Scams: An Industry-by-Industry Breakdown
Wire fraud email scams cost billions every year. Real estate, legal, healthcare, and accounting take the worst losses. Here is the industry breakdown.
Wire fraud by email is one of the most costly attack categories in the FBI’s Internet Crime Complaint Center reporting. The mechanism is simple: an attacker convinces a target to send money to the wrong account by impersonating someone the target trusts. The execution varies by industry, but the structure is consistent. This post walks through the worst-affected sectors and the defenses that actually work.
How Wire Fraud Email Works
The attacker’s goal is a wire transfer to an account they control. Achieving that requires three pieces. First, an identity to impersonate that the target trusts. Second, a plausible reason to wire money. Third, urgency that pressures the target to act before verification.
The identity is usually a vendor (for vendor-update fraud), an executive (for CEO fraud), an attorney or escrow agent (for closing fraud), or a counterparty (for invoice fraud). The reason is typically a routine wire that the target was already expecting. The urgency comes from a fabricated deadline.
The attacker does not need to compromise the legitimate sender’s email account, though that does happen and increases the success rate. Many wire fraud emails are sent from lookalike domains that the target does not look at carefully, especially on mobile devices where the sender display truncates the domain. We covered the lookalike domain problem in why .co is not .com (forthcoming).
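A check for the lookalike-domain case described above, as an added example that is not code from this post or from any product it mentions. The trusted-domain list and all sender addresses are constructed, and the comparison works on the full domain string without a public-suffix list, so subdomains are not handled.

```python
from email.utils import parseaddr

# Constructed allowlist: domains the firm already does business with.
TRUSTED = {"example-title.com", "example-law.com"}

# Character sequences that read alike at a glance, folded before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(domain: str) -> str:
    """Fold visually confusable sequences to one canonical form."""
    for seq, repl in CONFUSABLES:
        domain = domain.replace(seq, repl)
    return domain


def classify_sender(from_header: str, trusted=TRUSTED):
    """Return (verdict, nearest trusted domain) for a From: header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    name = domain.rpartition(".")[0]
    for good in sorted(trusted):
        if name == good.rpartition(".")[0]:
            return ("lookalike-tld", good)          # the .co versus .com case
        if skeleton(domain) == skeleton(good):
            return ("lookalike-confusable", good)   # rn versus m, 1 versus l
        if edit_distance(domain, good) <= 2:
            return ("lookalike-typo", good)         # swapped or dropped letters
    return ("unknown", None)
```

A "trusted" verdict only means the domain string matches; a message from a compromised vendor mailbox still gets that verdict, which is why wire changes are verified out of band.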
Real Estate
Real estate is the worst-hit single industry. The FBI’s IC3 has cited real estate BEC losses at approximately $446 million in a single year, with most incidents involving closing-stage wire fraud where the attacker impersonates an attorney, title agent, or escrow officer.
The structural reason is simple: real estate closings involve large wire transfers, on tight deadlines, between parties who often have not met in person. The buyer is sending hundreds of thousands of dollars to an account they have only seen in an email. The window for verification is narrow because the closing is scheduled, and the wire instructions are routinely communicated by email. We have a dedicated post on the structural problem at real estate wire fraud and email protection.
The defense pattern most title companies have adopted is procedural: wire instructions are communicated only by phone using a number the customer was given at contract, not a number from the email. Some firms additionally use encrypted secure-message platforms for closing communications. Both approaches help. Neither solves the problem entirely because customers ignore the protocols when they are stressed by closing-day pressure.
Legal
Legal practices, especially solo and small firms, are routinely targeted with two distinct attack patterns.
Trust account fraud. Attorneys hold client funds in IOLTA or trust accounts. An attacker impersonating a client or a counterparty can attempt to redirect a settlement payment, a real estate closing payment, or a litigation reserve. The attack often arrives during a window when the attorney is actively coordinating wire transfers and is therefore less attentive to the legitimacy of incoming wire change requests.
Vendor and payroll fraud. Like any small business, a law firm can be hit by vendor-update fraud (an attacker impersonating a known vendor and changing the wire destination) or payroll redirection (an attacker impersonating an employee and changing direct deposit).
The American Bar Association has issued repeated warnings about wire fraud targeting law firms, and most professional liability insurers now require specific protocols for wire transfers in their cyber riders. We have an industry-specific post at solo attorney email security.
Healthcare
Healthcare is targeted differently. The wire fraud version is usually vendor-update fraud against a hospital’s accounts payable function or insurance reimbursement redirection. The dollar amounts are large because hospital AP volumes are large.
The other major attack against healthcare is W-2 harvesting, which is technically not wire fraud but uses similar email mechanics: an attacker impersonates a CEO or CFO and asks HR to send all employee W-2 forms by reply email. The forms are then used for tax-refund fraud at scale. The IRS issued public warnings about this attack pattern in 2016 and 2017, and it has continued every year since.
Hospitals and large healthcare systems often have meaningful security operations. Smaller practices, including specialty clinics and independent physician offices, often do not. We have industry-specific posts at healthcare practice email security and email security for dental offices.
Accounting and Tax Preparation
Accounting firms are targeted heavily during tax season. The dominant attack patterns are wire fraud against the firm’s clients (where the attacker impersonates the accountant or the client and redirects an estimated tax payment or a refund), and credential phishing against the firm itself (where the goal is access to client tax data and Social Security numbers).
Tax preparation services have additional exposure during the filing window because the IRS receives a large volume of fraudulent returns filed with stolen credentials, and the firm’s clients are then unable to file legitimately. The Federal Trade Commission has imposed specific safeguarding requirements on tax preparers under the Gramm-Leach-Bliley Act, including written information security plans (the IRS Publication 4557 requirement). We have industry-specific guidance at CPA firm email security.
Construction
Construction is a less-discussed but heavily targeted industry. Most construction wire fraud takes the form of subcontractor and vendor invoice fraud: an attacker impersonates a known subcontractor and changes the wire destination on a routine progress-billing invoice.
The structural vulnerability in construction is that AP volume is high, vendor relationships are numerous, and project managers approve wire transfers under deadline pressure to keep work moving. A single fraudulent vendor change can result in five- or six-figure losses before anyone notices. We have a vertical post at construction invoice fraud and email protection.
Manufacturing
Manufacturing is exposed through international wire fraud and supply-chain fraud. International wire fraud targets the routine import/export wires that manufacturers send to overseas suppliers; the attacker impersonates the supplier and changes the wire destination. Supply-chain fraud uses compromised supplier emails to insert fake purchase orders or to redirect legitimate orders to attacker-controlled fulfillment.
Manufacturing also has unique exposure to industrial espionage and IP theft, but those are different attack categories. Pure wire fraud in manufacturing tends to be high-value because the wire amounts are large and the attacker only needs to succeed once.
Insurance
Insurance agencies and brokers face a specific wire fraud variant where the attacker impersonates a client or a claimant and redirects claim payments. Personal lines and commercial lines are both affected, with commercial typically having larger per-incident losses because commercial claims are larger. We have a vertical post at insurance agency email protection.
Why the Pattern Persists
Wire fraud email persists for the same reason most email-based attacks persist: the cost of attempting it is approximately zero, and a small fraction of attempts succeed. An attacker sending 1,000 vendor-update emails at zero cost will hit a small percentage of targets who change the wire destination without verification. The attacker’s only cost is the time to send the emails and the infrastructure to receive the redirected funds. Both are cheap.
This is the structural reason that wire fraud email is not solved by any single defense. The attack is cheap and the defenses are work. Out-of-band verification works but requires discipline. Sender authentication (DKIM, SPF, DMARC) catches some impersonation but not the lookalike-domain version. Content-based filters catch some attacks but not the precision-targeted ones engineered to look legitimate.
Economic filtering changes the input cost. A small cover charge on unknown senders does not stop the attack that is willing to pay the charge to reach the target, but it collapses the mass version that depends on free reach. The single-target high-value attack is still possible. The 1,000-email blast that finds three targets willing to act without verification is not. We covered the broader frame in what is BEC and the anatomy of a modern phishing email.
What Actually Works
A combination of layered defenses works better than any one. The realistic stack for a small business or a solo professional:
Out-of-band verification for wire transfers. Required for any wire over a defined threshold. The phone number must be one the firm or person was given at the start of the relationship, not a number from the email asking for the wire. This single procedural defense prevents most successful attacks.
Sender authentication. Configure DMARC with a reject policy on your own domains so that spoofing your firm’s exact domain is harder. As noted above, sender authentication does not catch the lookalike-domain version. We covered this in what is DMARC, DKIM, and SPF.
Native provider filtering. Gmail and Outlook native filters do real work on mass-volume mechanical fraud and known-bad domains. This is your first layer.
Inbox-layer filtering. A structural filter on identity and cost reduces the volume of unknown-sender messages reaching the inbox. The mass-volume version of these attacks does not survive a per-recipient cost. The targeted version still arrives, but the volume is smaller and the attention bandwidth to handle it is greater.
Cyber insurance. Most small businesses now carry a cyber rider. Verify that wire fraud is covered, that the policy limits are appropriate, and that the verification protocols required by the policy are actually being followed.
A Specific Honest Note
Rythm is not a wire-fraud-prevention product. We are an inbox-layer filter that reduces the volume of unsolicited mail reaching individuals and small teams. A wire fraud email from a sender on your guest list (a compromised vendor or a real attorney whose account was breached) walks straight through Rythm, because the bouncer’s job is identity, not content authentication.
What Rythm does is collapse the mass-volume version of the attack. The 1,000-email vendor-impersonation blast that finds three willing targets does not get sent at scale once each recipient costs four cents. The targeted attacker who pays anyway leaves a payment trail and the email arrives marked PAID, which is itself a useful signal: established vendors are on the recipient’s guest list and would not pay a cover charge to reach them. A paid email claiming to be from a known vendor is a visible red flag at the inbox layer. Out-of-band verification handles the targeted survivors. The combination is what works.
For the operational defense playbook, see business email compromise survival guide for small businesses. For where structural filtering fits, see the security architecture overview. Rythm is $1.65 per month, cancel anytime.