
How to Trace a Business-Email-Compromise Scam

A business email compromise scam does not look like a scam. It looks like a routine invoice from a vendor you have paid for years, or a quick request from your CEO, with one quiet change: the bank account the money goes to. By the time the real vendor calls asking where their payment is, the wire is already gone, sitting in a mule account that has likely emptied again within minutes. If that just happened to your company, the next few hours decide far more than the next few weeks. This guide walks through exactly how BEC payment diversion works, the immediate response that gives your bank a real shot at recalling the funds, every agency that needs to hear from you, and how the mule account, the spoofed domain, and the person behind the email actually get traced, lawfully.

Recall in Hours | Report the Right Way | Since 2004

First Hours: When a Recall Is Possible
Bank + IC3: Report in Parallel
The Mule: The Account That Received It
Since 2004: Lawful Skip Tracing

The Short Version

If your company just wired money to a fraudulent account after a fake invoice or a spoofed payment-change email, move in this order and move now. Call your bank’s fraud or wire department immediately and ask them to attempt a recall and to request the receiving bank freeze the funds; ask for the indemnification paperwork they need to do it. In parallel, file at the FBI Internet Crime Complaint Center at ic3.gov, ideally within hours, because its Recovery Asset Team can trigger the Financial Fraud Kill Chain to flag the receiving account before the mule drains it. Then secure the compromised mailbox: change passwords, turn on multi-factor authentication, and delete any hidden forwarding or auto-delete rules the intruder set. Also report to the FTC. Preserve everything, including the full email headers. Recovery is never guaranteed and the odds fall sharply with every hour, but a fast, detailed report gives the banks and investigators something to act on. People Locator Skip Tracing works the lane most responders skip: lawfully tracing the mule account holder, the lookalike domain, and the person behind the fraud so your report and any civil claim carry real weight. And be ready for the second scam, the “recovery agent” who contacts you promising to get it all back for a fee.

What a Business Email Compromise Scam Actually Is

It is not a virus on your network. It is a payment redirected by an email.

Business email compromise, or BEC, is fraud that moves your money by manipulating a normal-looking email instead of breaking anything technical. The core trick is payment diversion: a criminal arranges for a legitimate-seeming payment to be sent to an account they control. The most common form is the fake or altered invoice. A long-standing vendor appears to email new banking details “for this quarter,” or your accounts-payable team receives an invoice that matches a real, expected one in everything but the wire instructions. The money goes out the door looking entirely routine, and the loss is only discovered when the genuine supplier asks why they were not paid.

There are several flavors, but they share one engine. In vendor email compromise, the attacker has gotten into a supplier’s mailbox, watched real invoice threads, and then sent a payment-change request from inside an account everyone trusts. In CEO or executive fraud, an email that appears to come from a senior leader pressures a finance employee to push an urgent wire, often framed as confidential and time-sensitive so nobody calls to verify. In thread hijacking, the scammer slips into an existing email conversation and replies as if they belong there. The newest wrinkle is that generative AI has made these messages far cleaner and more convincing, removing the clumsy grammar that used to give them away. Whatever the variant, the goal is identical: change where the money lands, and stay invisible until it is too late to stop the transfer.

How to Know It Was BEC

The pattern is consistent. If several of these fit, treat it as fraud.

The Bank Details Changed

An invoice or email asked you to update a vendor’s account or routing number “for this payment,” and the change arrived by email rather than a verified call.

A Look-Alike Domain

The sender address is one character off from the real one, a swapped letter or an added word, easy to miss at a glance in a busy inbox.

Urgency and Secrecy

A “CEO” or “CFO” demanded a fast, confidential wire and discouraged the usual verification steps, often while supposedly traveling or in a meeting.

The Real Vendor Calls

The legitimate supplier contacts you asking where their payment is, the moment the fraud usually becomes visible.

Strange Mailbox Behavior

Emails are missing, marked read on their own, or auto-forwarding to an outside address, signs an inbox was compromised and is being watched.

A Brand-New Account

The receiving account is at a different bank than the vendor has ever used, frequently a regional or online bank where a mule account was just opened.

The First Few Hours

Speed is the single biggest factor in whether the wire can be recalled.

BEC funds do not sit still. They land in a mule account and are very often moved again within minutes, broken into smaller transfers, cashed out, or converted, which is exactly why recovery odds collapse as the clock runs. The single most useful thing you can do is trigger a recall before the money is layered away. File the federal complaint right away at the FBI Internet Crime Complaint Center; its Recovery Asset Team uses the Financial Fraud Kill Chain to ask the receiving bank to freeze a fraudulent domestic wire, and it works best when the report comes in fast. Do this in parallel with calling your own bank, not after.

1. Call Your Bank, Demand a Recall

Reach the wire or fraud department by phone, not email. Ask them to attempt a SWIFT or wire recall and to contact the receiving bank to freeze the funds. Ask what indemnification paperwork they need and sign it immediately.

2. File With IC3 Fast

Submit a detailed complaint at ic3.gov so the Recovery Asset Team can act on the receiving account. Include the exact amount, date, your account, and the fraudulent destination account and routing numbers.

3. Secure the Mailbox

Change passwords, enable multi-factor authentication, and hunt for hidden forwarding rules, auto-delete rules, or unknown sign-ins. If an inbox was compromised, the intruder may still be watching and able to redirect more payments.

4. Preserve Every Piece

Save the emails with full headers, the fraudulent invoice, the wire confirmation, the destination account details, and any phone numbers used. Do not delete the malicious email; it carries the evidence investigators and tracers need.

What to Gather Before You File

A complete report is the one that triggers action. Assemble this first.

The difference between a complaint that stalls and one that feeds a freeze is detail. Before you file, pull the money trail and the email trail into one place. On the money side, collect the exact amount and date of the wire, your originating account, the fraudulent destination account number and routing number, the receiving bank’s name, your own wire confirmation or reference number, and any second hop you were able to see. That destination account is the single most important identifier in the whole case, because it is what the bank and the Recovery Asset Team chase first. On the email side, export the full message headers, not just the visible body, since the headers expose the true sending server and the look-alike domain. Save the fraudulent invoice, the payment-change request, the exact spoofed sender address, any reply-to address, and the timeline of when each message arrived against when the real invoice was expected. Keep one clean, dated folder, because you will hand the same package to your bank, to IC3, to the FTC, to any cyber-insurance carrier, and to an attorney. The more precisely the account numbers, domains, and headers are documented, the better the odds that a freeze succeeds and that the people behind the email can later be identified.
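What the full headers expose, and how a one-character-off sender domain shows up against the vendor's real one, as an added example that is not part of the original guide. The message, domains, IP address and the edit-distance threshold of 2 are constructed assumptions; run it on a copy of the preserved message, never the original.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from a real case); all names are placeholders.
RAW = b"""\
Return-Path: <bounce@acme-supp1y.example>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=acme-supp1y.example;
\tdkim=none; dmarc=none header.from=acme-supp1y.example
Received: from mail.acme-supp1y.example (unknown [198.51.100.77])
\tby mx.victim.example; Tue, 03 Mar 2026 09:14:05 -0500
From: "Acme Supply Accounts" <ar@acme-supp1y.example>
Reply-To: acme.billing@freemail.example
To: ap@victim.example
Subject: Updated banking details for this quarter

Please use the new account for invoice 4471.
"""


def domain_of(value):
    """Lower-cased domain of an address header value, '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, to spot one-character-off domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw, known_domains):
    """Summarise the headers a bank or investigator will ask about."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    report = {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "return_path_domain": domain_of(msg["Return-Path"]),
        # Hops are prepended in transit, so the last one is the earliest. Only
        # lines written by your own servers are trustworthy; older ones can be forged.
        "earliest_hop": hops[-1] if hops else "",
        "auth": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)),
        "flags": [],
    }
    if reply_dom and reply_dom != from_dom:
        report["flags"].append("reply_to_differs_from_sender")
    if from_dom not in known_domains:
        for good in sorted(known_domains):
            if edit_distance(from_dom, good) <= 2:  # assumed threshold
                report["flags"].append("lookalike_of:" + good)
    if report["auth"].get("dmarc") != "pass":
        report["flags"].append("dmarc_not_pass")
    return report


if __name__ == "__main__":
    for key, value in triage(RAW, {"acme-supply.example"}).items():
        print(f"{key}: {value}")
```

Note that SPF passes in the sample: a look-alike domain the sender controls can authenticate correctly, so a passing check does not show the message came from the real vendor.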

Where to Report Every Channel

File with all of these. Each one does something the others cannot.

Where | What It Does | How to Reach
Your Bank | The fastest lever. Can attempt a wire recall and ask the receiving bank to freeze the funds before they move again. | Wire or fraud department, by phone
FBI IC3 | Central federal intake. Its Recovery Asset Team can trigger the Financial Fraud Kill Chain on the receiving account. | ic3.gov
FTC | Logs the fraud for enforcement and provides a recovery plan if business or personal data was exposed. | reportfraud.ftc.gov
Receiving Bank | Holds the mule account. With a law-enforcement or sending-bank request, it can freeze and preserve records. | Via your bank or law enforcement
Cyber Insurer | If you carry crime or cyber coverage, fast notice protects a potential claim for the loss. | Your policy’s incident hotline
State Attorney General | Adds your case to state-level fraud actions and consumer and business protection efforts. | Your state AG consumer or fraud division

Do not skip a channel because you assume the amount is too small or the trail too cold. Freezes and seizures are built from detailed complaints filed quickly, and the same destination account in your report may already appear in someone else’s. For broader context on building a fraud case the right way, see our guide on how to investigate fraud. Your report may be the one that links a mule account to a network law enforcement can reach.

What Happens After You File

Set realistic expectations so you keep moving instead of waiting.

Filing does not trigger a phone call the next morning. The FBI Internet Crime Complaint Center takes in enormous volumes of reports, and while the Recovery Asset Team prioritizes time-sensitive BEC wires for a possible freeze, most complaints become data that analysts aggregate to connect accounts, domains, and suspects across many victims. Save your IC3 complaint number and every confirmation you receive. When recovery comes, it usually arrives through that back end: a bank freezes the receiving account, funds are held, and identified victims are notified and invited to petition for their return, sometimes months later. In the meantime, treat your case as active. Keep your evidence folder current, watch for official notices, and be sharply skeptical of anyone who contacts you first claiming to have located your money. Pursue the parallel tracks below rather than waiting on any single report to resolve, because the businesses that recover the most are the ones that kept building the file instead of going quiet.

How the Money and the People Get Traced

Two separate trails. Most responders only chase one.

The money trail. This is the bank-and-law-enforcement lane. When you report fast, your bank and the IC3 Recovery Asset Team work to identify the receiving account, ask the receiving bank to freeze it, and follow the funds if they have already hopped to a second or third account. Where a freeze succeeds, the held money becomes recoverable through the bank or a later seizure. This part runs on financial institutions, subpoenas, and the Financial Fraud Kill Chain, and it is exactly why speed and a precise destination-account number matter so much. Our role on this side is supportive: documenting and organizing the account numbers, wire references, domains, and timeline so your report is one an institution can actually act on.

The human trail. This is the lane almost no incident-response service works, and it is where People Locator Skip Tracing fits. Behind the fraudulent account and the spoofed email are real people with real footprints. There is the money mule whose name is on the receiving account, often a person recruited through a job or romance scam who can be identified and located. There is whoever registered the look-alike domain, sometimes traceable through registration and hosting records. There is the individual tied to a phone number, a reply-to email, or a name used in the thread. Those identifiers, even when the display name was fake, can be researched lawfully through public records and skip tracing to surface a real name, address, and associates, which is the same work behind our guides on finding someone who scammed you and on tracing a person from an email address. A named, located individual changes the case: it strengthens your IC3 report, gives a prosecutor or an attorney something concrete, and opens the door to a civil claim that a frozen-or-not bank trail alone cannot support. We never confront anyone and never encourage you to; our job ends at lawful identification so you and the authorities can act on it.

What Recovery Realistically Looks Like

Honest odds, and the legitimate paths that exist.

It would be dishonest to promise the money back, and anyone who guarantees it is lying. The truth sits between hopeless and easy, and it hinges almost entirely on speed. The most hopeful path is a fast bank recall or freeze: when a fraudulent domestic wire is reported within the first hours, the IC3 Recovery Asset Team and the banks have a genuine, documented record of freezing funds before the mule empties the account. That window is short, often counted in hours and rarely surviving past the first couple of days, which is why everything above is built around acting now.

A second path is a civil claim against an identified mule, facilitator, or recipient, which depends entirely on being able to name and locate a real person and any assets in their name. That is where lawful skip tracing and a thorough search for hidden assets do the heavy lifting, turning a frozen-or-vanished account into a person you can actually pursue. A third avenue is a cyber-insurance or crime-policy claim, if your business carries coverage; prompt notice and a clean evidence file are what keep that option open. None of these is guaranteed, all of them improve with speed and documentation, and several can run at the same time.

Closing the Door It Came Through

Once you have responded, harden the process so it cannot repeat.

BEC succeeds because a payment change felt routine and nobody verified it out of band. The fix is a habit, not software. Make it policy that any change to vendor banking details, and any urgent or unusual wire, is confirmed by a phone call to a number you already have on file, never a number or link from the email itself. Treat “the CEO needs this wired right now, quietly” as a red flag by default, because real executives expect verification. Watch for look-alike domains by hovering over the actual sender address rather than the display name, and have IT review mailboxes for the hidden forwarding and auto-delete rules intruders leave behind. If you discovered a mailbox was compromised, assume the attacker read your vendor and invoicing history, and warn the customers or suppliers in those threads so the same fraud is not run against them next. The same discipline that protects a business inbox is closely related to how individuals can identify a scammer behind a phone number and verify who is really contacting them. None of this undoes the loss, but it removes the gap the next attempt will look for.
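One way IT can run the mailbox-rule review described above, as an added example that is not part of the original guide. The rule export format, its field names, the keyword list and the folder list are hypothetical and constructed for illustration; map them to whatever rule export your mail platform provides.

```python
import json

# Constructed rule export (hypothetical format and field names, not a real product's).
RULES_JSON = """
[
 {"mailbox": "ap@victim.example", "name": "Newsletters", "enabled": true,
  "keywords": ["unsubscribe"], "forward_to": [], "delete": false,
  "mark_read": false, "move_to": "Newsletters"},
 {"mailbox": "ap@victim.example", "name": ".", "enabled": true,
  "keywords": ["invoice", "wire", "payment"],
  "forward_to": ["box4471@freemail.example"],
  "delete": false, "mark_read": true, "move_to": "RSS Feeds"},
 {"mailbox": "cfo@victim.example", "name": "cleanup", "enabled": true,
  "keywords": ["acme supply"], "forward_to": [], "delete": true,
  "mark_read": false, "move_to": null}
]
"""

# Assumed lists; tune both for your organisation and mail platform.
PAYMENT_WORDS = {"invoice", "wire", "payment", "bank", "remittance", "ach"}
QUIET_FOLDERS = {"rss feeds", "conversation history", "archive", "junk email"}


def audit_rule(rule, internal_domains):
    """Return the reasons a single rule deserves a human look (empty if none)."""
    reasons = []
    external = [a for a in rule.get("forward_to") or []
                if a.rpartition("@")[2].lower() not in internal_domains]
    if external:
        reasons.append("forwards_externally:" + ",".join(external))
    if rule.get("delete"):
        reasons.append("auto_deletes")
    folder = (rule.get("move_to") or "").lower()
    if rule.get("mark_read") and folder in QUIET_FOLDERS:
        reasons.append("hides_mail_in:" + folder)
    # Payment keywords only matter when paired with a hiding action; a rule
    # that files invoices into an "Invoices" folder is ordinary housekeeping.
    hits = sorted(PAYMENT_WORDS & {k.lower() for k in rule.get("keywords") or []})
    if hits and reasons:
        reasons.append("targets_payment_mail:" + ",".join(hits))
    return reasons


def audit(rules_json, internal_domains):
    """Map (mailbox, rule name) to reasons, for every rule worth reviewing."""
    findings = {}
    for rule in json.loads(rules_json):
        reasons = audit_rule(rule, internal_domains)
        if reasons:
            findings[(rule["mailbox"], rule["name"])] = reasons
    return findings


if __name__ == "__main__":
    for (mailbox, name), reasons in audit(RULES_JSON, {"victim.example"}).items():
        print(f"{mailbox} rule {name!r}: {', '.join(reasons)}")
```

Copy each flagged rule into the evidence folder before removing it, since the rule itself shows what the intruder was watching for.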

Don’t Get Hit Twice

The recovery scam targets businesses that already lost money. Watch for these.

An Upfront Fee

Any “fund recovery” service that wants payment before it returns a cent is a scam. Legitimate help is not pay-to-unlock.

A Guarantee

“We will get one hundred percent back” is impossible to promise. Real outcomes depend on bank freezes and the law.

They Found You

Unsolicited contact from a “recovery agent,” especially one who already knows your company was hit, is a major red flag.

Banking Logins or Access

No legitimate firm needs your online banking credentials or remote control of your finance computers. Ever.

Fake Government Ties

Claims of being “approved by” or “working with” the FBI to recover your funds for a fee are not how agencies operate.

Another Wire to “Release” It

Being asked to send a further payment to “unlock” or “convert” your frozen funds is the original scam, repeated.

How People Locator Skip Tracing Helps

We trace the people behind the account and the domain, lawfully, so your case has teeth.

Businesses

Identify the account holder behind the wire

Attorneys

Locate an identified mule or facilitator

Finance Teams

Tie a destination account to a real person

Insurers

Add public-records depth to a claim

Vendors Hit

Trace who hijacked your invoicing

Anyone Owed

Find a person before pursuing them

BEC frequently runs on the same rails as other frauds, so the people behind it surface through the same lawful research that powers our broader work on phone-scam caller investigation and full-spectrum skip tracing. Send us what you have, even if it feels like nothing: the destination account name, a phone number, an email or reply-to address, a look-alike domain, or the names used in the thread. We work strictly for lawful, permissible purposes, we never confront anyone on your behalf, we never promise a recovery we cannot control, and we tell you honestly what the records can and cannot show. For a legitimate matter, an initial locate typically comes back within 24 hours.

Our Commitment

We do not sell false hope or “guaranteed recovery.” We do the lawful research most responders skip: tracing the real people behind the accounts, domains, and emails, so your reports and any civil action carry weight. Honest, permissible-purpose skip tracing since 2004.

People Locator Skip Tracing Investigation Team — our investigators have conducted skip tracing and public-records research since 2004, working lawful, investigative-grade sources for legitimate purposes only. Last reviewed 2026. This page is general information, not legal, financial, or tax advice.

Frequently Asked Questions

Can I get the money back after a business email compromise scam?

Sometimes, but never by guarantee. The best chance is a fast bank recall or a freeze through the IC3 Recovery Asset Team while the funds are still in the receiving account. A civil claim against an identified mule and a cyber-insurance claim are other paths. Recovery improves dramatically with speed, detailed reporting, and the ability to name a real person behind the fraud.

How fast do I need to act?

As fast as possible, ideally within hours. BEC funds land in a mule account and are often moved again within minutes, so the window to freeze them is short and the odds drop sharply after the first day or two. Call your bank’s wire or fraud department and file at ic3.gov in parallel, not one after the other.

What is the IC3 Recovery Asset Team?

It is the FBI Internet Crime Complaint Center unit that focuses on freezing fraudulent transfers. When a BEC wire is reported quickly, it can trigger the Financial Fraud Kill Chain, working with the banks to flag and freeze the receiving account before the money is layered away. It works best on fast, detailed, domestic-wire reports.

Where exactly should I report it?

Call your bank first to attempt a recall, then file with the FBI Internet Crime Complaint Center at ic3.gov and report to the FTC at reportfraud.ftc.gov. Also notify your cyber-insurance carrier and your state attorney general. Each channel does something the others cannot.

The sender’s email looked legitimate. Can anyone still be identified?

Often, yes. Even a spoofed email and a fake display name leave identifiers: the destination account name, the look-alike domain’s registration records, phone numbers, reply-to addresses, and the real people who open the bank accounts used to receive the wire. Those can be researched lawfully through public records and skip tracing to surface a real name and location.

A company offered to recover our funds for a fee. Is that legitimate?

Treat it as a second scam. Recovery operations that demand an upfront fee, guarantee results, contact you out of the blue, ask for your banking logins, or want another wire to “release” the funds are preying on victims. Legitimate help does not require pay-to-unlock.

What does People Locator Skip Tracing actually do on a case like this?

We work the human trail, not the bank’s internal process. Using lawful public-records research and skip tracing, we help identify and locate the real people behind the receiving account, the look-alike domain, and the spoofed emails, producing a named, located individual that strengthens your report and any civil claim. We do not take custody of funds, confront anyone, or promise recovery.

Is it too late if it happened weeks ago?

The freeze window is likely closed, but reporting and tracing are still worthwhile. Identifying the mule, the domain registrant, or a facilitator can support a civil claim, a cyber-insurance claim, or an active investigation, and your complaint may connect to a wider case. Acting sooner is always better, but an older matter is far from worthless.

Hit by a BEC Wire Scam? Start Tracing.

We trace the real people behind the accounts, domains, and emails, lawfully, so your reports and any civil case carry weight, typically with an initial locate within 24 hours. Contact us to get started.
