Recovering From a Fraudulent Payment: An Incident-Response Playbook for AP
Most fraud-prevention writing is about stopping the bad payment before it goes out. This post is about the moment after it already has. A controller opens an email, or a vendor calls asking where their money is, and the realization lands: a payment that looked routine went to a criminal. The wire cleared yesterday. The check was cashed. The ACH settled overnight. Whatever happened, the money is gone — and what you do in the next three days will determine whether you get most of it back or none of it.
Construction AP is a rich target. Payments are large, vendors are numerous, and the people who approve disbursements are often on jobsites rather than at a desk verifying bank details. When a fraudulent payment lands, the instinct is to investigate quietly first and act once you understand what happened. That instinct is wrong. Recovery is governed by hard deadlines set by banks and payment networks, not by how quickly you finish your investigation. This is an incident-response playbook: what to do, in what order, starting the minute you suspect a payment was fraudulent.
Recovering stolen funds is a chase. The criminal's goal is to move the money out of the receiving account before anyone notices — into a second account, a money-mule network, cryptocurrency, or cash. Once it has moved, tracing it becomes a law-enforcement problem with a low success rate. While the money is still sitting in the first receiving account, banks have tools to freeze and claw it back. That window is short, and it closes whether or not you are ready.
A window measured in hours: the period in which the FBI reports the strongest recovery odds for wire-based fraud, before funds are layered out of the receiving account (FBI IC3)
The practical consequence: you act first and investigate in parallel. You do not need to know how the fraud happened, who is responsible internally, or the full dollar exposure before you call the bank. You need two facts — which payment, and roughly how much — and those you have within minutes. Everything else can be reconstructed later. Treat the first calls as triage in an emergency room, not as the conclusion of an audit.
Designate the incident lead before you ever need one. When a fraudulent payment surfaces, the first failure mode is three people each assuming someone else has called the bank. One named owner — usually the controller — runs the response and delegates explicitly.
Your first call is to your bank's fraud or treasury-management department — not the general customer-service line, and not your relationship manager's voicemail. Ask explicitly for the fraud desk and state plainly that you are reporting a fraudulent payment and requesting a recall. What happens next depends on how the money left.
Wires are the hardest case because they settle fast and are designed to be final. Your bank can initiate a recall request to the receiving bank, and for international payments can send a SWIFT message flagging the transfer as fraud and asking the beneficiary bank to freeze the funds. Recovery depends entirely on whether the money is still in the receiving account. This is also when the FBI's Financial Fraud Kill Chain can help: if a domestic-to-international wire of significant value is reported through IC3 quickly enough, the FBI can work with the receiving country's financial system to freeze it. Speed is the only lever you control.
ACH gives you more room than a wire, but still not much. The originating bank can attempt a reversal, and ACH network rules provide return windows that depend on the return reason. The practical takeaway is that ACH reversals are time-boxed and measured in a small number of business days, so the request has to go in immediately — do not let an ACH fraud sit over a weekend. Ask your bank specifically which return path applies and what the deadline is for your transaction.
If a fraudulent check has not cleared, place a stop payment immediately. If it has cleared, the path is a forged-endorsement or altered-item claim against the bank, which has its own filing deadline — generally a tight one. Construction AP still runs meaningful check volume, so check fraud is not a legacy concern; positive pay is the preventive control, but once a bad check clears, the claim clock is already running.
On the first call to the bank, capture and record:
- The exact time you reported the fraud, and the name of the bank representative
- A case or reference number for the fraud report and the recall request
- Which recovery mechanism applies — wire recall, ACH reversal, stop payment, or forged-item claim
- The hard deadline for any further action you must take
- Whether the bank recommends freezing or adding controls to your own account
File a complaint with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov as soon as the bank calls are placed — not days later. IC3 is the federal intake point for cyber-enabled financial crime, including business email compromise, and a fast, detailed complaint is what activates the FBI's recovery assistance. The complaint should include the transaction date, amount, originating and receiving account information, and any fraudulent emails or documents involved. If the loss is significant, also contact your local FBI field office directly rather than relying on the online filing alone.
The IC3 complaint matters beyond your own case. It feeds the pattern data the FBI uses to map money-mule networks, and your filing may be the link that lets investigators freeze funds across multiple victims. File even if you expect to recover the money — and file even if you do not. Underreporting is why these schemes remain profitable.
Two policies may respond to a fraudulent payment, and they are not the same. A crime policy (sometimes called fidelity or commercial crime coverage) typically addresses theft, employee dishonesty, and forgery. A cyber policy may include social-engineering or fraudulent-instruction coverage that responds when an employee was deceived into sending money — the classic business email compromise pattern. Many contractors discover, only at claim time, that their crime policy excludes voluntary transfers induced by deception and that they never bought the social-engineering endorsement.
Insurance claims have notice deadlines, and several policies require prompt notice as a condition of coverage. Notify the carrier or broker within the first day or two even if you have not quantified the loss. A late notice can void an otherwise valid claim.
Loop in your broker early — they can interpret the policy language, tell you which coverage part to claim under, and manage the carrier relationship. Do not let an internal debate about who is at fault delay the notice. Sorting out fault is exactly the carrier's job; missing the notice window is your risk alone.
Banks, the FBI, and your insurer will all ask for documentation, and the quality of your evidence affects both recovery and the claim. Preservation has to start immediately, because email and system data can be altered, auto-deleted, or overwritten. The single most important rule: do not delete the fraudulent emails, and do not let anyone reply to them. Replying tips off the criminal and can taint headers; deleting destroys evidence.
Preserve, in their original form, everything connected to the payment:
- The full fraudulent email thread, with complete headers — exported, not just screenshotted
- Any fraudulent invoice, change-of-bank-account form, or spoofed document
- The internal approval trail — who approved the payment, when, and on what information
- Bank confirmations, wire receipts, and the ACH or check record
- System and access logs around the relevant accounts, before retention policies purge them
- A written timeline of who discovered the fraud, when, and what was done in response
If the fraud involved a compromised mailbox or any sign of system intrusion, treat it as a security incident as well as a payment incident: change credentials, review mailbox forwarding rules, and consider engaging IT or a forensics firm before doing anything that could overwrite logs. A criminal who got into a mailbox once will use it again.
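The preservation list above asks for the fraudulent email exported with complete headers, kept unaltered. The script below is an added example (not code from the post or from Covinly) showing what "preserve, don't screenshot" looks like in practice: it parses a raw `.eml`, records a SHA-256 of the untouched bytes so later copies can be proven identical, pulls out the header facts banks, IC3 and insurers ask for (Message-ID, Date, From, Reply-To, every Received hop), and flags the Reply-To mismatch that is typical of a diverted-payment email. The sample message, the domains and the relay addresses are constructed for the example.

```python
"""Preserve a suspect AP email as evidence.

Added example with a constructed message. Keeps the raw .eml byte-for-byte,
hashes it, extracts the headers investigators ask for, and flags header
anomalies. Nothing here replies to or modifies the message.
"""
import email
import hashlib
import json
from email import policy
from email.utils import parseaddr
from pathlib import Path

# Constructed sample: a change-of-bank-details request whose Reply-To points at
# a look-alike domain (capital I instead of lowercase l in "supplier").
SAMPLE_EML = b"""\
Received: from mail.example-relay.test (mail.example-relay.test [203.0.113.10])
\tby mx.contractor.example (Postfix) with ESMTPS id 4FAKE0001; Tue, 4 Mar 2025 09:14:02 -0600
Received: from [198.51.100.77] by mail.example-relay.test; Tue, 4 Mar 2025 09:13:55 -0600
From: Accounts Team <ap@steel-supplier.example>
Reply-To: Accounts Team <ap@steel-suppIier.example>
To: controller@contractor.example
Subject: Updated remittance details - Invoice 10482
Date: Tue, 4 Mar 2025 09:13:50 -0600
Message-ID: <constructed-0001@steel-supplier.example>
Content-Type: text/plain; charset="utf-8"

Please update our bank account before releasing invoice 10482. New details attached.
"""


def header_flags(from_addr: str, reply_to: str) -> list:
    """Header anomalies worth noting in the evidence record."""
    flags = []
    if reply_to and reply_to.lower() != from_addr.lower():
        flags.append("reply-to differs from From")
        from_domain = from_addr.rsplit("@", 1)[-1].lower()
        reply_domain = reply_to.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            flags.append("reply-to domain differs from From domain")
    return flags


def preserve(raw: bytes) -> dict:
    """Build the evidence record for one raw message.

    The hash is taken over the untouched bytes, so the exported .eml can be
    re-hashed later (by the bank, the carrier, or counsel) to prove it is the
    same artifact that was collected on day one.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),
        "message_id": str(msg.get("Message-ID", "")),
        "date": str(msg.get("Date", "")),
        "from": from_addr,
        "reply_to": reply_to,
        "subject": str(msg.get("Subject", "")),
        # Every Received hop, newest first as they appear in the header block;
        # this is the mail path investigators trace back toward the sender.
        "received": [str(h) for h in msg.get_all("Received", [])],
        "flags": header_flags(from_addr, reply_to),
    }


def write_evidence(raw: bytes, outdir: Path, stem: str = "suspect-email") -> Path:
    """Write the raw .eml unchanged plus a JSON sidecar with the record."""
    outdir.mkdir(parents=True, exist_ok=True)
    (outdir / f"{stem}.eml").write_bytes(raw)          # original bytes, untouched
    sidecar = outdir / f"{stem}.json"
    sidecar.write_text(json.dumps(preserve(raw), indent=2))
    return sidecar


if __name__ == "__main__":
    import tempfile

    record = preserve(SAMPLE_EML)
    print(json.dumps(record, indent=2))
    print("wrote", write_evidence(SAMPLE_EML, Path(tempfile.mkdtemp())))
```

Run it against a real export by replacing `SAMPLE_EML` with `Path("message.eml").read_bytes()`; most mail clients offer "save as .eml" or "show original", which keeps the headers the screenshot loses. Store the `.eml` and its sidecar somewhere outside the mailbox retention policy, and record the hash in the written timeline the post asks for.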
Once the time-critical external steps are underway, turn to the question that prevents the next loss: how did this payment clear your controls? The goal is a control diagnosis, not a search for someone to blame. Fraud almost never succeeds because one person was careless — it succeeds because a process gap let a single point of failure become a payment.
Trace the payment backward and find the gap
- How did the fraudulent payment instruction enter — a changed bank account, a brand-new vendor, an altered invoice?
- Was a bank-detail change verified by callback to a known number, or accepted from the email itself?
- Did the payment require dual authorization, and if so, what did the second approver actually see?
- Were the warning signs present — urgency, secrecy, a new account, a slightly-off email domain — and did anyone act on them?
- Did an existing control exist on paper but get skipped under deadline pressure?
“The hardest part of the post-incident review was admitting our verification step was real but optional. The procedure existed; under a pay-app deadline, people skipped it. A control you can skip is not a control.”
— Controller, regional general contractor
If the fraud diverted a payment intended for a legitimate subcontractor or supplier, that vendor still has not been paid — and on a construction project, an unpaid sub is a schedule risk and a lien risk. Contact them directly, by phone, using a number you already have on file rather than any number from the suspect correspondence. Confirm their actual bank details through your verification procedure, explain that a fraudulent diversion occurred, and agree on how the legitimate payment will be made. The vendor may also have been targeted — comparing notes can reveal a compromised mailbox on either side. Handle it as a partnership, not a dispute; the criminal is the adversary, not the sub.
An incident that produces no lasting control change is a loss with no return on it. The review will usually point at the same handful of fixes: make bank-detail changes a hard gate that requires callback verification to an independently sourced number; require genuine dual authorization on payments above a threshold, where the second approver verifies rather than rubber-stamps; tighten new-vendor onboarding so a vendor is confirmed real before the first payment; and add positive pay on checks. The common thread is removing single points of failure so no one person — deceived, pressured, or dishonest — can move money alone.
Technology should make the safe path the default path. An AP platform that flags bank-account changes, surfaces brand-new payees for extra scrutiny, enforces approval thresholds, and keeps a complete audit trail turns verification from an optional step into a structural one. Covinly builds those checks into the payment workflow so the controls hold even when the team is busy and the deadline is close — which is precisely when fraud gets through. You cannot guarantee you will never be targeted again. You can guarantee that the gap this incident exposed is closed before the next attempt finds it.
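The diagnostic questions in "Trace the payment backward" and the fixes listed above describe the same set of controls from two sides: what was skipped, and what should be impossible to skip. The code below is an added example (not Covinly's code or any vendor's) of those controls as a pre-release gate that a payment must clear rather than a procedure someone can bypass: a brand-new payee is held, a changed bank account is blocked until a callback to the number on file is recorded, amounts at or above a threshold require two distinct approvers, and the requesting email domain is compared against the vendor's domain on file to catch a slightly-off look-alike. Vendor names, domains, account tokens and the $25,000 threshold are constructed for the example.

```python
"""Pre-release controls for an AP payment: the gate version of the post's fixes.

Added example with constructed vendors and requests. Every check returns a
reason string; an empty list means the payment may be released. Bank accounts
are held as masked tokens so the control data itself is not sensitive.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

DUAL_AUTH_THRESHOLD = 25_000.00  # constructed threshold for the example


@dataclass
class Vendor:
    name: str
    domain: str                         # email domain captured at onboarding
    bank_account: str                   # masked token, e.g. last four digits
    bank_verified_on: Optional[date]    # last callback verification of the account
    first_paid_on: Optional[date]       # None means this payee has never been paid


@dataclass
class PaymentRequest:
    vendor_name: str
    amount: float
    bank_account: str                   # account the instruction asks to pay
    requester_email: str                # address the instruction came from
    approvers: List[str] = field(default_factory=list)
    callback_verified: bool = False     # callback made to the number already on file?


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain: str, known_domain: str) -> bool:
    """True when the domain is close to, but not equal to, the domain on file."""
    domain, known_domain = domain.lower(), known_domain.lower()
    return domain != known_domain and edit_distance(domain, known_domain) <= 2


def release_checks(req: PaymentRequest, vendors: Dict[str, Vendor]) -> List[str]:
    """Return every reason the payment must be held; empty means release."""
    holds: List[str] = []
    vendor = vendors.get(req.vendor_name)
    if vendor is None:
        return ["unknown vendor: complete onboarding and confirm the vendor is real before the first payment"]
    if vendor.first_paid_on is None:
        holds.append("brand-new payee: confirm the vendor is real before the first payment")
    if req.bank_account != vendor.bank_account and not req.callback_verified:
        holds.append("bank details changed without callback verification to an independently sourced number")
    if req.amount >= DUAL_AUTH_THRESHOLD and len(set(req.approvers)) < 2:
        holds.append(f"amount {req.amount:,.2f} requires two distinct approvers")
    req_domain = req.requester_email.rsplit("@", 1)[-1]
    if looks_alike(req_domain, vendor.domain):
        holds.append(f"requester domain {req_domain} is a look-alike of {vendor.domain} on file")
    return holds


# Constructed vendor master for the example.
VENDORS = {
    "Acme Steel": Vendor("Acme Steel", "acmesteel.example", "****4421",
                         bank_verified_on=date(2024, 6, 1), first_paid_on=date(2023, 2, 14)),
    "North Rebar": Vendor("North Rebar", "northrebar.example", "****0088",
                          bank_verified_on=None, first_paid_on=None),
}

# A diverted-payment pattern: new account, no callback, one approver, look-alike domain.
SUSPECT = PaymentRequest("Acme Steel", 48_000.00, "****9902",
                         "ap@acmestee1.example", approvers=["jane"])

# A routine payment that should clear every check.
ROUTINE = PaymentRequest("Acme Steel", 12_000.00, "****4421",
                         "ap@acmesteel.example", approvers=["jane"])


if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT), ("routine", ROUTINE)):
        holds = release_checks(req, VENDORS)
        print(f"{label}: {'RELEASE' if not holds else 'HOLD'}")
        for reason in holds:
            print("  -", reason)
```

The point of the design is that `release_checks` runs inside the payment workflow, so the only way to pay a changed account is to record the callback, and the only way to pay above the threshold is a second, different approver. Log the returned reasons with the request and who resolved them; that log is the audit trail the post's last section asks for, and it is what you will wish you had when reconstructing the next incident.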
A fraudulent payment is a bad day. A fraudulent payment with no recall attempt, no IC3 filing, no insurance notice, and no control change afterward is a bad decision. Move fast, act in parallel, preserve everything, and convert the loss into a system that is harder to beat.
Written by
Alex Kim
Engineering Lead, AI
Engineering lead for Covinly's AI and ML systems. Previously built fraud detection at a B2B fintech. Writes about how AI actually reads invoices — the math, the edge cases, and why OCR alone isn't enough.