HackFirstAidMunicipal
Playbook

Treasurer / finance department BEC

Fraudulent wire instructions on a vendor payment or payroll change.

All playbooks

The scenario

Your treasurer authorized a wire to a vendor after an email request from the CFO — but the CFO never sent it. Or a payroll change request looked legitimate and an employee's pay went to a new account.

Who this is for: Treasurer, CFO, CAO, IT lead, payroll administrator.

First steps

  1. 1. Call the receiving bank's fraud line within minutes
    First hour

    Wire reversals are sometimes possible within the first 24–72 hours. Have the wire details ready: amount, date, originating account, destination account, routing number.

  2. 2. File an IC3 complaint (US) or report to CAFC (Canada) immediately
    First hour

    FBI's IC3 has a Recovery Asset Team that can freeze funds at the destination bank if reported fast. CAFC (Canadian Anti-Fraud Centre) coordinates similarly.

  3. 3. Notify your municipal insurance carrier
    First hour

    Crime / social-engineering coverage usually has notice-of-loss within 24–48 hours. Cyber policy may also apply — file both.

  4. 4. Preserve the email thread, headers, and authentication chain
    First day

    Do not delete or forward the fraudulent email. Export the .eml file with full headers. IT or your IR firm needs SPF/DKIM/DMARC results.

  5. 5. Check for inbox rules and mailbox forwarding on the impersonated account
    First day

    BEC almost always involves a compromised inbox somewhere in the chain — often a vendor's, sometimes your CFO's. Look for hidden forwarding rules and recent OAuth grants.

  6. 6. Reset credentials and enable MFA on all finance roles
    First day

    Treasurer, CFO, CAO, payroll, AP clerk. Phishing-resistant MFA (FIDO2 or number-matching) where possible.

Continuity of service

  • Pause all outbound wires for 48 hours; require in-person verbal confirmation for any wire over a council-set threshold.
  • Notify the vendor whose payment was misdirected — they may also be a victim, and you may owe them the payment regardless.
  • Brief the audit committee at the next regular meeting; this will appear in the annual audit.

Communication

Council

Closed-session briefing. Loss may be material. Open-meeting disclosure follows once law-enforcement and insurance allow.

Auditor

Notify external auditor in writing. They will require this in management representation letters.

Vendor

Direct call from the treasurer to the vendor's AP contact, confirming the legitimate wire instructions on file.

Regulator hand-off

  • US: IC3 (ic3.gov), state AG if employee or vendor PII was exposed in the underlying compromise, FBI field office if loss exceeds local threshold.
  • Canada: CAFC (antifraudcentre.ca), local police service for the formal report, provincial privacy commissioner if PII was exposed.

FAQ

How fast can the bank reverse the wire?

Reversals are most likely in the first 24 hours and very rare after 72. The faster the receiving bank's fraud team is called — by your bank, by IC3/CAFC, or by your counsel — the better the odds.

Does our insurance actually cover this?

Crime policies cover funds transfer fraud but often require dual-control or callback verification procedures to be in place. Cyber policies may cover the underlying email compromise but not the wire loss itself. Read both policies and notify both carriers.

Other playbooks
Ransomware affecting core servicesPublic-records system compromisePolice, fire, or court data exposureElection infrastructure incidentCouncil or mayor social-media account takeoverVendor / SaaS supply-chain breach