
Your Business Just Got Scammed. Now What? A 2026 Incident Response Playbook

Published May 15, 2026 · 10 min read · By the ScamDrill Team
Cover image: the headline over a 72-hour countdown ring, with three stat blocks ($3.05B in BEC losses, $123K average hit, 58% RAT recovery rate).

The first phone call is always the same one. A controller, voice flat, asks the bank if the $187,000 wire that left at 3:12 — the one the CFO supposedly approved over text — can come back. By the time they’re asking, the answer is almost always no.

The FBI’s 2025 IC3 report attributes $3.05 billion in losses to business email compromise alone last year across 24,768 incidents — roughly $123,000 per case, with 86% of dollars walking out as a fraudulent wire. BEC is the second-largest fraud category overall, and it almost never hits the businesses you’d expect. The losses cluster at small and mid-market companies with thin AP teams, no formal callback policy, and a CEO who still approves invoices over email.

This is the playbook for the moment you realize it just happened to you.

72 hours: the recovery window. The FBI’s Recovery Asset Team froze $679 million across 3,900 incidents in 2025, with a 58% success rate — but the recoveries happen almost entirely inside the first three days after a wire releases. After that, the money has cycled through money mules and is gone.
Source: FBI IC3 2025 Annual Report; IC3 Recovery Asset Team.

The first 60 minutes — the wire is everything

If your incident involves money already moving (BEC, vendor-email compromise, payroll diversion, fake-invoice fraud), there is only one priority and it is not technical: get the wire stopped. Everything else — legal, communications, even forensics — runs second to that call.

  1. Call your bank’s wire-fraud or treasury desk. Not the branch. Use the number on your wire authorization paperwork or your banker’s direct line. Tell them to initiate a wire recall.
  2. File at ic3.gov in parallel. Have a second person dialing while the controller is on with the bank. The FBI’s Recovery Asset Team needs five fields to run the Financial Fraud Kill Chain: wire amount, send date, receiving bank, receiving account number, and a one-paragraph narrative. Tickets that hit IC3 inside the first 24 hours and meet the dollar threshold get worked the same business day.
  3. Notify your cyber insurer. Most cyber policies require notice within hours, not days. Late notification is the most common reason claims get denied; missing the window can cost you more than the wire did.
  4. Preserve evidence before you touch the inbox. Do not delete the spoof email. Do not change forwarding rules. Do not reset the compromised user’s password until the forensics path is captured. The CISA-FBI #StopRansomware Guide details what to grab; the short version: full mailbox export, sign-in logs, mailbox rule history, and an image of any affected endpoint.

One important nuance: BEC is rarely isolated. Roughly half of 2025 BEC incidents involved a real vendor whose email had been hijacked — meaning the request came from a legitimate inbox, on a legitimate thread, with a legitimate signature block. The fix is procedural, not technical: call back to a number you already had on file before any payment change. If your only verification channel is the email thread the attacker is on, you have no verification.

Figure 01 — The 72-hour incident response clock. Who calls whom, and when: a small business runbook for the three days that decide whether recovery is possible.

  0H · Contain: call the bank, file at ic3.gov, preserve email, notify your cyber insurer.
  4H · Investigate: scope the breach. Sign-in logs, mailbox rules, lateral movement, exposed data.
  24H · Notify: legal, customers, regulators. State breach laws (30–60 days); SEC 8-K within four business days.

Reporting tree:
  Money moved: bank → ic3.gov → insurer
  Data exposed: legal → state AG → customers
  Systems encrypted: CISA → FBI field office → IR
  Public company: SEC 8-K within four business days
  Healthcare entity: HIPAA, 60 days, OCR portal
  Government contract: CIRCIA plus agency CISO, 72 hours

Sources: FBI IC3 2025 · CISA #StopRansomware Guide · SEC 17 CFR §229.106 · scamdrill.com

The first 24 hours — scope it before you announce it

By hour four, you should know whether this is a one-account BEC or something deeper. The small indicators are usually the tells: a new mailbox rule moving payment mail into a folder nobody reads (RSS Feeds, Conversation History), a sign-in from a country your CFO has never been to, an MFA bypass via a stolen session cookie. Capture all of it. If you have managed IT or an MSSP, they get the call now; if you don’t, this is the moment to engage IR — through your cyber-insurance panel, since calling someone off-panel can void coverage.
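The three tells above are cheap to check mechanically once you have the sign-in and mailbox-rule history exported. The script below is an added example, not ScamDrill tooling or a vendor product: it runs over constructed Microsoft 365-style audit events (the field names are a simplified stand-in for a real unified-audit-log export, and the baseline of "countries this user normally signs in from" is assumed to come from your own history) and flags hidden-folder or forwarding rules on finance keywords, sign-ins from unfamiliar countries, and one session ID seen from two countries, which is what session-cookie theft looks like in the log.

```python
"""Hour-four triage of constructed audit events for early BEC indicators.
Added example; the event schema is a simplified stand-in for a real export."""
import json
from collections import defaultdict

# Outlook folders attackers use to park payment mail out of sight.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
FINANCE_WORDS = {"invoice", "wire", "payment", "ach", "remit", "bank"}

# Constructed baseline (assumption): countries each user has historically signed in from.
KNOWN_COUNTRIES = {"cfo@example.com": {"US"}, "ap@example.com": {"US", "CA"},
                   "controller@example.com": {"US"}}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"CreationTime": "2026-05-12T13:02:00Z", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.7", "Country": "US", "SessionId": "s-1"},
    {"CreationTime": "2026-05-12T13:40:00Z", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.com", "ClientIP": "198.51.100.23", "Country": "NG", "SessionId": "s-1"},
    {"CreationTime": "2026-05-12T13:47:00Z", "Operation": "New-InboxRule", "UserId": "ap@example.com",
     "Parameters": {"Name": ".", "SubjectContainsWords": "invoice;wire;payment",
                    "MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
    {"CreationTime": "2026-05-12T13:49:00Z", "Operation": "Set-Mailbox", "UserId": "ap@example.com",
     "Parameters": {"ForwardingSmtpAddress": "smtp:ap.ledger@mail.example"}},
    {"CreationTime": "2026-05-12T14:05:00Z", "Operation": "New-InboxRule",
     "UserId": "controller@example.com",
     "Parameters": {"Name": "Newsletters", "FromAddressContainsWords": "news",
                    "MoveToFolder": "Newsletters"}},
    {"CreationTime": "2026-05-12T14:10:00Z", "Operation": "UserLoggedIn",
     "UserId": "controller@example.com", "ClientIP": "203.0.113.9", "Country": "US", "SessionId": "s-2"},
]


def rule_findings(params):
    """Reasons a new or changed inbox rule looks like BEC tradecraft (empty list if benign)."""
    reasons = []
    folder = (params.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to hidden folder '{params['MoveToFolder']}'")
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        if params.get(key):
            reasons.append(f"{key} -> {params[key]}")
    if params.get("DeleteMessage"):
        reasons.append("auto-deletes matching mail")
    words = {w.strip().lower() for w in (params.get("SubjectContainsWords") or "").split(";") if w.strip()}
    hits = words & FINANCE_WORDS
    # Finance keywords alone are normal for AP; combined with hiding/forwarding/mark-as-read they are not.
    if hits and (reasons or params.get("MarkAsRead")):
        reasons.append(f"targets finance keywords {sorted(hits)}")
    return reasons


def triage(events, known_countries):
    """Return findings in event order; each is a dict with user, kind, detail, time."""
    findings = []
    sessions = defaultdict(set)  # session id -> countries it has been used from
    for ev in events:
        op, user, t = ev["Operation"], ev["UserId"], ev["CreationTime"]
        if op == "UserLoggedIn":
            country = ev["Country"]
            if country not in known_countries.get(user, set()):
                findings.append({"user": user, "kind": "unfamiliar-country-signin",
                                 "detail": f"{country} from {ev['ClientIP']}", "time": t})
            sessions[ev["SessionId"]].add(country)
            if len(sessions[ev["SessionId"]]) > 1:
                findings.append({"user": user, "kind": "session-reuse-across-countries",
                                 "detail": f"session {ev['SessionId']} seen in {sorted(sessions[ev['SessionId']])}",
                                 "time": t})
        elif op in ("New-InboxRule", "Set-InboxRule"):
            reasons = rule_findings(ev["Parameters"])
            if reasons:
                findings.append({"user": user, "kind": "suspicious-inbox-rule",
                                 "detail": "; ".join(reasons), "time": t})
        elif op == "Set-Mailbox" and ev["Parameters"].get("ForwardingSmtpAddress"):
            findings.append({"user": user, "kind": "mailbox-forwarding-set",
                             "detail": ev["Parameters"]["ForwardingSmtpAddress"], "time": t})
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, KNOWN_COUNTRIES), indent=2))
```

On the constructed events this produces four findings: the CFO's sign-in from an unfamiliar country, the same session ID reused from two countries, the AP user's rule hiding invoice and wire mail in RSS Feeds, and the external forwarding address. The controller's newsletter rule is left alone. Every finding is something to hand the DFIR firm, not something to "fix" before they have seen it.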

If the breach extends beyond an inbox — ransomware, data exfiltration, customer database access — follow CISA’s I’ve Been Hit by Ransomware checklist: isolate (disconnect, don’t shut down), preserve evidence, identify the variant if possible, and report to CISA and your local FBI field office.

Common first-day mistakes that make recovery worse

Forensic preservation: what to grab before you touch anything

The most expensive IR mistake is destroying evidence by trying to clean it up before it’s been captured. Most SMBs have no in-house forensics capability — that’s fine. What matters is what you do (and don’t do) between discovery and the moment a DFIR firm picks up the case. They’ll need a clean record of three things: who got in, what they touched, what left the building. Every step before they arrive either helps or destroys that record.

Capture this, immediately, before any “cleanup”

What not to do in the forensic window

If you have cyber insurance, the policy almost certainly names a panel of pre-approved DFIR firms; calling someone off-panel can void the claim. The two calls that matter in hour two are your broker and the breach coach the carrier assigns — usually a privacy attorney who conducts everything that comes next.
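The forensic record the DFIR firm needs is only useful if you can show nobody altered the artifacts between capture and handoff. The script below is an added example, not ScamDrill tooling or a carrier requirement: it hashes each captured artifact (mailbox export, sign-in log, mailbox-rule history) into a manifest with a collector and timestamp, then re-verifies the manifest so a later "cleanup" that touched a file is detectable. The artifact contents and the case identifier are constructed placeholders.

```python
"""Hash captured evidence into a manifest and re-verify it before handoff.
Added example with constructed placeholder artifacts."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB disk image does not need to fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifacts, case_id, collector):
    """artifacts: {label: path}. Records size and SHA-256 for each, with who collected it and when."""
    entries = []
    for label, path in sorted(artifacts.items()):
        entries.append({"label": label, "path": os.path.abspath(path),
                        "bytes": os.stat(path).st_size, "sha256": sha256_file(path)})
    return {"case_id": case_id, "collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(), "artifacts": entries}


def verify_manifest(manifest):
    """Labels whose file is missing or whose current hash no longer matches the manifest."""
    return [e["label"] for e in manifest["artifacts"]
            if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]]


def demo():
    """Capture constructed artifacts, write the manifest, then show a post-capture edit being caught."""
    workdir = tempfile.mkdtemp(prefix="ir-evidence-")
    samples = {  # constructed placeholder contents, not real exports
        "mailbox_export": b"constructed PST placeholder\n",
        "signin_log": b"2026-05-12T13:40Z cfo@example.com 198.51.100.23 NG\n",
        "inbox_rules": b"Rule '.' MoveToFolder='RSS Feeds' MarkAsRead=True\n",
    }
    paths = {}
    for label, content in samples.items():
        paths[label] = os.path.join(workdir, label + ".bin")
        with open(paths[label], "wb") as f:
            f.write(content)

    manifest = build_manifest(paths, case_id="CASE-PLACEHOLDER-001", collector="controller@example.com")
    with open(os.path.join(workdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    if verify_manifest(manifest):
        raise RuntimeError("manifest should verify clean immediately after capture")

    # A well-meaning "cleanup" edits the captured rule history after the fact.
    with open(paths["inbox_rules"], "ab") as f:
        f.write(b"Rule '.' removed by helpdesk\n")
    return verify_manifest(manifest)


if __name__ == "__main__":
    print("altered after capture:", demo())
```

Hash the artifacts the moment they are exported, store the manifest somewhere the compromised account cannot reach, and hand both to the panel firm; a manifest that no longer verifies tells them exactly which piece of the record they can no longer trust.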

The new extortion: double, triple, and pure

The ransomware story most operators carry — files get encrypted, you pay for a decryption key — is about two years out of date. Modern crews monetize the same intrusion in two or three layers, and a backups-only defense no longer covers the threat.

Double extortion — encrypt and leak — has been the default since 2020 and is now near-universal. Attackers exfiltrate data days or weeks before launching the encryptor, then threaten to publish on a leak site if you don’t pay. Restoring from backups solves the encryption half and does nothing about the leak.

Triple extortion — encrypt, leak, harass — adds a third lever. Crews like Akira and RansomHub email or call your customers, patients, or employees directly with their own data, demanding they pressure you to pay. We saw this at scale against US healthcare networks in late 2025; patient calls land in hours, and the social fallout outruns any plan that wasn’t pre-written.

Pure extortion — no encryption at all — is the newest and hardest model to detect. ShinyHunters, the crew behind the May 2026 Canvas breach of 8,809 institutions, built an economy on vishing into SaaS instances (Snowflake, Salesforce, support tools), exfiltrating, and threatening publication. No malware to detect, no decryptor to debate — just a phone call and a deadline.

~80% of ransomware incidents tracked by major DFIR firms in 2025 involved data exfiltration in addition to (or instead of) encryption. The data is the leverage now, not the encryption key — and a backups-only defense no longer covers the threat.
Source: 2025 DFIR practice reports aggregated across Mandiant, Unit 42, and Coveware quarterly updates.

How to handle an extortion demand

The single best decision in the first hour of an extortion event is not made by IT. It’s made by the executive who agrees, before anything else, that outside counsel and (if covered) the breach coach will lead all communications.

Paying does not close the incident; it changes which kind of incident it is. The 2025 DFIR field reports show median time-to-republish for paying victims at 38 days, and roughly half of paying organizations were re-extorted by the same crew within a year.

The first 72 hours — the legal and reputational clock

Once the bleeding has stopped, the notification obligations begin. The rules are not optional and the deadlines are real.

State breach notification. All 50 states have data breach notification laws, most requiring notice within 30 to 60 days of discovering personal information was exposed. Some — California, Colorado, Florida — require parallel notice to the state attorney general above certain thresholds. Have outside counsel run the analysis; the laws differ enough that DIY is a real liability risk.

SEC Form 8-K. If you’re a public company, the SEC’s cybersecurity disclosure rule requires filing Item 1.05 of an 8-K within four business days of determining a cybersecurity incident is material. The clock starts at materiality, not discovery — but boards that drag the materiality call are getting flagged by SEC enforcement.

HIPAA. Healthcare entities have 60 days to notify the HHS Office for Civil Rights and the affected individuals for breaches of 500+ records, and must post on the OCR “wall of shame”. Sub-500-record breaches are reported annually.

Sector and contract obligations. Defense contractors have DFARS reporting. Financial services have state DFS rules (New York’s NYDFS is among the strictest). Many B2B contracts require notice within 24 to 72 hours. Get the contract list on the table now, not next week.

The pattern across our coverage — from ShinyHunters to the 68% of breaches that start with a person, not a system — is that technology rarely fails first. The first failure is almost always procedural: a wire approval over text, a callback skipped, a vendor change accepted on faith.

The week after — close the door behind them

The crew that hit you has your org chart, your invoice templates, your vendor list, and now your IR habits. They will be back. A short post-incident punch list that actually moves the needle:

The companies that recover well aren’t the ones with the deepest stack; they’re the ones that already knew the phone number for their bank’s wire desk. The ones that recover badly are the ones that had to find it.

Run BEC and ransomware drills before you need the playbook.

ScamDrill sends safe, realistic phishing, BEC, and vendor-spoof simulations to your team — with an instant teachable moment when someone clicks. Boring, quiet, and roughly four hundred times cheaper than the wire you don’t recover.


One more thing

The incident ends with a postmortem the team actually reads and a short list of changes someone is accountable for closing by Friday. That part is unglamorous and is the only part that compounds. The rest — wires, lawyers, press — is the cost of having waited until it happened to write it down.

Frequently asked questions

What is the very first thing to do if your business sends a fraudulent wire?

Call your bank’s wire fraud desk immediately to request a wire recall, and simultaneously file a complaint at ic3.gov with the wire amount, receiving bank, account number, and a short narrative. The FBI’s IC3 Recovery Asset Team triggers what’s called the Financial Fraud Kill Chain to freeze accounts at the receiving institution. In 2025 the team froze $679 million across 3,900 incidents with a 58% success rate — but the recoveries cluster in the first 72 hours. After that, the money has usually been laundered through money mules and is gone.

How much does a business email compromise actually cost?

The FBI’s 2025 IC3 Annual Report logged $3.05 billion in verified BEC losses across 24,768 complaints — roughly $123,000 per reported incident on average. About 86% of BEC losses involve a fraudulent wire transfer; the rest are diverted ACH, payroll, or invoice payments. The losses are concentrated at small and mid-sized businesses with lean accounts payable teams and no formal callback-verification policy.

Do I have to report a cyber incident? To whom?

It depends on the type of incident. All businesses should report cybercrime to ic3.gov; ransomware and significant intrusions should also be reported to CISA. If customer personal data was accessed, state breach notification laws apply — all 50 states have them, with deadlines typically 30 to 60 days. Healthcare entities have HIPAA breach rules. Public companies must file an SEC Form 8-K within four business days of determining a cyber incident is material. Your cyber insurer (if you have a policy) typically requires notice within hours; missing that deadline can void coverage.

Should I pay the ransom?

CISA, the FBI, and most cyber insurers strongly discourage paying. Paying a ransom does not guarantee data recovery, may violate OFAC sanctions if the group is on a sanctioned list (with fines up to seven figures per transaction), and signals to other attackers that your business pays. Roughly half of organizations that pay are hit again within a year. The decision is yours, but CISA’s #StopRansomware Guide is the playbook serious incident responders work from.

What’s a vendor email compromise and why is it so dangerous?

Vendor email compromise is when a real vendor of yours has its email account taken over and the attacker sends a payment-redirect request from inside that real inbox. The signals are perfect — the right person, the right thread, the right signature block. Detection comes only from a callback to a number you already had on file, never from a number in the email itself. Half of all 2025 BEC incidents involved either a spoofed or hijacked vendor account.
