Wire Transfer Fraud in SMEs: The Anti-Fraud Protocol Every Leader Must Deploy in 2026
CEO fraud, supplier IBAN spoofing, social engineering: wire transfer fraud costs French companies hundreds of millions of euros every year. The operational protocol to roll out tomorrow.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
A Tuesday afternoon. The accountant receives an email signed by the CEO, on the road, requesting an urgent and confidential transfer to a new account. The signature looks right, the tone is credible, the IBAN well formatted. 47 minutes later, EUR 284,000 has left the cash account. No technical breach: just a control chain too soft. According to the Banque de France's Payment Security Observatory, transfer-related frauds (including FOVI — false transfer orders) remain one of the costliest categories for French companies, with cumulative losses estimated in hundreds of millions of euros each year.
This article lays out an operational anti-fraud protocol for SMEs (10 to 250 employees), structured around nine internal controls, the legal framework of the French Monetary and Financial Code, and the right reflexes in case of an incident.
This article is a pedagogical summary and does not replace specialised banking, legal or cyber advice. If an incident occurs, contact your bank, your counsel and file a criminal complaint immediately.
Executive summary
- Three fraud patterns dominate: CEO fraud (impersonation of the executive), supplier fraud (IBAN spoofing), and bogus banking technician fraud (remote takeover).
- The risk is not solved by tools: it is solved by an internal control protocol combining segregation of duties, dual approval and an independent verification channel.
- Reaction time is critical: within 24 to 48 hours, a SEPA recall procedure can limit the loss; beyond that, recovery becomes unlikely.
- Article L. 133-18 of the French Monetary and Financial Code requires the bank to reimburse unauthorised transactions, but case law is strict where gross negligence by the payer is established.
1. The three dominant fraud patterns
CEO fraud (FOVI)
The attacker impersonates the executive, usually by email (sometimes backed up by a phone call or AI-cloned voicemail). They reach out to an accountant, executive assistant or treasurer for a transfer presented as urgent, confidential and exceptional: imminent acquisition, tax adjustment to settle, payment to a new strategic partner. The target is typically isolated; the scenario plays on hierarchical authority.
Supplier fraud (IBAN switch)
A real, recurring supplier appears to send a letter or email requesting an update of their banking details. The fraudulent IBAN is substituted in the supplier master data. The fraud only surfaces at the next genuine reminder from the real supplier — one to three months later, when recovery is virtually impossible.
Bogus banking technician fraud
The attacker poses as a bank technician or as the payment software vendor. They request the installation of remote-assistance software or the disclosure of a one-time code "for testing". Once they control the workstation, they trigger transfers from the employee's legitimate environment.
2. Legal framework: what the French Monetary Code says
Article L. 133-18 requires the payment service provider to immediately refund the amount of an unauthorised transaction reported without delay. But Article L. 133-19 allows the payer's liability to be engaged in case of gross negligence in safeguarding the security devices, or of intentional breach of obligations.
French Cour de cassation case law regularly holds that disclosure of a 3-D Secure code or password to a third party amounts to gross negligence and excludes reimbursement. Conversely, where the employee was deceived by a sophisticated scheme (cloned website, advanced social engineering), banks have been ordered to refund.
Practical consequence: a robust internal protocol is not just a prevention tool; it is also key evidence in a dispute with your bank or cyber insurer.
3. The 9 internal controls of the anti-fraud protocol
| # | Control | Implementation |
|---|---|---|
| 1 | Systematic dual approval | Any transfer above a defined threshold (e.g. EUR 5,000) requires two distinct electronic signatures. |
| 2 | Segregation of duties | The person creating a beneficiary in the banking tool cannot also approve a transfer to that beneficiary alone. |
| 3 | IBAN verification on an independent channel | Any change of supplier banking details triggers a phone call to the supplier's historical number (never the one in the email received). |
| 4 | Cooling-off period for new beneficiaries | No transfer to a newly created IBAN can be executed within 24 to 48 hours of its creation. |
| 5 | Daily caps and whitelists | Strict daily limits; international transfers subject to express authorisation; transfers to non-EU IBANs allowed only to whitelisted accounts. |
| 6 | "Presidential urgency" protocol | No urgent transfer can be triggered solely on the basis of an email or a call. Approval through a pre-established control channel (codeword, call to a memorised number). |
| 7 | Quarterly awareness training | Short sessions for accountants, assistants and treasurers: real cases, simulations, quizzes. |
| 8 | Workstation security | MFA mandatory for the banking portal, up-to-date antivirus, no shared sessions, no unauthorised remote-assistance tools. |
| 9 | Daily bank reconciliation | Automated reconciliation between accounting and bank statements: a fraudulent transfer must be detected within 24 hours. |
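As an added illustration (not code from the article or from the firm), here is how the machine-checkable controls 1, 2, 4 and 5 can be encoded as a pre-execution check in a payment workflow. The EUR 5,000 threshold and the 48-hour cooling-off are the article's; the daily cap, whitelist entry, abridged EU country list and data layout are assumptions. It also runs the ISO 13616 mod-97 checksum to show that the well-formatted IBAN of the opening scenario passes the format check yet still fails the protocol.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Thresholds follow the article's protocol; the data layout, cap and whitelist are constructed.
DUAL_APPROVAL_THRESHOLD = 5_000                 # control 1
COOLING_OFF = timedelta(hours=48)               # control 4
DAILY_CAP = 50_000                              # control 5 (constructed value)
NON_EU_WHITELIST = {"GB82WEST12345698765432"}   # control 5 (constructed; ISO 13616 example IBAN)
EU = {"FR", "DE", "BE", "ES", "IT", "NL", "LU", "PT", "IE", "AT"}  # abridged list, assumption

def iban_is_well_formed(iban: str) -> bool:
    """ISO 13616 mod-97 checksum. Passing it proves nothing about who owns the account."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34 and s.isascii() and s.isalnum()):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])  # letters A=10 ... Z=35
    return int(digits) % 97 == 1

@dataclass
class Transfer:
    iban: str
    iban_created_at: datetime   # when the beneficiary was entered in the banking tool
    iban_created_by: str        # who entered it (control 2)
    amount: float
    approvers: list             # electronic signatures collected so far
    submitted_at: datetime
    sent_today: float = 0       # amount already executed today, before this one

def check_transfer(t: Transfer) -> list:
    """Return the controls this transfer violates; an empty list means it may execute."""
    issues = []
    if not iban_is_well_formed(t.iban):
        issues.append("malformed IBAN")
    if t.amount > DUAL_APPROVAL_THRESHOLD and len(set(t.approvers)) < 2:
        issues.append("control 1: dual approval required above threshold")
    if t.approvers and set(t.approvers) == {t.iban_created_by}:
        issues.append("control 2: beneficiary creator cannot approve alone")
    if t.submitted_at - t.iban_created_at < COOLING_OFF:
        issues.append("control 4: beneficiary inside cooling-off period")
    if t.sent_today + t.amount > DAILY_CAP:
        issues.append("control 5: daily cap exceeded")
    if t.iban[:2] not in EU and t.iban not in NON_EU_WHITELIST:
        issues.append("control 5: non-EU IBAN not whitelisted")
    return issues
# Constructed scenario mirroring the article's opening: a well-formed but brand-new IBAN,
# EUR 284,000, approved by the same accountant who created the beneficiary.
NOW = datetime(2026, 4, 28, 14, 0)
SUSPECT = Transfer("FR1420041010050500013M02606", NOW - timedelta(minutes=20), "accountant",
                   284_000, ["accountant"], NOW)
ROUTINE = Transfer("GB82WEST12345698765432", NOW - timedelta(days=400), "accountant",
                   12_000, ["accountant", "cfo"], NOW, sent_today=30_000)  # whitelisted, 2 signers
```

The suspect transfer fails four controls even though its IBAN checksum is valid; the routine payment to a long-standing whitelisted supplier with two distinct signatures passes all of them.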
Pedagogical example
A 60-employee industrial SME deploys controls 1, 3 and 4. Three months later, an email requests an IBAN update for a recurring supplier (EUR 45,000 monthly). Control 3 triggers a call to the supplier's historical number: the fraud is detected before the first transfer. Loss avoided: EUR 45,000 in the current month alone, leaving aside the open-ended duration of the fraud had it gone through.
4. Emergency procedure when fraud is detected
- Hour 0 — Immediately alert the bank's fraud unit (dedicated number, posted in the finance room) to trigger a SEPA recall or block if the transfer has not yet been executed.
- Hour +1 — Preserve all digital evidence: emails, access logs, statements, screenshots. Do not power off potentially compromised workstations before forensic intervention.
- Hour +4 — File a criminal complaint (citing Article 313-1 of the French Criminal Code on fraud and Article 323-1 on unlawful access to an automated data processing system, where applicable).
- Hour +24 — Notify the CNIL if personal data has leaked (Article 33 GDPR), the cyber insurer, and report the case on cybermalveillance.gouv.fr.
- Day +1 to +5 — Internal audit: where did the chain break? Update the protocol; communicate internally without stigmatising the deceived employee.
Our chartered accountant's analysis
Across our internal control reviews for SMEs, we observe that the weakest link is rarely the banking tool — which is generally excellent — but the organisational chain: a single accountant, with no trained back-up, validating under hierarchical pressure in tight timeframes. Fraud exploits this human and organisational vulnerability, not a technical flaw. The 9-point protocol above is not theoretical; it is what we deploy with our clients after every incident, and what has prevented several of them from suffering repeat fraud.
The underestimated risk
Beyond the direct loss, transfer fraud generates three secondary risks:
- Internal reputation risk: the deceived employee often resigns within six months, out of shame or loss of confidence.
- Insurance risk: if the insurer considers the protocol has not been followed, indemnity may be reduced or refused.
- Tax and social risk: in some setups, diverted amounts can be reclassified by tax authorities if not properly booked as exceptional losses.
What the leader must decide
- Appoint a fraud officer in the organisation, distinct from the accountant.
- Embed the anti-fraud protocol in delegations of authority and the internal regulations.
- Check that the cyber insurance policy explicitly covers transfer fraud (FOVI clause).
- Audit the procure-to-pay chain at least once a year by an independent third party (chartered accountant, statutory auditor, specialist provider).
2026 watchpoints
- AI-cloned voice: attackers now use snippets from public videoconferences to clone the executive's voice. A phone call alone is no longer sufficient authentication.
- SEPA Instant Credit Transfer: generalised in 2025 (EU Regulation 2024/886), it makes fraud nearly irreversible. Keep thresholds and whitelists in instant mode too.
- Verification of Payee: progressively rolled out by European banks; activate in your settings as soon as available.
- Multi-channel phishing: SMS, WhatsApp, LinkedIn and even Teams calls are now common vectors. Awareness must cover every channel.
Frequently asked questions
1. Must our bank always reimburse us in case of transfer fraud?
No. Article L. 133-18 of the Monetary and Financial Code requires reimbursement of unauthorised transactions, but Article L. 133-19 allows the bank to refuse reimbursement in case of gross negligence by the payer. Case law often considers that disclosing a code to a third party or the manifest absence of internal controls amounts to such negligence.
2. What is the difference between an "unauthorised" transfer and an "authorised but deceived" transfer?
Legally, the difference is decisive. An unauthorised transfer is executed without the payer's consent and gives a right to reimbursement. An authorised-but-deceived transfer (the accountant did approve it, believing it was legitimate) is far harder to challenge: the bank takes the view that formal consent was given.
3. Is a cyber insurance policy enough to cover transfer fraud?
No — and this is a frequent mistake. Standard cyber policies cover IT incidents (ransomware, data breaches) but not always social-engineering fraud without technical intrusion. An explicit FOVI / CEO-fraud extension must be subscribed, with a sum insured matching your exposure.
4. Should we report fraud even when the bank managed to block the transfer?
Yes. Reporting to cybermalveillance.gouv.fr and to the PHAROS platform feeds national databases and helps identify organised networks. It is also useful for your insurance file and, where applicable, for the statutory auditor's report.
5. Does remote work make wire transfer fraud worse?
Yes, mechanically. Remote work isolates employees, removes informal cross-checks ("hey, did you see that weird IBAN?") and increases the use of digital channels (email, chat) over face-to-face. The protocol must explicitly address remote work: no solo transfer above a defined threshold validated from home.
Conclusion
Wire transfer fraud is a permanent, fast-mutating risk, accelerated by generative AI and instant payments. No tool replaces a rigorous, formalised, audited and reviewed organisational protocol. It can be implemented in a few weeks; its absence can destroy months of margin in 47 minutes.
Up to date as of 28 April 2026.
Article written by Hayot Expertise
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.
Sources
Official and operational sources cited for this page.
- Légifrance — Code monétaire et financier art. L. 133-18 (opérations non autorisées)
- Banque de France — Observatoire de la sécurité des moyens de paiement
- Cybermalveillance.gouv.fr — Faux ordres de virement (FOVI)
- Service-public.fr — Escroquerie et fraude aux moyens de paiement
- ACPR — Recommandations sur la sécurité des paiements
- CNIL — Sécurité des données et incidents de paiement
- Plateforme PHAROS — Signalement (signal-arnaques.com)