Wire Transfer Fraud in SMEs: The Anti-Fraud Protocol Every Leader Must Deploy in 2026
CEO fraud, supplier IBAN spoofing, social engineering: wire transfer fraud costs French companies hundreds of millions of euros every year. The operational protocol to roll out tomorrow.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
A Tuesday afternoon. The accountant receives an email signed by the CEO, on the road, requesting an urgent and confidential transfer to a new account. The signature looks right, the tone is credible, the IBAN well formatted. 47 minutes later, EUR 284,000 has left the cash account. No technical breach: just a control chain too soft. According to the Banque de France's Payment Security Observatory, transfer-related frauds (including FOVI — false transfer orders) remain one of the costliest categories for French companies, with cumulative losses estimated in hundreds of millions of euros each year.
This article lays out an operational anti-fraud protocol for SMEs (10 to 250 employees), structured around nine internal controls, the legal framework of the French Monetary and Financial Code, and the right reflexes in case of an incident.
This article is a pedagogical summary and does not replace specialised banking, legal or cyber advice. If an incident occurs, contact your bank, your counsel and file a criminal complaint immediately.
Executive summary
- Three fraud patterns dominate: CEO fraud (impersonation of the executive), supplier fraud (IBAN spoofing), and bogus banking technician fraud (remote takeover).
- The risk is not solved by tools: it is solved by an internal control protocol combining segregation of duties, dual approval and an independent verification channel.
- Reaction time is critical: within 24 to 48 hours, a SEPA recall procedure can limit the loss; beyond that, recovery becomes unlikely.
- Article L. 133-18 of the French Monetary and Financial Code requires the bank to reimburse unauthorised transactions, but case law is strict where gross negligence by the payer is established.
1. The three dominant fraud patterns
CEO fraud (FOVI)
The attacker impersonates the executive, usually by email (sometimes backed up by a phone call or AI-cloned voicemail). They reach out to an accountant, executive assistant or treasurer for a transfer presented as urgent, confidential and exceptional: imminent acquisition, tax adjustment to settle, payment to a new strategic partner. The target is typically isolated; the scenario plays on hierarchical authority.
Supplier fraud (IBAN switch)
A real, recurring supplier appears to send a letter or email requesting an update of their banking details. The fraudulent IBAN is substituted in the supplier master data. The fraud only surfaces at the next genuine reminder from the real supplier — one to three months later, when recovery is virtually impossible.
Bogus banking technician fraud
The attacker poses as a bank technician or as the payment software vendor. They request the installation of remote-assistance software or the disclosure of a one-time code "for testing". Once they control the workstation, they trigger transfers from the employee's legitimate environment.
2. Legal framework: what the French Monetary Code says
Article L. 133-18 requires the payment service provider to immediately refund the amount of an unauthorised transaction reported without delay. But Article L. 133-19 allows the payer's liability to be engaged in case of gross negligence in safeguarding the security devices, or of intentional breach of obligations.
French Cour de cassation case law regularly holds that disclosure of a 3-D Secure code or password to a third party amounts to gross negligence and excludes reimbursement. Conversely, where the employee was deceived by a sophisticated scheme (cloned website, advanced social engineering), banks have been ordered to refund.
Practical consequence: a robust internal protocol is not just a prevention tool; it is also key evidence in a dispute with your bank or cyber insurer.
3. The 9 internal controls of the anti-fraud protocol
| # | Control | Implementation |
|---|---|---|
| 1 | Systematic dual approval | Any transfer above a defined threshold (e.g. EUR 5,000) requires two distinct electronic signatures. |
| 2 | Segregation of duties | The person creating a beneficiary in the banking tool cannot also approve a transfer to that beneficiary alone. |
| 3 | IBAN verification on an independent channel | Any change of supplier banking details triggers a phone call to the supplier's historical number (never the one in the email received). |
| 4 | Cooling-off period for new beneficiaries | No transfer to a newly created IBAN can be executed within 24 to 48 hours of its creation. |
| 5 | Daily caps and whitelists | Strict daily limits; international transfers subject to express authorisation; transfers to non-EU IBANs allowed only to whitelisted beneficiaries. |
| 6 | "Presidential urgency" protocol | No urgent transfer can be triggered solely on the basis of an email or a call. Approval through a pre-established control channel (codeword, call to a memorised number). |
| 7 | Quarterly awareness training | Short sessions for accountants, assistants and treasurers: real cases, simulations, quizzes. |
| 8 | Workstation security | MFA mandatory for the banking portal, up-to-date antivirus, no shared sessions, no unauthorised remote-assistance tools. |
| 9 | Daily bank reconciliation | Automated reconciliation between accounting and bank statements: a fraudulent transfer must be detected within 24 hours. |
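The approval logic of controls 1, 2, 4 and 5 as an added Python example (not the firm's tooling nor any banking portal's API): a pre-execution check that lists which controls block an order. The thresholds, daily cap, home country, user names and IBANs are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are constructed for this example (the page cites EUR 5,000 and a 24-48 h hold as indicative values).
DUAL_APPROVAL_THRESHOLD = 5_000             # control 1: two signatures required above this amount
NEW_BENEFICIARY_HOLD = timedelta(hours=48)  # control 4: cooling-off period for a newly created IBAN
DAILY_CAP = 50_000                          # control 5: assumed daily limit
HOME_COUNTRY = "FR"                         # assumed domestic country
EU_COUNTRIES = {"FR", "DE", "ES", "IT", "NL", "BE", "PT", "AT", "IE", "LU"}  # partial list, enough for the example

@dataclass
class Beneficiary:
    iban: str
    created_at: datetime
    created_by: str   # user who entered the IBAN in the banking tool

@dataclass
class Transfer:
    amount: int
    beneficiary: Beneficiary
    requested_at: datetime
    approvers: tuple  # users who have electronically signed the order
    international_authorised: bool = False  # express authorisation for a non-domestic transfer

def check_transfer(t: Transfer, sent_today: int, non_eu_whitelist: set) -> list:
    """Return the controls that block execution; an empty list means the order may go out."""
    blocks, signers = [], set(t.approvers)
    country = t.beneficiary.iban[:2].upper()
    if t.amount > DUAL_APPROVAL_THRESHOLD and len(signers) < 2:
        blocks.append("1: dual approval required above threshold")
    if signers == {t.beneficiary.created_by}:
        blocks.append("2: beneficiary creator cannot approve alone")
    if t.requested_at - t.beneficiary.created_at < NEW_BENEFICIARY_HOLD:
        blocks.append("4: beneficiary still in cooling-off period")
    if sent_today + t.amount > DAILY_CAP:
        blocks.append("5: daily cap exceeded")
    if country != HOME_COUNTRY and not t.international_authorised:
        blocks.append("5: international transfer lacks express authorisation")
    if country not in EU_COUNTRIES and t.beneficiary.iban not in non_eu_whitelist:
        blocks.append("5: non-EU IBAN not whitelisted")
    return blocks

# Constructed scenario from section 1: a supplier's IBAN was "updated" an hour ago and a EUR 45,000 order follows.
now = datetime(2026, 4, 28, 14, 0)
switched = Beneficiary("DE89370400440532013000", now - timedelta(hours=1), "alice")
rushed = Transfer(45_000, switched, now, ("alice",))
print(check_transfer(rushed, 0, set()))  # four controls block the order
# Same order two days later, with a second signer and express authorisation: nothing blocks it.
later = Transfer(45_000, switched, now + timedelta(days=2), ("alice", "bob"), True)
print(check_transfer(later, 0, set()))  # []
```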
Pedagogical example
A 60-employee industrial SME deploys controls 1, 3 and 4. Three months later, an email requests an IBAN update for a recurring supplier (EUR 45,000 monthly). Control 3 triggers a call to the supplier's historical number: the fraud is detected before the first transfer. Loss avoided: EUR 45,000 in the current month alone, leaving aside the open-ended duration of the fraud had it gone through.
4. Emergency procedure when fraud is detected
- Hour 0 — Immediately alert the bank's fraud unit (dedicated number, posted in the finance room) to trigger a SEPA recall or block if the transfer has not yet been executed.
- Hour +1 — Preserve all digital evidence: emails, access logs, statements, screenshots. Do not power off potentially compromised workstations before forensic intervention.
- Hour +4 — File a criminal complaint (citing Article 313-1 of the French Criminal Code on fraud and Article 323-1 on unlawful access to an automated data processing system, where applicable).
- Hour +24 — Notify the CNIL if personal data has leaked (Article 33 GDPR), the cyber insurer, and report the case on cybermalveillance.gouv.fr.
- Day +1 to +5 — Internal audit: where did the chain break? Update the protocol; communicate internally without stigmatising the deceived employee.
Our chartered accountant's analysis
Across our internal control reviews for SMEs, we observe that the weakest link is rarely the banking tool — which is generally excellent — but the organisational chain: a single accountant, with no trained back-up, validating under hierarchical pressure in tight timeframes. Fraud exploits this human and organisational vulnerability, not a technical flaw. The 9-point protocol above is not theoretical; it is what we deploy with our clients after every incident, and what has prevented several of them from suffering repeat fraud.
The underestimated risk
Beyond the direct loss, transfer fraud generates three secondary risks:
- Internal reputation risk: the deceived employee often resigns within six months, out of shame or loss of confidence.
- Insurance risk: if the insurer considers the protocol has not been followed, indemnity may be reduced or refused.
- Tax and social risk: in some setups, diverted amounts can be reclassified by tax authorities if not properly booked as exceptional losses.
What the leader must decide
- Appoint a fraud officer in the organisation, distinct from the accountant.
- Embed the anti-fraud protocol in delegations of authority and the internal regulations.
- Check that the cyber insurance policy explicitly covers transfer fraud (FOVI clause).
- Audit the procure-to-pay chain at least once a year by an independent third party (chartered accountant, statutory auditor, specialist provider).
2026 watchpoints
- AI-cloned voice: attackers now use snippets from public videoconferences to clone the executive's voice. A phone call alone is no longer sufficient authentication.
- SEPA Instant Credit Transfer: generalised in 2025 (EU Regulation 2024/886), it makes fraud nearly irreversible. Keep thresholds and whitelists in instant mode too.
- Verification of Payee: progressively rolled out by European banks; activate in your settings as soon as available.
- Multi-channel phishing: SMS, WhatsApp, LinkedIn and even Teams calls are now common vectors. Awareness must cover every channel.
Conclusion
Wire transfer fraud is a permanent, fast-mutating risk, accelerated by generative AI and instant payments. No tool replaces a rigorous, formalised, audited and reviewed organisational protocol. It can be implemented in a few weeks; its absence can destroy months of margin in 47 minutes.
Up to date as of 28 April 2026.
Frequently asked questions
Must the bank always refund a fraudulent transfer?
No. Article L. 133-18 of the French Monetary and Financial Code requires the refund of unauthorised transactions, but Article L. 133-19 allows the bank to deny the refund in the event of gross negligence by the payer. Case law often holds that passing a code to a third party, or a manifest absence of internal control, constitutes such negligence.
What is the difference between an unauthorised transfer and a transfer authorised under deception?
The difference is legally decisive. An unauthorised transfer is executed without the payer's consent and gives a right to a refund. A transfer authorised under deception (the accountant approved the transfer believing it to be legitimate) is much harder to contest: the bank considers that formal consent was given.
Is cyber insurance enough to cover wire transfer fraud?
No, and this is a common mistake. Standard cyber policies cover IT incidents (ransomware, data leaks) but do not always cover social-engineering fraud without technical intrusion. You need an explicit FOVI / CEO fraud extension, with a sum insured suited to your exposure.
Should the fraud be reported even if the bank blocked the transfer?
Yes. Reporting to cybermalveillance.gouv.fr and to the PHAROS platform feeds the national databases and helps identify organised networks. It is also useful for your insurance file and, where applicable, for the report to the statutory auditor.
Does remote working increase the risk of wire transfer fraud?
Yes, mechanically. Remote working isolates employees, removes informal checks and increases the use of digital channels (email, chat) at the expense of face-to-face contact. The protocol must explicitly address remote working: no transfer approved solo from home above a defined threshold.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.
Sources
Official and operational sources cited for this page.
- Légifrance — Code monétaire et financier, art. L. 133-18 (unauthorised transactions)
- Banque de France — Observatoire de la sécurité des moyens de paiement
- Cybermalveillance.gouv.fr — False transfer orders (FOVI)
- Service-public.fr — Fraud and payment-instrument scams
- ACPR — Recommendations on payment security
- CNIL — Data security and payment incidents
- PHAROS platform — Reporting (signal-arnaques.com)