Stopping Wire-Transfer Fraud in a Family Office: A Controls Checklist

Prevention is a process problem, not a software problem

Almost every large fraudulent wire that leaves a family office is authorized by a real person who believed a false instruction. The fix, therefore, is not a product — it is a small set of controls applied consistently to the moment money moves. This piece is about prevention; if a wire has already gone out, the response is a different exercise, and the first-24-hours recovery steps matter more than this checklist. The mechanics that make these attacks work are covered in how business email compromise targets a family. This is general information, not legal advice, and not a substitute for retained counsel or a tailored controls review.

The controls that earn their place

• Out-of-band callback, every time.Verify each wire instruction — and every change to a payee's bank details — by calling a number you already hold on file, never a number supplied in the request. The FBI's long-standing guidance is to use secondary channels or two-factor verification before acting on a payment change.
• Dual approval over a threshold. Above a set amount, require two named approvers, each verifying independently. The second signature only adds safety if the second person actually re-checks rather than trusting the first.
• Vendor and counterparty bank-change holds.Treat any “our banking details have changed” message as suspect by default. Hold the change, call the known contact, and confirm before a single payment routes to the new account.
• No wire on email alone. Email is a notification, not an authorization. A payment instruction that exists only in an inbox does not move money until it has cleared the callback.
• A cooling-off pause on the unusual.New payee, first-time international transfer, urgency, secrecy, or an amount outside the normal pattern — any of these triggers a deliberate delay. Urgency is the fraudster's tool; a pause is yours.
• A written approver matrix.Decide in advance who may authorize what, up to which limits, and who verifies. Ambiguity about “who can say yes” is what an impersonator exploits.

Why the callback beats everything else

The reason an out-of-band callback is so effective is that it breaks the channel the attacker controls. A compromised mailbox, a lookalike domain, or a spoofed sender can produce a perfect instruction — but it cannot answer the principal's actual phone. The control costs a two-minute call and stops the scenario that accounts for the largest losses. The FBI puts cumulative exposed losses from business email compromise in the tens of billions of dollars over the past decade, with roughly US$2.77 billion in adjusted losses reported in 2024 alone.

Account for the synthetic-voice problem

A callback assumes the voice on the other end is genuine. That assumption is now worth testing: the FBI has warned that criminals use generative AI to clone a familiar voice and that families should agree on a private code word to confirm identity, then hang up and call back a known number if anything feels off. Build that code word into the callback so the control survives a convincing impersonation. The deeper version of this scenario is covered in can a deepfake voice approve a wire.

Make the controls real, not aspirational

A checklist in a binder stops nothing. The controls that hold up are the ones written down, assigned to named people, and rehearsed — including with the bank, so the family office knows how a recall request actually works before it needs one. Most engagements begin with a quiet review of how money moves today and where a single deception could carry it out the door; the changes that follow are usually few, specific, and quietly decisive.

Related services

• Family Office Services