13.8 Law Enforcement and Banking Coordination

4-6 hours · Module 13

Law Enforcement and Banking Coordination

BEC is one of the few cybersecurity incidents where law enforcement engagement and financial institution coordination are standard procedures — not exceptional escalations. This subsection covers the when, who, and how.


When to engage the bank

Immediately upon confirming a fraudulent payment was sent. Do not wait for the investigation to complete. Do not wait for management approval to contact the bank. The recovery window is 24-72 hours — every hour of delay reduces recovery probability.

Contact: Your company’s bank fraud team (not the general customer service line). Provide: the payment date, amount, recipient bank details (name, sort code, account number), a statement that the payment was made based on fraudulent instructions, and a request for immediate payment recall or hold.

If the payment is domestic (UK to UK): Faster Payments and CHAPS transfers are irrevocable once settled, so a "recall" means the sending bank asks the receiving bank to freeze the funds and return them. Recovery depends on the money still being in the beneficiary account, which is why the odds fall quickly: high within 24 hours, moderate within 48 hours, low beyond 72 hours.

If the payment is international: The sending bank sends a cancellation/recall request to the receiving bank over SWIFT, and any returned funds travel back through the same correspondent chain. Recovery is slower and less certain, so engaging the bank immediately is even more critical for international transfers.


When to engage law enforcement

UK reporting thresholds:

Action Fraud (actionfraud.police.uk): Report all BEC incidents involving financial loss. Action Fraud is the UK’s central fraud reporting centre. Reporting creates a crime reference number needed for insurance claims and bank recovery processes. Report online or call 0300 123 2040.

National Cyber Security Centre (NCSC): Report significant incidents to report.ncsc.gov.uk. The NCSC triages reports and may provide technical assistance for large-scale or sophisticated campaigns.

ICO (Information Commissioner’s Office): If personal data was accessed during the mailbox compromise (the attacker read emails containing employee PII, customer data, or health information), UK GDPR requires notifying the ICO within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a risk to individuals; where the risk is high, the affected individuals must also be informed. Assess the data accessed (subsection 13.4 MailItemsAccessed analysis) and consult legal counsel on notification obligations.


What law enforcement needs from you

The evidence package:

Timeline of events: from first compromise indicator to containment. Include timestamps (UTC) for each action.

The fraudulent email: full headers, body content, and sender analysis. Export from the eDiscovery search (subsection 13.7 Action 3).

Financial details: payment amount, date, sender bank details, recipient bank details (the fraudulent account).

Attacker infrastructure: IP addresses, domains, email addresses used by the attacker. From the investigation in subsections 12.3-12.5.

Scope: number of accounts compromised, number of fraudulent emails sent, total financial exposure.

Format: Most UK law enforcement accepts a PDF report with the above sections. The IR report template from Module 12 (adapted for BEC in subsection 13.11 of this module) serves as the format.


Vendor notification

If the investigation reveals the attacker impersonated or compromised a vendor (Meridian Precision in this scenario):

Contact the vendor through a verified channel (phone number from your records or their public website — NOT from any email in the compromised thread). Inform them: “We received an email appearing to come from your accounts department requesting a change to bank details. We believe this may be fraudulent. Has your email been compromised?”

If the vendor confirms their email was compromised: they have their own incident to investigate. Share the relevant IOCs (attacker IPs, email headers) to assist their investigation. This is a supply chain incident — your investigation helps them, and their investigation may reveal additional indicators relevant to your case.

If the vendor confirms they did NOT send the email: the attacker used a lookalike domain or spoofed the vendor’s identity. Share the spoofing technique details so the vendor can warn their other customers.

Subsection artifact: The law enforcement evidence package checklist and vendor notification template. These are unique to BEC investigations — not covered in the M11 AiTM module.


Knowledge check


Evidence package preparation

Law enforcement needs a structured evidence package — not a collection of KQL query outputs. Prepare the following before making the report:

1. Incident summary (1 page). What happened, when, who was affected, financial impact, current status. Written in plain English — the fraud officer receiving this is not a cybersecurity specialist.

2. Timeline of events. Chronological list: phishing email received → credentials compromised → attacker read email → inbox rules created → fraudulent email sent → payment processed → incident detected → containment executed. Each entry: date/time, event, evidence source.

3. Financial details. Payment amount, date, sending bank, sending account (last 4 digits), receiving bank, receiving account details (from the fraudulent email), payment reference, and current recovery status.

4. Attacker infrastructure. IP addresses used, email domains (phishing and lookalike), email addresses, and any other IOCs. Format as a simple table — not embedded in KQL output.

5. Email evidence. The fraudulent email with full headers — exported from eDiscovery, not a screenshot. The legitimate email thread showing the original vendor bank details. The inbox rules (if applicable) showing the attacker’s interception mechanism.

Store the evidence package in a dedicated folder with restricted access. Include a chain of custody document listing, for each item: who prepared it, when (UTC), where it is stored, and its SHA-256 hash, so that any later alteration of the package can be detected.
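The steps above can be scripted so the package is produced the same way every time. The following is an added example, not course material: it normalises timeline entries to UTC (rejecting any timestamp without a zone offset), sorts them, renders the IOCs as a plain-text table rather than query output, writes the files, and records a chain-of-custody manifest with a SHA-256 per file that can be re-verified later. All scenario values (timestamps, IP, lookalike domain, analyst name) are constructed for illustration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed timeline entries (illustrative, not from the course): (timestamp with
# zone offset, plain-English event, evidence source). One entry is deliberately in
# BST (+01:00) and one is out of order, because that is what raw analyst notes look like.
TIMELINE_RAW = [
    ("2024-03-04T09:12:00+00:00", "Phishing email delivered to finance mailbox", "Exchange message trace"),
    ("2024-03-04T09:41:00+00:00", "Finance user entered credentials on phishing page", "Sign-in logs"),
    ("2024-03-05T11:05:00+01:00", "Attacker created inbox rule hiding vendor replies", "Unified audit log: New-InboxRule"),
    ("2024-03-04T10:03:00+00:00", "First sign-in by attacker from unfamiliar IP", "Sign-in logs"),
    ("2024-03-06T14:20:00+00:00", "Fraudulent bank-detail change email sent to accounts payable", "Exchange message trace"),
    ("2024-03-07T16:02:00+00:00", "Payment of GBP 47,000 sent to fraudulent account", "Bank statement"),
    ("2024-03-09T08:30:00+00:00", "Vendor queried missing payment; incident declared", "Helpdesk ticket"),
    ("2024-03-09T09:10:00+00:00", "Account disabled, sessions revoked, inbox rule removed", "Unified audit log"),
]

# Constructed indicators (documentation address ranges / example domains only).
IOCS = [
    ("IP address", "198.51.100.23", "Attacker sign-ins"),
    ("Domain", "meridian-precisi0n.example", "Lookalike sender domain"),
    ("Email address", "accounts@meridian-precisi0n.example", "Sender of fraudulent instructions"),
]


def to_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and normalise it to UTC. A timestamp with no
    zone offset is rejected: an ambiguous time in a police report is worse than none."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks zone offset: {ts}")
    return dt.astimezone(timezone.utc)


def build_timeline(raw):
    """Return chronologically sorted entries with UTC timestamps (…Z suffix)."""
    entries = [{"time_utc": to_utc(t).strftime("%Y-%m-%dT%H:%M:%SZ"), "event": e, "source": s}
               for t, e, s in raw]
    return sorted(entries, key=lambda x: x["time_utc"])  # ISO UTC sorts lexically


def ioc_table(iocs) -> str:
    """Plain-text table, one indicator per row: readable by a fraud officer."""
    header = ("Type", "Value", "Context")
    widths = [max(len(row[i]) for row in list(iocs) + [header]) for i in range(3)]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    lines = [fmt.format(*header), fmt.format(*("-" * w for w in widths))]
    lines += [fmt.format(*row) for row in iocs]
    return "\n".join(lines)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_package(package_dir: Path, prepared_by: str) -> dict:
    """Write timeline.json and iocs.txt, then chain_of_custody.json recording who
    prepared each file, when (UTC) and its SHA-256."""
    package_dir.mkdir(parents=True, exist_ok=True)
    (package_dir / "timeline.json").write_text(json.dumps(build_timeline(TIMELINE_RAW), indent=2))
    (package_dir / "iocs.txt").write_text(ioc_table(IOCS) + "\n")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    items = [{"file": p.name, "sha256": sha256_file(p), "bytes": p.stat().st_size,
              "prepared_by": prepared_by, "prepared_at_utc": now}
             for p in sorted(package_dir.iterdir()) if p.name != "chain_of_custody.json"]
    manifest = {"case": "Northgate Engineering BEC (constructed example)", "items": items}
    (package_dir / "chain_of_custody.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_package(package_dir: Path) -> list:
    """Re-hash every listed file; return the names whose hash no longer matches
    or which are missing. An empty list means the package is intact."""
    manifest = json.loads((package_dir / "chain_of_custody.json").read_text())
    return [it["file"] for it in manifest["items"]
            if not (package_dir / it["file"]).exists()
            or sha256_file(package_dir / it["file"]) != it["sha256"]]


def run_demo() -> dict:
    """Build a package in a temp dir, verify it, then make an unlogged edit to
    timeline.json and verify again to show the manifest catches the change."""
    with tempfile.TemporaryDirectory() as d:
        pkg = Path(d) / "evidence"
        write_package(pkg, "A. Analyst (constructed)")
        before = verify_package(pkg)
        with (pkg / "timeline.json").open("a") as f:
            f.write("\n")
        after = verify_package(pkg)
    return {"intact_before": before, "changed_after": after}


if __name__ == "__main__":
    print(json.dumps(build_timeline(TIMELINE_RAW), indent=2))
    print(ioc_table(IOCS))
    print(run_demo())
```

In practice the exported .eml files and inbox-rule evidence go into the same folder before the manifest is written, so they are hashed alongside the generated files; re-running verify_package before handing the package to police or the insurer confirms nothing was altered after preparation.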

UK Action Fraud reporting tips. Report online at actionfraud.police.uk for fastest processing. The phone line (0300 123 2040) is for those who cannot report online. You will receive a crime reference number — give this to your bank fraud team and your insurer. Action Fraud triages reports to the relevant police force — you do not need to determine which force handles the case.

Try it yourself

Using the Northgate Engineering scenario, draft the incident summary (item 1) and the timeline of events (item 2) for the law enforcement evidence package. Keep the summary under 200 words. The timeline should have 10-15 entries covering the full chain from phishing email delivery to containment. This exercise builds the skill of translating technical investigation findings into a format that non-technical stakeholders (police, bank fraud teams, insurers) can act on.

What you should produce

A concise incident summary stating: who was targeted, how (compromised email / lookalike domain), what was the financial impact (£47,000 attempted diversion), and current status (contained, recovery in progress). The timeline should be a clean chronological list without KQL or technical jargon — each entry is a plain-English description of an event with a timestamp.

Check your understanding

1. The £47,000 payment was sent 48 hours ago. The technical investigation is 60% complete. Do you wait to finish the investigation before contacting the bank?

Options: (a) No. Contact the bank immediately. (b) Yes, the bank needs the full investigation report. (c) Contact law enforcement first, then the bank. (d) Wait for management approval.

Answer: (a). Contact the bank immediately. At 48 hours, the recovery window is closing. The bank needs the payment details (date, amount, recipient account) to attempt a recall; it does not need the complete forensic investigation. Provide what you have now and continue the investigation in parallel. Forensic completeness does not help if the money is gone.