ThreatOther

Fake wire / ACH recall urgency lure — "your wire is being recalled, click to stop it within 2 hours" BEC targeting businesses moving money; victim authorizes second attacker-controlled transfer (Proofpoint / Abnormal 2024-2025 fast-growing pattern)

bank-wire-recall-urgency-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Fake "your wire transfer is being recalled for fraud investigation" / "click to stop the recall" / "approve the recall reversal now" BEC variant targeting businesses that move money via wire or ACH. The urgency framing ("act in 2 hours or lose $50,000") exploits the real fact that wire-recall windows exist but are short — victims who click end up authorizing a second, attacker-controlled transfer thinking they are rescuing the first one. Proofpoint and Abnormal Security flagged this as one of the fastest-growing BEC patterns in 2024-2025; the "recall" framing is novel enough to bypass filters trained on classic wire-originating BEC.

Distinct from `wire-transfer-no-prior-context-bec` (originates a NEW wire), `wire-fraud-bec` (general wire keywords), and `payroll-diversion-bec` (direct deposit, not wire).

Fires when body contains all three of: payment-instrument reference (wire / ACH / outgoing transfer), recall-action language (recall / reverse / rollback / stop / block / cancel + the payment / approve the reversal), and time-pressure urgency (within N hours, immediate action, final notice, expires, permanent loss).

Excludes known major banks (Chase, Wells Fargo, Bank of America, Citi, US Bank, Capital One, PNC, TD, Regions, HSBC, Barclays, Lloyds, NatWest, RBS, Nordea, SEB, Swedbank, Handelsbanken, DNB, Danske, OP, Deutsche Bank, BNP Paribas, Santander) and payment processors (Stripe, PayPal, Wise, Revolut).

Auto-classified as danger via the `-lure` suffix.
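The three-way conjunction described above, as an added Python example that is not Gorganizer's own code. The regular expressions are assumed approximations of the listed phrase groups, and the excluded-domain set, function names and sample messages are constructed placeholders.

```python
import re

# Assumed patterns approximating the three phrase groups; not Gorganizer's rules.
INSTRUMENT = re.compile(r"\b(wire|ach|outgoing transfer)\b", re.I)
RECALL = re.compile(
    r"\b(recall\w*|revers\w*|rollback|roll back)\b"
    r"|\b(stop|block|cancel)\s+(the|this|your)\s+(payment|wire|transfer|recall)\b",
    re.I,
)
URGENCY = re.compile(
    r"\bwithin\s+\d+\s+hours?\b|\bimmediate action\b|\bfinal notice\b"
    r"|\bexpires?\b|\bpermanent(ly)? los[st]\b",
    re.I,
)

def matched_groups(body):
    """Return the set of signal groups present in the body."""
    groups = {"instrument": INSTRUMENT, "recall": RECALL, "urgency": URGENCY}
    return {name for name, rx in groups.items() if rx.search(body)}

def recall_lure_fires(body, sender_domain, excluded_domains=frozenset()):
    """True only when all three groups match and the sender is not excluded."""
    domain = sender_domain.lower().rstrip(".")
    # Match the excluded domain itself or a subdomain, never a lookalike suffix.
    if any(domain == d or domain.endswith("." + d) for d in excluded_domains):
        return False
    return len(matched_groups(body)) == 3

# Constructed sample data (placeholder domain, invented message bodies).
EXCLUDED = frozenset({"bank.example"})
LURE = ("Your outgoing wire of $50,000 is being recalled for fraud investigation. "
        "Click to stop the recall within 2 hours or the funds are a permanent loss.")
BENIGN = "Your ACH payment to the vendor was sent. No action is needed."
NEW_WIRE = "Please send a wire to the new vendor account today. Immediate action required."

if __name__ == "__main__":
    for label, body in [("lure", LURE), ("benign", BENIGN), ("new wire", NEW_WIRE)]:
        hit = recall_lure_fires(body, "mail.example", EXCLUDED)
        print(label, sorted(matched_groups(body)), hit)
```

The `NEW_WIRE` sample matches only two groups, which is the case the page assigns to `wire-transfer-no-prior-context-bec` rather than this signal.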

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
