A voice clone attack lands without warning. One call — sounding exactly like the dentist, the DSO finance executive, or a trusted supplier — and an employee authorizes a wire transfer, discloses patient billing information, or changes a vendor's banking details. The attacker hangs up. The fraud starts immediately. What you do in the next 72 hours determines whether funds can be recovered, whether HIPAA breach obligations apply, and whether the same attacker calls again.

This guide covers the exact response sequence for dental practices — from the moment you suspect the call was synthetic through law enforcement reporting, HIPAA assessment, and hardening your defenses against the next attempt. For context on how these attacks are constructed in the first place, see the Vicall guide to voice clone fraud targeting dental practices.

What Are the Immediate Steps After Suspecting a Voice Clone Call?

Speed and documentation in the first hour determine what options you have for every step that follows. These five actions — taken in order, within 60 minutes of the suspected call — preserve your financial recovery options, your evidence chain, and your HIPAA compliance posture before any details fade or systems get cleared.

01

End or do not complete the call

If the call is still in progress when suspicion arises, end it. Do not authorize any payment, banking change, credential access, or PHI disclosure. You can always verify any legitimate request by calling back on a known number you look up independently. A real dentist, supplier, or DSO executive will not be offended by a callback — an attacker will push back hard against one.

02

Document everything immediately

Before doing anything else, write down: the exact time of the call, the caller ID number displayed, the name and identity the caller claimed, every request made during the call, and everything said or agreed to. Include the name of every staff member who participated in or overheard the call. Notes made in the minutes after the call, while the details are fresh, carry far more weight as evidence than a summary reconstructed an hour later; handwritten is fine, but the date, time and author on every page matter more than the medium.

03

Alert the practice owner and office manager within one hour

Escalate immediately — even if you are not certain the call was fraudulent. The practice owner and office manager need to know within the hour so that response decisions can be made by the appropriate people. Waiting until you are sure costs you time that may be irreversible if a wire was sent or a banking detail was changed.

04

Preserve call logs and voicemails — do not delete

Do not clear, archive, overwrite, or delete any call records or voicemails connected to the incident. These are evidence. Screenshot or export the call log entry showing the caller ID, date, and duration. If a voicemail was left, do not delete it — export or screenshot it. Notify every staff member who handled the call not to delete anything from their phones or workstations.

05

If any financial action was taken, go to wire fraud recovery immediately

If a wire transfer was authorized, a bank account was changed, or a payment was made based on the call, do not wait to finish internal documentation first. Call your bank's wire fraud operations team right now and request an emergency recall. Provide the full transaction details: amount, date and time, destination bank name, account number, and routing number. Time is the only variable you can still control at this point.

The single most common mistake after a voice clone attack is internal documentation before the bank call. Internal documentation is important — but it takes 20 minutes. In those 20 minutes, a fraudulent wire may cross to a second intermediary account, making recovery significantly harder. Call the bank first. Document second.
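An added example of how step 04 can be done so that later tampering or accidental deletion is detectable (example code written for this page, not part of the original guidance): every exported item (call-log screenshot, voicemail export, contemporaneous notes) is hashed with SHA-256 into a manifest that records who collected it and when, and the manifest can be re-checked against the copy stored off the practice's main systems. The file names, manifest fields and sample contents are constructed for illustration.

```python
"""Evidence manifest for a suspected voice clone incident.

Added example, not code from the original page. It hashes every exported
artefact (call-log screenshot, voicemail export, contemporaneous notes)
into a manifest so that a later modification or deletion is detectable.
File names, manifest fields and sample contents are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large voicemail exports fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _digest(manifest):
    """Hash of the manifest body, excluding its own self-hash field."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_manifest(evidence_dir, incident_id, custodian):
    """Hash every regular file in evidence_dir and record who collected it when."""
    files = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            files.append({
                "file": name,
                "sha256": sha256_file(path),
                "size": os.path.getsize(path),
            })
    manifest = {
        "incident_id": incident_id,
        "custodian": custodian,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": files,
    }
    # Self-hash so the manifest's own integrity can be checked from any copy.
    manifest["manifest_sha256"] = _digest(manifest)
    return manifest


def verify(evidence_dir, manifest):
    """Return (manifest_intact, problems); problems lists missing or modified files."""
    intact = _digest(manifest) == manifest["manifest_sha256"]
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.isfile(path):
            problems.append((entry["file"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["file"], "modified"))
    return intact, problems


def demo():
    """Collect constructed evidence, then simulate a deletion and an edit."""
    with tempfile.TemporaryDirectory() as d:
        samples = {  # constructed stand-ins for real exports
            "call_log_2025-03-04.txt": "14:12 inbound from +1-555-0100, 6m41s, claimed to be the practice owner\n",
            "notes_front_desk.txt": "Caller asked to change a supplier remit-to account\n",
            "voicemail_export.txt": "<voicemail export placeholder>\n",
        }
        for name, text in samples.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(text)
        manifest = build_manifest(d, incident_id="INC-2025-0304", custodian="office manager")
        intact_before, problems_before = verify(d, manifest)
        # Exactly what the checklist warns against: one file cleared, one overwritten.
        os.remove(os.path.join(d, "notes_front_desk.txt"))
        with open(os.path.join(d, "voicemail_export.txt"), "a") as f:
            f.write("edited\n")
        intact_after, problems_after = verify(d, manifest)
        return len(manifest["files"]), intact_before, problems_before, intact_after, problems_after


if __name__ == "__main__":
    print(demo())
```

Keep the manifest together with the evidence copy that lives off the practice's primary systems, and hand the manifest hash to counsel or the insurer with the first report; a later verify() run shows whether anything changed between collection and the point at which law enforcement takes custody.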

How Do You Determine What Was Compromised?

Before you can report, remediate, or assess HIPAA obligations, you need to know exactly what the attacker obtained or changed during the call. Different types of compromise require different immediate responses — some with hours-level urgency, some with days-level urgency. Work through this checklist methodically with the office manager and any staff who handled the call.

Was a wire transfer authorized?

This is the highest-urgency item. If yes: call your bank immediately, request an emergency wire recall, and file at ic3.gov the same day. Do not wait for any other step. Wire recovery probability drops with every passing hour as funds move through intermediary accounts. If the amount is $50,000 or more and the transfer occurred within the past 72 hours, request Financial Fraud Kill Chain activation in the IC3 complaint and tell the bank you have done so; the FFKC is initiated through IC3, not by the bank, but it depends on the bank having already put its recall request in motion.

Was patient data disclosed?

Review the call notes for any patient-identifiable information that was provided: patient names, dates of birth, insurance ID numbers, policy group numbers, treatment codes, appointment dates, billing amounts, or Social Security numbers used for insurance. If any PHI was disclosed — intentionally or because the attacker asked for it as part of a plausible cover story — a HIPAA risk assessment is required before you can determine whether breach notification obligations apply.

Were banking or vendor details changed?

Dental-specific accounts to check immediately: insurance reimbursement direct deposit accounts (Delta Dental, Cigna, MetLife, Guardian), dental supply vendor payment accounts (Henry Schein, Patterson, Benco, DENTSPLY), payroll direct deposit settings, and lab fee accounts. If any were changed: reverse them immediately by calling the bank or vendor on a number from a prior invoice or your directory — not a number provided during the suspicious call. Confirm the reversal in writing.

Were credentials or system access provided?

If the attacker extracted login credentials, multi-factor authentication codes, or remote access details for any practice system — practice management software, billing portals, insurance carrier portals, or banking portals — reset those credentials immediately, revoke active sessions and remote-access tokens where the system allows it, re-enroll MFA devices, and review access logs for activity from the time of the call onward: logins from unfamiliar locations, logins outside business hours, new users, changed bank or remit-to details, and bulk exports. If your practice management system contains PHI and the attacker may have obtained access, this becomes part of the HIPAA assessment.
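An added example of the access-log review described above (example code written for this page, not code from any practice management or portal vendor). It builds a per-user baseline of source addresses from successful logins before the call, then flags post-call activity that came from an address not in that baseline, happened outside business hours, or touched a sensitive function. The CSV layout, event names, addresses and timestamps are all constructed assumptions; real systems export different formats and the parser is the part to adapt.

```python
"""Post-incident access review after credentials or MFA codes were disclosed.

Added example, not code from the original page. The CSV layout and event
names below are assumptions; real practice management and portal systems
export different formats. The sample log is constructed, with addresses
from documentation ranges.
"""
import csv
import io
from datetime import datetime, time

SAMPLE_LOG = """timestamp,user,src_ip,event
2025-02-20T09:05:00,jsmith,203.0.113.10,login_success
2025-02-25T10:00:00,mlee,203.0.113.11,login_success
2025-02-27T08:40:00,jsmith,203.0.113.10,login_success
2025-03-03T17:30:00,jsmith,203.0.113.10,login_success
2025-03-04T14:12:00,jsmith,203.0.113.10,login_success
2025-03-04T14:31:00,jsmith,198.51.100.77,login_success
2025-03-04T14:33:00,jsmith,198.51.100.77,export_patient_ledger
2025-03-04T23:05:00,jsmith,198.51.100.77,login_success
2025-03-05T09:10:00,mlee,203.0.113.11,login_success
"""

# Time the suspicious call began, taken from the staff member's notes (constructed).
INCIDENT_START = datetime(2025, 3, 4, 14, 0)

# Functions an attacker with fresh credentials tends to reach for first (assumed names).
SENSITIVE_EVENTS = {
    "export_patient_ledger", "bank_detail_change",
    "password_change", "mfa_device_added", "user_created",
}


def parse_log(text):
    """Parse the assumed CSV audit-log export into rows with datetime timestamps."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_access(rows, incident_start, business_hours=(time(7, 0), time(19, 0))):
    """Return findings for post-incident events that deviate from the pre-incident baseline."""
    baseline = {}  # user -> set of source IPs seen on successful logins before the call
    for r in rows:
        if r["timestamp"] < incident_start and r["event"] == "login_success":
            baseline.setdefault(r["user"], set()).add(r["src_ip"])

    open_at, close_at = business_hours
    findings = []
    for r in rows:
        if r["timestamp"] < incident_start:
            continue
        reasons = []
        if r["src_ip"] not in baseline.get(r["user"], set()):
            reasons.append("new_ip")
        if not (open_at <= r["timestamp"].time() <= close_at):
            reasons.append("outside_business_hours")
        if r["event"] in SENSITIVE_EVENTS:
            reasons.append("sensitive_event")
        if reasons:
            findings.append({
                "timestamp": r["timestamp"].isoformat(),
                "user": r["user"],
                "src_ip": r["src_ip"],
                "event": r["event"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG), INCIDENT_START):
        print(finding)
```

On the constructed log this flags the three events from the unfamiliar address, including the ledger export, and leaves the 14:12 login from the office address alone. That last point is the limitation to keep in mind: an address baseline does nothing against an attacker who is on the practice network or riding the victim's own remote-access session, so pair the review with the system's own audit of configuration and banking changes rather than relying on it alone.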

72 hrs
The FBI Financial Fraud Kill Chain window. Wire fraud losses of $50,000+ filed at ic3.gov within 72 hours of transfer are eligible for coordinated bank-level fund freezing. After 72 hours, the FFKC cannot be activated regardless of loss amount.

Does a Voice Clone Attack Trigger HIPAA Reporting?

HIPAA breach is triggered by unauthorized disclosure of protected health information — not by the practice's intent or fault. A voice clone call that extracted patient billing data, insurance identifiers, or treatment information may create a breach notification obligation even though the practice was the victim of fraud. Understanding this distinction within the first 24 hours determines your compliance timeline.

The HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) requires covered entities — including dental practices — to notify affected individuals, the HHS Office for Civil Rights, and in some cases the media when a breach of unsecured PHI is discovered. A breach is an acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA's Privacy Rule, and the rule presumes that any such impermissible disclosure is a breach unless the covered entity can demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised. Patient data read out to a voice clone attacker during a social engineering call is an impermissible disclosure, so the presumption applies and the burden is on the practice to rebut it.

The key questions for HIPAA assessment after a voice clone attack are the four factors the rule requires the risk assessment to consider (45 CFR § 164.402): (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who received the PHI, which for an unknown fraudster weighs heavily toward notification; (3) whether the PHI was actually acquired or viewed, which it was if it was read out over the phone; and (4) the extent to which the risk to the PHI has been mitigated. Unless the documented analysis of these factors shows a low probability of compromise, notification is required.

HIPAA notification timelines: affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery. If 500 or more individuals are affected, HHS must be notified within the same 60 days, and if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must also be notified. Breaches affecting fewer than 500 individuals must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

Document the incident as a potential breach from the moment it is discovered, even if you believe no PHI was disclosed, and do not wait for the HIPAA assessment to conclude before beginning documentation. If you later determine notification was required and cannot show a contemporaneous record of your assessment process, the absence of documentation compounds the compliance exposure. The record should include: what was disclosed, to whom, when you discovered it, and the analysis you used to reach your notification determination. Consult a HIPAA attorney before making final breach notification determinations; the legal and regulatory consequences of an incorrect determination in either direction, under-reporting or over-reporting, are material.

What Needs to Be Reported to Law Enforcement?

The wire fraud behind a voice clone attack is a federal crime. Reporting to law enforcement is not optional when financial loss occurred — and even when it did not, a documented report creates the legal record that supports insurance claims, HIPAA documentation, and potential civil recovery. File in this order, with the FBI IC3 report first because it is the one with time-sensitive consequences.

FBI Internet Crime Complaint Center — ic3.gov

File at ic3.gov the same day you discover the incident. This is the primary federal reporting mechanism for wire fraud and business email/voice compromise. If your wire loss was $50,000 or more and occurred within the past 72 hours: in the complaint narrative, explicitly write "I am requesting Financial Fraud Kill Chain activation." The FFKC is a coordinated effort between the FBI and the receiving financial institution to freeze funds before the attacker can withdraw or transfer them further. In 2024, the FFKC achieved a 66% success rate when activated within the 72-hour window.

FTC — reportfraud.ftc.gov

File a separate report at reportfraud.ftc.gov. FTC reports create a public fraud record that supports pattern analysis used to identify and pursue repeat attackers. Include the spoofed caller ID, the impersonated identity, and the specific financial mechanism used (wire, ACH, banking change).

Local police report

File a local police report for the record. This creates a law enforcement document that your insurance carrier, bank, and legal counsel will require for any claim or recovery process. Even if local police cannot investigate a voice clone fraud case directly, the report number is essential documentation.

Dental professional liability insurer

Contact your professional liability and business insurance carriers immediately after filing with law enforcement. Most business insurance policies that cover cyber fraud or wire fraud have strict reporting windows — often 30 to 60 days, sometimes shorter. Delayed reporting can void coverage. Provide your IC3 complaint number and local police report number when you file the insurance claim.

If DSO-affiliated: notify DSO corporate security immediately

If your practice is affiliated with a Dental Service Organization, notify the DSO's corporate security or compliance team on the same day. The attacker who successfully compromised one affiliated practice will almost certainly attempt the same call at other affiliated practices — either impersonating the same dentist at the DSO level, or escalating to impersonate a DSO executive across the network. The DSO's security team needs to alert all affiliated practices and the central AP team before the next call lands.

How Do You Prevent the Next Voice Clone Attack?

An attacker who successfully extracted money or data from a dental practice will attempt a follow-on call — either from the same impersonated identity or a new one. The 48 hours after a voice clone attack are the period of highest re-attack risk. These five controls, implemented immediately, close the attack surface that made the first call possible.

01

Implement a pre-agreed passphrase with all authorized callers

Establish a random, nonsensical passphrase, agreed face to face and never sent by text, email or chat, between the dentist and every staff member authorized to act on financial requests. Example: "blue marble seventeen." Any inbound call requesting a payment, banking change, or unusual financial action must supply this passphrase unprompted; staff never ask for it, hint at it, or read it out to confirm. If it is absent, the staff member does not act and calls the dentist back independently. This control stops most voice clone attacks because a cloned voice can only reproduce what the attacker has learned, and a phrase that was never spoken on a recorded line or shared digitally is not among it. It is still a static shared secret: treat it as burned and replace it if it is ever spoken on a suspicious call, overheard, or written where it can be photographed, and keep the callback protocol as the backstop rather than relying on the passphrase alone.

02

Callback protocol: never act on inbound call requests

Implement a standing policy: no financial action is taken based solely on an inbound call, regardless of how the caller sounds or what number is displayed, since caller ID can be spoofed. For any request received by phone, staff hang up and call back on a number they independently look up: a prior invoice, the supplier's main website, or a directory number they have used before. Never use a callback number supplied during the call itself or in an email or text that arrived alongside it, because an attacker who controls the number controls the verification. Applied consistently, this one rule removes the inbound call as a path to any financial action.

03

Written authorization required for all financial changes

Establish a written policy: no wire transfer, no banking detail change, and no vendor account update is processed based solely on a phone call — including calls that appear to come from the dentist's own number. Every such request requires a written confirmation through an independent channel: an email from the dentist's verified address, a message in the practice management system, or in-person sign-off. Bear in mind that a mailbox can be compromised as well, and voice clone calls are often paired with email from a hijacked account, so for an unusual request prefer a confirmation channel the attacker is unlikely to control too, such as in-person sign-off or a message inside the practice management system. This eliminates the verbal-only attack chain and creates a paper trail for every financial action.

04

Deploy Vicall for real-time on-device synthetic voice detection

Vicall provides an on-screen verdict — REAL VOICE or SYNTHETIC DETECTED — in under one second on incoming calls from known contacts. For the dentist's mobile phone, Vicall runs as an iOS or Android app. For the front desk analog multi-line system, Vicall's on-premises Mac mini deploys alongside existing hardware without replacement and without sending audio to the cloud. Vicall catches synthetic voices that humans cannot — because humans detect AI audio correctly only about 48% of the time, roughly a coin flip.

05

Brief all staff on the attack pattern within 48 hours

Within 48 hours of the incident, conduct a brief all-staff session — 15 minutes is sufficient — covering what happened, how the call was constructed, what the attacker requested, and what the new response protocols are. Staff who understand the specific attack pattern that was used against their practice are significantly more resistant to follow-on attempts. Provide the passphrase and callback protocols in writing. Do not rely on verbal briefings alone.

// FAQ

Frequently Asked Questions

What Do You Do If a Wire Transfer Was Already Sent?

Call your bank's wire fraud operations team immediately — this is a time-critical action. Request a wire recall or reversal as an emergency. Provide the exact amount, date and time, destination bank name, account number, and routing number. Then file at ic3.gov the same day. If the wire was $50,000 or more and occurred within the past 72 hours, explicitly request Financial Fraud Kill Chain (FFKC) activation when filing the IC3 report. The FFKC is a coordinated effort between the FBI and the receiving bank to freeze funds before the attacker can move them, and had a 66% success rate in 2024. Every hour you delay reduces the recovery probability significantly.

Does the Practice Have to Report the Incident Under HIPAA?

It depends on whether protected health information was disclosed during the call. If the attacker extracted patient billing information, insurance ID numbers, treatment codes, appointment records, or any other PHI, the practice likely has a HIPAA breach reporting obligation — even as the fraud victim. HIPAA breach is triggered by unauthorized disclosure of PHI, not by fault, and an impermissible disclosure is presumed to be a breach unless a documented risk assessment shows a low probability of compromise. If notification is required, patients must be notified within 60 days of discovery. If 500 or more individuals were affected, HHS must be notified within the same window, and if more than 500 residents of a single state or jurisdiction were affected, prominent local media as well. Consult HIPAA legal counsel before making a final determination.

Is There a Deadline or Minimum Loss for Reporting to the FBI?

File at ic3.gov immediately — there is no minimum threshold and no deadline, but speed is everything. If funds were wired, the Financial Fraud Kill Chain can only be activated within 72 hours of the fraudulent transfer and requires a minimum loss of $50,000. After 72 hours, the probability of fund recovery drops sharply because attackers typically move funds across multiple accounts within that window. File the IC3 report the same day you discover the incident, not after you have finished internal documentation.

What Evidence Should Be Preserved?

Preserve everything and delete nothing. Specifically: (1) the call log entry showing the caller ID number, date, and time; (2) any voicemail left by the attacker — do not listen and delete; export it or screenshot the entry; (3) the name of every staff member who participated in or was aware of the call; (4) written notes taken immediately after the call describing what was said, what was requested, and what was agreed to or provided; (5) any bank records, wire confirmation numbers, or transaction receipts related to actions taken during or after the call; (6) any email or text messages referencing the call. Law enforcement will need all of this. Store copies in a location separate from your primary systems in case the attacker also has network access.

Are DSO Central Finance Teams Targeted Too?

Yes — and a DSO central finance team is a higher-value target than an individual practice. Attackers can impersonate a DSO executive to instruct the AP team to process unusual payments, or impersonate individual practice dentists to request banking changes at the DSO level. Because DSO central finance staff may handle dozens of affiliated practices, they are less likely to recognize each dentist's voice individually — making voice clone attacks particularly effective against this target. If your practice is DSO-affiliated, notify the DSO's corporate security or compliance team immediately after any suspected attack. The DSO should assess whether the same attacker has attempted or will attempt the same call across other affiliated practices.

// Vicall

Stop the Next Call Before It Lands.
Real-Time Voice Detection.

Vicall detects synthetic voices in under one second — on-device, no cloud, any phone, including analog front desk lines. Deploy for your practice through the MSP portal.

