What Are the Immediate Steps After a Voice Clone Call?
The first 60 minutes determine how much of the damage is reversible. Whether the attack succeeded in extracting money, data, or both, the same containment sequence applies. Do not complete any pending action from the call. Preserve all evidence. Alert leadership within one hour. If money moved, call the bank now — not after you've finished investigating.
The moment you suspect a call was AI-generated — or confirm it was — your response window is open and closing. Attackers using voice cloning rely on the gap between the call and discovery to move funds offshore or use extracted data before the practice can respond. Every action in the first hour matters.
Do not complete any action requested during the call
If you are still on the call, end it. If the call just ended and no action has been taken yet, stop. Do not process the wire, change the banking details, or provide the requested information. The attacker's window of opportunity is only open while you are acting on their request.
Document everything immediately
Write down the exact call time, the number that appeared on caller ID, what was requested, what was disclosed or agreed to, and the name of any staff member on the call. Preserve call logs on your phone system or VoIP platform. Do not delete any recordings, voicemails, or log entries — these are evidence.
Alert practice administrator and physician owner within one hour
Do not investigate alone and do not delay escalation until you are certain fraud occurred. Alert practice leadership immediately. Early involvement of the physician owner and administrator expands the options available — particularly for any financial recalls and HIPAA assessment that must begin promptly.
Preserve all call logs — do not delete
Call logs, VoIP records, voicemails, and any audio recordings are evidence for law enforcement, your insurer, and HIPAA documentation purposes. Place a preservation hold on all relevant records. Confirm with your phone system administrator that automatic log rotation or deletion is paused for the relevant timeframe.
If a wire or banking change occurred: contact your bank immediately
Call your sending bank's fraud line — not general customer service — and request a wire recall. Provide the full transaction details: date, time, amount, and destination account. Wire recall success drops significantly after the first hour and approaches zero after 24 hours. Simultaneously, contact the receiving bank with the destination account number and request a hold. Your bank's fraud team will handle this coordination if you cannot reach the receiving bank directly.
Do not assume the attack is over after one call. Attackers who successfully extract funds or data from a medical practice frequently attempt a second call within 24 to 48 hours using a different impersonation scenario. A staff member who processed the first fraudulent request may be targeted again, or a different employee may be called. The emergency staff briefing in the next 48 hours is not optional.
Was Protected Health Information Disclosed?
Voice clone attacks that impersonate insurance representatives or billing managers to extract patient data are HIPAA breach incidents — not just fraud incidents. The 60-day patient notification clock begins on the day you discover the breach, not the day of the call. Start your documentation and risk assessment immediately, regardless of whether you think the breach is reportable.
Medical practices frequently treat voice fraud incidents as financial events and miss the HIPAA dimension entirely. If the attacker impersonated an insurance representative, billing manager, referring physician, or any other party who would legitimately access patient information, you must assess whether protected health information was disclosed during the call.
Under HIPAA, PHI includes any information that can identify a patient in connection with their health status, healthcare, or payment. Specifically, the following information disclosed in a voice fraud call triggers a breach assessment:
- Patient names linked to any health or billing context
- Insurance ID numbers and group plan numbers
- Diagnosis codes, procedure codes, or clinical information
- Appointment dates, times, or visit reasons
- Billing records, outstanding balances, or claim numbers
- Social Security numbers if used for patient identification
The 60-day notification window for affected patients and HHS begins at the date of discovery — meaning the day your practice becomes aware of the incident, not the date the call occurred. If you discover a voice fraud call from three weeks ago today, the 60-day clock started today, not three weeks ago.
Engage your practice's privacy officer and legal counsel the same day you discover potential PHI exposure. Your breach risk assessment must evaluate four factors under HIPAA: the nature and extent of the PHI involved, who received it, whether it was actually acquired or viewed, and the extent to which the risk of re-identification has been mitigated. Document every step of this assessment in writing.
Treating a voice fraud incident as purely financial and failing to assess the PHI exposure creates a second, separate HIPAA compliance liability on top of the financial loss. HHS HIPAA investigations are triggered by late, incomplete, or absent breach assessments just as often as by the breach itself.
What Financial Exposure Should Be Assessed?
Voice clone attacks on medical practices target multiple financial vectors simultaneously or in rapid succession. Contain and assess each one independently. A single call may have affected one category, or an attacker with prior access to your communications may have already staged requests across several accounts. Each confirmed loss triggers its own bank recall and FBI IC3 filing.
Medical practices have more financial attack surfaces than most small businesses. An attacker who has done minimal research on your practice — by reviewing your public website, vendor listings, and staff directory — can identify and target all of the following in a single coordinated attack:
Physician Impersonation Wire Requests
The highest-value and most common attack. A cloned physician voice calls the practice administrator or billing manager requesting an urgent wire transfer — typically framed around equipment, an overdue supplier invoice, or an emergency payment. Assess whether any wire was processed in the past 7 to 30 days following an unusual phone call or voicemail. Check all outgoing wires against invoices, not just the most recent one.
Insurance Reimbursement Account Changes
Attackers impersonating insurance company representatives may request changes to the banking account your practice uses to receive reimbursements. A single change to the EFT deposit account for a major payer can divert weeks of reimbursement payments before the discrepancy is noticed. Review all EFT account changes with payers made in the past 90 days.
Vendor and Supply Banking Redirects
Medical supply vendors, pharma representatives, and lab partners are known attack vectors. An attacker with a cloned voice of your familiar sales representative calls accounts payable to update banking details before a large scheduled payment. Review all vendor banking detail changes made in the past 60 days and verify each one directly with the vendor using a number from your internal directory.
Payroll Changes
If the attacker impersonated an HR manager, practice manager, or physician requesting changes to payroll direct deposit details, assess whether any payroll banking changes were processed without in-person or written authorization. This attack is less common in smaller practices but is documented in multi-physician group practices where payroll is managed centrally.
Each financial loss that you confirm triggers two immediate actions in parallel: a bank recall request to your sending institution and a separate FBI IC3 report. Do not aggregate multiple losses into a single filing — file individually for each confirmed fraudulent transaction to ensure each triggers its own bank intervention process.
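The lookback review above can be run as a simple check over the practice's change ledger. The following is an added example, not the page's or Vicall's code; the ledger fields, the verification labels, and the sample records are constructed for illustration, and the lookback windows are the ones the page gives for each vector.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Lookback windows the page gives for each financial vector, in days.
LOOKBACK_DAYS = {
    "wire": 30,                # outgoing wires after an unusual call (7 to 30 days)
    "eft_payer_change": 90,    # reimbursement EFT account changes with payers
    "vendor_bank_change": 60,  # vendor banking detail changes
    "payroll_change": None,    # no window on the page: review every change found
}

# Confirmation methods the page treats as independent of the inbound call (labels are mine).
ACCEPTED_VERIFICATION = {"callback_directory_number", "written_authorization", "in_person"}

@dataclass
class LedgerChange:
    change_id: str
    kind: str             # one of the LOOKBACK_DAYS keys
    occurred_on: date
    counterparty: str
    verified_via: str     # how the request was confirmed before it was processed

def needs_review(change: LedgerChange, today: date) -> bool:
    """True when the change falls inside its lookback window and was not
    independently verified, i.e. it must be confirmed directly with the
    counterparty on a number from the internal directory."""
    window = LOOKBACK_DAYS.get(change.kind)
    if window is not None and today - change.occurred_on > timedelta(days=window):
        return False
    return change.verified_via not in ACCEPTED_VERIFICATION

def review_ledger(changes: list, today: date) -> list:
    """IDs of every change that needs direct verification, oldest first."""
    flagged = [c for c in changes if needs_review(c, today)]
    return [c.change_id for c in sorted(flagged, key=lambda c: c.occurred_on)]

# Constructed sample ledger (fictional values, not from the page).
SAMPLE_LEDGER = [
    LedgerChange("W-1", "wire", date(2024, 5, 20), "Supplier A", "inbound_call"),
    LedgerChange("W-2", "wire", date(2024, 4, 15), "Supplier B", "inbound_call"),
    LedgerChange("E-1", "eft_payer_change", date(2024, 3, 10), "Payer X", "inbound_call"),
    LedgerChange("V-1", "vendor_bank_change", date(2024, 5, 1), "Lab Y", "callback_directory_number"),
    LedgerChange("P-1", "payroll_change", date(2023, 12, 1), "Employee Z", "email_only"),
]

if __name__ == "__main__":
    for change_id in review_ledger(SAMPLE_LEDGER, date(2024, 6, 1)):
        print("verify directly with the counterparty:", change_id)
```

Each flagged change is then confirmed with the counterparty on a directory number, and each confirmed loss gets its own recall request and IC3 filing as described above.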
What Law Enforcement Reports Must Be Filed?
Law enforcement reports are not optional and not purely procedural — the FBI IC3 report is the mechanism that activates fund recovery. For losses of $50,000 or more, filing within 72 hours gives you a 66% probability of the FBI freezing the funds in transit. File the ic3.gov report first, then work through the rest of the reporting sequence below.
FBI IC3 Report — ic3.gov
File immediately at ic3.gov. For fraudulent wires of $50,000 or more reported within 72 hours of the transaction, your report activates the FBI's Financial Fraud Kill Chain — a coordinated rapid-response mechanism that contacts the receiving bank to freeze or recall the funds. The FBI FFKC froze $561.6 million in fraudulent wires in 2024. After filing, note your IC3 complaint reference number and contact your nearest FBI field office to confirm the report has been received and the FFKC has been activated.
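The two clocks this page describes, the 60-day HIPAA notification window that runs from discovery (not from the call) and the 72-hour, $50,000 FFKC window that runs from each wire, are easy to get wrong under pressure. The following triage helper is an added example, not the page's or Vicall's code; the incident record, the PHI category labels, and the sample values in the test are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds and clocks as stated on the page.
FFKC_MIN_USD = 50_000                       # FBI Financial Fraud Kill Chain minimum wire
FFKC_WINDOW = timedelta(hours=72)           # IC3 must be filed within 72 h of the transaction
HIPAA_NOTIFY_WINDOW = timedelta(days=60)    # runs from discovery, not from the call
MEDIA_NOTICE_THRESHOLD = 500                # affected individuals in one state/jurisdiction

# Disclosure categories from the page's PHI list; the label strings are my own.
PHI_CATEGORIES = {"patient_name", "insurance_id", "group_plan_number", "diagnosis_code",
                  "procedure_code", "clinical_info", "appointment", "billing_record",
                  "claim_number", "ssn"}

@dataclass
class Wire:
    transacted_at: datetime
    amount_usd: float

@dataclass
class VoiceFraudIncident:
    call_time: datetime
    discovery_time: datetime
    disclosed: list = field(default_factory=list)   # labels for what was said on the call
    wires: list = field(default_factory=list)       # payments made because of the call
    affected_individuals: int = 0

def phi_assessment_required(inc: VoiceFraudIncident) -> bool:
    """Any PHI category disclosed on the call triggers the four-factor risk assessment."""
    return any(item in PHI_CATEGORIES for item in inc.disclosed)

def hipaa_notification_deadline(inc: VoiceFraudIncident) -> datetime:
    """The 60-day clock starts on the discovery date, even if the call was weeks earlier."""
    return inc.discovery_time + HIPAA_NOTIFY_WINDOW

def ffkc_status(wire: Wire, now: datetime) -> str:
    """'eligible' while the FFKC window is still open, otherwise why it is not."""
    if wire.amount_usd < FFKC_MIN_USD:
        return "below_threshold"
    if now - wire.transacted_at > FFKC_WINDOW:
        return "window_closed"
    return "eligible"

def triage(inc: VoiceFraudIncident, now: datetime) -> dict:
    """HIPAA clocks plus one entry per wire: each wire gets its own recall and IC3 filing."""
    return {
        "phi_assessment_required": phi_assessment_required(inc),
        "hipaa_notification_deadline": hipaa_notification_deadline(inc),
        "media_notice_required": inc.affected_individuals >= MEDIA_NOTICE_THRESHOLD,
        "wires": [{"amount_usd": w.amount_usd, "ffkc": ffkc_status(w, now),
                   "ic3_file_by": w.transacted_at + FFKC_WINDOW} for w in inc.wires],
    }
```

A wire marked `window_closed` still gets a bank recall and an IC3 report; the status only says whether the FFKC rapid-response path is still available.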
FTC Report — reportfraud.ftc.gov
File a report at reportfraud.ftc.gov. The FTC uses fraud reports to identify patterns across incidents and build enforcement cases against organized fraud operations. Filing also creates a timestamped record that supports insurance claims and legal proceedings. This report takes approximately 15 minutes and should be filed on the same day as your IC3 report.
Local Police Report
File a local police report with your city or county police department. In many jurisdictions, this is required by cyber liability and professional liability insurers before a claim can be processed. The local report also creates a documented chain of custody for any evidence you have preserved and may be required if your state attorney general's office investigates.
Notify Professional Liability and Cyber Liability Insurers
Contact your professional liability insurer and your cyber liability insurer on the day of discovery. Many cyber liability policies have a reporting window — typically 24 to 72 hours — that must be met for coverage to apply. Provide your IC3 and police report numbers. Do not wait until you have completed your full investigation before notifying insurers; report what you know now and supplement as you learn more.
Notify Health System or Hospital Network Security Team
If your practice is affiliated with or part of a larger health system or hospital network, notify the system's security team immediately. Attackers who have successfully targeted one practice in a network frequently attempt lateral attacks on affiliated entities using information gathered from the first attack. Your notification may prevent a related incident at another practice in your system.
How Do You Prevent the Next Attack?
Practices targeted once are frequently re-targeted. Attackers know your staff, your vendors, and your financial procedures better after a successful first attack than they did before. The five controls below must be implemented before a second attempt arrives — and the emergency staff briefing that covers exactly what happened is the single highest-impact action you can take in the next 48 hours.
Pre-agreed passphrase for all financial authorizations
Establish a pre-agreed, random, nonsensical passphrase between physicians and all staff who process financial transactions. This passphrase must be agreed on in person, never over the phone or email. Any inbound call requesting a financial action that does not include the passphrase must be treated as unverified and held pending independent callback confirmation. The FBI specifically recommends this control for voice fraud scenarios.
No financial changes processed on an inbound call — ever
Make this a hard rule with no exceptions. No wire transfer, no banking detail change, no payroll update, and no vendor payment modification is ever processed based solely on an inbound phone call — regardless of how convincing the caller sounds, what number appears on caller ID, or how urgent the request is framed. This single rule eliminates the primary attack vector used in virtually every voice clone fraud incident targeting medical practices.
Written authorization required for every wire and banking change
Implement a written authorization requirement for all outgoing wires and banking detail changes. Require the authorizing physician or manager to sign a physical or digitally signed authorization form, separate from the phone request. This creates a paper trail, introduces a processing delay that gives staff time to verify the request, and ensures that any fraudulent authorization requires the attacker to have compromised email as well as voice — a significantly harder attack.
Deploy Vicall for real-time on-device voice clone detection
Vicall detects synthetic voices on live calls in under one second — on-device, no cloud, no audio sent externally. This satisfies HIPAA's technical safeguard requirements because voice audio never leaves the device. Deploy on physician smartphones via the Vicall mobile app and on the main office line via the on-premises Mac mini deployment. When a call arrives that sounds like Dr. Smith and Vicall shows SYNTHETIC DETECTED, staff have a definitive signal — not a judgment call — that the call is fraudulent.
Emergency staff briefing within 48 hours
Brief all staff — front desk, billing, administrative, and clinical — within 48 hours of the incident. Cover the exact attack pattern used in the call: who was impersonated, what was requested, how the call was framed, and what made it convincing. Explain the new verification protocol in plain language. Conduct a brief role-play exercise so staff practice ending an inbound call and initiating a callback. Attackers who are aware that a practice has been alerted sometimes wait 2 to 3 weeks before attempting a follow-up attack using a different impersonation — briefed staff are the only defense against this.
Caller ID spoofing is free and trivial. A call that appears to come from your physician's direct line, your main office number, or a known insurance company's number costs an attacker nothing to produce. Any verification protocol that relies on recognizing a caller ID is not a verification protocol — it is a false sense of security. All verification must use an outbound callback to a number your practice already has on file.
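The controls in this section (directory callback, pre-agreed passphrase, separate written authorization, and caller ID never counting as verification) can be encoded as a single decision check that staff or a workflow tool apply to every inbound financial request. This is an added example, not the page's or Vicall's code; the directory entries, phone numbers and passphrase are constructed, and where the expected passphrase is held is left to the practice (here it is simply passed in).

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed internal directory (fictional numbers): the only source of callback numbers.
DIRECTORY = {
    "dr_smith": "+15555550100",
    "acme_medical_supply": "+15555550200",
}

@dataclass
class FinancialRequest:
    requester: str                          # who the caller claims to be (directory key)
    caller_id: str                          # number shown on caller ID; never trusted
    callback_number_used: Optional[str]     # number staff actually dialled back, if any
    spoken_passphrase: Optional[str]        # passphrase the caller gave, if any
    written_authorization: bool             # signed form received separately from the call

def passphrase_matches(given: Optional[str], expected: str) -> bool:
    """Constant-time comparison so a wrong guess does not leak partial matches."""
    return given is not None and hmac.compare_digest(given.encode(), expected.encode())

def decide(req: FinancialRequest, expected_passphrase: str) -> Tuple[str, List[str]]:
    """Return ('PROCESS', []) only when every control on the page passes;
    otherwise ('HOLD', reasons). req.caller_id is deliberately never consulted."""
    reasons = []
    directory_number = DIRECTORY.get(req.requester)
    if directory_number is None:
        reasons.append("requester is not in the internal directory")
    elif req.callback_number_used != directory_number:
        reasons.append("no outbound callback to the directory number")
    if not passphrase_matches(req.spoken_passphrase, expected_passphrase):
        reasons.append("pre-agreed passphrase missing or wrong")
    if not req.written_authorization:
        reasons.append("no separate written authorization")
    return ("HOLD", reasons) if reasons else ("PROCESS", [])

# Constructed example: caller ID matches Dr. Smith's line, but nothing else checks out.
UNVERIFIED = FinancialRequest("dr_smith", "+15555550100", None, None, False)
# The same request after the callback, the passphrase and the signed form.
VERIFIED = FinancialRequest("dr_smith", "+15555550100", "+15555550100", "purple-teapot-42", True)

if __name__ == "__main__":
    print(decide(UNVERIFIED, "purple-teapot-42"))
    print(decide(VERIFIED, "purple-teapot-42"))
```

The first request is held with three reasons even though its caller ID is "correct"; only the second, with every independent control satisfied, is processed.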
Frequently Asked Questions
Yes, potentially a reportable one. If an attacker impersonating an insurance representative or billing manager extracted patient insurance ID numbers, names, or related billing information during the call, this constitutes unauthorized disclosure of protected health information (PHI) under HIPAA. The practice must conduct a four-factor risk assessment to determine whether the breach is reportable. If it is, affected patients must be notified within 60 days and HHS must be informed. Document everything from the moment you discover the incident — the call time, what was asked, what was disclosed, and by whom.
HIPAA's Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days from the date the breach is discovered. HHS must also be notified within 60 days. If the breach affects 500 or more individuals in a state or jurisdiction, prominent media notification is also required. If fewer than 500 individuals are affected, HHS notification may be submitted on an annual log basis. Begin your risk assessment and documentation on the day you discover the incident, not the day the call occurred.
The FBI's Financial Fraud Kill Chain (FFKC) is a rapid-response mechanism activated when a domestic wire fraud of $50,000 or more is reported to the FBI Internet Crime Complaint Center (ic3.gov) within 72 hours of the transaction. Once activated, the FBI contacts the receiving bank to request a hold or recall of the fraudulent wire. In 2024, the FFKC froze $561.6 million in fraudulent funds. For medical practices that have processed a fraudulent wire above this threshold, filing the IC3 report within 72 hours is the highest-priority action — every hour reduces the probability of recovery.
If your risk assessment determines the disclosure is a reportable breach, HIPAA requires you to notify each affected individual in plain language. The notification must describe what happened, the types of information involved, steps individuals can take to protect themselves (such as monitoring explanation of benefits statements), what you are doing to investigate and mitigate the breach, and your contact information for questions. Do not attempt to downplay or delay notification. Engage your practice's privacy officer and legal counsel to draft compliant patient communications before sending. Patients who receive prompt, transparent notification are significantly more likely to maintain trust in the practice through the incident than those who learn about a breach from a third party.
Train front desk, billing, and administrative staff on three specific attack scenarios: unexpected calls from physicians requesting financial actions, calls from insurance companies requesting patient data verification, and calls from suppliers requesting banking detail changes. Staff should practice the response protocol — ending the inbound call and initiating an outbound callback on a verified directory number — without treating this as rude or disrespectful. Role-play exercises are more effective than passive training. Conduct an emergency briefing within 48 hours of any voice clone incident to walk all staff through the exact attack pattern used, so they recognize it if it recurs. Deploy Vicall for real-time synthetic voice detection so staff have a definitive signal rather than relying on instinct alone.
Stop the Next Call Before It Succeeds.
Real-Time Voice Clone Detection.
Vicall detects synthetic voices in under one second — on-device, no cloud, HIPAA-compliant. Deploy for your practice through the MSP portal.