Wire fraud at a dental practice moves fast. One call — a voice clone of the dentist, a DSO executive, or a trusted supplier — and a staff member authorizes a transfer to an account the attacker controls. Within minutes, funds are in transit. Within hours, they may be across a border. What a dental practice does in the first 72 hours after discovering the fraud determines whether any money comes back, whether HIPAA obligations apply, and whether the insurer pays. This guide covers the exact sequence: bank call, FBI filing, HIPAA assessment, insurance notification, and structural prevention. For context on how these voice-clone attacks are constructed before the wire request is made, see the Vicall guide to voice clone attack response for dental practices.
What Should a Dental Practice Do in the First Hour After a Wire Fraud?
The first hour after discovering wire fraud determines recovery odds. Call your bank's wire transfer fraud line — not general customer service — and request an immediate recall or freeze. For wires sent via SWIFT, your bank can issue a gpi recall that reaches correspondent banks globally within minutes. Every additional hour of delay allows funds to move further through layered intermediary accounts and reduces the probability of recovery significantly.
Call the bank's wire fraud line — get a case number
Do not call general customer service. Every major bank has a dedicated wire fraud or financial crimes operations line available 24/7. Call it immediately, identify yourself as a business fraud victim, state that a fraudulent wire was sent, and request an emergency recall or freeze. Provide the exact wire amount, the date and time it was sent, the destination bank name, the ABA routing number, and the account number. Before you hang up, get the bank's internal case number in writing. This number is required for every subsequent step: IC3 filing, insurance notification, and police report.
Do not use a compromised email or phone channel
If the fraud was executed through a compromised email account or a phone number that was spoofed, do not use those same channels to coordinate your response. An attacker with email access will see your response communications in real time and may take counter-actions — withdrawing funds faster, changing the destination account, or sending additional fraudulent instructions that look like legitimate recovery steps. Use a personal mobile device and a verified, out-of-band communication channel for all response coordination until your IT team confirms the compromised access has been cut off.
Screenshot and print all wire confirmation emails immediately
Before any system access is changed or email accounts are locked, screenshot or print: the wire confirmation email showing the amount, timestamp, destination bank, and account number; the original email or communication that initiated the wire request; and any email thread showing the approval chain. If the fraudulent email is still in an inbox, do not delete it — it is evidence. If your IT team needs to lock down the email account, export the relevant emails to a PDF first.
Do not contact the receiving account directly
It may be tempting to call the bank listed as the wire recipient and ask them to freeze the account or return the funds. Do not do this without coordinating through your bank's fraud team first. Direct contact with the receiving institution bypasses the structured bank-to-bank recall protocol and may alert the attacker if they are monitoring the account. Your bank's wire fraud team has established relationships and procedures for contacting correspondent banks — let them drive that process while you focus on the IC3 filing.
Alert your office manager and DSO executive if applicable
Notify the practice owner, office manager, and — if your practice is DSO-affiliated — the DSO's corporate finance or security team within the first hour. DSO notification matters because an attacker who successfully impersonated your dentist or a DSO executive to execute one wire will almost certainly attempt the same attack at other affiliated practices or at the DSO's central AP team. The DSO needs to issue an alert across the network before the next call lands. Internal escalation also ensures that a second employee cannot be tricked into authorizing a follow-on transfer while the first is being recovered.
Do not delete any emails, voicemails, or call logs — these are evidence for law enforcement and your insurance carrier. An IC3 agent, your bank's fraud team, and your insurer will all request raw documentation of the attack. Evidence that is deleted before it is collected cannot be reconstructed, and its absence can weaken both the criminal investigation and your insurance claim.
How Do You File an FBI IC3 Report for Wire Fraud at a Dental Practice?
The FBI's Internet Crime Complaint Center (IC3) at ic3.gov triggers the Financial Fraud Kill Chain — a coordinated notice to domestic and foreign banks to freeze funds in transit. IC3 reports must be filed by the victim organization, not the bank. Include the exact wire amount, destination account, date and time, and the name of any person who authorized the wire. Omitting any of these details delays FFKC activation.
Go to ic3.gov/Home/FileComplaint
Navigate directly to the IC3 complaint portal at ic3.gov/Home/FileComplaint. Do not use a third-party site or a link from an email — go directly to the FBI's official domain. The complaint form is self-guided and takes approximately 15-20 minutes to complete. You do not need legal representation to file, and there is no minimum loss threshold for filing. However, Financial Fraud Kill Chain activation requires a minimum loss of $50,000 and must be initiated within 72 hours of the fraudulent transfer.
Select "Financial/Wire Fraud" as the crime type
When prompted to select the type of crime, choose Business Email Compromise or Financial/Wire Fraud. If the fraud involved a voice call impersonating your dentist or a DSO executive, note this explicitly in the narrative section — this classifies the attack as a voice phishing (vishing) or voice clone fraud incident, which routes the complaint to the FBI's cyber division and increases the probability of coordinated multi-agency response.
Enter all wire transaction details
Provide every field with precision: the exact dollar amount wired, the name and address of the receiving bank, the ABA routing number, the destination account number, the date and time the wire was sent, and your bank's name and the sending account number. If you know the name on the receiving account, include it. Incomplete transaction details are the most common reason FFKC activation is delayed or denied. Pull the wire confirmation document before starting the form so you can copy numbers directly rather than recalling them from memory.
Describe how the fraud occurred — voice call, email, or both
In the narrative section, describe the exact sequence of events: who the attacker impersonated, what channel was used (phone call, email, or a combination), what was said or written, what action was taken, and when the practice discovered the fraud was not legitimate. If the attack involved a voice clone — a call that sounded like the dentist or a known executive — state this explicitly. Write: "The caller's voice appeared to be an AI-generated clone of [name/role]. We are requesting Financial Fraud Kill Chain activation." This exact language ensures your complaint is correctly routed.
Save the IC3 confirmation number before closing the browser
After submission, IC3 generates a complaint confirmation number. Screenshot it and save it immediately — you cannot retrieve it later without this number. This confirmation number is required when filing your insurance claim, your local police report, and any subsequent communications with the FBI field office that contacts you. Share the confirmation number with your office manager, DSO compliance team, and your attorney if one is engaged. Do not rely on an email confirmation — copy the number directly from the screen.
Does a Wire Fraud Attack Trigger a HIPAA Breach Notification Obligation for Dental Practices?
A wire fraud event at a dental practice triggers HIPAA breach assessment only if protected health information was accessed or used to execute the fraud. If the attacker impersonated a vendor using patient insurance data, or if the fraudulent communication accessed patient billing records, HIPAA 45 CFR § 164.400 breach notification rules apply. Assessment cannot be skipped — the default is to treat the event as a potential breach until the four-factor test demonstrates otherwise.
The HIPAA Breach Notification Rule requires dental practices to conduct a documented risk assessment any time there is a potential unauthorized access to, use of, or disclosure of protected health information. A wire fraud attack does not automatically trigger HIPAA breach notification — but it requires the practice to affirmatively determine whether PHI was involved before concluding that no breach occurred. The four-factor breach risk assessment under 45 CFR § 164.402 examines:
- The nature and extent of the PHI involved — What types of patient information could have been accessed or disclosed? Insurance IDs, dates of birth, treatment codes, billing amounts, Social Security numbers, and Delta Dental or Cigna EOBs all qualify as PHI.
- Who accessed or could have accessed the PHI — Was the attacker impersonating an authorized party in a way that gave them apparent access to systems or records containing PHI? Did the fraudulent call involve any discussion of specific patient accounts or payment details?
- Whether PHI was actually acquired or viewed — Did the social engineering script require the staff member to look up a patient record, confirm an insurance payment, or read account details aloud? If yes, PHI was disclosed to an unauthorized recipient.
- The extent to which the risk to PHI has been mitigated — Has the compromised access been cut off? Has the attacker been denied any further system access?
Dental-specific PHI to assess in the context of wire fraud: patient insurance EOBs used to verify payment amounts, Delta Dental and Cigna online payment portal access credentials, practice management software billing modules, and patient account details referenced during the fraudulent call. If any of these were accessed, disclosed, or used to construct the impersonation, HIPAA breach assessment is mandatory and notification is presumed required unless the four-factor test affirmatively demonstrates low probability of PHI compromise.
Assume breach unless all four HIPAA risk factors clearly indicate low probability of PHI compromise. The 60-day notification clock starts at the date of discovery — not the date the assessment concludes. If your assessment takes three weeks, you have 39 days remaining to notify affected patients, the HHS Office for Civil Rights, and — if 500 or more individuals are affected — prominent local media. Do not make the final notification determination without HIPAA legal counsel.
What Insurance Claims Should a Dental Practice File After Wire Fraud?
A dental practice hit by wire fraud should immediately notify its cyber liability insurer, crime/fidelity bond insurer, and dental malpractice carrier. Cyber policies often include social engineering endorsements — sometimes called "funds transfer fraud" coverage — that cover losses from voice or email impersonation, subject to sublimits that are typically lower than the main policy limit. Filing late is one of the most common reasons dental practices receive reduced or denied wire fraud insurance recoveries.
Four insurance lines apply to wire fraud at a dental practice, and each covers different components of the loss:
Crime and fidelity bond coverage is the primary instrument for fraudulent funds transfer losses. A commercial crime policy covers wire transfers made by an employee under false pretenses — including those induced by a voice clone impersonation. File within 30 to 60 days of discovery; the exact reporting window is specified in your policy and varies by carrier. Provide the IC3 confirmation number, the bank fraud case number, and a complete incident timeline. Common dental practice crime carriers include The Hartford, CNA, and Travelers.
Cyber liability coverage often includes a social engineering or funds transfer fraud endorsement that covers losses caused by impersonation — whether by email or voice. This endorsement typically carries a sublimit separate from the main cyber policy limit. Sublimits for social engineering fraud on dental practice cyber policies commonly range from $100,000 to $500,000 even when the main policy limit is $1 million or more. Document the attack vector precisely: if the impersonation was voice-based, note that the attacker used an AI-generated voice clone. Common dental cyber carriers include Markel Dental, CNA NetProtect, and Chubb Cyber Enterprise Risk Management.
Business interruption coverage applies if the wire fraud disrupted practice operations — for example, if the theft of operating funds prevented payroll, delayed equipment purchases, or required the practice to suspend services. Business interruption claims require documentation of the specific operational impact and the revenue or cost consequences.
Directors and officers coverage may apply if your practice is DSO-affiliated and the attack involved impersonation of a DSO executive. D&O coverage protects against claims alleging management failed to maintain adequate financial controls. If the DSO's central AP team processed a fraudulent wire based on an impersonated practice dentist, both the practice and the DSO may have D&O exposure.
Documentation required by all insurers: IC3 complaint confirmation number, bank fraud case number and bank's written incident summary, local police report number, a written internal incident timeline (who authorized what, when, and based on what communication), and copies of all wire documentation. For cyber claims involving a voice clone attack, also provide: any recordings or logs of the fraudulent call, and documentation of what systems or credentials may have been accessed.
How Should a Dental Practice Prevent Wire Fraud After an Incident?
After recovering from wire fraud, a dental practice must implement four structural controls that eliminate the attack surface used. The most common attack vectors — vendor payment redirect calls, fake DSO executive wire approvals, and insurance reimbursement account changes — are all preventable with callback verification, written authorization requirements, and voice authentication tools. Controls implemented after an incident must be structural, not procedural — verbal reminders to staff do not survive staff turnover or the next sophisticated attack.
Implement a verbal passphrase system for all wire and ACH approvals
Establish a random, nonsensical passphrase — agreed upon in person, never communicated digitally — between the practice owner and every staff member authorized to approve wire or ACH payments. Any inbound call requesting a wire, an ACH, or a banking change must supply this passphrase before any action is taken. If the passphrase is absent, staff decline the request and call back the dentist independently. This single control stops voice clone attacks because no AI system can know a phrase that was never digitally shared — it exists only in the memory of two people who established it face to face.
Require written confirmation from a known address before acting on any banking change
No wire transfer and no banking detail change — vendor account updates, insurance reimbursement deposit changes, payroll routing changes — should be processed based solely on a phone call. Require written confirmation from an email address in the practice's established contact directory before taking any action. The written confirmation must come from an address the practice has previously used with the person or organization — not from an address provided during the suspicious call. If the email address is new or slightly different from a previous one, verify by calling back on a known number.
Establish a no-action-on-inbound-call rule for payment changes
Implement a standing practice policy: no financial action — wire, ACH, vendor payment redirect, banking detail update — is ever taken based solely on an inbound phone call, regardless of how the caller sounds or what number is displayed on the caller ID. Any request received by phone is acknowledged but not acted upon until the staff member hangs up, looks up the requester's number independently, and calls back to confirm. This rule eliminates the entire inbound voice clone attack surface in one clear, enforceable instruction that can be taught to new billing staff in under five minutes.
Deploy Vicall to flag AI-generated voice on incoming calls
Vicall provides an on-screen verdict — REAL VOICE or SYNTHETIC DETECTED — in under one second on incoming calls. For the dentist's mobile phone, Vicall runs as an iOS or Android app. For analog front desk multi-line systems, Vicall's on-premises Mac mini deploys alongside existing hardware without replacement. Unlike human listeners — who correctly identify AI-generated audio approximately 48% of the time, roughly a coin flip — Vicall catches synthetic voices at machine speed before an employee can be socially engineered into authorizing a payment. Learn more about how voice clone fraud works and what detection requires.
Run annual vishing drills with front-desk and billing staff
Once per year, conduct a simulated vishing drill: have a trusted third party call the front desk or billing department impersonating the dentist or a known vendor and request a payment or banking detail change. Measure whether staff follow the callback protocol and written authorization requirement. Staff who experience a simulated attack — and are debriefed on what they did correctly or incorrectly — are significantly more resistant to real attacks than staff who receive only verbal or written training. Document the drill results for your insurer, who may offer premium credits for organizations with active fraud training programs.
Frequently Asked Questions
Yes — but recovery depends almost entirely on speed. The FBI's Financial Fraud Kill Chain (FFKC) achieves a 66% success rate for losses over $50,000 when initiated within 72 hours of the fraudulent transfer. Domestic wires are more recoverable than international transfers because US-based correspondent banks respond to FFKC notices directly. For international wires, SWIFT gpi recall allows your sending bank to reach the receiving bank within minutes, but success rates drop sharply once funds reach a foreign jurisdiction. Every hour you delay reduces recovery odds as attackers move funds through layered intermediary accounts designed to frustrate tracing. Call your bank first, then file at ic3.gov the same day.
Filing at ic3.gov does not open a traditional investigation timeline — it activates the Financial Fraud Kill Chain if the criteria are met, and routes your complaint to the appropriate FBI field office. If the FFKC successfully freezes funds, civil asset forfeiture proceedings may return money within weeks to months. Full DOJ criminal investigation and prosecution timelines are much longer — typically 6 to 24 months from complaint to charges, and longer still before any restitution order. For a dental practice, the practical goal of IC3 filing is FFKC activation and insurance documentation, not expecting rapid prosecution. Coordinate with your bank and insurer in parallel rather than waiting on law enforcement timelines.
Employee authorization of a fraudulent wire generally does not eliminate the practice's ability to recover from its insurer — but it does affect how the claim is structured. A crime or fidelity bond policy covers fraudulent funds transfers including those authorized by employees under false pretenses. The practice's duty-of-care question arises if the employee bypassed written authorization procedures that were established policy — in that case, the insurer may seek to reduce the claim. If no written authorization policy existed, the insurer may scrutinize whether reasonable controls were in place. In either scenario, the employee acting under a voice-clone impersonation is typically treated as a defrauded party rather than a negligent one, provided the impersonation was sophisticated and the employee had no reason to doubt its authenticity.
Wire fraud losses for dental practices vary significantly by practice size and attack vector. Individual practices targeted through vendor payment redirect scams typically lose between $5,000 and $40,000 — amounts consistent with a single supply order from Henry Schein, Patterson, or Benco. DSO-affiliated practices and group practices face higher exposure: equipment financing wires and DSO-level AP fraud routinely reach $50,000 to $200,000 per incident. The ADA has not published practice-specific wire fraud loss statistics, but FBI IC3 data shows the healthcare sector — which includes dental — reported $1.8 billion in BEC and wire fraud losses in 2023, with a median individual incident loss of approximately $50,000 for business victims in professional services.
Patient notification after wire fraud is only required under HIPAA if protected health information was involved in the attack. If the fraudster impersonated a vendor or executive and no PHI was accessed, disclosed, or used to execute the fraud, HIPAA breach notification is not triggered. However, if the attacker used patient insurance data, EOBs, billing records, or any other PHI to make the impersonation convincing — or if the attack involved access to a system containing PHI — a HIPAA breach risk assessment is mandatory. If that assessment cannot demonstrate a low probability of PHI compromise using the four-factor test under 45 CFR § 164.402, patients must be notified within 60 days of discovery. Do not make a final notification determination without consulting a HIPAA attorney. For more detail on the HIPAA implications of voice-based attacks, see the voice clone attack response guide for dental practices.
Know if the Voice is Real
Before You Wire a Dollar.
Real-Time Voice Detection.
Vicall detects synthetic voices in under one second — on-device, no cloud, any phone, including analog front desk lines. Stop a voice-clone wire fraud before it starts.
Take the Voice Clone Risk Quiz →Related Resources
Learn more about phone-based social engineering, voice fraud, and how to protect your organization.