What Should a Medical Practice Do in the First Hour After a Wire Fraud?
The first 60 minutes after discovery are the highest-leverage window for fund recovery. Wire transfers are not instantaneous in terms of final settlement — domestic wires can be recalled if you move before funds are swept to a secondary account. Every action in the first hour must be taken in parallel, not sequentially. Do not wait to finish documenting before calling the bank, and do not wait for bank confirmation before alerting leadership.
Medical practices that discover wire fraud often lose critical time in the first hour to internal discussions, attempting to verify whether fraud actually occurred, or routing the issue through administrative channels before reaching decision-makers. This is exactly the wrong response. The moment you have reasonable suspicion that a fraudulent wire has been processed, begin the steps below simultaneously — not in sequence.
Stop and freeze — call your bank's wire fraud line now
Call your sending bank's dedicated wire fraud or financial crimes unit — not the general customer service line, which lacks authority to initiate a recall. Request an immediate wire recall. Provide the full transaction details: exact date and time of transfer, dollar amount, sending account number, and the destination account number and bank routing number. Wire recalls require authorization from the sending bank to contact the receiving bank — your call starts this clock. Every minute of delay reduces the probability that funds are still in the receiving account and have not been forwarded onward.
Document everything before touching any systems
Before logging into, modifying, or resetting any account or system, document and preserve all evidence in place. Take screenshots of any emails, text messages, or online banking notifications. Write down the exact call time, the number shown on caller ID, the name of the staff member who authorized the wire, what was said or requested, and any voicemails related to the transfer. Place a preservation hold on call logs with your phone system administrator. Do not delete any recordings, log entries, or message threads — these are evidence for law enforcement, your insurer, and any subsequent HIPAA documentation.
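One way to make "preserve all evidence in place" verifiable, as an added example that is not part of the original guide: hash every preserved artifact into a manifest at collection time, so the copies later handed to the bank, insurer or law enforcement can be shown to be unchanged. The sample files, the custodian name and the directory layout below are constructed placeholders.

```python
"""Evidence manifest for wire fraud incident response (added example).

Records path, size, SHA-256 hash and original modification time of every
preserved artifact (screenshots, exported email, voicemail audio, call-log
exports) and re-checks them later. Sample artifacts are constructed in a
temporary directory; the custodian name is a placeholder.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path, custodian: str) -> dict:
    """Record every file under evidence_dir, sorted by path.

    The manifest is written outside evidence_dir so it never hashes itself,
    and originals are only read, never modified or "touched".
    """
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        stat = path.stat()
        entries.append({
            "path": str(path.relative_to(evidence_dir)),
            "size": stat.st_size,
            "sha256": hash_file(path),
            "mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "custodian": custodian,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "evidence_dir": str(evidence_dir),
        "files": entries,
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Re-hash each manifest entry; return paths that are missing or changed."""
    problems = []
    for entry in manifest["files"]:
        path = evidence_dir / entry["path"]
        if not path.is_file():
            problems.append(f"missing: {entry['path']}")
        elif hash_file(path) != entry["sha256"]:
            problems.append(f"modified: {entry['path']}")
    return problems


def demo() -> tuple[int, list[str], list[str]]:
    """Build a manifest over constructed artifacts, then show tamper detection."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        (evidence / "email").mkdir(parents=True)
        # Constructed sample artifacts, not data from any real incident
        (evidence / "call_log.txt").write_text(
            "2024-03-04 10:12 inbound 555-0100 caller claimed to be physician, "
            "requested urgent vendor wire\n"
        )
        (evidence / "email" / "wire_request.eml").write_text(
            "From: accounts@example.invalid\nSubject: Updated remittance details\n\n...\n"
        )
        (evidence / "voicemail_0312.wav").write_bytes(b"RIFF\x00\x00\x00\x00WAVEfake")

        manifest = build_manifest(evidence, custodian="PLACEHOLDER practice administrator")
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        clean = verify_manifest(evidence, manifest)  # expected: []
        # Simulate a call log edited and a voicemail deleted after collection
        (evidence / "call_log.txt").write_text("edited\n")
        (evidence / "voicemail_0312.wav").unlink()
        tampered = verify_manifest(evidence, manifest)
        return len(manifest["files"]), clean, tampered


if __name__ == "__main__":
    count, clean, tampered = demo()
    print(f"{count} files recorded; clean check: {clean}; after tampering: {tampered}")
```

Run the manifest step before anyone logs into or resets the affected accounts, keep the manifest file on separate storage from the evidence itself, and record the hash of the manifest in the incident timeline so that every later copy can be checked against it.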
Alert physician partners and the practice administrator
Notify practice leadership immediately — the physician owner, managing partner, and practice administrator. Do not investigate privately and do not delay escalation until you are certain fraud occurred. Leadership authorization is required to engage legal counsel, file law enforcement reports, and make statements to insurers. Early leadership involvement also ensures that all staff are informed and that a second fraudulent request — attackers frequently attempt a follow-up call in the same 24-hour window — is not acted upon.
Do not use potentially compromised communication channels
If the fraud was enabled by a compromised email account, VOIP system, or messaging platform, do not use those channels to coordinate your response. Attackers who have access to your email can intercept your communications in real time, learn that you have discovered the fraud, and accelerate the movement of funds before a recall can be initiated. Use personal cell phones and out-of-band communication methods — direct calls to personal numbers, not office extensions — for all internal coordination related to the incident.
File a local police report on the same day
File a police report with your city or county law enforcement agency on the same day as discovery. Many cyber liability and crime insurance policies require a contemporaneous police report as a condition of claim processing. The police report also creates a documented chain of custody for the evidence you have preserved and may be required by your state attorney general's office if an investigation is opened. Bring your documented evidence — call logs, wire confirmation details, and any emails or voicemails — when you file.
Do not notify staff through a group email or practice-wide message before you have secured communication channels. If your email system was compromised as part of the attack — which is common in business email compromise scenarios that precede wire fraud — an all-staff email announcing that you have discovered the fraud alerts the attacker in real time. Conduct all notifications through out-of-band channels until your IT team or MSP has assessed and cleared the communication systems.
How Does the FBI Financial Fraud Kill Chain Work for Medical Practice Wire Fraud?
The FBI Financial Fraud Kill Chain is not a passive investigative process — it is an active fund-recovery mechanism triggered by an IC3 complaint. When a qualifying domestic wire fraud complaint is filed within 72 hours, the FBI Cyber Division contacts the receiving bank's correspondent directly to request a freeze or recall of the fraudulent wire. Filing the IC3 report as early as possible is the single highest-leverage action a medical practice can take after calling the bank.
Most medical practices are unaware that the FBI operates a dedicated rapid-response mechanism for wire fraud — the Financial Fraud Kill Chain (FFKC) — that is distinct from and faster than a standard criminal investigation. The FFKC was developed specifically to address the gap between the speed at which fraudulent wires move and the speed at which law enforcement traditionally responds. Understanding how it works changes the urgency of your IC3 filing.
When the FFKC is activated, the FBI's Cyber Division sends a Financial Fraud Kill Chain notification directly to the receiving bank's compliance or financial crimes team, requesting that the fraudulent wire be frozen pending a recall. For domestic transactions, this notification can reach the receiving bank within hours of the IC3 complaint being filed. If funds are still in the destination account — which is most likely in the first 24 to 48 hours — the receiving bank freezes the balance and initiates a return transfer to the sending institution. This is not a guarantee of recovery, but it is the mechanism that makes recovery possible.
International wire transfers face significantly lower recovery rates. Once funds have moved through a foreign correspondent bank — particularly in jurisdictions with limited U.S. law enforcement cooperation — the FBI's options are constrained to SWIFT recall requests through your sending bank and, in some cases, mutual legal assistance treaty (MLAT) procedures that can take months. For international transfers, your sending bank's SWIFT recall request and your IC3 filing must happen simultaneously and as fast as possible after discovery.
Navigate to ic3.gov and begin a new complaint
Go to ic3.gov and select "File a Complaint." Create an account or log in. Select "Business" as the victim type and "Wire Transfer Fraud" as the crime type. The complaint form takes approximately 20 to 30 minutes to complete if you have your documentation prepared. Do not rush the form — accuracy in the transaction details is more important than speed of submission once you are past the initial bank call.
Enter the complete wire transaction details
Provide: the exact date and time of the fraudulent wire, the dollar amount, your sending bank name and account number, the destination bank name and routing number, the destination account number, and the name on the destination account if known. The more precisely you document the transaction details, the more efficiently the FFKC notification can be routed to the correct receiving institution. Incomplete or approximate transaction details create delays.
Describe the attack method — include voice cloning or impersonation details
Describe the attack in the narrative section: who was impersonated, what was said, what communication channel was used (phone call, email, or both), and what made the impersonation convincing. If a physician, practice administrator, or vendor was voice-cloned, state this explicitly. The FBI uses this information to route your complaint to the Cyber Division — voice cloning and business email compromise complaints receive different handling than generic fraud complaints and may qualify for enhanced FFKC priority.
Record your IC3 complaint reference number immediately
After submitting, note your IC3 complaint reference number. You will need this number for every subsequent interaction: your bank callback, your insurance claims, your police report supplement, and any follow-up contact with the FBI. Save the confirmation email. If you do not receive a confirmation within a few minutes of submitting, check your spam folder before re-filing — duplicate complaints can complicate the FFKC activation.
Contact your nearest FBI field office to confirm FFKC activation
After filing at ic3.gov, call your nearest FBI field office and inform them that you have filed an IC3 complaint and are requesting confirmation that the Financial Fraud Kill Chain has been activated for the transaction. Provide your complaint reference number and the full wire transaction details. This step is not required by the process, but it adds a direct human contact point that can expedite the receiving bank notification — particularly for high-value transactions where the FFKC is most likely to succeed.
Does Wire Fraud at a Medical Practice Trigger a HIPAA Breach Notification?
Wire fraud is a financial crime, but when it targets a medical practice it frequently involves protected health information — either because the attacker accessed PHI to make the attack convincing, or because the same system access that enabled the fraud also exposed patient data. The HIPAA four-factor breach risk assessment under 45 CFR § 164.402 is not optional when there is a plausible connection between the fraud and PHI. The 60-day notification clock runs from the date of discovery.
Medical practices consistently underestimate the HIPAA dimension of wire fraud incidents. A fraudulent wire is a financial event — but the attack that caused it may have required the attacker to access your EHR system, medical billing platform, or patient payment portal to gather the information needed to make the impersonation convincing. If the attacker knew which vendor invoices were pending, which insurance payer owed a large reimbursement, or which physician was expected to be traveling — details that would only be available from internal systems — that system access constitutes a potential HIPAA breach independent of the financial loss.
Under HIPAA's Breach Notification Rule at 45 CFR § 164.402, a covered entity must conduct a four-factor risk assessment for any impermissible use or disclosure of protected health information. The four factors are:
- The nature and extent of the PHI involved — including types of identifiers and the likelihood of re-identification
- The unauthorized person who accessed or received the PHI — and whether that person is subject to HIPAA obligations
- Whether the PHI was actually acquired or viewed — or whether there is low probability that it was accessed despite the impermissible disclosure
- The extent to which the risk of harm has been mitigated — through containment actions taken after discovery
If your EHR vendor is Epic or athenahealth, contact their security team immediately after you have secured your bank recall and filed the IC3 report. Both maintain dedicated security incident response teams that can conduct access log reviews to determine whether unauthorized access occurred within your instance. This audit log is the primary evidence you need for the third factor in the breach risk assessment — whether PHI was actually acquired or viewed. Do not attempt to review access logs yourself before preserving them in their original state.
Medical billing platforms and patient payment portals are equally important. If the attacker impersonated an insurance representative and your billing staff provided patient account details, claim numbers, or balances — even for "verification" purposes — that disclosure constitutes PHI exposure under HIPAA. Patient payment portal access logs should be reviewed for unauthorized sessions in the 30 days preceding the fraudulent wire.
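The 30-day portal access review described above, as an added example that is not part of the original guide: the script filters a constructed access log to the 30 days before the fraudulent wire and flags sessions the privacy officer should examine for the third factor of the breach risk assessment (whether PHI was actually viewed). The log format, the trusted address ranges, business hours and thresholds are assumptions for this example, not any portal vendor's real format or settings.

```python
"""Review of patient payment portal access logs before a fraudulent wire (added example).

Flags sessions in the 30 days preceding the wire that show: a source address
outside the practice's known ranges, activity outside business hours, a burst
of failed logins, or an unusually high number of account records viewed in
one session. All values below are assumptions or constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed: office and MSP address ranges (documentation placeholders)
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
BUSINESS_HOURS = range(7, 20)      # 07:00 to 19:59 local time
BULK_VIEW_THRESHOLD = 25           # account records viewed in one session
FAILED_LOGIN_THRESHOLD = 5

# Constructed sample log: timestamp|session|user|event|src_ip|detail
SAMPLE_LOG = """\
2024-02-10T09:15:02|s001|billing1|login_ok|203.0.113.14|
2024-02-10T09:16:40|s001|billing1|view_account|203.0.113.14|acct=10231
2024-02-20T02:41:11|s002|billing2|login_fail|192.0.2.77|
2024-02-20T02:41:20|s002|billing2|login_fail|192.0.2.77|
2024-02-20T02:41:33|s002|billing2|login_fail|192.0.2.77|
2024-02-20T02:41:45|s002|billing2|login_fail|192.0.2.77|
2024-02-20T02:41:58|s002|billing2|login_fail|192.0.2.77|
2024-02-20T02:42:10|s002|billing2|login_ok|192.0.2.77|
""" + "".join(
    f"2024-02-20T02:43:{i:02d}|s002|billing2|view_account|192.0.2.77|acct={11000 + i}\n"
    for i in range(30)
) + """\
2024-03-02T14:05:00|s003|frontdesk|login_ok|198.51.100.9|
2024-03-02T14:06:12|s003|frontdesk|view_account|198.51.100.9|acct=10410
2024-01-05T11:00:00|s000|billing1|login_ok|192.0.2.50|
"""


def parse_log(text: str) -> list[dict]:
    """Parse the assumed pipe-delimited format into event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, user, event, ip, detail = line.split("|", 5)
        events.append({
            "ts": datetime.fromisoformat(ts), "session": session, "user": user,
            "event": event, "ip": ip_address(ip), "detail": detail,
        })
    return events


def review_window(events: list[dict], wire_time: datetime, days: int = 30) -> list[dict]:
    """Keep only events in the `days` before (and up to) the fraudulent wire."""
    start = wire_time - timedelta(days=days)
    return [e for e in events if start <= e["ts"] <= wire_time]


def flag_sessions(events: list[dict]) -> dict[str, dict]:
    """Group events by session and return the sessions that need review, with reasons."""
    by_session: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    findings = {}
    for sid, evs in by_session.items():
        reasons = []
        if any(not any(e["ip"] in net for net in TRUSTED_NETWORKS) for e in evs):
            reasons.append("untrusted source address")
        if any(e["ts"].hour not in BUSINESS_HOURS for e in evs):
            reasons.append("activity outside business hours")
        fails = sum(1 for e in evs if e["event"] == "login_fail")
        if fails >= FAILED_LOGIN_THRESHOLD:
            reasons.append(f"{fails} failed logins in session")
        views = sum(1 for e in evs if e["event"] == "view_account")
        if views >= BULK_VIEW_THRESHOLD:
            reasons.append(f"{views} account records viewed in one session")
        if reasons:
            findings[sid] = {
                "user": evs[0]["user"],
                "first_seen": min(e["ts"] for e in evs).isoformat(),
                "reasons": reasons,
            }
    return findings


def run_review(log_text: str = SAMPLE_LOG,
               wire_time: datetime = datetime(2024, 3, 4, 10, 30)) -> dict[str, dict]:
    """Full pipeline: parse, restrict to the 30-day window, flag sessions."""
    return flag_sessions(review_window(parse_log(log_text), wire_time))


if __name__ == "__main__":
    for sid, finding in run_review().items():
        print(sid, finding["user"], finding["first_seen"], "; ".join(finding["reasons"]))
```

In the sample, session s000 falls outside the 30-day window and is ignored, the two office-hours sessions from trusted ranges pass, and s002 is flagged on all four criteria. Run this over a copy of the exported log, never the live system, so the original remains preserved in the state the evidence step requires.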
Assume a potential breach until the four-factor analysis clears it — not the other way around. Practices that conduct no breach risk assessment and later discover that PHI was accessed face dual liability: the original breach, and the failure to conduct a timely assessment. HHS Office for Civil Rights investigations are triggered by late, incomplete, or absent breach assessments as frequently as by the underlying PHI exposure. Begin documentation immediately, engage your privacy officer on day one, and let the four-factor analysis determine whether notification is required — not your initial assumption that the fraud was "only financial."
If the four-factor analysis concludes that PHI was accessed and the breach is reportable, affected patients must be notified without unreasonable delay and no later than 60 days from the date of discovery. HHS must also be notified within 60 days. If more than 500 individuals in a single state are affected, prominent media notification in that state is additionally required. Engage legal counsel to draft HIPAA-compliant patient notifications before sending — the content, format, and delivery method are all prescribed by the Breach Notification Rule.
What Insurance Claims Should a Medical Practice File After Wire Fraud?
Medical practices typically carry multiple insurance policies that may each respond to a wire fraud event. Filing with one insurer does not eliminate claims under others, and failing to notify an insurer within the policy's reporting window — typically 24 to 72 hours — can void coverage. File with all potentially applicable policies on the day of discovery, before bank confirmation of whether the recall succeeded.
Wire fraud at a medical practice can trigger claims under three distinct policy types, and most practices underestimate which of their existing policies apply. The coverage landscape has changed significantly in the past three years as insurers have responded to the surge in business email compromise and voice clone fraud — social engineering endorsements and funds transfer fraud riders are now standard in well-structured cyber liability policies, but sublimits and exclusions vary substantially by insurer and policy year.
Crime and Fidelity Bond
A crime insurance policy or fidelity bond typically covers losses resulting from fraudulent instructions to transfer funds — including wire fraud conducted via social engineering or impersonation. This is often the primary policy to claim against for direct wire losses. Review your crime policy for a "funds transfer fraud" coverage grant and note any sublimit that applies specifically to electronic funds transfer or social engineering events. The Doctors Company, ProAssurance, and Coverys — three of the largest medical professional liability insurers — offer crime coverage endorsements as part of practice protection packages; verify whether your existing relationship with these insurers includes a crime component.
Cyber Liability with Social Engineering Endorsement
Cyber liability policies increasingly include a social engineering endorsement or funds transfer fraud coverage rider. However, these endorsements frequently carry sublimits — often $100,000 to $250,000 — that are lower than the base cyber liability limit. The endorsement may require that the practice followed specific authorization procedures (such as dual approval or written confirmation) before any transfer in order for coverage to apply. If your staff processed the wire based solely on a phone call — the most common attack scenario — and your policy requires documented multi-step authorization as a coverage condition, you may face a coverage dispute. Document your existing authorization procedures in writing before engaging the insurer on the merits of the claim.
Professional Liability if Patient Care Was Disrupted
If the wire fraud event resulted in disrupted cash flow that affected patient care — delayed payroll preventing staff availability, inability to pay medical supply vendors resulting in supply shortages, or system downtime during the incident response — your professional liability insurer should be notified. While direct wire fraud losses are not typically covered under professional liability, the downstream patient care impact may trigger coverage for claims arising from care disruptions. Insurers in the medical professional liability space, including The Doctors Company, ProAssurance, and Coverys, have specific protocols for practice-level financial disruption incidents. Notify them on day one with a brief incident summary and your IC3 complaint reference number.
For every insurance claim, provide the same documentation package: your IC3 complaint reference number, your bank case or recall reference number, the police report number, and a written internal incident timeline covering the sequence of events from the initial contact through the point of discovery. Insurers use this documentation to assess coverage applicability and to set reserves — incomplete documentation delays claim processing and may affect the final coverage determination.
Watch for sublimits on social engineering coverage. Many cyber liability policies that list social engineering or funds transfer fraud on their coverage summary apply a sublimit of $100,000 to $250,000 to these specific events — even if the base policy limit is $1 million or higher. Confirm your social engineering sublimit before assuming full base-limit coverage applies to a wire fraud loss. If your policy was written more than two years ago, review it with your broker — sublimit amounts have shifted significantly in recent renewals, and underinsurance is common in the current market.
How Should a Medical Practice Prevent Wire Fraud After an Attack?
A practice that has been successfully targeted once is at substantially elevated risk of a second attack — attackers know your financial workflows, your staff names, your vendor relationships, and which impersonation was convincing enough to work. The controls below must be implemented before normal operations resume. Each one independently removes the primary attack vector used in the vast majority of medical practice wire fraud incidents.
Returning to normal operations without implementing procedural controls after a wire fraud incident is not a risk tolerance decision — it is an unprotected exposure. Attackers who have successfully defrauded a practice once have invested time learning its specific workflows. If the same workflow is still in place when they return — and they frequently do within days to weeks — the probability of a second successful fraud is high.
Establish a verbal passphrase for all wire transfer approvals
Create a pre-agreed, random passphrase between all physicians and all staff authorized to process financial transactions. The passphrase must be agreed on in person — never over the phone or by email — and must be rotated after any incident. Any inbound call requesting a wire transfer, vendor payment, or banking change that does not include the passphrase must be treated as unverified and escalated. The FBI specifically recommends passphrase-based verification as the primary defense against voice clone fraud in financial authorization scenarios. A cloned voice cannot provide a passphrase it has never heard.
Require written confirmation for all banking account changes
Implement a written authorization requirement for every banking account change — vendor EFT updates, payroll direct deposit changes, insurance reimbursement deposit account modifications, and any change to an outgoing wire destination. Require a physical or digitally signed authorization form separate from the phone or email request. This creates a processing delay and a paper trail, and it means that a successful voice clone attack on this vector also requires the attacker to have compromised the practice's email or document systems — a meaningfully harder attack to execute.
Implement a no-action-on-inbound-call policy
Establish a hard, no-exceptions policy: no wire transfer, no banking detail change, no payroll update, and no vendor payment modification is ever processed based solely on an inbound phone call. Any request received by inbound call is acknowledged, terminated, and then independently verified by an outbound callback to the requestor's number from your internal verified directory — not a number provided during the call. This single policy removes the primary attack vector used in virtually every voice clone fraud incident targeting medical practices and costs nothing to implement.
Deploy Vicall for real-time voice authentication on practice phone lines
Vicall detects synthetic and voice-cloned audio on live calls in under one second — on-device, no cloud processing, no audio transmitted externally. This satisfies HIPAA's technical safeguard requirements because voice audio never leaves the device. Deploy on physician smartphones via the Vicall mobile app and on the main practice phone line via the on-premises Mac mini deployment. When a call arrives and Vicall shows SYNTHETIC DETECTED, staff have a definitive, objective signal that the call is fraudulent — not a judgment call based on whether the voice "sounds right." Learn more at vicallapp.com/voice-clone-fraud.html.
Conduct annual vishing simulation training for front desk and billing staff
Run a structured vishing simulation at least once per year — and immediately after any incident. The simulation should use a realistic impersonation of a physician or known vendor requesting a financial action, and should test whether front desk and billing staff follow the callback verification protocol or comply with the inbound request. Passive training — presentations and policy documents — is significantly less effective than active role-play exercises where staff practice ending an inbound call and initiating an outbound verification. The voice clone attack response guide covers the specific attack patterns most commonly used against medical practice billing and front desk staff.
Frequently Asked Questions
Yes, recovery is possible but depends critically on speed. The FBI's Financial Fraud Kill Chain (FFKC) achieves a 66% recovery rate for domestic wire fraud losses of $50,000 or more when an IC3 report is filed within 72 hours of the fraudulent transfer. Domestic wires have meaningfully higher recovery rates than international transfers, where funds often move through multiple correspondent banks in jurisdictions with limited U.S. cooperation. For international transfers, contact your bank immediately to attempt a SWIFT recall, file with IC3, and engage legal counsel about civil asset forfeiture options. Every hour beyond the 72-hour window reduces recovery probability substantially — the highest-priority action after discovery is calling your bank's wire fraud line, not completing an internal investigation.
Liability generally rests with the practice entity rather than the individual employee when the employee followed reasonable procedures in good faith and was deceived by a sophisticated attack such as voice cloning. However, if the employee bypassed established authorization protocols — for example, processing a wire without required dual approval or written authorization — the practice may have limited grounds to claim insurance coverage and the employee's individual liability exposure increases. A fidelity bond or crime insurance policy typically covers losses from employee acts performed under fraudulent instruction, subject to policy sublimits on social engineering events. Engage legal counsel on the same day as the incident to assess liability positioning before making any statements to insurers or third parties.
It depends on whether protected health information was involved in the attack. Wire fraud that was enabled by an attacker accessing, reviewing, or using PHI — such as patient billing records, EHR entries, or insurance claim data — to make the attack convincing triggers a HIPAA four-factor breach risk assessment under 45 CFR § 164.402. If the attacker accessed your EHR system, medical billing platform, or patient payment portal as part of the attack, assume a potential breach until the four-factor analysis clears it. The 60-day HIPAA notification clock runs from the date of discovery, not the date of the fraudulent transfer. Engage your privacy officer and legal counsel the same day you confirm the fraud occurred.
Medical practice wire fraud losses vary widely based on practice size and the attack vector. Vendor payment redirect schemes — where an attacker diverts a single large accounts payable wire to a fraudulent account — typically range from $15,000 to $150,000 per incident. Insurance reimbursement EFT redirect attacks, where a practice's payer deposit account is changed to a fraudulent account, can accumulate losses of $50,000 to $400,000 over several billing cycles before discovery. Physician impersonation attacks requesting emergency wire transfers typically target amounts between $25,000 and $200,000. Medical billing companies managing multiple practices have reported single-incident losses exceeding $500,000. The FFKC's $50,000 minimum threshold covers the majority of single-incident losses reported by group practices and multi-physician offices.
FBI IC3 investigations for wire fraud typically take 6 to 24 months from initial report to any prosecution or civil asset forfeiture outcome. The Financial Fraud Kill Chain operates much faster — within 24 to 72 hours of filing — but this is a fund-freezing mechanism rather than a full investigation. Criminal prosecution of wire fraud across jurisdictions, particularly international cases, requires coordination between the FBI Cyber Division, Department of Justice, and foreign law enforcement agencies. Civil asset forfeiture proceedings, which can be initiated separately from criminal prosecution, may move somewhat faster but still require 6 to 18 months in most cases. Maintain your IC3 complaint reference number, respond promptly to any FBI follow-up requests, and do not assume that absence of contact means the investigation is inactive — IC3 reports are aggregated across incidents to build pattern-based enforcement cases.