Business Email Compromise: The $2.7 Billion Threat to Texas Medical Practices in 2026

April 10, 2026 · 7 min read · Incidents & Response

On February 19, 2026, the CFO of a Dallas surgical group received an email from what appeared to be their primary medical supply vendor. The message referenced an upcoming invoice, included accurate account numbers, and requested a routing number update for "our new banking partner following the merger." The email passed all technical authentication checks. The requested change was processed. Three weeks later, a $287,000 payment for surgical supplies disappeared into a criminal account in Eastern Europe.

This is Business Email Compromise (BEC), the single largest financial threat facing healthcare organizations in 2026. The FBI's Internet Crime Complaint Center reported that BEC cost U.S. businesses $2.7 billion in 2025, with healthcare organizations experiencing the highest average loss per incident. Unlike ransomware with its public drama, BEC operates silently, extracting money and sensitive data through carefully crafted deception that technical controls often fail to detect.

$287,000: average BEC loss for mid-size medical practices in 2026, often not covered by cyber insurance

The Evolution of BEC in Healthcare

Business Email Compromise has evolved from crude impersonation to sophisticated operations that specifically target healthcare financial workflows:

Vendor Email Compromise: Attackers no longer impersonate internal executives exclusively. Modern BEC campaigns compromise actual vendor email accounts, then manipulate ongoing payment conversations from legitimate addresses. A Houston practice's BEC loss resulted from compromised credentials at their medical supply distributor. The attackers had accessed months of legitimate invoice history, enabling perfectly contextual fraudulent requests.

Healthcare-Specific Targeting: BEC operators have developed detailed knowledge of healthcare payment cycles, insurance remittance patterns, and vendor relationships. An Austin cardiology practice received a BEC attempt timed precisely with their quarterly equipment lease payment, referencing accurate lease terms and payment history. The timing and accuracy made the fraud nearly indistinguishable from legitimate vendor communication.

Dual-Channel Deception: Sophisticated BEC now coordinates email compromise with phone verification calls. After sending fraudulent payment change requests, attackers follow up with calls to finance staff, confirming the change and creating verbal verification that staff remember as legitimate. A San Antonio practice's BEC incident involved three separate phone calls that reinforced the fraudulent email request.

How BEC Operators Target Medical Practices

The BEC targeting of Texas medical practices follows specific reconnaissance and execution patterns:

Public Information Harvesting: BEC operators scrape practice websites, professional directories, and LinkedIn to map organizational structure. They identify accounts payable personnel, CFOs, and practice administrators. They gather vendor names, service types, and timing patterns. A Fort Worth practice BEC investigation revealed the attackers had compiled a complete organizational chart including reporting relationships and vacation schedules from public sources.

Credential Acquisition: BEC often begins with credential compromise through phishing or password spraying. Compromised email accounts provide access to legitimate communication patterns, enabling highly convincing future impersonation. A McAllen practice discovered their billing coordinator's account had been compromised for six months, providing attackers with complete visibility into payment workflows and vendor relationships.

Vendor Infrastructure Targeting: Rather than attacking practices directly, BEC operators increasingly compromise vendor systems, then exploit trusted vendor relationships. A multi-practice BEC campaign in early 2026 originated from a compromised medical billing service. The attackers sent payment redirection requests from the billing service's legitimate domain to over 40 client practices.

The San Marcos Orthodontic Group Incident

A detailed examination of a February 2026 BEC incident illustrates the full attack chain and response requirements. The San Marcos Orthodontic Group, a three-location practice with 28 staff members, experienced a BEC attack that began with reconnaissance in November 2025 and concluded with financial loss in February 2026.

The attackers identified the practice through public directories and conducted extensive reconnaissance via the practice website and social media. They identified the office manager as the primary accounts payable contact and mapped the practice's relationship with their primary orthodontic supplies vendor. They noted that the practice processed vendor payments on the 15th and 30th of each month.

In January 2026, the attackers registered a domain visually similar to the vendor's legitimate domain, changing only one character in the domain name. They established email hosting and SPF records that would pass basic authentication checks. On February 12, they initiated their attack with an email that referenced a legitimate invoice number from the previous month and requested an updated ACH routing number for "a banking transition following our regional restructuring."

The office manager, processing invoices during a busy Monday morning, verified the invoice number against the practice management system and confirmed the vendor relationship. The email contained no obvious red flags - no urgency, no grammatical errors, no suspicious links. She processed the routing change. On February 15, the practice's automatic payment of $127,400 for supplies was diverted to a criminal account.

The fraud was discovered on February 28 when the legitimate vendor contacted the practice regarding an overdue balance. The practice's initial response focused on recovering the funds, which proved impossible as the money had moved through multiple mule accounts and cryptocurrency exchanges within 72 hours. The incident then required breach assessment (whether patient data was accessed), OCR notification evaluation, and cyber insurance claim processing.

Why Traditional Defenses Fail

Healthcare organizations deploy email security solutions that prove inadequate against modern BEC:

Authentication Technology Gaps: SPF, DKIM, and DMARC can detect some domain spoofing but fail against compromised legitimate accounts and carefully registered lookalike domains. The San Marcos attackers' domain passed DMARC checks because they had configured SPF and DMARC records for the lookalike domain they controlled; DMARC only confirms that a message is authorized by the domain it claims to come from, not that the domain belongs to the vendor. The email appeared technically legitimate.

Content Filter Limitations: BEC emails often contain no malicious attachments, no suspicious links, and no threatening language. They read as ordinary business communication because they are designed to read as ordinary business communication. Content filters tuned to detect malware and phishing miss BEC entirely.

Process Vulnerabilities: The fundamental BEC vulnerability is organizational process, not technical infrastructure. Practices that verify payment changes via the same email channel where requests arrive remain vulnerable regardless of security technology. The San Marcos practice had email security but lacked out-of-band verification procedures.

Multi-Layer BEC Defense

Effective BEC defense requires technical, procedural, and human layers:

Out-of-Band Verification: Every request to change payment information must be verified through a separate communication channel initiated by the practice. Verify via a phone call to a number already on file, never a number provided in the email. A Dallas practice implemented mandatory callback verification and stopped five BEC attempts in Q1 2026, including one that had compromised their primary vendor's actual email system.

Domain Monitoring: Deploy services that monitor for domain registrations similar to your vendors' domains. Early detection of lookalike domains enables proactive blocking before attacks launch. A Houston practice's domain monitoring identified 12 lookalike domains registered to target their vendors in the first quarter of 2026.
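The authentication gap described under "Why Traditional Defenses Fail" and the lookalike-domain monitoring above both come down to the same check: does the sender's domain actually belong to a vendor the practice already works with, regardless of whether SPF or DMARC passed? The following is an added example written for this article, not code from the original post or from any vendor's product. It compares an inbound sender domain against a constructed vendor master list and flags single-character edits, adjacent-character swaps, confusable-character substitutions (such as a digit one for a lowercase L) and TLD swaps. The vendor domains, the small confusables table and the naive "label before the last dot" split are all assumptions for illustration.

```python
"""Lookalike-domain check for inbound vendor email (added example).

Given the domains of vendors the practice already does business with,
classify a sender domain as "known", "lookalike" or "unknown". A DMARC pass
on a lookalike domain proves nothing about vendor identity, so this check
compares identity against the vendor master list instead.
"""
from __future__ import annotations

import unicodedata

# Constructed sample allowlist. A real deployment would load this from the
# practice's vendor master file and apply the check to both the header
# From: domain and the Reply-To: domain of every payment-related message.
KNOWN_VENDOR_DOMAINS = {
    "orthosupplyco.example",
    "medbillingpartners.example",
}

# Small hand-picked table of substitutions seen in lookalike registrations.
# Multi-character entries come first so "rn" folds to "m" before "n" is touched.
# This is an illustrative subset, not an exhaustive Unicode confusables list.
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "0": "o",
    "1": "l",
    "3": "e",
    "5": "s",
}


def normalize(domain: str) -> str:
    """Lowercase, drop a trailing dot and fold accented/compatibility forms to ASCII."""
    folded = unicodedata.normalize("NFKD", domain.strip().lower().rstrip("."))
    return folded.encode("ascii", "ignore").decode()


def fold_confusables(domain: str) -> str:
    """Replace look-alike characters with their canonical letter."""
    out = domain
    for pattern, canonical in CONFUSABLES.items():
        out = out.replace(pattern, canonical)
    return out


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute or swap
    two adjacent characters each cost 1."""
    prev2: list[int] | None = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_sender_domain(sender_domain: str,
                           known: set[str] = KNOWN_VENDOR_DOMAINS) -> tuple[str, str | None]:
    """Return ("known", domain), ("lookalike", closest_known) or ("unknown", None)."""
    sender = normalize(sender_domain)
    if sender in known:
        return "known", sender
    # Assumption: the registrable label is everything before the last dot.
    # Production code should use a public-suffix list instead.
    sender_label = sender.rsplit(".", 1)[0]
    sender_folded = fold_confusables(sender)
    for vendor in known:
        vendor_label = vendor.rsplit(".", 1)[0]
        if (sender_label == vendor_label            # same name, different TLD
                or sender_folded == fold_confusables(vendor)  # digit/letter swap
                or edit_distance(sender, vendor) <= 1):       # one typo away
            return "lookalike", vendor
    return "unknown", None


if __name__ == "__main__":
    # Constructed sender domains illustrating each verdict.
    for candidate in ("orthosupplyco.example", "orthosuplyco.example",
                      "orthosupp1yco.example", "orthosupplyco.test",
                      "unrelated.example"):
        print(candidate, "->", classify_sender_domain(candidate))
```

A "lookalike" verdict should route the message to the out-of-band verification step rather than simply blocking it, since the same check also catches innocent typos in a vendor's own configuration; the point is that no payment change is acted on from a domain that is merely close to the one on file.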

Payment Delay Policies: Implement mandatory waiting periods for payment information changes. A 48-72 hour delay provides time for anomaly detection and verification. An Austin practice's 72-hour delay policy enabled discovery of a BEC attempt when the legitimate vendor responded to a confirmation email during the waiting period.

Financial Process Segregation: Separate payment change authorization from payment execution. The staff member who can authorize routing changes should not be the staff member who executes payments. This segregation prevents unilateral fraudulent action even when one individual is compromised.
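The three procedural controls above (callback to a number already on file, a mandatory hold period, and separating authorization from execution) are easiest to enforce when the payment-change workflow itself refuses to proceed until each one is satisfied. This added example, written for this article and not taken from the original post or any practice management product, models that gate in Python. The vendor, staff names, timestamps and the 48-hour hold are constructed values.

```python
"""Payment-change control gate (added example, not the article's code).

A routing change may only be released once (1) someone has verified it by
calling the phone number captured at vendor onboarding, (2) someone has
authorized it, (3) the hold period has elapsed, and (4) the person releasing
the payment is not the person who authorized the change.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

HOLD_PERIOD = timedelta(hours=48)  # constructed policy value; the article cites 48-72 hours


@dataclass
class VendorRecord:
    name: str
    phone_on_file: str      # captured at onboarding, never from an inbound email
    routing_number: str


@dataclass
class RoutingChangeRequest:
    vendor: VendorRecord
    new_routing_number: str
    received_at: datetime
    callback_number: str | None = None
    callback_verified_by: str | None = None
    authorized_by: str | None = None


def record_callback(req: RoutingChangeRequest, number_dialed: str, staff: str) -> None:
    """Out-of-band verification counts only when the number dialed is the one on file."""
    if number_dialed != req.vendor.phone_on_file:
        raise ValueError("callback must use the number on file, not a number from the email")
    req.callback_number = number_dialed
    req.callback_verified_by = staff


def authorize(req: RoutingChangeRequest, staff: str) -> None:
    """Authorization is only possible after a valid callback has been recorded."""
    if req.callback_verified_by is None:
        raise ValueError("no out-of-band verification recorded")
    req.authorized_by = staff


def release_blockers(req: RoutingChangeRequest, executor: str, now: datetime) -> list[str]:
    """Return the reasons a payment to the new routing number may not be released.
    An empty list means every control is satisfied."""
    blockers = []
    if req.callback_verified_by is None:
        blockers.append("no out-of-band verification")
    if req.authorized_by is None:
        blockers.append("change not authorized")
    elif req.authorized_by == executor:
        blockers.append("segregation of duties: authorizer cannot release payment")
    remaining = HOLD_PERIOD - (now - req.received_at)
    if remaining > timedelta(0):
        blockers.append(f"hold period not elapsed ({remaining} remaining)")
    return blockers


def demo() -> tuple[list[str], list[str]]:
    """Walk a constructed request through the gate; returns (early, late) blocker lists."""
    vendor = VendorRecord("Example Ortho Supply", "+1-555-0100", "000000000")
    req = RoutingChangeRequest(vendor, "111111111",
                               received_at=datetime(2026, 2, 12, 9, 0))
    try:
        record_callback(req, "+1-555-0199", "office_manager")  # number taken from the email
    except ValueError:
        pass                                                   # correctly rejected
    record_callback(req, "+1-555-0100", "office_manager")      # number on file
    authorize(req, "office_manager")
    early = release_blockers(req, "office_manager", datetime(2026, 2, 12, 11, 0))
    late = release_blockers(req, "practice_administrator", datetime(2026, 2, 15, 9, 0))
    return early, late


if __name__ == "__main__":
    early, late = demo()
    print("same day, same person:", early)
    print("after hold, different person:", late)
```

Returning the full list of blockers rather than a single boolean gives staff a record of which control stopped a release, which is also the evidence a cyber insurer or regulator will ask for after an attempted fraud.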

Incident Response for BEC

When BEC occurs, response actions in the first 24 hours determine financial and regulatory outcomes:

Financial Recovery Attempts: Immediately contact your bank to attempt payment reversal. Simultaneously contact the receiving bank if identified. Recovery rates drop precipitously after 24 hours, though recovery sometimes remains possible for up to 72 hours. A Fort Worth practice recovered $89,000 of a $156,000 BEC loss through immediate bank coordination.

Forensic Investigation: Determine whether the BEC involved credential compromise, patient data access, or malware deployment. The San Marcos practice's forensic investigation revealed no patient data access, limiting their notification obligations. A different BEC incident at a Corpus Christi practice involved credential compromise that required full breach assessment.

Regulatory Notification Evaluation: BEC incidents require careful assessment of whether patient data was accessed, triggering HIPAA and Texas breach notification requirements. Legal counsel familiar with healthcare breach law should evaluate every BEC incident regardless of initial financial loss assessment.

Practical Takeaways for Texas Practices

  1. Mandate out-of-band verification - Confirm payment changes via phone to known numbers
  2. Implement payment delays - Require 48-72 hours for routing or account changes
  3. Monitor vendor domains - Deploy lookalike domain detection services
  4. Segregate financial duties - Separate authorization from execution
  5. Document everything - Maintain records for cyber insurance and regulatory defense

Protect Your Practice Against BEC

We assess your financial workflows and implement multi-layer BEC defenses including out-of-band verification protocols, domain monitoring, and staff training. Our assessments include simulated BEC attacks tailored to your vendor relationships and payment patterns.

Call 469-235-4144 or schedule online. We help Texas medical practices stop business email compromise before funds disappear.