Wire transfers are part of modern medical practice operations. Practices routinely send wires for real estate, equipment purchases, revenue cycle vendors, IT services, and practice acquisitions. Unfortunately, wire transfers are also one of the most common ways physician practices lose six-figure sums to fraud.
The uncomfortable truth: once a wire goes out, it is usually gone for good. Banks often cannot reverse fraudulent wire transfers, and courts frequently hold that vendors, consultants, or advisors are not automatically responsible for losses unless contracts clearly state otherwise.
That means practices must protect themselves up front through process, controls, and contracts.
Below are practical steps every physician practice should take to reduce wire-transfer risk.
Why Wire Transfers Are So Risky
Wire fraud often looks boring and routine:
- A familiar vendor emails “updated wiring instructions.”
- A bookkeeper receives a message that looks like it’s from a physician owner
- A transaction is urgent (“we need this paid today to avoid penalties”)
In many cases, no systems are hacked. Instead, attackers exploit trust, timing, and weak internal controls.
For physician practices—where clinicians are busy and financial tasks are often delegated—this creates a perfect storm.
Step 1: Create a Written Wire Transfer Policy (Yes, Really)
Many practices rely on informal habits instead of written rules. That’s risky.
Your policy should answer, at a minimum:
- Who is authorized to request a wire?
- Who approves a wire?
- Who actually sends the wire?
- What verification is required before sending?
Even a one-page policy is better than nothing. If something goes wrong, the absence of a policy almost always hurts the practice.
Key rule: No single person should be able to request, approve, and send a wire.
Step 2: Require Out-of-Band Verification for All Wiring Changes
If wiring instructions change, email alone is never enough.
Practices should require:
- A phone call to a known, previously verified number
- Or a video call with a known contact
- Or written confirmation through a secure portal
Do not rely on:
- Email replies
- Email signatures
- “We’ve always paid this vendor before”
Fraudsters frequently spoof real email addresses with subtle changes that are easy to miss.
Step 3: Set Dollar Thresholds and Cooling-Off Periods
Not every payment deserves the same scrutiny.
A good structure:
- Under $10,000: standard approval
- $10,000–$50,000: second approver required
- Over $50,000: second approver plus mandatory waiting period (e.g., 24 hours)
That cooling-off period is critical. Many frauds succeed because someone feels rushed.
Urgency is a red flag, not a reason to move faster.
Step 4: Separate Clinical Authority From Financial Authority
In many physician-owned practices, doctors understandably have final say. But that doesn’t mean they should be the sole control point for wires.
Best practice:
- Physicians approve the business purpose
- Finance staff verify process and authenticity
- No wire goes out based on a single physician’s email or text
This protects both the practice and the physician personally.
Step 5: Lock Down Bank Controls
Talk to your bank—not just your relationship manager, but the fraud or treasury team.
Ask about:
- Dual authorization requirements
- Daily wire limits
- IP or device restrictions
- Alerts for changes to payees or wiring instructions
Many practices never activate these features, even though they are often included.
Step 6: Address Wire Fraud Risk in Vendor Contracts
Here’s the part many practices miss.
Contracts with:
- Accounting firms
- Billing companies
- Consultants
- Practice management vendors
often limit their liability for fraud losses—even when they are involved in sending payments.
Practices should:
- Review limitation-of-liability clauses
- Clarify who bears the loss from fraudulent payment instructions
- Require written verification procedures in contracts when vendors send or process wires
If a vendor is involved in moving your money, that risk allocation should be explicit.
Step 7: Train Staff Using Real-World Scenarios
Annual “compliance training” isn’t enough.
Instead:
- Walk staff through actual wire fraud examples
- Show how real spoofed emails look
- Practice what to do when something feels “off”
The goal is not perfection—it’s hesitation. A paused wire is a successful control.
Final Thought: Wire Fraud Is an Operational Risk, Not Just an IT Issue
Wire fraud losses are rarely covered by insurance, rarely recoverable from banks, and often not recoverable from vendors.
Courts increasingly treat these losses as business risks that must be managed internally, not mistakes that automatically create legal liability for someone else.
For physician practices, the takeaway is simple:
Strong wire-transfer controls are not administrative red tape—they are asset protection.
If your practice hasn’t reviewed its wire procedures in the last year, now is the right time.
