Dental Service Organizations (DSOs) rely heavily on email to keep their operations running smoothly. From payroll approvals and vendor invoices to M&A due diligence, insurance reimbursements, and patient billing, email is the backbone of daily workflows. As DSOs grow, adding more locations, vendors, and layers of complexity, email becomes the connective tissue that keeps revenue and operations moving. Unfortunately, this reliance on email also makes DSOs prime targets for Business Email Compromise (BEC) attacks.
The Growing Threat of Business Email Compromise
Business Email Compromise (BEC) and other malicious email attacks have surged because they are brutally efficient: attackers don't need to "hack" a firewall if they can hack a human workflow. The FBI's Internet Crime Complaint Center (IC3) reported total losses across internet crime exceeding $16 billion in its most recent annual report, with fraud driving much of the damage. BEC remains one of the highest-impact fraud categories because it targets the one thing businesses can't "roll back": money that has already moved to the wrong account.
BEC scams are alarmingly effective. The 2025 Verizon Data Breach Investigations Report (DBIR) highlights the scale of the problem, citing FBI IC3 data that in 2024 alone, over $6.3 billion was stolen through BEC scams. That’s not a typo: billions of dollars moved through emails that often look completely routine and legitimate.
Why DSOs Are Prime Targets
DSOs are particularly vulnerable to BEC attacks because they combine the “perfect ingredients” for email-driven fraud: high transaction volume, urgency, and distributed operations. Here’s why:
1. High Transaction Volume and Urgency
DSOs handle a constant flow of invoices for supplies, labs, implants, equipment service contracts, marketing vendors, staffing agencies, and more. The sheer volume of legitimate payment requests, combined with the pressure to pay quickly, creates an environment ripe for exploitation.
2. Distributed Operations
With dozens or even hundreds of locations, DSOs often have local managers handling day-to-day operations while centralized finance, accounts payable (AP), and HR teams manage payments. This creates gaps between “who knows the vendor” and “who approves the payment,” which attackers are quick to exploit. A compromised vendor email can easily become a Trojan horse into a DSO’s financial workflows.
3. Constant Change
Growing DSOs face frequent changes: new acquisitions, new bank accounts, new leadership, and new practice managers. In such a dynamic environment, an email saying, "This is our new wiring info" doesn't raise immediate red flags. Scammers know this and take advantage of the churn.
How BEC Attacks Are Launched: Two Common Patterns
BEC attacks often follow predictable patterns. Here are two real-world examples that show how these scams play out inside DSOs:
Attack Pattern #1: Invoice Interceptor (Vendor Email Compromise)
In this scenario, attackers compromise a vendor's email account (or a DSO employee's account) and quietly monitor invoice threads. At the right moment, just before a payment is made, they insert themselves into the conversation. A U.S. government advisory on "Business Email Compromise & Healthcare" describes a common sequence: an employee's email account is hacked and then used to request payments on behalf of vendors, and the funds end up in attacker-controlled accounts. The same advisory shows how attackers edit legitimate invoice templates and change only the payment details, so the request looks entirely normal to a busy finance team.
How it works:
- An AP specialist receives an email “from” a known supplier: “We’ve updated our remittance instructions. Please use the new ACH details.”
- The email thread looks authentic because the attacker is replying within an existing conversation or spoofing a near-identical domain.
- The DSO updates the payment info, and the next payment goes to the attacker’s account.
- Weeks later, the supplier asks why they haven’t been paid, but by then, the money is long gone.
This method is devastatingly effective because it exploits processes, not technology. No malware, no suspicious links—just social engineering that blends seamlessly into normal business workflows.
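The two header-level tells mentioned above (a reply that diverts the thread elsewhere, and a sender domain that is nearly but not exactly the vendor's) can be checked automatically before a remittance change ever reaches an AP queue. The script below is an added example written for this page, not code from the original article or from any vendor named in it. It assumes a hypothetical allow-list of vendor domains on file (VENDORS_ON_FILE) and uses constructed sample messages; it parses each message with Python's standard email library, flags Reply-To mismatches and lookalike domains (edit distance of 1 or 2 from a vendor domain on file), and looks for payment-change language in the body.

```python
"""Triage inbound vendor email for the invoice-interceptor pattern.

Added example (not from the original article). Assumes a hypothetical
allow-list of vendor domains on file and uses constructed sample messages.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical: vendor name -> sending domain recorded in the AP system.
VENDORS_ON_FILE = {
    "Acme Dental Supply": "acmedentalsupply.com",
    "Bright Labs": "brightlabs.example",
}

# Phrases that signal a change to remittance / banking instructions.
PAYMENT_CHANGE_TERMS = re.compile(
    r"\b(remittance|ach|wire|routing|account number|bank(ing)? (details|info)|"
    r"new (bank|account|payment))\b",
    re.IGNORECASE,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (used to spot near-identical domains)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def triage(raw_message: str) -> dict:
    """Return a verdict and the findings that produced it for one raw email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    reply_domain = domain_of(reply_to) if reply_to else from_domain
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    header_findings = []
    if from_domain not in VENDORS_ON_FILE.values():
        for vendor, on_file in VENDORS_ON_FILE.items():
            if 0 < levenshtein(from_domain, on_file) <= 2:
                header_findings.append(
                    f"lookalike of {vendor} ({on_file}): {from_domain}")
    if reply_domain != from_domain:
        header_findings.append(f"Reply-To diverts the thread to {reply_domain}")

    change_requested = bool(PAYMENT_CHANGE_TERMS.search(text))
    findings = list(header_findings)
    if change_requested:
        findings.append("payment/banking change requested")

    # Any banking change is high risk and gets held for out-of-band verification;
    # a banking change that also trips a header check is treated as an attack.
    if change_requested and header_findings:
        verdict = "BLOCK_AND_REPORT"
    elif change_requested:
        verdict = "HOLD_VERIFY_OUT_OF_BAND"
    elif header_findings:
        verdict = "REVIEW"
    else:
        verdict = "ROUTINE"
    return {"verdict": verdict, "from_domain": from_domain, "findings": findings}


# Constructed sample messages (not real traffic).
SAMPLE_LOOKALIKE = """From: Accounts <ar@acmedentalsuppIy.com>
To: ap@example-dso.com
Subject: RE: Invoice 4471

Hi, we've updated our remittance instructions. Please use the new ACH details below.
"""

SAMPLE_REPLY_TO = """From: Billing <billing@brightlabs.example>
Reply-To: billing@brightlabs-invoices.com
To: ap@example-dso.com
Subject: RE: Lab invoice 2207

Please note our new bank details effective this month.
"""

SAMPLE_COMPROMISED = """From: Accounts <ar@acmedentalsupply.com>
To: ap@example-dso.com
Subject: RE: Invoice 4471

We have changed banks. Updated routing and account number attached.
"""

SAMPLE_ROUTINE = """From: Accounts <ar@acmedentalsupply.com>
To: ap@example-dso.com
Subject: Invoice 4472

Attached is invoice 4472 for last month's order. Thanks!
"""

if __name__ == "__main__":
    for name, sample in [("lookalike", SAMPLE_LOOKALIKE), ("reply-to", SAMPLE_REPLY_TO),
                         ("compromised", SAMPLE_COMPROMISED), ("routine", SAMPLE_ROUTINE)]:
        print(name, triage(sample))
```

The third sample is the important caveat: when the vendor's genuine mailbox is compromised, the From and Reply-To headers are exactly what they should be and the script can only hold the request, not prove it fraudulent. That is why the page's closing advice matters: every change to banking details is verified by calling the vendor at a number already on file, never at one supplied in the email.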
Attack Pattern #2: Executive Rush (CEO/CFO Impersonation)
This pattern targets a DSO's internal chain of command. Attackers impersonate an executive (or compromise their mailbox) and pressure staff to bypass safeguards for wire transfers, gift cards, payroll updates, W-2 data, or banking changes.
A recent HHS advisory explains that BEC is also used to steal sensitive HR and finance data that can be leveraged for future fraud and identity crimes. In one well-known example included in the advisory, attackers impersonated a CEO to obtain payroll information, showing that BEC isn't only about wires; it is also about harvesting the identities and financial details that power the next attack.
How it works:
- HR receives an email from the “CEO” or “COO”: “Need updated payroll roster + direct deposit details for a review. Send ASAP.”
- Or finance gets: “We’re closing a sensitive deal today. Wire $148,900 to this account. I’m in meetings, so don’t call.”
- The tone (urgent and confidential) is the weapon. The goal is to trigger compliance, not scrutiny.
Why is it so successful? Because it hijacks authority and urgency, the two forces that normally keep a business moving.
How Criminals Scale BEC Now
BEC used to be a manual process: one scammer crafting one email. Now it is increasingly industrial, with phishing kits and subscription services lowering the skill barrier. Reuters reported that Microsoft seized hundreds of websites tied to a phishing-as-a-service operation that used fake Microsoft login pages, compromising thousands of accounts and targeting multiple industries, including healthcare organizations.
As credential theft becomes cheaper and more accessible, mailbox takeovers, and the BEC scams that follow them, become more common. Microsoft has also documented sustained growth in phishing attacks over recent years, reinforcing that malicious email and credential theft remain foundational to modern cyberattacks.
The Ripple Effects of a BEC Attack
A successful BEC attack can cause far-reaching damage beyond the initial financial loss. Here’s what DSOs face:
- Direct Financial Loss: Misdirected wires/ACH, vendor overpayments, and payroll diversion.
- Operational Disruption: AP freezes, delayed supply shipments, delayed reimbursements and practice-level chaos.
- Data Exposure (Patient & Employee): Compromised mailboxes often include sensitive attachments, HR documents, insurance details, and internal passwords.
- Legal and Compliance Risks: Breached patient or employee data (PHI/PII) triggers notification requirements, investigations, and reputational damage.
- Long-Tail Fraud: Once attackers understand your organization’s processes, they often return with more convincing scams.
Even “near misses” come with costs, including incident response time, banking clawback efforts, legal counsel, and leadership distraction.
The Takeaway: How DSOs Can Protect Themselves
To reduce the risk of BEC, DSOs must treat any change to payment instructions, bank details, or sensitive HR requests as a high-risk transaction requiring additional verification steps. Attackers are counting on your team to treat these requests as “just another email.”
Here’s how to fight back:
- Cybersecurity Awareness Training: Regular training and simulated phishing exercises can help employees recognize and respond to suspicious emails.
- Enhanced Email Security: Go beyond the default protections in Microsoft 365 and Google Workspace by implementing advanced email protection tools, and enforce multi-factor authentication on every mailbox so that a stolen password alone does not hand an attacker the account.
- Verification Protocols: Require multi-step verification for any change to payment or banking details. Confirm the change by calling the vendor or employee at a phone number already on file, never at a number supplied in the email itself, and require a second approver before the new details are used.
BEC attacks are devastating not because dental leaders are careless but because DSO workflows are fast, trust-based, and distributed. These attacks are designed to exploit exactly that.
Don’t wait until it’s too late. Reach out to the team at Black Talon Security today to learn how you can quickly and efficiently implement these protective measures.
🚨 Recent notable healthcare cyber incidents:
Tieu Dental Corporation disclosed a data breach on March 5, 2026 after an unauthorized actor accessed its network between July 28 and July 29, 2025 and potentially exfiltrated files containing sensitive patient and employee information. The compromised data may include names along with details such as date of birth, Social Security number, medical records, treatment plans, prescription information and health insurance data.
The breach was reported to the California Attorney General and the Massachusetts Attorney General and posted on the company’s website. While the total number of impacted individuals has not been disclosed, two individuals in Massachusetts have been confirmed.
Dental Cyber Watch is sponsored by Black Talon Security, the recognized cybersecurity leader in the dental/DSO industry and a proud partner of Group Dentistry Now. With deep roots within the dental and dental specialty segments, Black Talon understands the unique needs that DSOs and dental groups have when it comes to securing patient and other sensitive data from hackers. Black Talon’s mission is to protect all businesses from the devastating effects caused by cyberattacks—and that begins with a robust cyber risk mitigation strategy. To evaluate your group’s current security posture visit www.blacktalonsecurity.com.