BEC Against EMS Billing: The ACH Form That Costs Six Figures
An EMS agency in the Midwest lost $187,000 last year to a business email compromise attack. The attacker sent a single PDF to the billing department. The PDF was an ACH change request form with a hospital letterhead. The billing coordinator processed it and redirected a payment intended for the agency to a bank account controlled by the attacker.
The money moved in three business days. The agency did not recover it.
This is not a CAD attack or a ransomware event. It is a revenue-cycle attack that targets the one part of an EMS agency where trust in email is highest and verification is weakest.
How BEC Targets EMS Revenue Cycle Staff
Business email compromise follows a predictable script. The attacker researches the agency's billing workflow. They identify which clearinghouses the agency uses, which hospital coordinators are active, and who processes ACH changes. Then they pick a target and send a message that looks routine.
The specific pattern against EMS agencies includes three variants.
Fake hospital coordinator requests. The attacker spoofs or compromises an email account from a partner hospital. The message references a real payment or a known patient. It asks for a change to the bank account on file for future reimbursements. The language matches the hospital's usual tone because the attacker has seen the real correspondence.
Fraudulent ACH change forms. Attached to the email is a PDF that looks like the standard vendor change form used across the healthcare industry. The attacker fills in routing and account numbers controlled by them. The form looks legitimate because the attacker downloaded the real form from the hospital's public portal and edited the banking fields.
Spoofed clearinghouse communications. The attacker impersonates the billing clearinghouse the agency uses to submit claims. The email claims a payment was rejected or a remittance is pending. It asks the billing coordinator to update the direct deposit information through an attached form. The domain in the email looks like the clearinghouse domain but substitutes a character or adds a hyphen.
All three variants share a common trait: they arrive during normal business hours and reference real transactions, then request a change that looks like standard process.
Why Billing Staff Are Vulnerable to This Attack
EMS billing generates a high volume of routine requests: hospital coordinators change frequently, clearinghouse portals get updated, and payer requirements shift. Billing staff are conditioned to process changes quickly to keep cash flow moving.
Speed is the vulnerability.
Most billing departments operate with two or three people. They work under pressure to close batches and reduce days in accounts receivable. A request that looks normal at 3 p.m. on a Friday is more likely to get processed than flagged.
There is another factor. EMS agencies build trust with their hospital partners over years. Billing staff know the coordinators by name and email pattern. An attacker can exploit this trust by sending a message that reads exactly like the real person would write.
This is not a technology problem on its own. SPF, DKIM, and DMARC reduce domain spoofing, but they do nothing against a legitimate account that has been taken over. The attacker in the Midwest case used a real hospital email account that had been phished three weeks earlier.
Preventing ACH Fraud in EMS Billing
Stopping this attack requires a procedural control that does not depend on email security. The control is a dual-approval workflow with out-of-band verification.
Here is the workflow.
1. The billing staff member who receives the change request logs it in a tracking system or shared document.
2. That same person does NOT process the change. They initiate a verification step using a phone number already on file for the vendor, not the phone number in the email.
3. A second authorized person, typically the finance director or agency administrator, reviews the verification confirmation before approving the change in the billing system.
This workflow achieves two things. It removes the single point of failure. And it forces a manual pause in the process that lets someone think before clicking.
Out-of-band verification is the critical step. The phone call must go to a number you already know, not a number provided in the suspect email. If the caller asks for a callback number first, that is a red flag.
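The three-step workflow above, modelled as a small state machine. This is an added example, not the post's procedure text or any billing platform's code: the vendor phone directory, staff names, account numbers and request details are constructed for the illustration. It enforces the two rules the post states: the callback must go to the number already on file (never the number in the email), and the second sign-off must come from someone other than the person who logged or verified the request.

```python
"""Dual-approval workflow for ACH change requests (added example).

Each step refuses to proceed unless the previous control was satisfied,
so a single compromised or hurried staff member cannot push a change
through alone. All names and numbers below are constructed.
"""

from dataclasses import dataclass, field
from typing import List, Optional

# Assumed directory of trusted callback numbers, maintained separately
# from email and reviewed quarterly. Constructed sample values.
VENDOR_PHONE_ON_FILE = {
    "St. Marys Hospital": "+1-555-0100",
    "EMS Clearinghouse": "+1-555-0200",
}


class WorkflowError(Exception):
    """Raised when a step violates the dual-approval policy."""


@dataclass
class AchChangeRequest:
    vendor: str
    new_routing: str
    new_account: str
    phone_in_email: str              # number the email supplied; never trusted
    logged_by: Optional[str] = None
    verified_by: Optional[str] = None
    verified_via: Optional[str] = None
    approved_by: Optional[str] = None
    audit: List[str] = field(default_factory=list)

    def log(self, staff: str) -> None:
        """Step 1: record the request before anyone acts on it."""
        self.logged_by = staff
        self.audit.append(f"logged by {staff}")

    def verify(self, staff: str, number_dialed: str) -> None:
        """Step 2: out-of-band check against the number on file."""
        if self.logged_by is None:
            raise WorkflowError("request must be logged before verification")
        on_file = VENDOR_PHONE_ON_FILE.get(self.vendor)
        if on_file is None:
            raise WorkflowError(f"no trusted number on file for {self.vendor}")
        if number_dialed != on_file:
            if number_dialed == self.phone_in_email:
                raise WorkflowError("callback went to the number supplied in the email")
            raise WorkflowError("callback did not use the number on file")
        self.verified_by = staff
        self.verified_via = number_dialed
        self.audit.append(f"verified by {staff} via {number_dialed}")

    def approve(self, approver: str) -> None:
        """Step 3: second sign-off by a different person."""
        if self.verified_by is None:
            raise WorkflowError("request not verified out-of-band")
        if approver in (self.logged_by, self.verified_by):
            raise WorkflowError("approver must differ from the person who handled the request")
        self.approved_by = approver
        self.audit.append(f"approved by {approver}")

    def is_ready(self) -> bool:
        """True only once all three controls have been satisfied."""
        return self.approved_by is not None


def attempt(step, *args) -> str:
    """Run one workflow step and report 'ok' or the policy violation."""
    try:
        step(*args)
        return "ok"
    except WorkflowError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed request: the email offers a callback number that is not on file.
    req = AchChangeRequest("St. Marys Hospital", "000000000", "000000001", "+1-555-0199")
    req.log("billing coordinator")
    print(attempt(req.verify, "billing coordinator", "+1-555-0199"))   # rejected
    print(attempt(req.verify, "billing coordinator", "+1-555-0100"))   # ok
    print(attempt(req.approve, "billing coordinator"))                 # rejected
    print(attempt(req.approve, "finance director"))                    # ok
    print(req.is_ready(), req.audit)
```

The `audit` list is the tracking record the first step asks for; in practice it would live in the ticketing system or shared document the post mentions, not in memory.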
There is a parallel here to MFA for the Ambulance: Why Just Use a YubiKey Isn't the Answer. The problem is not the technology. It is the assumption that the technology proves identity.
The Dual Approval Workflow for EMS Financial Systems
Setting up a dual-approval workflow takes an afternoon and costs nothing except process discipline. Most billing platforms support role-based approval already. You just need to configure it and enforce it.
Steps to implement today.
- Configure your billing system so that ACH or direct deposit changes require two separate user accounts to approve. No exceptions for urgency.
- Document the out-of-band verification procedure. Write down which phone numbers are trusted for each hospital and clearinghouse. Review this list quarterly.
- Tag all emails from outside your organization with a clear [EXTERNAL] label. This reduces the chance that a spoofed internal-looking message slips past.
- Require MFA on all billing system logins. A compromised email account should not grant access to payment configuration.
- Run tabletop exercises. Send a fake ACH change request to your billing team and see how they handle it. The point is to find the gap before a real attacker does.
Social Engineering the Dispatch Center: Attack Scenarios and Verification Protocols covers similar principles for the operations side. The verification protocols follow the same logic: out-of-band confirmation, escalation paths, and training that goes beyond awareness slides.
Frequently Asked Questions
How can I tell if an ACH change request email is fake?
Look for look-alike domains, unusual urgency, and requests to change banking details. The only reliable verification method is a phone call to a known and trusted number for the requester. Do not use a phone number provided in the email.
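A check for the look-alike domains this answer and the spoofed-clearinghouse variant above describe (a substituted character, an added hyphen). This is an added example and not code from the post; the partner domain allowlist, the homoglyph table and the sample sender addresses are constructed. It goes slightly beyond the two tricks named on the page by also catching small edits generally and a trusted name embedded in a longer domain, which are the same family of deception.

```python
"""Look-alike sender domain check (added example).

Compares the domain of an inbound sender address against an allowlist of
partner domains and flags the visual substitutions an attacker relies on.
The allowlist and homoglyph table are constructed for this example.
"""

import unicodedata

# Assumed allowlist of domains the billing team legitimately deals with.
TRUSTED_DOMAINS = {
    "stmarys-health.example",
    "ems-clearing.example",
}

# Common visual substitutions seen in look-alike domains (constructed table).
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m",
}


def normalize(domain: str) -> str:
    """Lowercase, strip accents, and fold digit/letter look-alikes."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one- or two-character swaps, drops, inserts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike', or 'unknown' for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        t = normalize(trusted)
        # Hyphen added or removed: ems-clearing vs emsclearing
        if folded.replace("-", "") == t.replace("-", ""):
            return "lookalike"
        # One or two characters substituted, inserted, or dropped
        if edit_distance(folded, t) <= 2:
            return "lookalike"
        # Trusted name buried in a longer domain: ems-clearing-billing.example
        if t.split(".")[0] in folded:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, one per outcome.
    for addr in ("coordinator@stmarys-health.example",
                 "coordinator@stmarys-heaIth.example",
                 "remits@ems-c1earing.example",
                 "remits@emsclearing.example",
                 "billing@random-vendor.example"):
        print(f"{addr:40} {classify_sender(addr)}")
```

A "lookalike" result is a routing signal, not a verdict: the message still goes through the phone call to the number on file, which is the only check that also catches the compromised-account case where the domain is genuinely correct.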
Why is a digital signature not enough to verify a change form?
A digital signature proves the document was signed by a particular certificate. It does not prove that the person who signed it is authorized to request an ACH change. The certificate could belong to a compromised account.
What is the most effective way to stop BEC in a small EMS agency?
A strict dual-approval policy where no banking changes are processed without a verified phone call and a second sign-off from a different agency leader. This removes the single point of failure and forces a pause in the process.
What should I do if I suspect my billing team already processed a fraudulent change?
Contact your bank immediately to reverse or freeze the transaction. Then call the real vendor at a trusted number to confirm the change did not originate from them. Report the incident to the FBI through IC3.gov. Document everything for insurance and legal review.
---
The BEC attack against EMS billing follows a simple formula. The attacker finds the gap between trust and verification. Then they send one email.
The dual-approval workflow does not fix every attack, but it fixes this one for nothing more than an afternoon of configuration effort. And it saves an agency from learning the hard way that the PDF looked fine but the account number was wrong.
-- Steven