One Email, S$57.2 Million Lost
In July 2024, a Singapore commodities firm received an email that appeared to come from a known vendor. The message instructed the firm to update the vendor's bank account details. The firm complied, transferred the funds, and later received a late payment notice from the real vendor. The email had been fraudulent. The loss: S$57.2 million. This case — reported in the Singapore Police Force's Annual Scams and Cybercrime Brief for 2024 — is an extreme example of a very common attack type. Business Email Compromise (BEC) and invoice fraud are among the most financially damaging fraud categories targeting Singapore businesses, and they are growing more sophisticated every year.
Globally, BEC accounted for approximately 73 per cent of all reported cyber incidents in 2024. The FBI's Internet Crime Complaint Center recorded nearly US$2.7 billion in adjusted BEC losses in 2024 alone, with almost US$8.5 billion lost between 2022 and 2024. BEC volume increased by 15 per cent in 2025 compared to the previous year. AI-generated BEC emails now account for an estimated 40 per cent of attempts, making them increasingly difficult to distinguish from genuine correspondence.
What Is Business Email Compromise?
BEC is a fraud technique in which an attacker impersonates a trusted party — a CEO, a vendor, a finance officer, or a client — to induce a payment or the disclosure of sensitive information. Unlike mass phishing, BEC is targeted. Attackers research their victims, identify relationships, and craft messages that reference real business context.
The most financially damaging variant in Singapore is invoice fraud: the attacker intercepts or spoofs an email from a legitimate vendor and instructs the victim to update bank account details before a scheduled payment. The victim pays what they believe is a legitimate invoice into a fraudulent account. By the time the real vendor raises the issue, the funds have been moved and are often unrecoverable.
How BEC Attacks Work in Practice
Vendor Email Compromise (VEC)
The attacker gains access to a vendor's email account — or creates a lookalike domain (e.g., vendor-sg.com instead of vendorsg.com) — and sends payment instruction changes from what appears to be a trusted address. Vendor Email Compromise attacks rose 66 per cent in the first half of 2024.
CEO Fraud
A message appearing to come from the company's CEO or senior leadership instructs a finance employee to make an urgent wire transfer, often with framing that bypasses normal approval processes ('I am in a meeting, please process this quietly').
Contact Details Swapping
A newer variant involves a fraudster impersonating a corporate finance department and claiming to be updating official contact information. This is followed by a fraudulent advisory email containing new banking details, sometimes preceded by a phone call to the accounting department to build credibility.
New Employee Targeting
New hires are increasingly targeted because they are unfamiliar with their colleagues' communication patterns, have not yet established internal relationships that allow informal verification, and are reluctant to challenge instructions from apparent seniors.
Red Flags: What to Look For
• Unexpected request to update bank account details from a known vendor or supplier
• Email address that is slightly different from the usual domain — a transposed letter, an extra hyphen, or a country-code variant
• Urgency framing: the payment must be made today, the usual contact is unavailable, normal procedures are to be bypassed
• Wire transfer request for an unusually large amount from a senior figure via email only, without a call to confirm
• Invoice number, amount, or payment terms that differ slightly from previous transactions
• Grammar or phrasing inconsistencies compared to previous communications from the same contact
• Email received outside of business hours, or carrying a 'sent from a mobile device' notation when the sender typically uses a desktop
• Request to process a payment while omitting someone who would normally be in the approval chain
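The lookalike-domain red flag above can be checked automatically before a payment-change email reaches accounts payable. The following is an added example, not part of the original article; the vendor list, the suffix list and all function names are constructed for illustration, and only vendorsg.com and vendor-sg.com come from the article's own example.

```python
# Flag sender domains that imitate a vendor domain already on file.
# KNOWN_VENDORS and TWO_LABEL_SUFFIXES are constructed sample data (assumptions).
KNOWN_VENDORS = {"vendorsg.com", "acme-logistics.com.sg"}
TWO_LABEL_SUFFIXES = {"com.sg", "com.my", "co.uk", "com.au"}


def split_domain(domain):
    """'mail.vendorsg.com.sg' -> ('vendorsg', 'com.sg'): registrable name and suffix."""
    labels = domain.lower().strip(".").split(".")
    cut = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    if len(labels) <= cut:
        return labels[0], ""
    return labels[-cut - 1], ".".join(labels[-cut:])


def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposed letters
    return d[len(a)][len(b)]


def classify_sender(address):
    """Return (verdict, vendor_domain_or_None, reason) for a From address."""
    name, suffix = split_domain(address.rsplit("@", 1)[-1])
    known = {d: split_domain(d) for d in sorted(KNOWN_VENDORS)}
    if (name, suffix) in known.values():
        return ("known", f"{name}.{suffix}", "registrable domain on file")
    for vendor, (k_name, k_suffix) in known.items():
        if name == k_name:  # same name, so only the suffix differs
            return ("lookalike", vendor, "country-code or TLD variant")
        if name.replace("-", "") == k_name.replace("-", ""):
            return ("lookalike", vendor, "hyphen variant")
        # Short names are skipped: one edit away from a 3-letter name is noise.
        if len(k_name) >= 5 and osa_distance(name, k_name) == 1:
            return ("lookalike", vendor, "one-character edit or transposition")
    return ("unknown", None, "no vendor on file resembles this domain")
```

A "known" verdict only means the domain matches the one on file; a compromised vendor mailbox sends from the genuine domain, so payment changes still need the call-back verification described below.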
The Verification Protocol: What Businesses Should Do
Independent Verification of Payment Changes
Any instruction to change bank account details for a vendor, supplier, or creditor must be verified by calling the known contact directly — not via a number provided in the suspicious email. Use the number from your CRM, from a previous signed contract, or from the vendor's official website. This single step would have prevented the S$57.2 million case cited above.
Dual-Approval for Wire Transfers
Implement a two-person approval rule for all wire transfers above a defined threshold. No single employee should be able to authorise and execute a significant transfer without a second approval from a different person, through a separate channel.
Email Authentication
Ensure your organisation's email environment has DMARC, DKIM, and SPF records configured correctly. These technical controls reduce the ability of fraudsters to spoof your own domain when targeting your customers or partners. Records on your own domain do not prevent spoofing of third-party domains, which is why procedural controls remain essential.
Vendor Verification Before Onboarding
Before adding a new vendor to your payment systems, verify the company's ACRA registration status on BizFile. For significant supplier relationships, check whether the company has an independent trust score or business verification credential. Scam.SG provides a searchable index of ACRA-registered entities with TrustScore profiles, allowing procurement teams to run a quick legitimacy check before onboarding a new supplier.
Staff Training
Finance and accounts payable staff are the primary targets of BEC. Regular training on current BEC tactics, including AI-generated emails that are linguistically indistinguishable from genuine correspondence, is a requirement rather than an optional investment. Tabletop simulation exercises where staff receive mock BEC attempts are more effective than awareness sessions alone.
If You Have Been Targeted
If you suspect you have received a BEC attempt, do not respond to the suspicious email. Report it to your IT security team and to the Singapore Police Force (police.gov.sg or the SPF hotline). If funds have already been transferred, contact your bank immediately — the faster a recall request is lodged, the higher the probability of recovery. SPF's Anti-Scam Command (ASCom) recovered S$140.5 million in 2025 and prevented a further S$348 million in losses through early intervention.
Reducing Your Exposure Through Business Verification
Businesses that are independently verified present a cleaner profile to their counterparties. When your organisation holds a Scam.SG TrustScore and a Certificate of Business Authenticity from Data Bureau (Singapore), your clients and partners have a verifiable basis for trusting your identity. This is particularly relevant for businesses in trade, financial services, and professional services, where vendor impersonation is most damaging. Visit www.scam.sg/business to begin verification.