One Email, S$57.2 Million Lost
In July 2024, a Singapore commodities firm received an email that appeared to
come from a known vendor. The message instructed the firm to update the
vendor's bank account details. The firm complied, transferred the funds, and later
received a late payment notice from the real vendor. The email had been
fraudulent. The loss: S$57.2 million.
This case — reported in the Singapore Police Force's Annual Scams and Cybercrime
Brief for 2024 — is an extreme example of a very common attack type. Business
Email Compromise (BEC) and invoice fraud are among the most financially
damaging fraud categories targeting Singapore businesses, and they are growing
more sophisticated every year.
Globally, BEC accounted for approximately 73 per cent of all reported cyber
incidents in 2024. The FBI's Internet Crime Complaint Center recorded nearly US$2.7
billion in adjusted BEC losses in 2024 alone, with almost US$8.5 billion lost between
2022 and 2024. BEC volume increased by 15 per cent in 2025 compared to the
previous year. AI-generated BEC emails now account for an estimated 40 per cent
of attempts, making them increasingly difficult to distinguish from genuine
correspondence.
What Is Business Email Compromise?
BEC is a fraud technique in which an attacker impersonates a trusted party — a
CEO, a vendor, a finance officer, or a client — to induce a payment or the disclosure
of sensitive information. Unlike mass phishing, BEC is targeted. Attackers research
their victims, identify relationships, and craft messages that reference real business
context.
The most financially damaging variant in Singapore is invoice fraud: the attacker
intercepts or spoofs an email from a legitimate vendor and instructs the victim to
update bank account details before a scheduled payment. The victim pays what
they believe is a legitimate invoice into a fraudulent account. By the time the real
vendor raises the issue, the funds have been moved and are often unrecoverable.
How BEC Attacks Work in Practice
Vendor Email Compromise (VEC)
The attacker gains access to a vendor's email account — or creates a lookalike
domain (e.g., vendor-sg.com instead of vendorsg.com) — and sends payment
instruction changes from what appears to be a trusted address. Vendor Email
Compromise attacks rose 66 per cent in the first half of 2024.
CEO Fraud
A message appearing to come from the company's CEO or senior leadership
instructs a finance employee to make an urgent wire transfer, often with framing
that bypasses normal approval processes ('I am in a meeting, please process this
quietly').
Contact Details Swapping
A newer variant involves a fraudster impersonating a corporate finance
department and claiming to be updating official contact information. This is
followed by a fraudulent advisory email containing new banking details,
sometimes preceded by a phone call to the accounting department to build
credibility.
New Employee Targeting
New hires are increasingly targeted because they are unfamiliar with their
colleagues' communication patterns, have not yet established internal
relationships that allow informal verification, and are reluctant to challenge
instructions from apparent seniors.
Red Flags: What to Look For
• Unexpected request to update bank account details from a known vendor
or supplier
• Email address that is slightly different from the usual domain — a
transposed letter, an extra hyphen, or a country-code variant
• Urgency framing: the payment must be made today, the usual contact is
unavailable, normal procedures are to be bypassed
• Wire transfer request for an unusually large amount from a senior figure via
email only, without a call to confirm
• Invoice number, amount, or payment terms that differ slightly from
previous transactions
• Grammar or phrasing inconsistencies compared to previous
communications from the same contact
• Email received outside of business hours, or carrying a mobile-device
signature when the sender typically writes from a desktop
• Request to process a payment while omitting someone who would
normally be in the approval chain
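
The lookalike-domain patterns named under Vendor Email Compromise and in the red-flag list above (an extra hyphen, a transposed letter, a country-code variant) can be screened for automatically at the mail gateway or in the accounts payable workflow. The following is an added example, not part of the original article; the vendor domain list, the sample addresses and the distance threshold of 2 are assumptions chosen for illustration.

```python
# Added example: flag sender domains that are near-misses of a vendor domain on file.
# KNOWN_VENDOR_DOMAINS and all addresses used with it are constructed for illustration.
KNOWN_VENDOR_DOMAINS = {"vendorsg.com"}


def osa_distance(a: str, b: str) -> int:
    """Edit distance in which swapping two adjacent characters costs one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS) -> str:
    """Return 'known', 'unknown', or a 'lookalike of ...' verdict for the sender domain."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in known:
        return "known"
    # Simplified split on the first dot; a production check would use a public-suffix list.
    label, _, suffix = domain.partition(".")
    for good in sorted(known):
        good_label, _, good_suffix = good.partition(".")
        if label == good_label and suffix != good_suffix:
            return f"lookalike of {good}: country-code or TLD variant"
        if label.replace("-", "") == good_label.replace("-", ""):
            return f"lookalike of {good}: hyphen variant"
        if osa_distance(domain, good) <= 2:
            return f"lookalike of {good}: near-miss spelling"
    return "unknown"


if __name__ == "__main__":
    for sender in ("ap@vendorsg.com", "ap@vendor-sg.com", "ap@vendrosg.com",
                   "ap@vendorsg.com.sg", "ap@unrelated.example"):
        print(f"{sender:24} {classify_sender(sender)}")
```

A "known" verdict only means the domain matches the one on file; a message sent from a compromised vendor mailbox also returns "known", so the call-back verification described below still applies to any bank detail change.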
The Verification Protocol: What Businesses Should Do
Independent Verification of Payment Changes
Any instruction to change bank account details for a vendor, supplier, or creditor
must be verified by calling the known contact directly — not via a number provided
in the suspicious email. Use the number from your CRM, from a previous signed
contract, or from the vendor's official website. This single step would have
prevented the S$57.2 million case cited above.
Dual-Approval for Wire Transfers
Implement a two-person approval rule for all wire transfers above a defined
threshold. No single employee should be able to authorise and execute a
significant transfer without a second approval from a different person, through a
separate channel.
Email Authentication
Ensure your organisation's email environment has DMARC, DKIM, and SPF records
configured correctly. These technical controls reduce the ability of fraudsters to
spoof your own domain when targeting your customers or partners. They do not
prevent spoofing of third-party domains, which is why procedural controls remain
essential.
Vendor Verification Before Onboarding
Before adding a new vendor to your payment systems, verify the company's ACRA
registration status on BizFile. For significant supplier relationships, check whether
the company has an independent trust score or business verification credential.
Scam.SG provides a searchable index of ACRA-registered entities with TrustScore
profiles, allowing procurement teams to run a quick legitimacy check before
onboarding a new supplier.
Staff Training
Finance and accounts payable staff are the primary targets of BEC. Regular training
on current BEC tactics, including AI-generated emails that are linguistically
indistinguishable from genuine correspondence, is a requirement rather than an
optional investment. Tabletop simulation exercises where staff receive mock BEC
attempts are more effective than awareness sessions alone.
If You Have Been Targeted
If you suspect you have received a BEC attempt, do not respond to the suspicious
email. Report it to your IT security team and to the Singapore Police Force
(police.gov.sg or the SPF hotline). If funds have already been transferred, contact
your bank immediately — the faster a recall request is lodged, the higher the
probability of recovery. SPF's Anti-Scam Command (ASCom) recovered S$140.5
million in 2025 and prevented a further S$348 million in losses through early
intervention.
Reducing Your Exposure Through Business Verification
Businesses that are independently verified present a cleaner profile to their
counterparties. When your organisation holds a Scam.SG TrustScore and a
Certificate of Business Authenticity from Data Bureau (Singapore), your clients and
partners have a verifiable basis for trusting your identity. This is particularly relevant
for businesses in trade, financial services, and professional services, where vendor
impersonation is most damaging. Visit www.scam.sg/business to begin
verification.