Business Email Compromise (BEC) is not a sophisticated cyberattack in the technical sense — there are no zero-days, no exotic malware, no darknet toolkits required. What makes it devastating is its simplicity. An attacker impersonates your CEO, your CFO, or a trusted supplier. They send a carefully worded email. A staff member authorises a transfer or changes a bank account. The money is gone within hours, and recovery is rarely possible.
Singapore Police Force data shows BEC and email-related scams consistently rank among the top financial fraud categories year after year. In 2024, commercial email-related fraud collectively cost Singapore businesses tens of millions — with individual losses ranging from S$50,000 at small firms to over S$5M at larger enterprises. MAS has flagged BEC as a standing operational risk that financial institutions must actively address under their TRM frameworks. For every Singapore business, this is a board-level concern, not just an IT problem.
How BEC Attacks Work — The Four Common Playbooks
Understanding the mechanics of BEC is the first step to stopping it. Attackers typically use one of four approaches, and Singapore businesses encounter all of them.
CEO Fraud (Executive Impersonation)
The attacker spoofs or compromises an executive's email and sends an urgent, confidential wire transfer request to finance staff. The message typically invokes authority ("I need this done today — don't loop anyone else in"), urgency ("I'm in a meeting, just get it processed"), and secrecy ("This is commercially sensitive"). Finance staff, conditioned to act quickly on executive requests, comply before verifying. The average loss per incident in Singapore for this variant is above S$200,000.
Invoice Fraud (Supplier Impersonation)
The attacker impersonates a known supplier or vendor and sends a fake invoice — or intercepts a real invoice thread and substitutes bank account details. The payment is made to a fraudulent account. This variant often involves account takeover of a supplier's email, making the communication appear entirely legitimate from a trusted contact.
Account Takeover (Compromised Mailbox)
Rather than spoofing, the attacker gains access to a real mailbox — typically through phishing, credential stuffing, or a weak password. They then conduct reconnaissance, reading months of email history to understand relationships, payment processes, and ongoing deals before striking at the optimal moment. This is the hardest variant to detect because the emails genuinely originate from a known address.
Why Singapore Is a High-Value BEC Target
Singapore's status as a regional financial hub — with high transaction volumes, many international supplier relationships, and frequent cross-border payments — makes it an attractive target. Attackers specifically research ASEAN payment corridors and target firms with known regional operations. Singapore businesses transacting in SGD, USD, and regional currencies across multiple jurisdictions are disproportionately exposed.
Payroll Fraud
The attacker impersonates an employee — often just before payroll processing — and requests a change of bank account details with HR. The next salary cycle pays directly to the attacker's account. This variant is growing in Singapore as remote HR practices create gaps in out-of-band verification.
Why Technical Controls Alone Are Not Enough
Many organisations believe their email security gateway or spam filter provides adequate BEC protection. It does not. Spam filters are calibrated for bulk phishing — mass campaigns with known malicious indicators. BEC emails are targeted, personalised, and often free of any technical indicators: no malicious links, no suspicious attachments, no known-bad domains.
A well-crafted CEO fraud email may arrive from a domain that differs by a single character ([email protected] vs [email protected]), or from a completely legitimate-looking display name with a different actual address. Without specific anti-spoofing controls and human verification processes, technical defences will not catch it.
Effective BEC defence requires a layered approach: technical controls at the email infrastructure layer, process controls for payment authorisation, and people controls through training and awareness.
Technical Controls: SPF, DKIM, and DMARC — Non-Negotiable Foundations
The three email authentication standards — SPF, DKIM, and DMARC — are the foundational technical controls that prevent your domain from being spoofed by attackers. Remarkably, a significant proportion of Singapore SMEs either have not implemented them at all, or have implemented them incorrectly.
- SPF (Sender Policy Framework) defines which mail servers are authorised to send email on behalf of your domain. An email from your domain sent by an unauthorised server will fail SPF. This is your first layer of protection against domain spoofing.
- DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound emails, allowing receiving mail servers to verify that the email genuinely originated from your domain and was not modified in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving mail servers what to do with messages that fail authentication: pass them, quarantine them to spam, or reject them outright. A DMARC policy of p=reject provides the strongest protection — unauthenticated emails claiming to be from your domain are rejected before reaching the recipient.
Implementing DMARC at p=reject is one of the highest-impact, lowest-cost controls you can deploy. It requires no ongoing licensing, and once properly configured it eliminates an entire class of spoofing attack. Yet many Singapore organisations remain on p=none (monitoring only) or have no DMARC record at all, leaving their domain open for impersonation.
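To make the SPF and DMARC checks concrete, here is an added audit script (not code from this page or from Infinite Cybersecurity) that takes the TXT records a DNS lookup would return and reports the weaknesses described above: a missing or p=none DMARC policy, a subdomain policy left below reject, partial pct enforcement, no reporting address, and SPF records ending in +all, ?all or ~all or exceeding the 10-lookup limit. The three domains and their records are constructed samples so the script runs offline; point it at your own records to reproduce the audit.

```python
"""Audit SPF and DMARC TXT records for common weaknesses (added example, offline)."""
import re

# Constructed sample records: what a TXT lookup of <domain> and _dmarc.<domain>
# would return. None means no record is published. Domains are placeholders.
SAMPLE_RECORDS = {
    "good.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@good.example; adkim=s; aspf=s",
    },
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "missing.example": {
        "spf": "v=spf1 ip4:198.51.100.10 +all",
        "dmarc": None,
    },
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|ptr|a(:|/|$)|mx(:|/|$))")


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; {} if this is not a DMARC record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(spf):
    """Findings for one SPF record; an empty list means the record is sound."""
    if not spf or not spf.strip().lower().startswith("v=spf1"):
        return ["SPF: no record published"]
    findings = []
    terms = spf.split()
    all_terms = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t.lower())]
    if not all_terms:
        findings.append("SPF: no 'all' term; unlisted senders get a neutral result")
    else:
        last = all_terms[-1].lower()
        if last in ("all", "+all"):
            findings.append("SPF: '+all' authorises every server on the internet")
        elif last == "?all":
            findings.append("SPF: '?all' is neutral; unauthorised senders do not fail")
        elif last == "~all":
            findings.append("SPF: '~all' softfail; enough for DMARC, but without DMARC receivers usually still deliver")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    return findings


def audit_dmarc(dmarc):
    """Findings for one DMARC record; an empty list means the domain is at full enforcement."""
    tags = parse_dmarc(dmarc)
    if not tags:
        return ["DMARC: no record; receivers are never told to reject spoofed mail"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy or 'missing'}; only p=reject blocks spoofed mail")
    if tags.get("sp", policy).lower() != "reject":      # sp defaults to p when absent
        findings.append("DMARC: subdomain policy (sp) is not reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} enforces the policy on only part of the mail flow")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    return findings


def audit_domain(spf, dmarc):
    """All findings for one domain; an empty list means SPF and DMARC are at enforcement."""
    return audit_spf(spf) + audit_dmarc(dmarc)


def audit_all(records=SAMPLE_RECORDS):
    """Audit every domain in the mapping and return {domain: [findings]}."""
    return {domain: audit_domain(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, findings in audit_all().items():
        print(domain, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Only good.example comes back clean; weak.example is flagged for p=none (and, as a consequence, for its subdomain policy), and missing.example for +all and the absent DMARC record. DKIM is not checked here because its selector records can only be verified by signing and validating a message, not by reading the zone alone.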
Additional Technical Measures
- External email warning banners — automatically flagging emails from outside your organisation with a visible banner, particularly when the sender's display name matches an internal executive.
- Lookalike domain detection — monitoring for newly registered domains that closely resemble yours (character substitutions, hyphen variations, additional TLDs), which attackers register specifically for impersonation campaigns.
- MFA on all email accounts — mandatory multi-factor authentication prevents account takeover even when credentials are phished or leaked. Microsoft 365 and Google Workspace both support MFA natively — there is no justification for leaving it disabled.
- Email filtering rules — configuring rules to flag or quarantine emails that impersonate internal executives based on display name matching with external sender addresses.
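The display-name and lookalike-domain rules above can be expressed as a small header check. The following is an added example, not code from this page or from Infinite Cybersecurity: it flags a sender whose display name matches an internal executive while the address is external, a sender domain that imitates the company domain (other TLD, hyphen variant, rn/m or digit-for-letter swaps, or one edit away), a Reply-To that points elsewhere, and a dmarc=fail verdict. The internal domain acme-sg.example, the executive roster and the four sample messages are all constructed.

```python
"""Flag executive impersonation and lookalike domains in mail headers (added example)."""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

INTERNAL_DOMAIN = "acme-sg.example"                        # assumed company domain
EXECUTIVES = {"tan wei ming": "CEO", "priya nair": "CFO"}  # constructed roster


def normalise_name(name):
    """Fold case, accents and spacing so 'Tan  Wei Ming' and 'Tan Wei Ming' compare equal."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    return " ".join(name.lower().split())


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_label(label):
    """Collapse the substitutions used in lookalikes: hyphens, rn->m, vv->w, digits for letters."""
    label = label.replace("-", "").replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("0135", "oles"))


def is_lookalike(domain, legit=INTERNAL_DOMAIN):
    """True if domain imitates legit: other TLD, hyphen variant, visual swap, or one edit away."""
    if not domain or domain == legit:
        return False
    label, legit_label = domain.split(".")[0], legit.split(".")[0]
    if label == legit_label:
        return True
    return edit_distance(fold_label(label), fold_label(legit_label)) <= 1


def analyse(raw_message):
    """Return the reasons to flag a message; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)
    reasons = []
    if sender_domain != INTERNAL_DOMAIN and normalise_name(display) in EXECUTIVES:
        role = EXECUTIVES[normalise_name(display)]
        reasons.append(f"display name matches internal {role} but sender {address} is external")
    if is_lookalike(sender_domain):
        reasons.append(f"sender domain {sender_domain} is a lookalike of {INTERNAL_DOMAIN}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(f"Reply-To {reply_to} points to a different domain than the sender")
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        reasons.append("Authentication-Results reports dmarc=fail")
    return reasons


# Constructed sample messages; only the headers matter for this check.
SAMPLES = {
    "ceo_from_webmail": "\n".join([
        'From: "Tan Wei Ming" <tan.weiming@webmail.example>',
        "Subject: Urgent transfer - keep confidential", "", "Please process today.",
    ]),
    "cfo_from_lookalike": "\n".join([
        'From: "Priya Nair" <priya.nair@acrne-sg.example>',
        "Subject: Updated supplier account details", "", "Use the new account.",
    ]),
    "supplier_replyto_swap": "\n".join([
        'From: "Accounts Payable" <ap@supplier.example>',
        "Reply-To: ap@supplier-payments.example", "Subject: Invoice 1042", "", "Attached.",
    ]),
    "genuine_internal": "\n".join([
        'From: "Tan Wei Ming" <tan.weiming@acme-sg.example>',
        "Authentication-Results: mx.acme-sg.example; dkim=pass; spf=pass; dmarc=pass",
        "Subject: Board pack", "", "Attached.",
    ]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyse(raw) or "clean")
```

In a gateway this logic would sit behind the banner rule: a non-empty result adds the warning banner or quarantines the message, while the genuine internal message passes untouched. The executive roster must be kept current, and the lookalike check should be run against newly registered domains as well as inbound mail.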
Process Controls: Closing the Human Gap
Technical controls address email-layer threats. Process controls address the human decision points that BEC attacks exploit. These are your most important defences against the variants that bypass technical detection.
- Dual-authorisation for all fund transfers — no single person should be able to authorise a payment above a defined threshold without a second approver. This single control eliminates CEO fraud losses: even if a staff member is deceived, the second approver provides a checkpoint.
- Out-of-band verification for bank account changes — any request to change a supplier's bank account details must be verified via a known phone number (not one provided in the email). Call the contact you have on file. This stops invoice fraud almost entirely.
- Cooling-off periods for new payees — implement a mandatory 24-hour hold before processing a first-time payment to a new account. Attackers exploit urgency; a holding period removes their most effective lever.
- Escalation-proof authorisation — define clearly that no executive directive — regardless of seniority, urgency, or confidentiality — overrides dual-authorisation requirements. The CEO cannot verbally override the policy. Train staff to politely but firmly apply the process even under pressure.
- Supplier onboarding verification — verify bank account details for all new and existing suppliers through a formal process that includes direct phone confirmation, independent of any email communication.
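The process controls above can be encoded so that a payment system refuses to release funds until every control is satisfied. The following added example (not the page's or Infinite Cybersecurity's code) models dual authorisation above a threshold, out-of-band verification of bank details, and the 24-hour new-payee hold; the S$10,000 threshold, the payees and the scenarios are constructed assumptions, and the release check deliberately never reads the memo or the requester's seniority.

```python
"""Payment-release controls: dual auth, call-back verification, cooling-off (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DUAL_AUTH_THRESHOLD_SGD = 10_000      # assumed threshold; each organisation sets its own
NEW_PAYEE_HOLD = timedelta(hours=24)  # cooling-off period for a first payment to a new account


@dataclass
class Payee:
    name: str
    bank_account: str
    details_changed_at: datetime        # when the account details were added or last changed
    verified_out_of_band: bool = False  # confirmed by calling the number already on file


@dataclass
class PaymentRequest:
    payee: Payee
    amount_sgd: float
    requested_by: str
    approvers: list = field(default_factory=list)
    memo: str = ""   # "urgent", "confidential", "CEO approved" lands here and is never consulted


def release_blockers(req, now):
    """Reasons the payment must NOT be released; an empty list means every control is satisfied."""
    blockers = []
    if not req.payee.verified_out_of_band:
        blockers.append("payee bank details not verified by phone against the number on file")
    if now - req.payee.details_changed_at < NEW_PAYEE_HOLD:
        blockers.append("payee details changed within the 24-hour cooling-off period")
    if req.amount_sgd >= DUAL_AUTH_THRESHOLD_SGD:
        second = [a for a in req.approvers if a != req.requested_by]
        if not second:
            blockers.append("amount needs a second approver who is not the requester")
    # Nothing above looks at req.memo or who the requester is: escalation-proof by construction.
    return blockers


def change_bank_account(payee, new_account, confirmed_by_callback, now):
    """Apply a bank-detail change only after call-back verification; the change restarts the hold."""
    if not confirmed_by_callback:
        raise PermissionError("bank account changes need out-of-band confirmation first")
    return Payee(payee.name, new_account, details_changed_at=now, verified_out_of_band=True)


def demo(now=datetime(2025, 1, 10, 9, 0)):
    """Constructed scenarios; returns {scenario: blockers}."""
    longstanding = Payee("Lim Trading", "123-456-789", now - timedelta(days=400), True)
    fresh = Payee("NewCo Supplies", "987-654-321", now - timedelta(hours=2))
    return {
        "routine_dual_approved": release_blockers(
            PaymentRequest(longstanding, 50_000, "alice", ["alice", "bob"]), now),
        "ceo_urgent_single_approver": release_blockers(
            PaymentRequest(longstanding, 50_000, "alice", ["alice"],
                           memo="CEO: today, don't loop anyone else in"), now),
        "new_payee_unverified": release_blockers(
            PaymentRequest(fresh, 5_000, "alice", ["alice", "bob"]), now),
    }


if __name__ == "__main__":
    for scenario, blockers in demo().items():
        print(scenario, "RELEASE" if not blockers else blockers)
```

The routine payment with two distinct approvers releases; the "CEO says today" request with a single approver and the unverified two-hour-old payee do not, whatever the memo says. Changing a verified payee's account through change_bank_account restarts the cooling-off clock, which is what stops a substituted invoice from being paid in the same cycle.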
People Controls: Training That Actually Changes Behaviour
Security awareness training is only effective if it changes how people behave under pressure — not just whether they can pass a quiz. For BEC specifically, the most effective training approach is simulation-based: regular, realistic phishing and BEC simulations that put staff in the position of receiving a convincing executive fraud email and having to make a real decision.
Finance staff, executive assistants, HR personnel, and anyone with payment or account-change authority should receive targeted BEC simulation training at least quarterly. The simulation should include the hallmarks of real BEC: display name spoofing, urgency, authority, and secrecy. Post-simulation coaching for staff who clicked or complied should be specific and constructive — not punitive.
Beyond simulation, build awareness of the specific Singapore context: brief staff on current BEC variants circulating in the market (the Singapore Police Force publishes regular advisories), highlight real case studies without identifying victims, and make it clear that stopping a BEC attempt is a valued, praised behaviour — not an embarrassment.
What to Do If You Suspect — or Confirm — a BEC Attack
Speed is everything. If a fraudulent transfer is detected, every hour the money sits in the fraudulent account reduces recovery chances.
- Immediately contact your bank — most major Singapore banks have a dedicated fraud line for emergency wire recalls. SWIFT's Payment Controls service allows recall requests on international transfers. Contact your relationship manager and the fraud team simultaneously.
- File a police report with the SPF Scam Advisory Centre — Singapore Police Force operates ScamShield and the Anti-Scam Centre (ASC), which works directly with banks to freeze suspect accounts. A police report is required to activate these channels.
- Report to CSA's SingCERT — if the attack involved a compromised email account, report to SingCERT ([email protected]) to support broader threat intelligence and potential assistance.
- Preserve evidence — do not delete or alter email threads. Preserve full email headers, which contain the technical forensic trail needed for investigation and any insurance claim.
- Notify MAS (if you are a financial institution) — MAS TRM Guidelines require notification of material fraud incidents. Assess against your incident classification framework immediately.
How Infinite Cybersecurity Helps Singapore Organisations Stop BEC
Our approach to BEC defence is practical and measurable. We help Singapore organisations across three areas: assess, implement, and sustain.
- Email security assessment — we audit your current SPF, DKIM, and DMARC configuration, test for lookalike domain exposure, assess your email gateway controls, and benchmark your posture against MAS TRM and CSA Cyber Essentials requirements.
- Implementation — we configure DMARC at enforcement, implement email banner policies, and help you build the process controls (dual-auth, out-of-band verification) into your finance and HR workflows in a way that sticks.
- Phishing and BEC simulation — our simulation programme delivers realistic, targeted BEC scenarios to your highest-risk staff, with detailed reporting on click rates, compliance with verification processes, and behavioural improvement over time.
BEC is a preventable fraud. The organisations that suffer the most are those that treat it as an IT issue rather than a business risk — waiting for a technical solution while leaving the human and process gaps wide open. Contact our Singapore cybersecurity experts to assess your current exposure and build defences that address all three layers.
Is your business protected against BEC fraud?
Our CREST-certified team assesses your email security posture, implements DMARC enforcement, and trains your highest-risk staff — so you can stop CEO fraud and invoice scams before the first transfer hits.