Business Email Compromise in Singapore: How Invoice Fraud Is Outpacing Phishing

In 2025, the Singapore Police Force reported that Business Email Compromise (BEC) attacks accounted for the largest financial losses of any cybercrime category in Singapore — exceeding SGD 85 million across confirmed cases, with significant underreporting from organisations that opted to absorb losses quietly rather than file police reports. The BEC category has evolved well beyond the phishing emails of a decade ago. Today's attacks blend compromised vendor email accounts, AI-generated deepfake audio of executives authorising urgent transfers, and carefully researched vendor impersonation that arrives at exactly the moment a finance team is processing a legitimate payment run.

For Singapore companies — particularly those in engineering, logistics, import-export, and professional services — invoice fraud is the dominant BEC variant. An attacker who has compromised a vendor's email account, or who has registered a domain that closely resembles a trusted supplier, sends a message to the accounts payable team stating that bank account details have changed and future payments should go to a new account. The message arrives in context: same email thread style, same sender name, same tone as previous communications. The finance team updates the banking details. Payment goes to the attacker's account. Recovery is extremely rare.

Why Traditional Email Security Fails Against BEC

Most organisations have implemented some combination of spam filtering, phishing detection, and the email authentication protocols SPF, DKIM, and DMARC. These controls are effective against bulk phishing and commodity spam, and they stop crude spoofing of your own domain. They are largely ineffective against BEC, for two reasons. First, BEC messages are often sent from legitimate, pre-compromised email accounts: the message passes every authentication check because it genuinely comes from the impersonated sender's mailbox and mail servers. Second, SPF, DKIM, and DMARC only establish that a message was authorised by the domain it claims to come from; a lookalike domain registered by the attacker has its own valid SPF and DKIM records and passes just as cleanly. Neither control says anything about whether the bank account in the message belongs to the vendor.

AI-generated content has made the problem significantly worse. Modern BEC emails read like genuine communications. They are grammatically correct, use the organisation's internal terminology, and reference actual projects, purchase orders, or supplier relationships that the attacker has researched. Deepfake audio — where finance staff receive a phone call or WhatsApp message that sounds exactly like the CEO or CFO authorising an urgent wire transfer — is no longer theoretical in Singapore. There are documented cases in the professional services and commodities trading sectors where finance staff transferred six-figure sums on the basis of what they believed was a genuine executive voice authorisation.

PDPA implication: If a BEC incident results in unauthorised access to personal data — for example, if the compromised vendor account contained personal data of Singapore residents — the organisation may have PDPA breach notification obligations regardless of whether financial loss occurred. The Singapore Personal Data Protection Commission expects organisations to assess whether a BEC-related email compromise constitutes a reportable data breach, particularly where the compromised vendor email contained personal data about employees or customers.

The Anatomy of a Singapore Invoice Fraud Attack

A sophisticated invoice fraud attack against a Singapore company follows a predictable sequence. The attacker begins with reconnaissance: identifying the company's vendors, their communication patterns, the timing of payment runs, and the names and roles of accounts payable staff. This information is gathered from the company's own website, LinkedIn, exchange announcements and annual reports for listed companies, and historical email threads that have been exposed in previous data breaches. The more connected the target company's supply chain, the more ammunition the attacker has.

The attacker then compromises the vendor's email account, typically through credential stuffing where vendor staff have reused passwords exposed in earlier breaches, or through a targeted phishing email to the vendor's finance staff; accounts without multi-factor authentication fall first. With access to the genuine vendor account, the attacker reads historical email threads to understand the communication style, billing patterns, and any prior discussions about payment terms or banking changes, and commonly adds mailbox rules that hide replies about invoices or payments so the vendor does not notice the conversation.

When the moment is right — typically at the start of a month or immediately before a public holiday when finance staff are processing batch payments — the attacker sends an email from the vendor's genuine account to the target's accounts payable team. The email states that banking details have changed due to a new banking relationship, provides new account information, and may include a plausible reason for the urgency. For a Singapore engineering company processing payment to a Taiwanese component supplier, a last-minute banking change email arriving the day before Chinese New Year would draw no suspicion — it fits the rhythm of the business relationship.

The target company's accounts payable staff updates the vendor details in the ERP or accounting system, processes the payment to the new account, and the funds are rapidly moved through a series of mule accounts before the fraud is detected. By the time the legitimate vendor follows up on the missing payment — which may take days or weeks — the funds are unrecoverable.

The Controls That Actually Work Against BEC

Email filtering and authentication alone will not stop BEC. The most effective controls operate at the process and people layers, not the email gateway layer.

Out-of-band verification for banking change requests: Any request to change vendor banking details must be verified through a channel independent of the one the request arrived on. If the request arrives by email, confirm it by telephone on a number already on file for the vendor; if it arrives by telephone, confirm it through a second independent channel. The contact details used for verification must come from your own records or the signed contract, never from the message requesting the change, since an attacker who controls the vendor's mailbox or a lookalike domain will supply their own number. Record who verified the change, with whom, and when. Finance staff should be trained to treat banking detail changes as inherently high-risk and to verify them without exception.

Payment approval thresholds with dual controls: Any payment above a defined threshold (SGD 5,000 for most organisations, lower for high-risk categories) should require two independent authorisations. For high-value transfers, the second approver should be someone who neither raised the payment request nor updated the vendor record, and should see the record of the out-of-band verification before approving. Large wire transfers should never be authorised by a single person, regardless of time pressure.

Vendor onboarding verification with ongoing refresh: When adding new vendors, verify banking details against independent records — a phone call to the vendor's known contact, a review of the contract on file, or confirmation from a different contact point at the vendor. When existing vendors request banking changes, apply the same verification as new vendor onboarding. Many Singapore companies have excellent onboarding processes but do not apply the same rigour to subsequent changes.

Domain monitoring and lookalike detection: Register the most likely lookalike variants of your own business domain (a missing or doubled letter, an inserted hyphen, your common misspellings, the same name under .sg or .com.sg) so that an attacker cannot. You cannot register every variant of every vendor's domain, so monitor instead: watch newly registered domains and certificate transparency logs for names within a character or two of your domain and your key vendors' domains, and flag or quarantine mail from them at the gateway. This is low-cost and can be automated, and it catches the attacker who registers singapore-engineering.com to impersonate singaporeengineering.com before the first email is sent.
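An added example of the detection half of that control, written for this page and not the article's or Infinite Cybersecurity's own code: a small Python script that enumerates the common typosquat techniques (dropped, doubled or swapped letters, an inserted hyphen, digit-for-letter homoglyphs, alternative suffixes) for each protected domain and scores a feed of newly seen domains against them, with an edit-distance fallback for variants the generators miss. The protected domains, the fictitious vendor acme-components.com.sg, the homoglyph table, the suffix list and the "newly registered" feed are all constructed assumptions; a real deployment would read the feed from a registered-domain source or certificate transparency logs.

```python
"""Lookalike-domain generation and matching for BEC domain monitoring.

Added example, not part of the original article. Protected domains and the
"newly registered" feed below are constructed sample data, not real
registrations or real companies.
"""

# Characters a fraudster swaps for visually similar ones (assumption: a small
# illustrative table; production tooling uses a much larger homoglyph set).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}
# Alternative suffixes worth watching for a Singapore business (assumption).
TLDS = ("com", "net", "org", "co", "sg", "com.sg", "biz")


def _split(domain):
    """Split 'acme.com.sg' into ('acme', 'com.sg'): first label vs the rest."""
    name, _, tld = domain.lower().strip().partition(".")
    return name, tld


def generate_variants(domain):
    """Return {variant_domain: technique} for every lookalike of one domain."""
    domain = domain.lower().strip()
    name, tld = _split(domain)
    variants = {}

    def add(new_name, technique, new_tld=tld):
        candidate = f"{new_name}.{new_tld}"
        if candidate != domain and new_name and candidate not in variants:
            variants[candidate] = technique

    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")           # singaporengineering
        add(name[:i] + ch + name[i:], "repetition")        # singapooreengineering
        if i > 0:
            add(name[:i] + "-" + name[i:], "hyphenation")  # singapore-engineering
            add(name[:i - 1] + ch + name[i - 1] + name[i + 1:], "transposition")
        if ch in HOMOGLYPHS:
            add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:], "homoglyph")  # singap0re...
    for alt in TLDS:
        add(name, "tld-swap", alt)                         # singaporeengineering.sg
    return variants


def levenshtein(a, b):
    """Edit distance; catch-all for variants the generators above do not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, protected):
    """Return (protected_domain, technique) if candidate impersonates one of the
    protected domains, or None if it is unrelated or is the genuine domain."""
    candidate = candidate.lower().strip()
    protected = [p.lower().strip() for p in protected]
    if candidate in protected:
        return None                       # the real thing, not an impersonation
    for p in protected:
        variants = generate_variants(p)
        if candidate in variants:
            return p, variants[candidate]
        if levenshtein(_split(candidate)[0], _split(p)[0]) <= 1:
            return p, "edit-distance"
    return None


def scan(feed, protected):
    """Run a feed of newly seen domains against the protected list."""
    hits = []
    for domain in feed:
        match = classify(domain, protected)
        if match:
            hits.append((domain, match[0], match[1]))
    return hits


# Constructed sample data: the article's own example plus a fictitious vendor.
PROTECTED = ["singaporeengineering.com", "acme-components.com.sg"]
NEW_DOMAINS = [
    "singapore-engineering.com",   # hyphen inserted (the article's example)
    "singap0reengineering.com",    # homoglyph: o -> 0
    "singaporeengineering.sg",     # same name, different suffix
    "acme-components.co",          # vendor name under a different suffix
    "acme-cornponents.com.sg",     # homoglyph: m -> rn
    "unrelated-bakery.sg",         # noise, must not alert
    "singaporeengineering.com",    # our own domain, must not alert
]

if __name__ == "__main__":
    for domain, target, technique in scan(NEW_DOMAINS, PROTECTED):
        print(f"ALERT  {domain:28} impersonates {target} ({technique})")
```

Run as-is, the five lookalikes alert and the genuine domain and the unrelated name do not. The script only reasons about the registrable label, so pair it with a gateway rule that quarantines mail from any flagged domain, and treat a flagged vendor domain as a trigger for the out-of-band verification above rather than as proof of fraud on its own.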

AI Deepfake Fraud: The Emerging Threat Singapore Companies Must Address

The use of AI-generated voice and video deepfakes in fraud is no longer confined to large enterprise targets. In Singapore's professional services, commodities trading, and manufacturing sectors, there are documented cases of fraudsters using voice cloning — trained on samples from LinkedIn profile videos, company websites, or conference presentations — to call finance staff and direct urgent transfers. The quality of these deepfakes has improved to the point where familiar voice characteristics, speech patterns, and accent are convincingly reproduced.

The control for deepfake audio fraud is the same as for email-based BEC: out-of-band verification with a pre-established, independently confirmed contact protocol. Finance staff must understand that an urgent request from an executive — particularly one that bypasses normal approval channels — is by definition a high-risk transaction that requires verification through a channel the attacker cannot impersonate. A callback to the executive's known mobile number, confirmed through an internal directory or prior documented contact, is the minimum standard. This verification step must be a policy requirement, not a suggestion.

Protect Your Finance Function from BEC

Business Email Compromise is the highest-impact financial cybercrime facing Singapore companies today. Infinite Cybersecurity's BEC protection programme includes invoice fraud risk assessment for accounts payable functions, staff awareness training that covers deepfake fraud scenarios, domain monitoring for lookalike attacks, and incident response support for organisations that have experienced a BEC attack. Contact our Singapore cybersecurity experts to assess your exposure.

What to Do If a BEC Attack Has Succeeded

If your organisation has transferred funds to a BEC attacker, the window for recovery is narrow. Contact your bank's fraud department immediately and ask it to recall the payment and alert the beneficiary bank (for cross-border payments this is a SWIFT recall request). The success rate is low but not zero, particularly where the funds have not yet been credited or moved on at the destination bank. File a police report with the Singapore Police Force's Anti-Scam Centre (ASC), which has specific processes for tracing and recovering funds in commercial fraud cases. Preserve the evidence for the investigation: the full headers of the fraudulent emails, not just the message bodies, all related communication records, and the payment documentation, including who changed the vendor record and when.

Review the scope of the compromise: did the attacker access any personal data through the compromised email account? If so, PDPA breach notification obligations may apply — and the PDPC has been increasingly active in investigating organisations whose vendor email compromises led to personal data exposure.

Conduct a root cause analysis: how did the attacker gain access to the vendor's email account, and would your organisation's controls have detected or prevented an equivalent attack against your own email accounts? The answer determines whether you need to fix your own security posture or simply improve your payment verification processes.

BEC is not a technology problem. It is a business process problem with technology and human behaviour dimensions. The controls that prevent it — out-of-band verification, dual authorisation, vendor verification protocols — are operational and cultural, not technical. They require investment in process design, staff training, and leadership attention. The SGD 85 million in losses reported in Singapore in 2025 is the cost of organisations that have not yet made that investment.