The Cost of Trust: How Business Email Compromise Is Targeting Singapore SMEs
- iklilkaiyisah4
- 2 days ago

It starts innocently enough — a new invoice, a supplier’s “updated” bank account, or a message from the boss marked URGENT. Everything looks legitimate. The logo matches, the tone feels familiar, and the sender’s name is correct.
But once the payment is made, reality hits. The money is gone — and so is the scammer.
This is Business Email Compromise (BEC) — one of the most damaging cyber scams in the world today, and one that’s quietly draining millions from Singapore’s businesses every year.
According to the Singapore Police Force (SPF), BEC scams alone cost local companies more than SGD$65 million in 2023, a figure that continues to rise as scammers become more sophisticated in their methods.
What Is Business Email Compromise?
Business Email Compromise (BEC) is a form of scam where fraudsters impersonate trusted parties — such as suppliers, clients, or company executives — to deceive employees into transferring funds or revealing confidential information.
Unlike traditional hacking, BEC doesn’t rely on breaking through firewalls or complex malware. Instead, it exploits the weakest link in cybersecurity — human trust.
Common BEC tactics include:
Email spoofing: Scammers register domains that look almost identical to legitimate ones, such as replacing “.com.sg” with “.asia” or adding a subtle hyphen.
Social engineering: Fraudsters study company hierarchies, writing styles, and communication patterns to mimic genuine behaviour.
Timing attacks: Messages are often sent when key staff are unavailable — for instance, during public holidays or weekends — to create urgency and bypass verification.
The result? A payment made in good faith to a fraudster’s account, often overseas, where funds become nearly impossible to recover.
Why Singapore Businesses Are High-Value Targets
Singapore’s strong reputation as a global business hub makes it an attractive target for cybercriminals. Local companies are deeply integrated into regional and international supply chains, relying heavily on digital communications and cross-border transactions.
For many Small and Medium Enterprises (SMEs), business operations run through emails — from invoicing to purchase approvals. This dependency, combined with lean finance teams and tight schedules, creates fertile ground for deception.
In 2024, this risk became very real for a Singapore company that nearly lost more than SGD$300,000 after an employee responded to a fraudulent email. The scammer had subtly altered the supplier’s email address, changing “gmail.com” to “asia.com,” and requested that payment be made to a new bank account in the UAE.
The company only discovered the impersonation when the genuine supplier followed up to confirm that its bank details had not changed. Fortunately, the funds were eventually recovered with assistance from the Anti-Scam Command and international authorities (Straits Times, 2024).
How BEC Scams Work — Step by Step
1. Reconnaissance
Scammers quietly gather information about your company using publicly available sources — LinkedIn profiles, your website, job postings, news features, or even social media. Their goal is to map out reporting lines, identify who approves payments, and understand your communication style. The more they learn, the more convincing their impersonation becomes.
2. Impersonation
Using what they’ve learned, attackers create an email that looks legitimate — sometimes by spoofing your domain (e.g., swapping an “l” for an “I”), and other times by breaking into a real employee’s inbox. These emails often mirror your internal tone, signature formats, and previous message styles to avoid suspicion.
3. Manipulation
Next, they introduce urgency or pressure. This could look like:
“We need to settle this invoice today to avoid late fees.”
“Client is waiting — please process ASAP.”
“I’m in a meeting, just handle this for me.”
The goal is to push the victim into fast action before they have time to verify.
4. Execution
Once the victim initiates the transfer, funds are immediately routed through multiple accounts, often overseas. This rapid movement is intentional — by the time discrepancies are noticed, the money is usually gone or extremely hard to trace. Even with swift reporting, recovery rates are low due to how quickly scammers disperse funds.
How Businesses Can Protect Themselves
BEC scams can be prevented, but protection requires a combination of technology, verification protocols, and staff awareness.
1. Verify Before You Pay
Any request to change bank details or initiate a payment should be verified through an independent channel. Call the supplier using a known number, or confirm via internal chat. Never rely solely on the instructions in the email.
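Part of this check can be automated before a payment-change request reaches a human. The sketch below is an added example, not part of the original article: it compares a sender against the supplier addresses on file and flags the lookalike patterns described earlier (a changed domain ending, an added hyphen, a swapped “l”/“I”, or the same mailbox name at a different provider). The supplier addresses and function names are constructed for illustration.

```python
# Added example: supplier addresses below are constructed sample data.
KNOWN_SUPPLIERS = [
    "accounts@reliantparts.com.sg",
    "orchid.supplies@gmail.com",
]

# Fold characters that are easily confused at a glance and drop hyphens.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o", "-": None})


def split_address(addr):
    """Return (local part, domain), lowercased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def skeleton(text):
    """Reduce text to a form in which confusable spellings compare equal."""
    return text.translate(CONFUSABLE)


def first_label(domain):
    # Assumes the supplier uses no subdomain, so the first label is its name.
    return domain.split(".")[0]


def check_sender(sender, known=KNOWN_SUPPLIERS):
    """Classify a sender against the supplier addresses on file."""
    local, domain = split_address(sender)
    if not local or not domain:
        return "invalid"
    if f"{local}@{domain}" in known:
        return "match"
    for addr in known:
        k_local, k_domain = split_address(addr)
        if domain == k_domain:
            return f"known-domain-new-mailbox:{k_domain}"
        if skeleton(domain) == skeleton(k_domain):
            return f"lookalike-chars:{k_domain}"
        if skeleton(first_label(domain)) == skeleton(first_label(k_domain)):
            return f"tld-swap:{k_domain}"
        if local == k_local:
            return f"same-mailbox-new-domain:{k_domain}"
    return "unknown"
```

Any result other than `match` should route the request to the call-back verification described above. A generic mailbox name such as `accounts` will produce some false positives, which is acceptable for a review queue.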
2. Implement Dual Authorisation
For payments above a certain threshold, require approval from two authorised personnel. Many ERP and accounting systems make this workflow straightforward.

3. Strengthen Email Security
Adopt email authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). These protocols verify that emails claiming to be from your domain are legitimate, helping prevent scammers from sending spoofed messages. They can be implemented at low cost and provide significant protection against phishing and impersonation attacks.
4. Train Employees Continuously
Cybersecurity education is not a one-off task. Regular training keeps employees alert to new phishing tactics and social engineering strategies. The Cyber Security Agency of Singapore (CSA) recommends integrating ongoing awareness programs into everyday operations.
5. Adopt Verified Digital Tools
Transitioning from manual email-based invoicing to secure platforms, like ERP systems or e-invoicing tools, reduces human error and fraud exposure. Initiatives under IMDA’s SMEs Go Digital provide SMEs with vetted solutions that come with verification, audit trails, and workflow approvals built-in.

Prevention Is Cheaper Than Recovery
The consequences of BEC scams go beyond financial losses. Businesses face reputational damage, strained supplier relationships, and reduced internal confidence. Even when funds are recovered, the operational disruption and emotional toll can last for months.
Investing in secure systems and staff awareness is far more cost-effective than repairing the damage caused by a single six-figure scam. Embedding a “verify before you trust” culture can significantly reduce exposure to BEC attacks.
Singapore’s National Efforts Against BEC
The government and local agencies have established frameworks to support SMEs against scams:
SPF’s Anti-Scam Command, which collaborates internationally to intercept fraudulent transfers.
CSA’s portal, providing useful cybersecurity resources for businesses.
IMDA’s CTO-as-a-Service (CTOaaS) platform, connecting SMEs to vetted digital consultants and pre-approved digital solutions.
Through CTOaaS, businesses can adopt secure e-invoicing, cloud accounting, and ERP solutions that streamline operations while protecting against scams.
In Summary
Business Email Compromise is no longer rare; it is a persistent threat for SMEs in Singapore. Awareness, verification, and the right technology can significantly mitigate risk.
Every email sent and received in the course of business is part of your digital footprint. Embedding verification procedures, educating your teams, and using secure systems ensures that trust remains an asset, not a vulnerability.