On 20 May 2026, the Singapore Police Force issued an advisory on business email compromise involving requests to change a vendor's payment account. The pattern is simple: someone posing as a supplier or a colleague writes in to say the bank account has changed, and asks that the next payment go to the new account. According to the Police, at least 66 such cases were reported in the first months of 2026, with losses of at least $19 million.
The mechanics are quiet, which is rather the point. There is no broken lock and no obvious intrusion. A real invoice is paid, by a real employee, to an account that simply turns out to belong to someone else.
How does business email compromise actually work?
In the variant the Police describe, the fraudster either spoofs an email address or gains access to a genuine mailbox, then waits for a payment that is already expected. When the invoice falls due, a message arrives announcing new banking details. The request looks ordinary because the underlying transaction is real.
The deception tends to surface late: when the genuine supplier asks why it has not been paid, or when someone calls to confirm and learns that no change was ever requested. By then the money has often moved through several accounts.
It is not only the supplier-payment version. The Police have also flagged a variant in which staff are asked, supposedly by a chief executive, to buy gift cards urgently against a promise of reimbursement. Larger cases follow the same logic at greater scale. In one matter announced in May 2026, a Singapore commodity trading firm was deceived into sending USD 6.6 million abroad after a supplier's domain was altered by transposing two letters. The sum was recovered through cross-border cooperation, though recovery is never something to count on.
Why is it so hard to catch?
Business email compromise targets trust and routine rather than technology. The amounts look normal, the names are familiar, and the timing matches a genuine obligation. A look-alike domain that swaps or transposes a single character is easy to miss on a busy day.
Two features make it harder still. First, the request often comes from a genuine but compromised account, so the sender really is who they appear to be. Second, the payment is made willingly by the company's own staff, following what looks like a proper instruction. On the Police's annual figures, scams in which victims transfer the money themselves account for the large majority of reported cases. That last point matters a great deal for insurance.
Where does insurance fit, and where is the gap?
Here is the distinction worth understanding. Many businesses assume that a commercial crime or fidelity policy answers any loss involving fraud. Those policies are built mainly around dishonesty by employees and certain third-party theft, and they may not respond where staff are deceived into authorising a payment themselves. In form the transfer was voluntary, even though deception produced it.
Social engineering fraud cover exists to address that specific situation: a genuine employee, acting in good faith, is manipulated into releasing funds or changing payment details. It is often arranged as an extension rather than a standalone policy, and the terms, sub-limits, and verification conditions differ between insurers and products. Whether a particular loss is covered depends on the wording agreed and the controls in place at the time. We looked at the broader category in Social Engineering Fraud in Singapore.
We would not present cover as a reason to buy a policy and then stop thinking. The sensible approach treats prevention and insurance as two parts of one plan: lower the chance of a successful deception, and arrange cover for the exposure that no process removes entirely.
What can a business do before it happens?
The Police advisory sets out practical steps, and they cost very little. The most effective single measure is to verify any change to payment details through a separate, known channel, such as a phone call to a number already on file, rather than replying to the email that asked for the change.
A few further measures round this out: confirm that a sender's address matches the expected domain exactly, since fraudulent ones often differ by only a character or two; enable two-factor authentication on email accounts; and consider implementing DMARC, which makes it harder for outsiders to spoof a company's own domain. Briefing the people who actually release payments, in finance and procurement, usually matters more than any single tool, because they are the ones the request is designed to reach. If something does go wrong, the Police ask that it be reported quickly, and the ScamShield Helpline on 1799 can advise.
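One way to implement the exact-domain check described above, as an added example that is not from the Police advisory or this article: each sender address is compared against an approved vendor list, and a domain that differs from a known vendor by a single substitution or a transposition of two letters (the pattern in the USD 6.6 million case) is flagged as a look-alike. The vendor domains and addresses are constructed for illustration.

```python
"""Flag payment-instruction emails whose sender domain is a near-miss of a known vendor domain."""

# Constructed sample vendor list; in practice this comes from the vendor master file.
KNOWN_VENDOR_DOMAINS = {"example-metals.com", "acme-shipping.sg"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent characters."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Count a transposition of two adjacent characters as a single edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def sender_domain(address: str) -> str:
    """Return the lowercased domain of an address, ignoring any display name in 'Name <user@domain>' form."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS, max_distance: int = 2) -> str:
    """'known' for an exact vendor domain, 'lookalike:<vendor>' within max_distance edits, else 'unknown'.

    A 'lookalike' result is the case to hold for out-of-band verification before any bank detail changes.
    """
    domain = sender_domain(address)
    if domain in known:
        return "known"
    for vendor in sorted(known):
        if osa_distance(domain, vendor) <= max_distance:
            return f"lookalike:{vendor}"
    return "unknown"


if __name__ == "__main__":
    for addr in ("accounts@example-metals.com", "Accounts <accounts@exapmle-metals.com>"):
        print(addr, "->", classify_sender(addr))
```

An 'unknown' domain is not necessarily safe; it only means no approved vendor resembles it, so the separate-channel phone check still applies to any change request.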
A measured way to read it
On the Police's figures, overall scam losses in Singapore fell in 2025, yet business email compromise remained among the most costly categories by total amount. It is a steady, deliberate exposure rather than a dramatic one, sitting at the meeting point of process and cover. Reviewing both, well before a payment is ever in question, is time well spent. Where email is the entry point, it is also worth reading The Cost of a Cyber Incident in Singapore.
If you would like to understand how your present arrangements would respond to a deception of this kind, and where social engineering fraud cover would sit alongside your existing policies, we would be glad to talk it through.
This article provides general information only. It is not insurance advice. Policy availability, terms, conditions, and exclusions vary by insurer and product, and cover is subject to the full policy wording. Please contact TZY CO for advice on your specific situation.