On 15 May 2026, the Singapore Police Force issued a public advisory about a businessman who lost at least S$4.9 million in one of the most sophisticated fraud cases Singapore has seen.
The scam began with a WhatsApp message from someone posing as the Secretary to the Cabinet. The victim was asked to sign an NDA and attend an urgent video conference. The Zoom call featured AI-generated deepfakes of Prime Minister Lawrence Wong, President Tharman Shanmugaratnam, Minister Indranee Rajah, and representatives from MAS, BlackRock, and overseas governments.
The fabricated briefing concerned a geopolitical situation in the Strait of Hormuz. The deepfake of PM Wong acknowledged the victim by name. After the call ended, someone posing as a lawyer followed up with wire transfer instructions. The victim transferred S$4.9 million across multiple transactions before something felt wrong and he contacted the real Cabinet Secretary.
Nothing in the victim's IT systems was hacked. No password was compromised. No malware was installed.
A person was shown something convincing and chose to act on it. That is what social engineering is: the manipulation of human judgment rather than the exploitation of technical vulnerability.
And that distinction is exactly why most standard insurance policies would not have covered this loss.
Why standard insurance leaves a gap here
Most business owners assume that if they are defrauded, their insurance will respond. In social engineering cases, that assumption is frequently wrong.
A standard commercial crime policy covers theft by criminals who take something from you without your knowledge or consent. A cyber insurance policy covers incidents involving the breach or compromise of your systems.
**Social engineering fraud** fits neither category cleanly. In the Lawrence Wong case, the victim's systems were not breached. And the transfer was not theft in the traditional sense: the victim authorised every transaction. He was deceived, but he acted voluntarily.
Most commercial crime policies contain what is called a "voluntary parting" exclusion, which means losses arising from someone acting with the insured's authority willingly authorising a transfer are not covered, even if that person was manipulated into doing so. **This is the gap.**
The fraud works precisely because the victim believes they are doing the right thing. Standard insurance is not designed for that scenario. Social Engineering Fraud insurance is.
What Social Engineering Fraud insurance actually covers
A Social Engineering Fraud (SEF) endorsement is added to a commercial crime or cyber policy. It is not typically sold as a standalone product. It specifically covers financial loss resulting from a good-faith transfer of money or property made in response to fraudulent instructions from someone impersonating a legitimate authority: a supplier, a senior executive, a government official, or in the Lawrence Wong case, the Prime Minister himself.
In plain terms: if your finance director receives a convincing instruction to transfer funds and acts on it in good faith, SEF insurance covers the resulting loss up to the policy limit. Without the SEF endorsement, the same claim would almost certainly be declined under the voluntary parting exclusion.
The types of fraud covered typically include:
CEO fraud or business email compromise. A scammer impersonates a senior executive and instructs a finance employee to transfer funds urgently to a new account. In April 2026, SPF reported a case where a Singapore company CEO received a WhatsApp call from someone posing as his firm's Chairman, directing him to proceed with an acquisition. The company transferred in excess of USD 36 million before discovering the fraud.
Supplier or invoice fraud. A scammer intercepts or spoofs supplier communications and redirects payment to a fraudulent account. In April 2026, a Singapore commodity trading firm transferred USD 6.6 million after receiving an email that appeared to be from their supplier, with a domain name that had two letters transposed. The funds were fully recovered through SPF's international cooperation, but recovery is the exception, not the rule.
Impersonation of government or institutional authority. The Lawrence Wong case is the clearest illustration. The fraudsters built a scenario of sufficient authority that the target believed the transfer was not only legitimate but patriotic. AI-generated deepfakes of public figures in video conferencing are an emerging variant of this pattern.
What SEF insurance does not cover
Understanding the limits is as important as understanding the coverage.
SEF insurance does not cover losses where the company had no verification procedures in place and the insurer's underwriting requirements called for them. Most insurers writing SEF endorsements will ask about your payment authorisation process. If you have no dual-approval requirement for large transfers, no callback verification for changed bank account details, and no authentication protocol for urgent payment requests from senior executives, the insurer may decline coverage outright, apply a significant sub-limit, or decline a specific claim on the basis that reasonable controls were absent.
SEF does not cover employee dishonesty. If your own employee is in on the fraud, that is Commercial Crime cover, not SEF.
SEF does not typically cover data loss or system compromise. If the same scammer who tricked your finance team also exfiltrated client data from your server, the data-related loss sits under cyber insurance, not SEF.
What underwriters look for before offering SEF cover
The practical implication for any business looking to arrange or renew SEF cover is that the controls you have in place directly affect both your eligibility and your premium.
Insurers writing SEF endorsements typically ask:
- Do you require a second approval for transfers above a set threshold?
- Do you require staff to verify changes to supplier bank details via a separate, pre-existing contact number (not the number provided in the email requesting the change)?
- Do you have a policy against acting on urgent payment requests received through messaging apps or video calls without independent verification?
These are not complicated controls. A Singapore commodity trading firm in January 2025 lost S$300,000 when a staff member transferred payment to a fraudulent account after receiving an email where "gmail.com" had been replaced with "asia.com." A phone call to the genuine supplier's known number before processing the payment would have caught it. SPF recovered the funds in that case. They are not always able to.
Having these controls does two things: it reduces the probability of a successful fraud, and it demonstrates to the underwriter that the insured is a considered risk rather than a passive one.
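As an added illustration (not part of the original article and not any insurer's stated requirement), the three controls above can be written as a pre-release check in a payment workflow, including a sender-domain comparison that catches the transposed-letter and swapped-domain cases described. The threshold value, field names, channel labels and the `acme-metals.example` domain are assumptions made for the example.

```python
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 50_000                   # assumed value; set per your own policy
UNVERIFIED_CHANNELS = {"whatsapp", "video_call"}   # assumed channel labels

def osa_distance(a: str, b: str) -> int:
    """Edit distance in which swapping two adjacent letters counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

@dataclass
class PaymentRequest:
    amount: float
    channel: str               # "email", "whatsapp" or "video_call"
    sender_domain: str         # empty for non-email channels
    bank_account: str          # account the request asks you to pay
    approvers: set = field(default_factory=set)
    callback_done: bool = False  # call placed to the number already on file

def blocking_reasons(req: PaymentRequest, vendor_domain: str, vendor_account: str) -> list:
    """Return the reasons a payment must be held; an empty list means release."""
    reasons = []
    sender = req.sender_domain.lower()
    if req.channel == "email" and sender != vendor_domain:
        near = osa_distance(sender, vendor_domain) <= 2
        reasons.append("lookalike sender domain" if near else "sender domain not on file")
    if req.bank_account != vendor_account and not req.callback_done:
        reasons.append("bank details changed without callback")
    if req.channel in UNVERIFIED_CHANNELS and not req.callback_done:
        reasons.append("messaging/video request not independently verified")
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(req.approvers) < 2:
        reasons.append("second approval missing")
    return reasons
```

The vendor domain and account passed in must come from the master record created at onboarding, never from the message that is asking for the payment.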
The practical takeaway for Singapore SMEs
Most Singapore SMEs carry commercial crime coverage or believe their cyber policy gives them adequate protection. Few have checked whether their policy contains a SEF endorsement and what the sub-limit is. A S$100,000 sub-limit on a policy taken out several years ago reflects neither the current threat environment nor the scale of a realistic loss in 2026.
The Lawrence Wong case is an extreme example, but the underlying pattern is not unusual. A CFO receives a convincing email. A finance executive gets a WhatsApp call. A supplier's account details change a week before a large invoice is due. These are the scenarios SEF cover is designed for. They do not require a deepfake Zoom call with the Prime Minister. They require one convincing message and one good-faith action.
TZY CO advises Singapore businesses on Social Engineering Fraud insurance placement and cover review, including whether your existing commercial crime or cyber policy contains meaningful SEF protection. If you have not checked your policy against the current fraud environment, we are glad to work through it with you.
This article provides general information only. It is not insurance advice. Policy availability, terms, conditions, and exclusions vary by insurer and product, and cover is subject to the full policy wording. Please contact TZY CO for advice on your specific situation.