BEC is responsible for the largest losses per incident of any scam category — single transfers commonly exceed S$200,000. It rarely uses malware. It uses patience and a hijacked inbox.
How the inbox is taken
Attackers obtain credentials through phishing, credential stuffing, or session-token theft. Once inside, they create silent forwarding rules, read for weeks, and learn the company's invoice cadence, tone and approvers — before sending the swap email at the exact right moment.
The four signature timings
Friday afternoon. The day before a public holiday. The hour after the real invoice was discussed in a meeting. The week the CFO is travelling. Trained finance teams treat these windows as elevated-risk by default.
- Bank account change in the final email before payment
- Reply-to header differs from From header
- Subtle domain typo (rn vs m, .co vs .com)
- Unusual pressure to keep the change confidential
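The four red flags above can be checked mechanically before a human ever reads the message. The script below is an added example, not code from the original article: it parses one raw email with Python's standard library, compares the Reply-To and From domains, folds common look-alike substitutions (rn for m, .co for .com) to compare the sender domain against a list of vendors you have actually paid, and scans the subject and body for bank-detail-change and confidentiality phrases. The sample message, the vendor domain `acme-supplies.com` and the keyword patterns are all constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the original article): a vendor "swap" email
# sent from a lookalike domain, with a Reply-To that differs from From.
SAMPLE_EMAIL = """\
From: Accounts <accounts@acrne-supplies.com>
Reply-To: Accounts <accounts@acrne-supplies.co>
To: finance@example.sg
Subject: Re: Invoice 4471 - updated bank details
Content-Type: text/plain; charset=utf-8

Hi, please note our bank account has changed with immediate effect.
Use the new account shown on the attached invoice, and keep this
confidential until the transfer has gone through.
"""

# Domains of vendors the finance team has paid before (constructed list).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com"}

# Phrases that, in a message about a pending payment, deserve a callback.
KEYWORDS = {
    "bank_detail_change": re.compile(
        r"\b(bank|account|beneficiary)\b.{0,40}\b(new|updated?|changed?|different)\b"
        r"|\b(new|updated?|changed?|different)\b.{0,40}\b(bank|account|beneficiary)\b",
        re.I | re.S),
    "confidentiality_pressure": re.compile(
        r"\b(confidential|do not (tell|mention|discuss)|between us)\b", re.I),
}

# Look-alike substitutions to fold before comparing domain names.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def canonical(name):
    """Collapse look-alike substitutions so 'acrne' and 'acme' compare equal.
    Both sides of every comparison go through this, so it stays consistent."""
    for fake, real in HOMOGLYPHS:
        name = name.replace(fake, real)
    return name


def domain_of(header_value):
    """Domain part of an address header, lower-cased, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike_of(domain, known_domains):
    """Return the known vendor domain that `domain` imitates, or None.
    An exact match is legitimate. A match only after homoglyph folding,
    or a match of the name with a different TLD (.co vs .com), is a lookalike."""
    if domain in known_domains:
        return None
    name = domain.split(".", 1)[0]
    for known in known_domains:
        if canonical(name) == canonical(known.split(".", 1)[0]):
            return known
    return None


def check_message(raw_message, known_domains=KNOWN_VENDOR_DOMAINS):
    """Return the list of BEC red flags found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        flags.append("reply_to_mismatch")

    # Sorted so the output order is stable regardless of set iteration order.
    for dom in sorted({from_domain, reply_domain} - {""}):
        target = lookalike_of(dom, known_domains)
        if target:
            flags.append(f"lookalike_domain:{dom}->{target}")

    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    for flag, pattern in KEYWORDS.items():
        if pattern.search(text):
            flags.append(flag)
    return flags


if __name__ == "__main__":
    for flag in check_message(SAMPLE_EMAIL):
        print(flag)
```

A hit on any of these flags does not prove fraud; it moves the message into the "callback to a known number before paying" path that the hard rule below demands. Run the check on mail reaching the finance mailbox, and keep the known-vendor list in sync with the accounts-payable master data.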
1. Hard rule: bank account changes are only valid after a callback to a known number.
2. Enable MFA + conditional access on every mailbox; audit forwarding rules monthly.
3. Use DMARC, DKIM and SPF with reject policy on your own domain.
4. For finance: dual approval and an out-of-band confirmation for transfers above your defined threshold.
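"DMARC, DKIM and SPF with reject policy" (step 3 above) is easy to state and easy to get subtly wrong: `~all` instead of `-all`, `p=none` left over from the monitoring phase, or a `pct` below 100. The audit below is an added example, not code from the original article. It takes the TXT values you would publish for a domain (the domain `example.sg`, both record sets and the placeholder DKIM key are constructed) and reports every setting that falls short of a reject policy, with a weak set of records beside the corrected set.

```python
import re

# Constructed records (not from the original article), keyed by the DNS name
# at which each TXT value would be published for the assumed domain example.sg.
WEAK_RECORDS = {
    "example.sg": "v=spf1 include:_spf.mail-provider.example ~all",
    "_dmarc.example.sg": "v=DMARC1; p=none; rua=mailto:dmarc@example.sg",
}
STRONG_RECORDS = {
    "example.sg": "v=spf1 include:_spf.mail-provider.example -all",
    "_dmarc.example.sg": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                          "adkim=s; aspf=s; rua=mailto:dmarc@example.sg"),
    # The public key is a placeholder, not real key material.
    "sel1._domainkey.example.sg": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY",
}

# Mechanisms and the redirect modifier that each cost one of SPF's 10 DNS lookups.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|$)|^redirect=")


def parse_tags(txt):
    """Parse 'k=v; k=v' tag lists (DMARC and DKIM share this syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(txt):
    if not txt.startswith("v=spf1"):
        return ["spf: record missing or malformed"]
    findings = []
    terms = txt.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("spf: no 'all' term, unlisted senders are neither failed nor soft-failed")
    elif all_term != "-all":
        findings.append(f"spf: '{all_term}' is not a hard fail, publish '-all'")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"spf: {lookups} lookup terms exceed the limit of 10, receivers will permerror")
    return findings


def audit_dmarc(txt):
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["dmarc: record missing or malformed"]
    findings = []
    domain_policy = tags.get("p", "none")
    if domain_policy != "reject":
        findings.append(f"dmarc: p={domain_policy} only monitors or quarantines, set p=reject")
    sub_policy = tags.get("sp", domain_policy)   # sp defaults to p when absent
    if sub_policy != "reject":
        findings.append(f"dmarc: subdomain policy is {sub_policy}, set sp=reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"dmarc: pct={tags['pct']} leaves part of the traffic unenforced")
    if "rua" not in tags:
        findings.append("dmarc: no rua address, you will not see who is spoofing you")
    return findings


def audit_dkim(txt):
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":   # v is optional and defaults to DKIM1
        return ["dkim: malformed record"]
    if not tags.get("p"):
        return ["dkim: empty p= tag means the key is revoked"]
    return []


def audit_domain(records, domain):
    """Run all three checks over a dict of DNS name -> TXT value."""
    findings = audit_spf(records.get(domain, ""))
    findings += audit_dmarc(records.get(f"_dmarc.{domain}", ""))
    dkim_names = [n for n in records if n.endswith(f"._domainkey.{domain}")]
    if not dkim_names:
        findings.append("dkim: no selector record published, outbound mail cannot be signed")
    for name in dkim_names:
        findings += audit_dkim(records[name])
    return findings


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("strong", STRONG_RECORDS)):
        print(label, audit_domain(records, "example.sg") or ["no findings"])
```

To audit a live domain, resolve the three TXT names with your usual DNS tooling and feed the returned strings into `audit_domain`; the checks themselves need no network access. Moving from `p=none` to `p=reject` should follow a period of reading the `rua` reports so that legitimate senders (payroll, CRM, ticketing) are added to SPF and signed with DKIM first.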
Want this lesson delivered live to your team?
Tailored workshops for SMEs, families and organisations — in English or Spanish.
Book a workshop →