The Police would like to alert members of the public to be vigilant against business email compromise scams, in which scammers deceive victims into replacing their vendors’ payment account details with fraudulent bank accounts and making payments to those accounts. Since 1 January 2026, at least 66 cases have been reported, with total losses amounting to at least $19 million.
In this scam variant, scammers would impersonate the victims’ colleagues or business vendors using spoofed email addresses or by compromising the vendors’ email accounts. In the emails, the scammers would inform the victims that there have been changes to the vendors’ bank account details, and instruct them to make upcoming payments to the vendors’ “new” bank account. The victims would realise they had been scammed after seeking clarification directly from their colleagues or the vendors, or when the vendors inform them that they did not receive the payments.
Businesses are advised to adopt the following preventive measures:
- Educate employees on this scam variant, especially new staff, interns, and those responsible for updating payment details and/or making fund transfers (e.g., procurement, payroll). Employees should treat requests to change a vendor's bank account details, which are generally uncommon, as a red flag and verify them before taking any other action.
- Implement additional verification mechanisms, or verify with the email sender through a different medium (i.e., phone call, text message or enterprise communication channels) before proceeding with any change in payment instructions or out-of-ordinary requests sent via email.
- Ensure that the sender's email address corresponds to the legitimate email address of the person they claim to be by double-checking the sender's email domain. Scammers often use domains that closely resemble legitimate ones but contain subtle differences such as misspellings or additional characters.
- Prevent your email account from being compromised by using strong passphrases and enabling Two-Factor Authentication (2FA).
- Implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) on your organisation's email domain. This can help prevent scammers from spoofing your domain to deceive others.
  - For more information on DMARC, refer to https://www.csa.gov.sg/resources/internet-hygiene-portal/information-resources/dmarc/.
  - Free configuration tools and guidance are available at dmarc.globalcyberalliance.org.
- Install anti-virus software on your computer, and keep it updated. Perform full scans of the machine(s) in your network regularly.
- Ensure that your Operating System (OS) and software applications are kept up-to-date by applying security patches promptly when they are made available.
- Report any scam encounters to the authorities immediately and make a police report.
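
The sender-domain check in the measures above can be partly automated before a payment-change request reaches staff. The following Python code is an added example, not part of the Police advisory; the vendor domains, function names and distance threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed allowlist: domains your real vendors are known to send from.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Domain of the address in a From header; the display name is ignored."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify_sender(from_header, known=KNOWN_VENDOR_DOMAINS, max_distance=2):
    """Return (verdict, matched_vendor_domain_or_None)."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unparseable", None)
    if domain in known:
        # Exact match only: a compromised vendor mailbox still lands here,
        # so bank-detail changes need out-of-band verification regardless.
        return ("known", domain)
    for legit in sorted(known):
        brand = legit.split(".")[0]
        # Misspelling (small edit distance) or extra characters around the brand.
        if edit_distance(domain, legit) <= max_distance or brand in domain:
            return ("lookalike", legit)
    return ("unknown", None)


if __name__ == "__main__":
    for header in ("Acme Billing <billing@acrne-supplies.example>",
                   "accounts@northwind-payments.example"):
        print(header, "->", classify_sender(header))
```

A "lookalike" verdict is a reason to hold the request and call the vendor on a number already on file; a "known" verdict does not replace that call.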
For more information on scams, members of the public can visit www.scamshield.gov.sg or call the ScamShield Helpline at 1799. Fighting scams is a community effort. Together, we can ACT Against Scams to safeguard our community!
PUBLIC AFFAIRS DEPARTMENT
SINGAPORE POLICE FORCE
20 May 2026 @ 10:10 PM
