7 June 2026

A Local Business Lost $300k SGD to an Email Scam.
Here is how it happened.

A 30-year-old Singapore fashion company got hit by a business email compromise scam and lost around $300k SGD. The hacker was already inside their system before the transfer even happened. I break down exactly how it worked, and share a near-miss from my own business.

A 30-year-old company. Gone in one transfer.

I came across a news report about a local fashion company with 30 years of history, operating in Singapore and overseas. The owner, referred to as Mr Lee, had his company email system compromised by scammers. What followed was a $300k SGD loss that took one approved transfer to execute.

This is not a story about someone being careless or naive. It is a story about how sophisticated these attacks have become, and why even experienced business owners get hit.

Step by step, here is what actually happened.

Step 1: The hacker got into the email system.

The scammer breached Mr Lee's company email system and gained access to internal communications. This is the part most people miss -- the hacker was not guessing. They were reading actual emails, learning the business, and waiting for the right moment.

They discovered that Mr Lee's company had an upcoming payment to a Hong Kong supplier scheduled for February 6.

Step 2: They impersonated the supplier.

On January 21, the real Hong Kong supplier sent a legitimate payment request. The scammer used this as a reference point. On February 3, just days before the scheduled transfer, an email arrived appearing to come from the supplier, asking the company to update their bank account details before processing the payment.

The fake email domain was nearly identical to the real one, with just one letter different. At a glance, it looked completely legitimate.
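A check for the one-letter-off sender domain described above, written as an added example (it is not from the news report or from any tool used in the case). The supplier domains, sample headers and the `max_distance` threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed placeholder domains; a real list would come from the supplier master file.
KNOWN_SUPPLIER_DOMAINS = {"hk-textiles.example", "vivid-fabrics.example"}


def edit_distance(a, b):
    """Edits (insert, delete, substitute, adjacent swap) needed to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "textiles" -> "textlies"
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header, known=KNOWN_SUPPLIER_DOMAINS, max_distance=2):
    """Return ("known" | "lookalike" | "unknown" | "invalid", matched domain or None)."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if "@" not in addr or not domain:
        return ("invalid", None)
    if domain in known:
        return ("known", domain)
    for real in sorted(known):
        # Close to a real supplier domain but not equal: hold the payment and call.
        if edit_distance(domain, real) <= max_distance:
            return ("lookalike", real)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed From: headers
    for header in (
        "Accounts <ap@hk-textiles.example>",
        "Accounts <ap@hk-textlles.example>",  # one letter changed
        "Sales <hello@unrelated-shop.example>",
    ):
        print(header, "->", classify_sender(header))
```

A check like this only catches the impersonated supplier message from Step 2. Mail sent from a genuinely compromised internal mailbox, as in Step 3, comes from the real domain and passes it.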

Step 3: They used the boss's own email to instruct staff.

Here is the part that makes this particularly difficult to defend against. Because the scammer had access to Mr Lee's email account, they did not just impersonate an external supplier. They sent transfer instructions to staff from what appeared to be the boss's own email address.

Staff received what looked like an internal instruction from their own boss to process the payment to the new account. There was no obvious red flag from their side.

Step 4: The transfer was approved too quickly.

Mr Lee was driving when the approval came through. He approved it on the go without pausing to verify. By the time anyone realised something was wrong, the money had moved. The company lost around $220k USD, equivalent to roughly $300k SGD.

The scam did not beat his intelligence. It beat his process. There was no friction built in for bank account changes, and no rule that said approvals cannot happen while driving.

What happened after.

Mr Lee's wife flew to Hong Kong to file a report. They also notified the Hong Kong Monetary Authority and the relevant banks. Singapore Police confirmed they received the report and investigations were ongoing. By the time they acted, however, over a month had passed since the transfer, and recalls are extremely difficult once funds have moved to secondary accounts.

Same playbook. Different outcome.

Around the same time I read this story, my wife Sylvia received a WeChat message from our usual supplier contact at a factory we work with for Vivre Activewear. The message said they needed to change their bank account from China to Hong Kong, something about qualifying for a better wholesaler rating.

It sounded plausible. We had been dealing with this supplier for a while. The message came from a contact we recognised.

But I told Sylvia to verify before doing anything. Not through WeChat. Not by replying to the same thread. Separately -- direct email to the factory, contact the boss directly.

Turns out it was completely legitimate. They really did change their bank account.

But here is the thing. We had no way of knowing that from the WeChat message alone. The process of verifying was correct regardless of the outcome. If it had been a scam, we would have caught it. Since it was legit, we confirmed it and moved on.

You cannot tell the difference between a scam and a legitimate request just by looking at it. That is the whole point. You verify anyway.

Simple rules that actually help.

Never verify through the same channel the request came from.

If the bank change request came by email, do not reply to that email to check. Call a number you already have saved. Email a separate address you know is real. The scammer controls the channel they used to contact you. They cannot control your phone call to a number you stored yourself six months ago.

Bank account changes should require a second layer of confirmation.

Build this into your process. Any request to change a supplier's bank details needs a phone call to a known contact before you update anything. This is not about distrust. It is just standard operating procedure now.

Approvals should not happen while driving or distracted.

If you are the approver, give yourself two minutes to actually look at what you are approving. A transfer of any significant size deserves thirty seconds of focused attention. That is all it would have taken here.

If your email gets compromised, act immediately.

Change passwords, enable 2FA if you have not already, and check for any mail rules or forwarding that were added without your knowledge. In Mr Lee's case, the scammer had added accounts and rules inside the Microsoft email system. These are not always visible unless you actively look.
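One way to "actively look" at inbox rules, as an added example that is not from the incident or from Microsoft. It assumes the rules have already been exported in the shape of Microsoft Graph `messageRule` objects; the company domain, the sample rules and the "hides mail" heuristic are constructed assumptions.

```python
COMPANY_DOMAIN = "company.example"  # constructed placeholder

# Constructed sample, shaped like the messageRule objects Microsoft Graph returns
# from /me/mailFolders/inbox/messageRules. Names and addresses are made up.
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "folder-id-placeholder"}},
    {"displayName": "Ops copy", "isEnabled": True,
     "conditions": {"subjectContains": ["delivery"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ops@company.example"}}]}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["payment", "invoice", "bank"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "inbox@outside.example"}}],
                 "delete": True}},
]

FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def external_recipients(actions, company_domain):
    """Addresses a rule sends mail to that are not on the company's own domain."""
    found = []
    for key in FORWARD_ACTIONS:
        for rcpt in actions.get(key) or []:
            addr = (rcpt.get("emailAddress") or {}).get("address", "").lower()
            if not addr.endswith("@" + company_domain):
                found.append(addr)
    return found


def audit_rules(rules, company_domain=COMPANY_DOMAIN):
    """Return [(rule name, state, [reasons])] for rules to review by hand."""
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        reasons = []
        external = external_recipients(actions, company_domain)
        if external:
            reasons.append("forwards outside the company: " + ", ".join(external))
        # Heuristic (assumption): deleting, or filing away as already read, hides replies.
        if actions.get("delete") or actions.get("permanentDelete") or (
                actions.get("moveToFolder") and actions.get("markAsRead")):
            reasons.append("hides matching mail from the mailbox owner")
        if reasons:
            state = "enabled" if rule.get("isEnabled", True) else "disabled"
            findings.append((rule.get("displayName", ""), state, reasons))
    return findings
```

Forwarding configured on the mailbox itself, rather than as an inbox rule, is a separate setting and will not appear in a rule list like this one, so check it as well.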

Common questions about business email scams.

What is a business email compromise (BEC) scam?

It is when a scammer gains access to or impersonates a company email account to trick staff into transferring money or updating payment details. They usually monitor internal communications first so the attack is timed and targeted, not random.

How do you verify if a bank account change request is legitimate?

Do not verify through the same channel the request came from. Call the supplier on a number you already have saved, or email a separate address you know is real. If the request came via WeChat or WhatsApp, follow up with a direct call to the factory. Take five minutes. It is worth it.

What should you do if you think you have been scammed?

Contact your bank immediately to attempt a recall. File a police report in Singapore. If the receiving account is in another country, notify the relevant financial authority there as well. Speed matters because once the money moves to a second account, recovery becomes very difficult.

Can this happen to small businesses too?

Yes. Scammers do not only target large companies. If you have regular supplier relationships and make bank transfers, you are a potential target. The attack scales down just as well as it scales up.

You cannot always prevent it. But you can make it harder.

Mr Lee is reportedly still doing well financially despite the loss. The point of sharing this is not to shame anyone. It is because he himself said he hopes that by going public, other businesses will not become victims.

The scam worked because the process had no friction at the right moment. Build in the friction. Verify through a separate channel. Do not approve significant transfers on the go.

That is about as much as any of us can do.

Kevin Chia is a Singapore-based entrepreneur and consultant. He co-built Vivre Activewear from $10k to $2M+ in annual revenue, and is the founder of Snapbook.ai, a SaaS platform for Singapore SMEs. He writes about business, semi-retirement, and tools that actually work at kevinchia.sg.