The rising threat of Business Email Compromise (BEC) attacks and CEO Fraud in Asia

In an era defined by rapid technological advancements, Asia's rising prominence as a global economic powerhouse has attracted the attention of cybercriminals who seek to exploit vulnerabilities and capitalize on financial gains. As businesses forge ahead in their pursuit of innovation and growth, it becomes imperative for organisations to understand the nature of these insidious cyber-attacks, and their potential to disrupt their financial resources and tarnish their hard-earned reputation. Amongst these digital perils, Business Email Compromise ("BEC") scams and CEO fraud have emerged as significant and persistent threats, infiltrating corporate domains with alarming frequency. 

In the recently reported case of IBI Group Hellas Single Member Societe Anonyme v Saber Holdings Pte Ltd [2023] SGDC 95 ("SHPL"), the District Court was faced with a competing claim by a company based in Greece (the "Competing Claimant") regarding a sum of around USD 800,000 ("the Seized Monies") held in a Singapore bank account, owned by Singapore company Saber Holdings, which was seized by the Commercial Affairs Department of Singapore ("CAD") in 2021 as part of fraud investigations and which were requested to be released by the CAD after its investigations had concluded. 

While Saber Holdings (represented by Singapore-based special counsel Alvin Lim and associate Valen Lim in Withers' technology and intellectual property team) ultimately succeeded in persuading the Court to return the Seized Monies to it, this case highlights the rising threat and consequences of falling victim to a type of business email compromise attack, also known as "CEO fraud". 

The Facts in SHPL

Acting on a scammer's instructions, an employee of the Competing Claimant transferred around EUR 700,000 to the bank account of a Hong Kong company. It transpired that the same Hong Kong company then assisted a Chinese customer of Saber Holdings in a foreign currency exchange transaction for the purpose of sending to Saber Holdings USD 800,000 as payment for goods purchased from Saber Holdings. The scammer had initially posed as the Competing Claimant's CEO on WhatsApp, instructing the employee to make the transfer for the purposes of purchasing a new company, and had even compromised the CEO's email address in order to send an email with instructions on how to execute the transfer. 

Ultimately, the Seized Monies were returned to Saber Holdings. While both Saber Holdings and the Competing Claimant demonstrated that they had lawful possession and title to the Seized Monies, case law in Singapore indicates that, in such scenarios, seized properties should be restored to the party last in possession before the seizure, i.e., Saber Holdings. 

The Rising Threat of CEO Fraud / BEC Scams

BEC scams have increased in frequency given the increasing number of online or computer-based businesses. According to a statement from the Singapore Police Force, in the first three months of 2022 alone, more than SGD 56.2 million was lost to BEC scams.^[1] 

BEC scams are designed to allow an attacker to gain unauthorized access to a company's confidential information or transfer the company's monies and/or goods to third parties, often through the use of a compromised email account.^[2] BEC scammers often target companies which rely heavily on email correspondence, aiming to target senior executives and/or employees involved in the company's financial transactions.

CEO fraud is perhaps one of the more egregious forms of BEC scams as it comes with heavy financial and reputational risks. Companies and CEOs are left to deal with the fallout when other victims of the BEC scam seek recourse or recovery of the monies. Having access to the CEO or senior executive's email accounts may also allow malicious actors to conduct themselves in a manner which is damaging to the company's public image. 

BEC scams and CEO fraud have become an emerging threat in Asia. 

(a) The FBI has warned that Hong Kong and Thailand bank accounts are often used in BEC scams. There have also been recent cases involving similar scams. In the case of CONCRETE WATERPROOFING MANUFACTURING PTY LTD v CHANGXUAN CO LTD (長勛貿易有限公司) [2020] 5 HKC 137, the scammer pretended to be the managing director of the victim's company and requested its finance manager to make a payment of USD 112,700 (the "Lost Sum") to a designated bank account in Hong Kong. The email address used by the scammer was ‘android.techbox2gulshantaufiquetextile.com’, whereas the actual email address of the managing director was  ‘robg@xypex.com.au’. The victim company had to seek equitable relief from the Hong Kong courts and a declaration that the Lost Sum was held by the scammer on trust for the victim company, as well as the return of the Lost Sum.

(b) In Japan, companies started receiving BEC scams in Japanese.  According to the Japan Computer Emergency Response Team, fake invoices from business partners are the most commonly-used scam in Japan, with impersonation of the CEO or CFO following closely behind.  A leading airline company, an EU subsidiary of a prominent automotive component manufacturer, and an U.S. subsidiary of a media conglomerate have all recently suffered multi-billion yen losses due to BEC scams.  

Mitigating Your Risk 

Companies should stand at the forefront of cybersecurity to mitigate the risk of BEC scams. Taking the measures below can help to prevent scams:

1. Training for staff and employees. Staff should be wary of dubious requests or domain names. Staff should also be trained on proper security habits, such as changing one's password regularly and not clicking on suspicious links. This training should be conducted frequently for employees who often deal with financial transactions. 
2. Implement proper procedures. When dealing with sensitive information or large sums of monies, individuals should check with the relevant parties (verbally and/or physically) to ensure that the emails originate from legitimate parties. Staff should not rush into making payments or disclosing information. Companies should demarcate and set aside channels for employees to clarify any such doubts and to confirm instructions. 
3. Robust IT Policy. The company's IT infrastructure and security measures should be monitored, updated and revised accordingly to prevent the risk of any technical vulnerabilities. Multi-factor authentication and password encryption should be used where necessary or appropriate. Email auto-forwarding should be turned off as scammers often exploit such rules to perpetuate further BEC scams. 
4. Filtering and anti-phishing policy. The company's IT team should block all malicious or spoofed emails through Microsoft 365's anti-spoofing protection, anti-phishing policies and email authentication options. Otherwise, IT teams should implement email filtering to block malware indicators and suspicious IP addresses. 

Prevention is better than cure. It is often very difficult for victims of such scams to retrieve monies that have been lost to scammers, especially for scammers that may be based in other countries or take sophisticated steps to launder the proceeds and hide their tracks. 

We also suggest the following measures be taken when dealing with BEC scams:-

(a) Once funds are transferred to the fraudster's bank account, they will attempt to transfer the funds out as quickly as possible.  As such, it is essential that the victim should immediately contact the bank in question and seek an immediate hold or reversal of the transfer.  

(b) Victims of BEC scams or CEO fraud should also lodge a report with the relevant supervising authorities as soon as possible. For example, in Singapore, it is recommended that victims of BEC scams file a report with the Singapore Cyber Emergency Response Team ("SingCERT").^[3] This will notify them of the scam and assist in preventing further attacks from being perpetuated. In Hong Kong, it is recommended that victims file a report with the Commercial Crime Bureau of the Hong Kong Police, which collaborates with Mainland and international law enforcement agencies on the exchange of intelligence and investigation requests in relation to cross-jurisdictional crimes.

(c) Otherwise, businesses should keep vigilant, monitoring and developing their IT policies in order to ward against potential BEC scams. This is especially the case in Japan, for businesses which manufacture or produce critical materials or raw materials seeking to apply for government certification. ^[4] For such businesses, they would need to be especially cautious regarding their cybersecurity systems and prevent potential security compromises, BEC scams or CEO fraud

(d) as such businesses would be required to explain in their  application documents (i) cybersecurity system (including implementation of appropriate inspections, assessments, and countermeasures against risks), and (ii) measures to prevent technology leakage.