One email. Two transactions. Over RM700,000 lost—just like that.

As reported by NST, a company in Tangkak fell victim to a spoofed email scam, resulting in an accountant unknowingly transferring RM704,234.58 to a fake supplier’s bank account. This was not due to negligence or carelessness, but rather a well-orchestrated cyber deception that exploited trust, routine, and outdated verification practices.

The Anatomy of a Spoofed Email Scam

Business email scams are dangerous precisely because they mimic legitimate communications so convincingly.

Common characteristics include:

  • Emails that closely resemble real supplier or internal company addresses
  • Minor domain changes that are easy to overlook (e.g., .com vs .co)
  • Urgent payment requests tied to real, ongoing transactions
  • Targeting finance or accounting professionals who routinely handle transfers

In this case, the scammer successfully compromised or impersonated the supplier’s email, making the transaction appear routine—until it was too late.

Why Accountants and Finance Teams Are Prime Targets

Cybercriminals don’t randomly choose their victims. They study workflows.

Finance departments are targeted because they:

  • Handle large-value transactions regularly
  • Operate under time pressure and deadlines
  • Rely heavily on email-based instructions
  • Often lack multi-layer verification protocols

The Tangkak incident proves that experience alone is not protection. Even seasoned professionals can be deceived when systems rely solely on trust instead of verification.

The Business Impact Goes Beyond Financial Loss

While RM704,000 is a staggering amount, the hidden consequences can be even more damaging.

Business email scams often result in:

  • Operational disruption and delayed supplier relationships
  • Loss of stakeholder and client confidence
  • Reputational damage within the industry
  • Legal exposure and regulatory scrutiny
  • Emotional stress on employees involved

Once trust in internal processes is shaken, rebuilding it takes time, money, and leadership commitment.

Prevention Starts With Process, Not Just Technology

Technology alone cannot stop spoofed emails—but technology combined with disciplined processes can.

At Condition Zebra, we advocate for:

  • Multi-factor payment verification, especially for changes in bank details
  • Mandatory out-of-band confirmation (phone or secure portal)
  • Advanced email authentication protocols (SPF, DKIM, DMARC)
  • Regular staff awareness training using real-world scam scenarios
  • Incident response readiness, including quick escalation to NSRC (997)

Cyber resilience is not about assuming breaches won’t happen—it’s about being prepared when they do.
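The controls above can be combined into a single hold-for-verification check. The following is an added example, not code from the NST report or from Condition Zebra; the supplier domain, account numbers, gateway hostname, and the 0.85 similarity threshold are constructed assumptions.

```python
import email
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed vendor master: hypothetical supplier domain and account on file.
VENDORS = {"acme-supplies.com": "5140-1122-3344"}

def lookalike_of(domain, threshold=0.85):
    """Return the known supplier domain that `domain` imitates, else None."""
    for known in VENDORS:
        if domain != known and SequenceMatcher(None, domain, known).ratio() >= threshold:
            return known
    return None

def dmarc_verdict(msg):
    """DMARC result from Authentication-Results (trust only your own gateway's header)."""
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "missing"

def review_payment_email(raw, requested_account):
    """Return the reasons a payment request must be held for out-of-band confirmation."""
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reasons = []
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain {domain} resembles {imitated}")
    elif domain not in VENDORS:
        reasons.append(f"sender domain {domain} is not in the vendor master")
    if dmarc_verdict(msg) != "pass":
        reasons.append("DMARC did not pass")
    on_file = VENDORS.get(imitated or domain)
    # A compromised supplier mailbox passes every email check; only this one catches it.
    if on_file and requested_account != on_file:
        reasons.append("bank account differs from vendor master")
    return reasons

# Constructed sample messages (not from the reported incident).
LOOKALIKE = """From: Accounts <billing@acme-supplies.co>
Authentication-Results: mx.example.net; spf=pass; dkim=none; dmarc=none
Subject: Updated bank details

Please use our new account for the pending invoice.
"""
COMPROMISED = LOOKALIKE.replace("supplies.co>", "supplies.com>").replace("dmarc=none", "dmarc=pass")

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("compromised", COMPROMISED)):
        print(name, review_payment_email(raw, "9999-0000-1111"))
```

Any non-empty result means the payment is held until someone confirms the change by calling the supplier on a number already on file, never one taken from the email itself.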

Conclusion

The spoofed email scam reported by NST is a stark reminder that cybercriminals don’t hack systems—they hack human processes. Malaysian businesses, regardless of size, must accept that email is no longer a trustworthy instruction channel on its own.

At Condition Zebra, we believe that cybersecurity is a business responsibility, not just an IT function. By strengthening verification habits, empowering employees, and implementing smarter controls, companies can stop email scams before money leaves the account.

Your Trusted Partner for Complete Protection

Our approach combines technical assessments, continuous monitoring, and practical training to strengthen your overall cybersecurity posture.

Vulnerability Assessment & Penetration Testing (VAPT) – Identify weaknesses across applications, networks, and systems before they can be exploited.
Managed Detection & Response (MDR) – 24/7 monitoring to detect, investigate, and respond to threats in real time.
Security Awareness Training – Equip employees to recognise and prevent phishing and social engineering attacks.
Cybersecurity Training (Online or In-Person) – Covering areas such as Network/Web Penetration Testing and Digital Forensics.

📩 Contact us for a free consultation to learn how our solutions can protect your organisation.


Source: NST, “Spoofed email scam sees accountant transfer over RM700k to fake supplier”
