A 54-year-old company director in Johor recently lost RM6.2 million in what’s becoming an alarmingly common threat — an email scam. And no, this wasn’t some obvious Nigerian prince con. It was a Business Email Compromise (BEC), sleek, professional, and devastatingly effective.

The director filed a police report after being duped into wiring funds for a European equipment purchase to a fraudulent bank account. The scammer had mimicked the supplier’s email address with just enough subtlety to pass undetected by the company’s internal checks, until it was far too late.

How the Scam Unfolded

According to Johor police chief Datuk Kamarul Zaman Mamat, the timeline went something like this:

  • In February 2022, the company made a legitimate equipment purchase from a European supplier
  • In August 2023, the supplier followed up, demanding payment, triggering alarms
  • The director and accounts team realised they had already paid RM6.2 million (or €2.1 million) to what they believed was the supplier’s “new bank account”
  • Upon re-checking the original email, they noticed discrepancies in the sender’s address
  • The real supplier denied ever sending any change request

It was a classic Business Email Compromise: quiet, convincing, and catastrophic.

Business Email Compromise: The Cybercrime You Don’t See Coming

This incident is part of a global wave of BEC attacks that are:

  • Highly targeted, not random
  • Often disguised as legitimate business correspondence
  • Responsible for billions in losses globally each year

And the worst part? Many companies don’t even realise it’s happening until it’s too late.

Key Lessons for Malaysian Businesses

1. Always Double-Check Banking Details

If you receive a request to change a vendor’s bank account, STOP.

Call your verified contact and confirm. Never rely on email alone, no matter how official it looks.

2. Train Your Finance and Procurement Teams

They are on the front lines. Run phishing simulations, conduct BEC awareness sessions, and establish a culture where verification is routine, not optional.

3. Use Email Authentication Tools

Implement SPF, DKIM, and DMARC protocols to prevent spoofed emails from reaching your inbox in the first place. Bear in mind that these protocols confirm a message really came from the domain it claims; a lookalike domain registered by the attacker, as in this case, will pass them, so the verification steps above remain essential.
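To show what the sender checks in lessons 1 and 3 look like in practice, here is an added example (not part of the original post): it parses an incoming message, flags a sender domain that is unknown or merely resembles a vetted supplier domain, a Reply-To pointing elsewhere, and a missing DMARC pass. The trusted-vendor list, the domain names and the sample message are all constructed.

```python
# Added example, not from the original post: flag a vendor e-mail whose sender
# domain is not one we already trust, or only resembles one.
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumption: the organisation keeps a vetted list of supplier domains.
TRUSTED_VENDOR_DOMAINS = {"example-supplier.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message: str, trusted=TRUSTED_VENDOR_DOMAINS) -> list[str]:
    """Return a list of findings; an empty list means nothing looked suspicious."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if from_domain not in trusted:
        near = [d for d in trusted if 0 < edit_distance(from_domain, d) <= 2]
        if near:
            findings.append(f"lookalike domain {from_domain!r} resembles {near[0]!r}")
        else:
            findings.append(f"unknown sender domain {from_domain!r}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain")
    # DMARC verdict stamped by our own receiving mail server, if it records one
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=pass" not in auth:
        findings.append("no DMARC pass recorded in Authentication-Results")
    return findings


# Constructed sample: one character of the supplier domain swapped, a Reply-To
# on another domain, and no DMARC pass on the header our mail server added.
SAMPLE_LOOKALIKE = """\
From: Accounts <billing@example-supp1ier.com>
Reply-To: billing@mail-example-supplier.net
Authentication-Results: mx.ourcompany.example; dmarc=none
Subject: Updated bank account for invoice 4471

Please remit payment to our new account details attached.
"""
```

Run the checker on each incoming vendor invoice or payment-change request and route any message with findings to a human for the phone verification in lesson 1.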

4. Set Up Dual Authorisation for High-Value Transactions

Require multi-person approval for all payments above a specific threshold. It’s one of the most effective internal controls.

5. Audit Your Cybersecurity Posture Regularly

Use professional services to test, audit, and strengthen your systems. Penetration testing, vulnerability assessments, and endpoint protection are essential layers of defence.

Final Thoughts

This director’s RM6.2 million loss wasn’t caused by carelessness but by a lack of cyber vigilance. BEC scams are evolving, and if your team isn’t trained or your systems aren’t hardened, it’s only a matter of time before you’re targeted.

You can’t always stop scammers from sending fake emails, but you can prevent your company from falling for them.
At Condition Zebra, we specialise in helping organisations build cyber resilience through a combination of:

  • Cybersecurity awareness training
  • Threat simulation exercises
  • Penetration testing and risk assessments
  • Email and endpoint security consultation

Request a Consultation With a Cybersecurity Expert