A finance employee at the Hong Kong office of British engineering firm Arup joined what looked like a routine Microsoft Teams call with the company's UK-based Chief Financial Officer and several other "colleagues." He left the call having authorised 15 wire transfers totalling HK$200 million — about US$25.6 million. Every face on that call, except his own, was an AI-generated deepfake. (Hong Kong Police briefing, 4 February 2024, reported by CNN; Arup confirmed it was the victim on 16 May 2024 — CNN Business.)

That was the wake-up call for Asia-Pacific finance and treasury teams, including in Singapore. By 25 March 2025, a finance director at a multinational firm in Singapore had wired US$499,000 (about S$670,000) after a near-identical Zoom-call ruse, this time with the company's "CFO" and "CEO" both deepfaked, and an "external lawyer" sending an NDA on the side. (Singapore Police Force / MAS / CSA Joint Advisory, 12 March 2025.)

If your business pays vendors, runs payroll, or moves money on instruction from senior staff — which is to say, if your business is a business — this article is for you. The next sections cover what is happening, what the law in Singapore says, and where Cyber, Crime/Fidelity, and Social Engineering insurance does and does not respond. We are an MAS-registered introducer under FAA-N02; we do not advise on, recommend, or arrange policies. We point you to a licensed Independent Financial Adviser (IFA) at the end so you can compare actual wordings.

The Arup case, reconstructed

The attack on Arup's Hong Kong office is now the most widely cited deepfake-driven fraud in Asia. It is also the most useful case study for SMEs, because almost nothing about it required exotic technology.

In mid-January 2024, an employee in the Hong Kong finance department received an email purportedly from Arup's UK-based CFO referring to a "secret transaction" that needed to be carried out. The employee initially thought it was phishing. (South China Morning Post, 17 May 2024.)

Then came the video conference. On the call, the employee saw and heard what looked and sounded like the CFO and several other senior colleagues. Hong Kong Police Senior Superintendent Baron Chan Shun-ching told public broadcaster RTHK that "in the multi-person video conference, it turns out that everyone [he saw] was fake." (CNN, 4 February 2024.) The employee was instructed to make 15 transfers to five Hong Kong bank accounts, totalling HK$200 million. He realised he had been scammed only after following up with Arup's UK headquarters about a week later.

Arup's global Chief Information Officer, Rob Greig, later confirmed the fraud publicly, telling the Financial Times and Dezeen: "We can confirm that fake voices and images were used. Our financial stability and business operations were not affected and none of our internal systems were compromised." Greig added: "Like many other businesses around the globe, our operations are subject to regular attacks, including invoice fraud, phishing scams, WhatsApp voice spoofing, and deepfakes. What we have seen is that the number and sophistication of these attacks has been rising sharply in recent months." (Dezeen, 17 May 2024.)

Three points matter for Singapore SMEs:

  • The attack did not breach Arup's network. No malware, no stolen passwords, no access to Arup's IT environment. The attackers exploited human trust, not technical vulnerability. The Professional Risk Managers' International Association case study notes that all of Arup's traditional cybersecurity layers — firewalls, MFA, endpoint protection — were operating effectively throughout. (PRMIA Case Study on Arup.) That is the single most important fact in this whole article. Cyber controls that defend against intrusion will not stop a deepfake video call.
  • No arrests, no recovery. As of early 2025, Hong Kong Police investigations remained ongoing and no perpetrator had been publicly identified or stolen funds recovered, according to the most current public reporting. (PurpleSec Arup case file.)
  • The mechanics are reproducible. The attackers built convincing avatars from publicly available material — LinkedIn videos, conference recordings, interviews. McAfee's Beware the Artificial Impostor research (May 2023) demonstrated that just three to four seconds of voice recording was enough for a free voice-cloning tool to produce a clone matching a researcher's voice at an estimated 85% accuracy. OpenAI's Voice Engine, announced 29 March 2024, requires only a 15-second audio sample. A few minutes of video is enough for a passable real-time face-swap.

What is happening in Singapore

Singapore's regulator, police force, and cybersecurity agency have all gone on the record that this attack pattern is now operating against companies based here.

On 12 March 2025, the Singapore Police Force, Monetary Authority of Singapore, and Cyber Security Agency of Singapore issued a joint advisory titled Scams Involving Digital Manipulation. The advisory describes "scams involving digital manipulation, in which Artificial Intelligence (AI) is allegedly used to create or manipulate synthetic media (i.e. deepfakes)." It describes the now-familiar pattern: an unsolicited WhatsApp message from a "high-ranking executive," followed by an invitation to a live-streamed Zoom video call where digitally manipulated participants instruct the victim to transfer funds. (SPF/MAS/CSA Joint Advisory, 12 March 2025.)

The headline Singapore case sits inside that advisory. On 24 March 2025, the finance director of a multinational firm in Singapore was contacted on WhatsApp by someone purporting to be the company's CFO. On 25 March, the director joined a Zoom call featuring the "CEO" and other "officers" — all deepfaked. A separate "lawyer" emailed a non-disclosure agreement. The director transferred US$499,000 from the company's HSBC account to a Singapore mule account, from which US$494,000 was onward-transferred to Hong Kong accounts. He realised it was a scam only when an additional US$1.4 million transfer was demanded the next day. The Singapore Anti-Scam Centre and Hong Kong's Anti-Deception Coordination Centre worked together to seize the full amount in Hong Kong by 28 March. (HRD Asia, citing SPF; Reality Defender summary of MAS report.)

Six months later, on 18 September 2025, MAS published an information paper titled Cyber Risks Associated with Deepfakes (MAS/TCRS/2025/06). It is intended for financial institutions but reads as a near-checklist for any business at risk. The paper identifies three core deepfake threat vectors: defeating biometric authentication, social engineering and impersonation scams, and misinformation/disinformation aimed at investor confidence. It cites the Arup case and the Singapore US$499,000 case as examples. (MAS Information Paper, September 2025.)

The broader Singapore scam picture frames why all of this matters at the SME level:

  • The SPF Annual Scams and Cybercrime Brief 2024 reported total scam losses of at least S$1.1 billion in 2024, up 70.6% from S$651.8 million in 2023. (SPF Annual Scams and Cybercrime Brief 2024.)
  • Within that total, Business Email Compromise scams accounted for S$88.5 million of losses in 2024, ranking among the top five scam categories by amount lost. (Same brief.)
  • The largest single BEC case in 2024 hit a Singapore commodities firm. On 19 July 2024, the firm transferred US$42.3 million (about S$57.2 million at the time) to what staff thought was a long-time supplier; the attackers had spoofed the supplier's domain by replacing an "i" with an "l". The SPF Anti-Scam Centre, working with INTERPOL and Timor-Leste authorities, recovered US$39 million within 24 hours of being notified, with seven suspects ultimately arrested. (SPF News Release, 3 August 2024.)
  • The 2025 picture eased slightly. The SPF Annual Scam and Cybercrime Brief 2025 reported 41,974 cases (down 24.8% from 2024) and S$913.1 million in scam losses. BEC remained in the top five by amount lost. (SPF Police Life summary.)

Deepfakes of senior Singapore Government officials have been used in retail investment scams since at least December 2023 — including videos of then-DPM Lawrence Wong and former PM Lee Hsien Loong endorsing fake investment products. (CSA Advisory AD-2024-006.) On 7 March 2025, PM Wong publicly warned that deepfakes of him were being used to sell crypto schemes and PR application services. (Yahoo News / Bloomberg, 7 March 2025.) These campaigns are aimed at retail investors, not SMEs directly, but they tell you the technology is in active use against Singapore-based audiences.

How the attack actually works

The technical floor has dropped. None of this requires a state actor.

Source material. Attackers harvest video and audio from LinkedIn, YouTube, conference recordings, internal town-halls reposted publicly, and media interviews. McAfee's 2023 Beware the Artificial Impostor research demonstrated that "just three to four seconds of voice recording was enough" for a free tool to clone a voice at 85% accuracy. OpenAI's Voice Engine product, announced 29 March 2024, generates speech from a 15-second sample. (PurpleSec Arup case file, on source-data harvesting.)

The "live deepfake." Earlier deepfakes were rendered in advance. Today's fraud calls run a live face-swap on top of a real attacker's webcam feed in real time, and feed a cloned voice from a text-to-speech model. The Arup attackers populated a multi-participant call with several deepfaked "executives" simultaneously — not because each was unique, but because the social pressure of seeing several colleagues agreeing in real time overrides individual scepticism.

Voice cloning bypasses voice biometrics. Some banks and corporate phone systems use voice-print authentication. The CrowdStrike 2025 Global Threat Report (released 27 February 2025) reported that voice phishing (vishing) attacks rose 442% between the first and second halves of 2024. (IT Brew citing CrowdStrike, 30 May 2025.)

Synthetic identity for KYC bypass. The same technology is being used to defeat onboarding KYC — submitting deepfake selfies and document photos. At his 4 February 2024 briefing, Hong Kong Senior Superintendent Baron Chan Shun-ching told reporters that in one investigation, "on at least 20 occasions, AI deepfakes had been used to trick facial recognition programs by imitating the people pictured on the identity cards." (CNN, 4 February 2024.)

Delivery vectors. All five major channels are now active: spear-phishing email, WhatsApp, Microsoft Teams / Zoom / Webex, voice calls, and Telegram. The most successful attacks combine two or more — typically a WhatsApp message to set up a "Teams call," because WhatsApp is outside corporate email security and Teams is trusted.

The "look for weird artifacts" advice has expired. Older guidance told staff to look for unnatural blinking, lighting mismatch, or lip-sync drift. By 2024–2026, the better deepfake models eliminate most of those tells. Singapore's CSA itself acknowledges that "deepfake detection tools for general consumer use are still nascent." (CSA Advisory AD-2024-006.)

The "callback" myth. The standard advice — "if in doubt, hang up and call the person back on their normal number" — works only if the attacker has not also compromised the contact route. Attackers have been seen using a fake WhatsApp profile with the executive's photo, then routing the "call back" to themselves, or providing a "new number for security reasons" (the Ferrari case, below). The verification has to happen on a channel and number you established before the request, not one provided in the request.

Other deepfake fraud cases worth knowing

WPP, May 2024 (attempt, unsuccessful). Fraudsters set up a fake WhatsApp account using a public photo of WPP CEO Mark Read and used it to invite a senior agency leader to a Microsoft Teams meeting. Inside the meeting, the attackers played a voice clone of Read alongside YouTube footage and impersonated Read off-camera in the chat window. The targeted leader was asked to set up a "new business" to solicit money and personal details. WPP confirmed the attempt was prevented. Read wrote in an internal email: "We all need to be vigilant to the techniques that go beyond emails to take advantage of virtual meetings, AI and deepfakes." (Slashdot, citing The Guardian email; MM+M Online.)

Ferrari, July 2024 (attempt, unsuccessful). A Ferrari executive received WhatsApp messages from a number with CEO Benedetto Vigna's photo: "Hey, did you hear about the big acquisition we're planning?" A follow-up phone call featured a voice clone with Vigna's southern Italian accent, asking for an "unspecified currency hedge transaction." The executive asked the caller to name the title of a book Vigna had recommended a few days earlier (Decalogue of Complexity by Alberto Felice De Toni). The attacker hung up. (Bloomberg, 26 July 2024; Fortune.)

LastPass, April 2024 (attempt, unsuccessful). A LastPass employee on the sales team received calls, texts, and a WhatsApp voicemail using deepfake audio of CEO Karim Toubba demanding urgent action. The employee was suspicious because LastPass does not normally use WhatsApp for business communication, and reported it. Intelligence analyst Mike Kosak wrote: "An employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO." (BleepingComputer, citing LastPass blog.)

UAE bank, January 2020 (US$35 million, successful). This is the older precedent — a Hong Kong-based branch manager of a Japanese company was tricked by deepfake voice imitating a company director, combined with forged emails referencing a fake lawyer named "Martin Zelner." The branch manager authorised US$35 million in transfers across at least 17 accounts globally. UAE authorities filed court documents seeking US help to trace US$400,000 routed through Centennial Bank. (Dark Reading, citing Forbes / court filings.)

Beazley insured, 2023 (US$6 million, successful). A CFO of a Beazley-insured company received a WhatsApp video that appeared to be from the CEO, then continued via chat after "video failed." Over two weeks, the CFO transferred more than US$6 million across multiple payments to a fraudulent Hong Kong account. Beazley paid the claim. This is one of the few publicly described deepfake claims the insurance market has acknowledged paying. (Beazley case study.)

The pattern is consistent: WhatsApp or email setup; an "urgent, confidential" reason; a video call where seeing the boss and other colleagues is the trust-building moment; a "lawyer" or "advisor" lending procedural authority; instructions to wire to specific accounts. The only variable is whether someone in the chain pauses long enough to verify out-of-band.

The attack patterns Singapore SMEs are seeing

Based on the SPF/MAS/CSA joint advisory, the MAS Cyber Risks Associated with Deepfakes paper, and reported cases, the playbook applied to Singapore SMEs falls into several recognisable shapes:

  • The "urgent acquisition" pattern. The deepfake CEO calls the finance director or treasurer to authorise a large transfer for a confidential M&A deal, with a "lawyer" sending an NDA. This is the Arup pattern and the Singapore March 2025 US$499,000 pattern.
  • The "supplier change" pattern. A long-standing vendor's "finance director" calls or emails the AP team to confirm new bank account details before the next invoice. Voice deepfaked from a recorded call. This is the structure of the S$57.2 million commodities-firm case (where the trick was a domain look-alike, but the same pattern with voice deepfake is now active).
  • The "regulatory authority" pattern. A deepfake purporting to be a MAS officer, SPF officer, or bank Relationship Manager directs a transfer to a "safety" or "audit" account. The SPF/MAS warning of 30 November 2024 noted that government-official impersonation scam losses for the first ten months of 2024 reached at least S$120 million, almost double the same period in 2023. (SPF/MAS Joint Advisory, 30 November 2024.)
  • The "internal HR" pattern. A deepfake CEO directs HR or payroll to transfer a "discretionary bonus" or "consultant fee" to a new payee. Often timed to a known travel period of the real CEO.
  • The "stranded executive" pattern. A deepfake of a director "stuck overseas" needs an emergency transfer for a hotel, lawyer, or visa fixer.
  • The "crypto on-ramp" pattern. The instruction is to convert the funds to USDT or another stablecoin and send to a wallet. The SPF Annual Brief 2024 noted cryptocurrency-related losses jumped from 6.8% of total scam losses in 2023 to 24.3% in 2024.
  • The "subsidiary" pattern. Singapore is a regional HQ for many MNCs. A deepfake of the regional CFO instructs a local Singapore branch to transfer funds to a "subsidiary acquisition." This is functionally the Arup setup.

The SPF, MAS, and CSA emphasise: there is no public Singapore deepfake detection technology that they currently recommend. The defence is procedural — out-of-band verification on a pre-established channel — not technical.

Singapore Insurance Market Context

This is where it gets technical, and where SMEs are most often surprised after a loss. Three insurance product families are involved: Cyber, Crime/Fidelity, and the Social Engineering Fraud (SEF) extensions that bridge the two. None of them automatically pay a deepfake-driven funds-transfer loss. All of them have specific conditions that determine whether they do.

Cyber Insurance. A typical Singapore SME cyber policy includes coverage for breach response, network security failure, business interruption, and third-party privacy liability. Most Singapore-distributed cyber policies now include a Funds Transfer Fraud (FTF) or Social Engineering Fraud insuring agreement, but as a sub-limit — a smaller cap inside the main aggregate. MSIG Singapore's own market commentary acknowledges the dynamic: "As impersonation scams and business email compromise become more sophisticated, insurers may cap limits or narrow the terms for these types of claims. These incidents are difficult to verify and prevent, making them a growing concern for underwriters." (MSIG Singapore, "Ins and Outs of Cyber Policies".) No Singapore insurer publishes a standardised SEF/FTF sub-limit on its public fact sheet — figures appear only in individual quotes.

The "voluntary parting" problem. This is the single most important wording issue for deepfake claims. A traditional Computer Crime insuring agreement responds only when funds are taken without the insured's authorisation — for example, when a hacker breaches the bank login and transfers funds directly. In a deepfake CEO scam, the insured employee voluntarily authorises the transfer (because they were tricked). Insurers have historically excluded these "voluntary parting" losses unless the policy specifically endorses Social Engineering Fraud or Fraudulent Instruction coverage. (Aon, "When is a cyber crime not a cyber crime?".)

The "verified instruction" condition. Many Cyber and Crime policies condition Social Engineering Fraud coverage on the insured having performed a verification step — typically an out-of-band callback to a pre-established number — before transferring funds. AIG's Singapore CyberEdge policy wording, for example, includes the condition that "the Fraudulent Instruction was Verified prior to" the transfer. (AIG Singapore CyberEdge wording; AIG Singapore CyberEdge product page.) If the AP clerk did not call the CEO back on their real mobile number — or did call back on a number provided by the attacker — the insurer may decline the claim.

Crime / Fidelity Insurance. A standalone Commercial Crime policy traditionally covers employee dishonesty, computer fraud, and forgery. The relevant agreements for deepfake-driven losses are:

  • Computer Fraud — covers loss from a hacker manipulating systems. Usually does not cover voluntary transfers.
  • Funds Transfer Fraud — covers fraudulent instructions to a financial institution to transfer funds from the insured's account. May or may not cover deepfake-induced instructions, depending on wording.
  • Social Engineering Fraud / Fraudulent Instruction / Impersonation Fraud — explicitly designed for the deepfake/BEC scenario where an employee was tricked into transferring funds. Usually offered as an endorsement, with its own sub-limit.

Marsh Singapore describes the position bluntly on its commercial crime page: "Today's crime risks extend well beyond familiar types of fraud. Social engineering and deepfake technology are enabling more convincing impersonation schemes... Many organisations assume they are covered, only to discover gaps after a loss." Marsh confirms it places "complex crime programmes, ranging from US$10 million to US$300 million," and lists "Social engineering fraud — Criminals impersonate executives using email, phone, or even deepfake technology to deceive staff into transferring funds" as a covered risk on appropriately structured programmes. (Marsh Singapore Commercial Crime.)

Affirmative deepfake coverage in 2026. Globally, a small number of insurers have begun adding affirmative deepfake language. The most notable is Coalition's Deepfake Response Endorsement, announced 9 December 2025. The endorsement amends Coalition's Impersonation Fraud insuring agreement, expands the trigger for a Funds Transfer Fraud event to include "fraudulent instruction transmitted through the use of deepfakes or any other artificial intelligence technology," and provides up to US$250,000 for forensic analysis, takedown, and crisis communications. Coalition has explicitly listed the territories where this endorsement is available: the United States, the United Kingdom, Canada (including Quebec), Australia, Germany, Denmark, Sweden, and France. (Coalition press release, 9 December 2025; IA Magazine product profile, 27 February 2026.)

Singapore is not on Coalition's list. SMEs in Singapore looking at this product would need to access it via an offshore route, which is outside the scope of standard Singapore intermediary distribution.

Singapore-distributed cyber and crime insurers have not, to public knowledge as of May 2026, announced affirmative deepfake-specific endorsements branded as such. Coverage for deepfake-driven CEO transfers in Singapore relies on the existing Fraudulent Instruction, Impersonation Fraud, or Social Engineering Fraud insuring agreements within Cyber or Crime policies — typically subject to (a) verification preconditions, (b) sub-limits well below the main aggregate, and (c) careful claims investigation around whether the loss was a "voluntary parting." Beazley operates from a Singapore hub via Lloyd's Asia and writes Fraudulent Instruction coverage that has paid deepfake-style claims globally. (Lloyd's Asia / Beazley Singapore; Beazley case study.)

The Lloyd's Asia route. Singapore is Lloyd's Market's largest underwriting centre outside London, with 15 syndicates and over 200 expert underwriters. (Lloyd's Singapore.) For SMEs needing higher Crime/SEF limits or wordings closer to London market practice, an MGA or coverholder route into a Lloyd's syndicate is generally available via a licensed Singapore broker.

The sub-limit erosion problem. The Arup loss was US$25.6 million. A Singapore SME holding a S$1m–S$5m main cyber limit with a typical S$100,000–S$250,000 SEF sub-limit would be looking at a coverage shortfall of more than 95% on an Arup-scale event. Even on the Singapore March 2025 US$499,000 case, a S$250,000 sub-limit would have left more than half the loss uninsured. This is the primary reason crime/cyber insurance is not a substitute for procedural controls.

Defence costs vs indemnity. Some policies pay defence and forensic costs inside the same sub-limit as the indemnity. A S$250,000 SEF sub-limit that has to fund forensic investigation, legal advice, and the loss itself can be exhausted before the SME sees any indemnity payment for the wired funds.

Notification triggers. Most Singapore-distributed cyber policies require notification within 72 hours of the insured becoming aware of a covered event; some require 24 hours. Late notification is a common reason for declined claims. Notification to the bank should happen within minutes — the SPF/HK ADCC recovery on the March 2025 US$499,000 case worked because the bank was alerted within hours and Hong Kong banks were able to freeze the receiving accounts.

Singapore legal and regulatory position

Several Singapore statutes and regulatory instruments touch deepfake-driven fraud:

Penal Code 1871, sections 415, 416, 420. Cheating, cheating by personation, and cheating with delivery of property. A deepfake video instructing a transfer is squarely within section 416 (cheating by personation) read with section 420 (cheating to induce delivery of property). (Penal Code 1871 on Singapore Statutes Online.)

Computer Misuse Act 1993 (CMA). Sections 3, 4, 5 and 7 cover unauthorised access, modification, and use of computer material. Where a deepfake fraud touches the insured's IT systems (for example, compromising a calendar to insert the fake meeting), CMA charges may apply. (Singapore Statutes Online, CMA 1993.)

Online Criminal Harms Act 2023 (OCHA). OCHA empowers government agencies to issue Stop Communication Directions, Account Restriction Directions, and Disabling Directions to platforms hosting scam-related content, including deepfakes. The threshold for a scam-related direction is lower than for general criminal harms, recognising the speed required. (CNP Update on OCHA.) On 24 September 2025, the OCHA Competent Authority issued a formal Implementation Directive to Meta requiring the platform to implement measures targeting "scam advertisements, accounts, profiles, and/or business pages impersonating key Government Office Holders on Facebook." (Hogan Lovells, on the SPF directive.)

Personal Data Protection Act 2012 (PDPA), section 26D. If a deepfake-related compromise exposes personal data — for example, employees' identity documents or customer records used to construct the deepfake or transmitted in the course of the fraud — the organisation must notify the Personal Data Protection Commission within 3 calendar days of assessing the breach as notifiable, and notify affected individuals as soon as practicable. The threshold is "significant harm" or scale of 500+ individuals. Maximum financial penalty under amendments now in force is up to 10% of annual turnover in Singapore or S$1 million, whichever is higher. (PDPA section 26D, Singapore Statutes Online.)

Protection from Scams Act 2025. Came into operation 1 July 2025. Empowers SPF officers to issue Restriction Orders to the seven Domestic Systemically Important Banks (DBS, OCBC, UOB, Citibank, HSBC, Maybank, Standard Chartered) restricting individual banking and credit facilities for up to 30 days at a time (extendable up to 180 days total). This is aimed at retail consumer self-effected transfers, not corporate accounts, but it indicates the direction of travel. (Protection from Scams Act 2025; MHA Press Release, 30 June 2025.)

Shared Responsibility Framework (SRF). Implemented 16 December 2024 via MAS and IMDA Guidelines. Allocates phishing-scam losses between financial institutions, telcos, and consumers when defined duties are breached. The SRF covers consumer retail accounts and phishing scams with a Singapore digital nexus — it does not cover SME corporate accounts in deepfake CEO scams. (MAS Guidelines on SRF; MAS/IMDA Press Release 24 October 2024.)

MAS Notice 626 / 1015 / 656 (AML/CFT for FIs). Apply to financial institutions, not SMEs directly, but indirectly relevant: an SME's bank is required to monitor for unusual transactions. This is why the bank, not the SME, is often the first to notice and freeze a fraudulent transfer.

MAS Information Paper on Cyber Risks Associated with Deepfakes (MAS/TCRS/2025/06, September 2025). Not a binding rule, but signals what MAS expects from financial institutions on deepfake risk management — and increasingly informs supplier and customer due diligence on SME business partners. (MAS information paper page.)

Concrete scenarios for a Singapore SME

To make this real, here are four short scenarios reconstructed from the SPF advisories and reported cases.

Scenario 1 — F&B chain, "urgent acquisition." A Singapore F&B chain's Accounts Manager receives a Microsoft Teams calendar invitation marked "Confidential — Acquisition Opportunity," apparently from the founder. On the call are the founder, the CFO, and an "external lawyer." The founder explains the chain is buying a competitor and needs an S$800,000 escrow deposit moved within the hour. The lawyer sends an NDA. The Accounts Manager makes the transfer. All three "people" on the call are deepfaked. Cyber policy with S$250,000 SEF sub-limit, no out-of-band verification performed before transfer — claim partially paid up to sub-limit, S$550,000 retained by the business.

Scenario 2 — Manufacturing SME, "supplier change." A Singapore manufacturing SME's AP clerk receives a phone call from a long-time Vietnamese supplier's "finance director" — the voice is right, the accent is right, the references to last quarter's invoices are accurate. The "finance director" advises that the supplier has changed banks and asks for the next month's payment of S$150,000 to go to a new account in Hong Kong. The clerk updates the vendor master file. The voice was deepfaked from a recording of an earlier phone call; the conversation details came from a previously-phished email account. No out-of-band verification on the pre-established main number. SEF sub-limit insufficient; vendor master data hygiene cited as the gap.

Scenario 3 — Tech SME, "consultant payment." A Singapore tech SME's HR manager gets a WhatsApp video deepfake from the founder, who is "travelling abroad," requesting an urgent payment of S$60,000 to a "consultant" for a confidential pre-Series B project. The founder's WhatsApp profile is correct because the attacker created an account with a public photo. The "founder" provides the consultant's bank details and asks HR to "skip the usual approval" for confidentiality. Below the SEF sub-limit, but loss recovered against the policy only because HR had already conducted dual approval through a code-word system the founder had instituted six months earlier.

Scenario 4 — Logistics SME, "fraud-recovery account." A Singapore logistics SME's treasury team receives a Zoom call from a person identifying as the "DBS Relationship Manager," confirmed by an SMS from a Sender ID that looks genuine. The "RM" warns that the company's account has been used in an external scam and asks for an urgent transfer to a "fraud-recovery holding account" while DBS investigates. This pattern is straight out of the SPF/MAS 30 November 2024 advisory. Because the SRF excludes corporate accounts, the SME has no direct payout claim against the bank under the SRF, and any insurance recovery depends on whether the policy includes Impersonation Fraud and whether out-of-band verification was performed on a number the SME established with DBS before the call.

What This Means for Your Business

A deepfake-driven funds-transfer fraud is not a cyber-defence problem you can fix by buying better firewalls. It is a process and procurement problem, with insurance as a backstop. The actionable shape of the response is consistent across the SPF, MAS, CSA, and the major Singapore brokers:

Step 1 — Out-of-band verification protocols. For any payment over a defined threshold (some companies use S$10,000; others S$50,000; the right number depends on cash flow), require a callback on a pre-established number not provided in the request. Not the number on the calendar invite. Not the number on the WhatsApp profile. The number stored in your HR system from the day the executive was onboarded.

Step 2 — Code-word system. Establish a verbal or written code-word that the executive must provide for any out-of-band payment instruction. Rotate it. The Ferrari case worked because the executive asked for something only the real CEO could know.

Step 3 — Train AP, treasury, finance, and HR specifically. Generic phishing training does not cover deepfake video calls. Training should include real examples of the Arup, WPP, Ferrari, LastPass, and Singapore March 2025 cases and the specific patterns: WhatsApp set-up, "confidential urgent" framing, "lawyer" presence, "new bank account" instruction, "stranded executive" theme.

Step 4 — Banking-side controls. Dual approval on payments above thresholds. Time delays on transfers to new payees (most Singapore banks support a 12–24 hour cooling-off on new payees). Daily payment limit thresholds. Designated "approved payee" list. Money Lock features available on retail-style accounts can be relevant for owner-managed SMEs.

Step 5 — Vendor master data hygiene. Any change to vendor bank account details — any — must be verified by independent contact through pre-established channels, in writing, with a signed letter on the vendor's letterhead, and a phone-call confirmation to a pre-established number. Domain look-alike attacks (the "i"/"l" trick in the S$57.2 million case) succeed because the verification step was skipped.

Step 6 — Tabletop exercises. Run a deepfake fraud simulation at least once a year. Have the CFO send a fake "urgent transfer" instruction to the AP team via WhatsApp from an unknown number; see who calls back, who escalates, who acts on it.

Step 7 — Insurance gap audit. Map the coverage stack for funds-transfer fraud across your Cyber, Crime, and any standalone Social Engineering policies. Establish: where is the FTF coverage; what is the sub-limit; what verification conditions apply; what is the notification deadline; does defence cost share the sub-limit; does the policy respond to a "voluntary parting"; what about supplier-impersonation deepfakes.

Step 8 — Incident response playbook. Step 1 of the playbook is not "call the lawyer" or "notify the insurer." It is "call the bank and ask them to attempt a recall, then file a police report." On both the Singapore March 2025 US$499,000 case and the July 2024 US$42.3 million commodity case, recovery happened because the bank was alerted within hours. Insurer notification follows. The 72-hour insurance notification clock matters, but the 6-hour bank recall window matters more.

Questions to Ask Your Adviser

When you sit with a licensed IFA or commercial broker to review your policies, ask these questions specifically. Take written answers. The wording shifts year to year and insurer to insurer.

  1. Does my Cyber policy include affirmative Funds Transfer Fraud and Social Engineering Fraud coverage, or is it "silent" on these losses? If silent, will you add an endorsement or recommend a separate Crime policy?
  2. What is the sub-limit for Social Engineering Fraud and Funds Transfer Fraud, and how does that sub-limit compare to my exposure (largest single payment my AP team can make in a day)?
  3. Does the policy explicitly cover losses where my employee was deceived by a deepfake video or voice call — not only by a fraudulent email — and is that coverage aligned with my Cyber, Crime, or both?
  4. What verification conditions does the policy require before a transfer, and what happens to coverage if the employee called back on a number that was provided in the fraudulent instruction itself?
  5. Does the defence cost for investigating the fraud and pursuing recovery sit inside the sub-limit, or is it separate?
  6. What is the notification deadline to the insurer — 24 hours, 48 hours, 72 hours? Who in my company is named as the notification contact?
  7. Does the Cyber policy respond to a supplier-impersonation deepfake (vendor change-of-bank-account fraud), or only to executive impersonation? Where would the line be drawn?
  8. If the loss is partly recovered by SPF/Anti-Scam Centre/INTERPOL after the claim is paid, what is the subrogation position — does the recovery flow back to me, the insurer, or split?

COVA is a Singapore B2B insurance management platform registered as an introducer under MAS Notice FAA-N02. We do not advise on, recommend, or arrange policies. We provide factual information sourced from primary regulators and route Singapore SMEs to licensed Independent Financial Advisers and brokers who can compare actual wordings, sub-limits, and conditions against your specific exposure.

Related Information

Published 8 May 2026. Source verified 8 May 2026. COVA is an introducer under MAS Notice FAA-N02. We do not recommend insurance products. We provide factual information sourced from primary regulators and route you to a licensed IFA who can match a policy to your specific situation.