The Singapore Police Force (SPF) issued a formal advisory on February 26, 2026, regarding a surge in Business Impersonation Call (BIC) scams. Since early 2025, at least ten reported cases resulted in staggering losses exceeding $13.5 million. This variant represents a significant evolution in social engineering, moving beyond simple emails to highly deceptive, real-time multimedia manipulation.
Mechanics of the Impersonation
Criminals target employees, often in finance or junior roles, by posing as high-level executives, CEOs, or influential investors. The deception typically unfolds through a coordinated multi-step process. Scammers create WhatsApp accounts using names and publicly available profile photos of company leadership. They initiate conversations regarding "confidential projects" or "urgent corporate restructuring" to build a sense of exclusivity and importance.
To cement the fraud, victims join a Zoom video conference. During these calls, scammers use AI-driven digital manipulation to alter facial features and voices in real time. They may even impersonate officials from the Monetary Authority of Singapore (MAS) to provide a false sense of regulatory oversight. Scammers frequently instruct victims to sign non-disclosure agreements (NDAs) or board letters. This tactic is specifically designed to isolate the employee, preventing verification of the request with colleagues or through official corporate channels. Once trust is established, the victim is pressured to transfer large sums of company funds to "safety accounts" or for "project financing." The fraud is often discovered only after the money is gone.
How Scammers Acquire WhatsApp Numbers
A common misconception is scammers must hack an executive's phone to impersonate them, in reality, they often use pretexting combined with external data. Scammers gather names, professional headshots, and contact details from LinkedIn, company websites, and dark web data leaks. They register a new WhatsApp account using a virtual or disposable number but set the profile details to match the executive.
Scammers often explain away the unfamiliar number by claiming it is a private line for sensitive matters. In more aggressive scenarios, scammers may use GhostPairing or QR code scams to mirror an existing account. They might also perform a SIM swap by tricking a mobile carrier into porting the executive's number to a new SIM card.
Defensive Protocols for Decision Makers
Executives and decision makers must secure communication channels to prevent their identities from becoming weaponized. Restricting WhatsApp profile photos and "Last Seen" status to "My Contacts" only prevents scammers from harvesting high-quality images for spoofing. Enabling a PIN-based two-step verification on WhatsApp prevents unauthorized registration of the phone number on new devices, even if a verification code is intercepted.
Establishing Verification Rituals
Organizations should implement a strict callback policy where ny request for fund transfers or sensitive data received via a messaging app must be verified through a second, independent channel. This could be a direct call to a known office extension or a separate internal platform. Understanding these tactics is a critical component of modern loss mitigation.
This scam relies heavily on the psychological mechanics of pretexting, where a fabricated scenario is used to manipulate individuals into bypassing security.
- Log in to post comments