Company Loses Over RM700,000 in Fake Email Steel Supply Scam

A Malaysian company has lost over RM700,000 after falling victim to a business email compromise (BEC) scam involving fake steel supply invoices. The attackers intercepted legitimate email correspondence between the company and a steel supplier, then impersonated the supplier using a near-identical email domain to redirect payment to a fraudulent bank account.

Business email compromise is one of the most financially devastating forms of cybercrime globally, and Malaysian businesses are increasingly targeted. The RM700,000 loss in a single incident highlights the scale of risk facing companies that rely on email-based payment instructions without secondary verification. This case adds to the alarming cybercrime costs documented in Cybercrime Costs Malaysia Rm1 22 Billion.

BEC attacks require no malware and no technical exploitation of systems. They rely entirely on deception — making them difficult for traditional cybersecurity tools to detect and particularly dangerous for businesses that handle large procurement transactions.

In a typical BEC attack, criminals first gain access to or monitor email communications between a company and its supplier. This may happen through phishing attacks on employee credentials, compromised email servers, or social engineering. Once the attackers understand the relationship and payment patterns, they register a domain nearly identical to the supplier's — often changing a single letter (e.g., steelsupply.com vs steelsuppIy.com with a capital I instead of lowercase L).

The attackers then send a convincing email, often during an active transaction, informing the victim company that the supplier's bank details have changed. The email includes a new invoice with the fraudulent account number. Because the email appears to come from a trusted contact and references a real ongoing order, the finance team processes the payment. As highlighted in Data Theft Rising Malaysia How To Protect Your Business, data breaches and credential theft often provide the initial access that makes BEC attacks possible. The rising sophistication of these schemes is part of the broader Cybersecurity Threats Malaysia Banking 2026 landscape.

How can my company prevent BEC attacks?

Implement a strict policy requiring verbal confirmation via a known phone number before processing any change to supplier bank details. Use multi-factor authentication on all email accounts, train finance staff to inspect email domains carefully, and consider email authentication protocols (SPF, DKIM, DMARC) to reduce spoofing risk.

Can we recover money lost to a BEC scam?

Recovery is possible but time-sensitive. Contact your bank within the first 24 hours to initiate a payment recall. The longer you wait, the lower the chances of recovery, as criminals quickly move funds through multiple accounts.

How do I report this scam in Malaysia?

Call 997 (NSRC), lodge a police report, report via SemakMule at semakmule.rmp.gov.my.