A Singapore-based CEO received a WhatsApp call from his company's chairman in April 2026. The chairman had an urgent instruction: take responsibility for a new acquisition project and arrange the funding immediately. Over the next four days, US$36.3 million moved out of the company's accounts. The real chairman knew nothing about it.
The fraud was uncovered only when the CEO called the actual chairman to verify the deal. By then, most of the money was gone, routed through local accounts and wired to Hong Kong before authorities could intervene. Singapore's Anti-Scam Centre recovered US$9.7 million. The remaining US$26.5 million had already moved offshore.
The case was one of several highlighted by Singapore Police Force following Operation FRONTIER+ III, a two-month international crackdown involving 10 jurisdictions, 3,200 officers and more than 3,000 arrests. For finance teams, how this fraud worked matters more than how large it was.
The real vulnerability was the culture, not the call
The transfers didn't happen in a single transaction. US$36.3 million moved across four days and multiple accounts, flowing through a normal-looking approval chain where a request arrived from the top and funding was arranged below. No one in that chain had a reason to doubt what appeared to be a legitimate instruction from leadership.
There was no malware, no email compromise and no breached system. A phone call worked because nothing in the approval process required the instruction to be independently verified before the money moved.
According to Eftsure research drawn from over 1,000 Australian respondents, only 25% of employees feel comfortable questioning a suspicious payment request from a senior executive. 91% don't believe senior business leaders adequately understand how modern payment fraud occurs. And 32% say they feel pressured to process payments quickly. When independent verification isn't a required step in the process, impersonating someone at the top of the approval chain is enough to move money.
This isn't a new tactic, but it's getting harder to detect
Impersonation fraud targeting the CFO-CEO relationship isn't new. In 2024, an employee at engineering firm Arup transferred US$25 million after participating in a video call with deepfake versions of the CFO and multiple colleagues. That attack used sophisticated AI-generated video. The Singapore case used a WhatsApp call, and the same trust in hierarchy was enough.
What has changed is the scale and confidence with which these attacks are executed. According to the FBI's IC3, Business Email Compromise (BEC) has cost organizations more than US$55 billion over the past decade. In 2025 alone, BEC and CEO fraud drove more than US$3 billion in reported losses in the US, figures that cover only what was reported and only from a single jurisdiction.
The Singapore case also shows that the attack is no longer limited to email. Voice impersonation, WhatsApp and AI-generated video calls are all in active use, and 90% of Australians surveyed in Eftsure's 2026 research believe AI-generated scams are harder to detect than traditional ones.
What a verification culture actually looks like
The CEO verified the acquisition with the actual chairman four days after the transfers began. The real question is whether the process made independent verification the expected step before approving a payment of this size, not an afterthought once the money had moved.
Independent verification before payment means a documented callback to a known contact number, through a channel that isn't the one the instruction arrived on. It takes a few minutes and doesn't require a technology purchase. It does require a process where that confirmation happens before the payment is approved, not after.
Giving finance teams the language to ask is part of that. When there's no scripted, professional way to pause a payment request from a senior executive without implying distrust, the path of least friction is to proceed. These response templates address that directly: practical language for exactly this scenario, written for the moment when the instruction is coming from above and the process requires a pause.
Build the verification habit before the call comes
The control that would have stopped the Singapore fraud was the same call the CEO eventually made, placed four days earlier, before the transfers were authorized.
Finance leaders who want to close this gap have a straightforward starting point: document what out-of-band verification looks like for every payment channel in use, including email, phone, WhatsApp and video call, then test whether their teams can use it when the instruction appears to come from the chairman. If you're not sure where your organization sits, Eftsure's Deepfake Readiness Assessment takes two minutes and surfaces the specific gaps.
Building verification into the process means finance teams can question the next call like this one before the money moves.
