Business email compromise: how Indonesian companies lose billions to a single email

In short

BEC costs more than ransomware and bypasses your firewall entirely. How the attack works on Indonesian companies, and the layered defense that stops it.

Most cyber spending goes to stopping malware. Business email compromise ignores all of it. There is no virus to catch and no exploit to patch, just a believable email asking a real employee to do something they are allowed to do: pay an invoice, change bank details, release a wire. By the time anyone notices, the money is gone. Indonesian police have disclosed BEC cases that cost two companies tens of billions of rupiah, and the pattern reaches firms of every size.

~65% of BEC attempts use a look-alike domain that differs from the real one by a character or two (Verihubs analysis)

2 to 4 weeks: typical reconnaissance before an attacker sends the first message

USD 4.8M: average cost of a breach that starts with phishing, the most common initial attack vector (IBM Cost of a Data Breach 2025)

How the attack actually unfolds

BEC is slow and deliberate, which is why it works. The attacker studies your company before sending a single email aimed at the moment money moves.

  1. Reconnaissance

    The attacker reads LinkedIn, your website, and social media to learn who approves payments, which vendors are active, and when routine invoices fall due. This stage often runs for two to four weeks.

  2. Access or impersonation

    They either break into a real mailbox through phishing, or register a look-alike domain that differs from yours by one character. Both let the message look like it came from inside or from a known partner.

  3. The believable request

    Posing as a CEO, CFO, or trusted vendor, they send a small number of well-timed emails. The tone is urgent and confidential, and the request fits a normal business action so it raises no alarm.

  4. The transfer

    A finance staffer pays the invoice or updates the vendor bank details. The funds route to a mule account and move on quickly, which is why recovery depends on acting within hours.

Why technical controls are only half the answer

You cannot filter your way out of BEC, because a clean email carrying a fraudulent instruction is still a clean email. Defense has to close the infrastructure gap and the human gap at the same time.

Email authentication

SPF, DKIM, and DMARC together make it far harder for an attacker to spoof your domain or impersonate your staff to outsiders. Enforced DMARC is the single highest-value technical control against domain abuse.

Account protection

Multi-factor authentication on every mailbox limits the account-takeover route. Without it, one phished password lets an attacker send fraud from a genuinely trusted address.

A verification habit

Any change to payment details or any urgent transfer is confirmed through a second channel, such as a phone call to a known number. This one habit stops most BEC even when the email is convincing.

The signals your finance team should treat as stop signs

BEC messages share a recognisable shape. People who move money need to know it by heart, because they are the last line of defense.

  - Urgency and secrecy in the same message
  - A sender address that is almost, but not quite, right
  - A new or changed bank account for an existing vendor
  - A request that skips the normal approval step
  - Pressure to act before a deadline or while a boss is travelling
  - Reply-to address that differs from the visible sender
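
Two of these signals can be checked mechanically from message headers. The following is an added example, not code from the original article: it flags a sender domain within two character edits of a trusted domain and a Reply-To domain that differs from the visible sender. The trusted-domain list and the three sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: your own domain plus active vendor domains (constructed values).
TRUSTED_DOMAINS = {"acme-finance.example", "vendor-logistik.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, keeping only the previous row in memory."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value) -> str:
    """Domain part of an address header, lower-cased; '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_header_signals(raw_message: str) -> list:
    msg = message_from_string(raw_message)
    sender, reply_to = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    signals = []
    if sender not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            # One or two edits from a trusted name: "almost, but not quite, right".
            if 0 < edit_distance(sender, trusted) <= 2:
                signals.append(f"lookalike-domain:{sender}~{trusted}")
    if reply_to and reply_to != sender:
        signals.append(f"reply-to-mismatch:{reply_to}")
    return signals

# Constructed sample messages (not real traffic).
LOOKALIKE = ('From: "CFO" <cfo@acme-finanse.example>\n'
             "Subject: Urgent and confidential transfer\n\nPlease pay today.\n")
REPLY_TO = ("From: billing@vendor-logistik.example\n"
            "Reply-To: billing@vendor-logistik-pay.example\n"
            "Subject: Updated bank details\n\nNew account attached.\n")
CLEAN = "From: ap@acme-finance.example\nSubject: March invoices\n\nSee list.\n"

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("reply-to", REPLY_TO), ("clean", CLEAN)]:
        print(name, bec_header_signals(raw))
```

A message sent from a genuinely compromised mailbox passes both checks, so this supports the second-channel verification habit and does not replace it.
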

When prevention fails: respond in hours, not days

If a payment has already gone out, the first few hours decide how much comes back. Contact the bank to attempt a recall, report to the police, preserve the original emails and headers, and check whether an internal mailbox was compromised so you can reset credentials before a second attempt. A practised incident response process turns a panicked scramble into a sequence that protects evidence and improves recovery.

References

  1. IBM Cost of a Data Breach Report
  2. Business email compromise, how it works and prevention (Verihubs)
  3. Business email compromise awareness (OCBC)

BEC is a people problem wearing a technical disguise, so Alpha Code treats it on both fronts. Our human risk management program trains the staff who move money to recognise the request and verify it, and our incident response team is on hand for the hours that matter when a transfer has already left.

Reviewed by Mirna Indriasari, Security Program Manager

Frequently asked questions

Business email compromise, or BEC, is a fraud where an attacker impersonates an executive, a vendor, or a colleague over email to trick someone into transferring money or sharing sensitive data. It relies on social engineering, not malware, so antivirus and firewalls do not see it. The fake message asks a real employee to do something they are authorised to do, such as pay an invoice.
