Threat intelligence
Business email compromise: how Indonesian companies lose billions to a single email
In short
BEC costs more than ransomware and bypasses your firewall entirely. How the attack works on Indonesian companies, and the layered defense that stops it.
Most cyber spending goes to stopping malware. Business email compromise ignores all of it. There is no virus to catch and no exploit to patch, just a believable email asking a real employee to do something they are allowed to do: pay an invoice, change bank details, release a wire. By the time anyone notices, the money is gone. Indonesian police have disclosed BEC cases that cost two companies tens of billions of rupiah, and the pattern reaches firms of every size.
- ~65% of BEC attempts use a look-alike domain that differs from the real one by a character or two (Verihubs analysis)
- 2 to 4 weeks: typical reconnaissance before an attacker sends the first message
- USD 4.8M: average cost of a breach that starts with phishing, the most common initial attack vector (IBM Cost of a Data Breach 2025)
How the attack actually unfolds
BEC is slow and deliberate, which is why it works. The attacker studies your company before sending a single email aimed at the moment money moves.
- 01 Reconnaissance: The attacker reads LinkedIn, your website, and social media to learn who approves payments, which vendors are active, and when routine invoices fall due. This stage often runs for two to four weeks.
- 02 Access or impersonation: They either break into a real mailbox through phishing, or register a look-alike domain that differs from yours by one character. Both let the message look like it came from inside or from a known partner.
- 03 The believable request: Posing as a CEO, CFO, or trusted vendor, they send a small number of well-timed emails. The tone is urgent and confidential, and the request fits a normal business action so it raises no alarm.
- 04 The transfer: A finance staffer pays the invoice or updates the vendor bank details. The funds route to a mule account and move on quickly, which is why recovery depends on acting within hours.
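As an added example (not Alpha Code's own tooling or anything from the original article), the check below is the kind of rule a mail gateway or SIEM can run against the look-alike pattern in step 02: it flags a sender domain that is within one or two edits of your own domain or a known vendor's, but is not an exact match. The trusted domains and the From headers are constructed placeholders.

```python
"""Flag inbound senders whose domain is a near-miss of a domain we trust.

Most BEC look-alike domains differ from the genuine one by one or two
characters, so an edit-distance check against our own domain and our
known vendors catches the common case and routes it for manual verification.
"""
import re

# Constructed list of trusted domains (placeholders, not real organisations).
TRUSTED_DOMAINS = {"alphacode.example", "vendor-steel.example"}

# Constructed sample From: headers, as a gateway or log pipeline would see them.
SAMPLE_FROM_HEADERS = [
    "Finance <finance@alphacode.example>",   # genuine internal sender
    "CEO <ceo@alphac0de.example>",           # letter 'o' swapped for digit zero
    "Billing <ap@vendor-stee1.example>",     # letter 'l' swapped for digit one
    "Newsletter <news@unrelated.example>",   # not close to any trusted domain
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header ('Name <addr>' or bare addr)."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<matched trusted domain>' or 'unknown'."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for t in sorted(trusted):
        if levenshtein(domain, t) <= max_distance:
            return f"lookalike:{t}"
    return "unknown"


if __name__ == "__main__":
    for hdr in SAMPLE_FROM_HEADERS:
        print(f"{classify(hdr):<32} {hdr}")
```

A 'lookalike' verdict is a prompt for the second-channel verification described later in the article, not proof of fraud; legitimate near-neighbour domains do exist.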
Why technical controls are only half the answer
You cannot filter your way out of BEC, because a clean email carrying a fraudulent instruction is still a clean email. Defense has to close the infrastructure gap and the human gap at the same time.
Email authentication
SPF, DKIM, and DMARC together make it far harder for an attacker to spoof your domain or impersonate your staff to outsiders. Enforced DMARC is the single highest-value technical control against domain abuse.
Account protection
Multi-factor authentication on every mailbox limits the account-takeover route. Without it, one phished password lets an attacker send fraud from a genuinely trusted address.
A verification habit
Any change to payment details or any urgent transfer is confirmed through a second channel, such as a phone call to a known number. This one habit stops most BEC even when the email is convincing.
The signals your finance team should treat as stop signs
BEC messages share a recognisable shape. People who move money need to know it by heart, because they are the last line of defense.
When prevention fails: respond in hours, not days
If a payment has already gone out, the first few hours decide how much comes back. Contact the bank to attempt a recall, report to the police, preserve the original emails and headers, and check whether an internal mailbox was compromised so you can reset credentials before a second attempt. A practised incident response process turns a panicked scramble into a sequence that protects evidence and improves recovery.
BEC is a people problem wearing a technical disguise, so Alpha Code treats it on both fronts. Our human risk management program trains the staff who move money to recognise the request and verify it, and our incident response team is on hand for the hours that matter when a transfer has already left.
Reviewed by Mirna Indriasari, Security Program Manager
Frequently asked questions
Business email compromise, or BEC, is a fraud where an attacker impersonates an executive, a vendor, or a colleague over email to trick someone into transferring money or sharing sensitive data. It relies on social engineering, not malware, so antivirus and firewalls do not see it. The fake message asks a real employee to do something they are authorised to do, such as pay an invoice.