Cybersecurity experts are urging companies to instil a strong culture of security among their employees to prevent losses arising from business email compromise (BEC) scams.
Cybersecurity practitioner Murugason R Thangaratnam said scammers tend to study their targets to identify vulnerabilities and gather useful personal and organisational data. This allows them to tailor their attacks for maximum impact.
“Social media profiling is a tried and tested method for cybercriminals, and platforms like LinkedIn, Facebook, Instagram and X reveal job titles, travel plans, email addresses, personal interests, and even family information,” he told FMT.
Murugason said job advertisements and company websites also detail sensitive information on a company’s internal tools and vendors that scammers can exploit in impersonation scams.
He said robust email security settings — such as multi-factor authentication and domain-based message authentication — are critical to prevent spoofing, a technique cybercriminals use to disguise a malicious message as one originating from a trusted source.
Murugason was responding to a recent Kaspersky report which revealed that Malaysia suffered over RM7.5 million in losses from BEC scams between 2023 and mid-2025.
The country recorded an average of 5,300 phishing attempts targeting companies each month in 2024 — the third-highest in Southeast Asia. These attacks typically involve malicious actors posing as trusted entities to deceive individuals into disclosing sensitive information.
Employee training key
SL Rajesh, who heads the computer forensics department at the International Association for Counterterrorism and Security Professionals Centre, said companies must take steps to minimise human error.
He said regular employee training was key to preserving company security, as employees would be trained to identify red flags such as unduly urgent emails, changes in bank account details, and other dubious messages.
“Use two-person approval for payments. Make it a rule that no payment goes through unless two people have reviewed it. This slows things down just enough to catch mistakes or suspicious requests.”
“The more we rely on online communication to operate and make decisions, the more important it becomes to weave cybersecurity awareness into the way we work every day,” he added.
