1. Executive Summary
The global financial cybercrime landscape has undergone a paradigmatic shift, evolving from indiscriminate, high-volume phishing campaigns to highly targeted, psychologically manipulative operations that exploit the structural seams of corporate finance. Among these threats, Payroll Diversion Fraud, the unauthorized redirection of employee salary disbursements to accounts the attacker controls, has grown into a primary vector for both organized criminal syndicates and state-sponsored actors seeking to evade international sanctions.
Historically categorized as a subset of Business Email Compromise (BEC), payroll diversion has matured into a distinct ecosystem characterized by its own specialized threat actors, distinct laundering methodologies, and unique forensic signatures. According to the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), BEC and its variants accounted for $2.77 billion in losses in 2024, bringing cumulative global losses to $55.5 billion over the preceding decade.1 Payroll diversion specifically has seen explosive growth, with reported losses increasing by 815% in the late 2010s, a trend that has accelerated through the widespread adoption of remote work and digital payroll portals.1
This report, updated for January 2026, synthesizes forensic intelligence to provide a definitive operational picture of this threat. A critical focus of Version 4.0 is the Asia Pacific (APAC) region, which has become the epicenter of this evolution. Email-based attacks in APAC increased by 27% year-over-year from 2023 to 2024.1 This surge is driven by a convergence of factors: the rapid proliferation of real-time payment rails like India’s Unified Payments Interface (UPI) and Singapore’s PayNow, the industrialization of fraud in the Mekong subregion’s “scam compounds,” and the aggressive entry of North Korean state-sponsored actors into the financial crime theater.
This document integrates validated intelligence on emerging threat actors—such as the education-sector-focused Chiffon Herring, the reconnaissance specialists Curious Orca, and the prolific Scattered Canary—and documents tactical innovations, including the “Gmail dot” technique, SIM-less device obfuscation, and AI-enhanced social engineering. Furthermore, it provides an exhaustive analysis of the paradigm shift in regulatory frameworks across APAC, specifically Singapore’s Shared Responsibility Framework (SRF), Hong Kong’s E-Banking Security ABC initiative, and the Philippines’ mandatory Kill Switch for financial institutions.
The operational realities of 2026 demand a departure from the “buyer beware” model. With liability shifting to infrastructure providers and the window for fund recovery closing to mere minutes due to real-time payments, the defense against payroll diversion requires a fusion of technical hardening, advanced behavioral analysis, and rapid regulatory alignment.
2. Mode of Operation: The Evolving Kill Chain
The execution of payroll diversion fraud follows a disciplined “kill chain” that has evolved from simple social engineering to a complex blend of technical reconnaissance, infrastructure abuse, and psychological manipulation. Understanding this lifecycle is critical for interdiction and attribution.
2.1 Phase 1: Research and Reconnaissance
The precursor to any successful diversion is granular intelligence gathering. Threat actors have moved beyond passive Open Source Intelligence (OSINT) gathering on platforms like LinkedIn to actively weaponize legitimate business tools.

Lead Generation Abuse and the “Gmail Dot” Technique
A significant tactical innovation identified in recent forensic analysis involves the abuse of Business-to-Business (B2B) lead-generation platforms such as Lead411, ZoomInfo, and Lusha. Groups like Scattered Canary have industrialized this process to harvest organizational charts and direct contact information without triggering platform fraud algorithms.2
To achieve scale, these actors use the “Gmail dot” technique. Consumer Gmail ignores periods in the local part of an address (the part before the @), so j.ohndoe@gmail.com, jo.hndoe@gmail.com and j.o.h.n.d.o.e@gmail.com all deliver to the same inbox. (Google Workspace domains do not share this behaviour by default; there, dots are significant.) Many third-party services, including lead-generation platforms, nonetheless treat each of these strings as a distinct user identifier. Threat actors exploit this discrepancy to register hundreds of “unique” trial accounts from a single controlling mailbox.3 This defeats “one account per user” restrictions and lets them scale their data harvesting, building large repositories of target employee data (names, roles, email formats and reporting lines) at negligible cost and without alerting platform security teams. Sub-addressing (user+tag@gmail.com) gives the same effect at almost every provider, so any per-user limit that does not canonicalise addresses first is trivially bypassed.
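The canonicalisation that a lead-generation platform (or any service enforcing a per-user limit) would need is short, and it doubles as a detector for the abuse above. The following is an added example, not code from the original report; the signup list is constructed and the addresses are invented. Note that it deliberately leaves dots alone for non-Gmail domains.

```python
from collections import defaultdict

# Consumer Gmail ignores dots in the local part and treats googlemail.com as
# gmail.com. Google Workspace domains do NOT get dot-insensitivity by default,
# so they are deliberately absent from this set.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Reduce the aliases that Gmail routes to one inbox to a single key.

    Steps: lower-case; drop any '+tag' sub-address; for consumer Gmail only,
    remove dots from the local part and normalise googlemail.com to gmail.com.
    Addresses at other providers keep their dots, because dots are significant there.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {address!r}")
    local, domain = address.split("@")
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def alias_clusters(signups, threshold=3):
    """Group signup e-mails by canonical address.

    Returns {canonical: [raw addresses]} for every inbox that registered at
    least `threshold` distinct raw addresses, i.e. one controller hiding behind
    several "unique" trial accounts.
    """
    groups = defaultdict(set)
    for raw in signups:
        groups[canonical_email(raw)].add(raw.strip().lower())
    return {key: sorted(raws) for key, raws in groups.items() if len(raws) >= threshold}


# Constructed signup list for the example; every address here is invented.
SAMPLE_SIGNUPS = [
    "j.ohndoe@gmail.com",
    "jo.hndoe@gmail.com",
    "j.o.h.n.d.o.e@gmail.com",
    "johndoe+trial7@googlemail.com",
    "sarah.k@corp.example",
    "sarahk@corp.example",          # dots matter at this provider: a different mailbox
    "analyst@research.example",
]

if __name__ == "__main__":
    for inbox, raws in alias_clusters(SAMPLE_SIGNUPS).items():
        print(f"{inbox}: {len(raws)} trial accounts -> {raws}")
```

Run against the sample, the four Gmail variants collapse to one inbox while the two corp.example addresses stay separate, which is the behaviour a platform's fraud logic needs to reproduce before counting accounts per user.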
Reconnaissance Probing (“Curious Orca”)
Before launching a targeted campaign, sophisticated groups validate their target lists to ensure high deliverability and to map the target’s internal email architecture. The group tracked as Curious Orca has refined a technique known as “reconnaissance probing”.4
This tactic involves sending benign, content-free emails, often with a single-character subject line like “i”, to thousands of corporate email addresses. This probe serves a dual strategic purpose:
- Address Validation: It maps the valid email address space of a target organization by identifying which emails generate Non-Delivery Reports (NDRs) or “bounces,” and which are successfully delivered.
- Security Posture Testing: It tests the organization’s Secure Email Gateway (SEG) configurations without deploying a malicious payload that would trigger a threat alert.
These probes are typically scheduled outside standard business hours to minimize the likelihood that an employee will notice the anomaly and report it to the Security Operations Center (SOC).2 If a valid address is confirmed, it is added to a master targeting list for future exploitation.
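The probe profile described above is easy to express as a detection over gateway delivery logs: a sender whose messages have a one- or two-character subject and an empty body, sent to many recipients in a burst outside business hours. The code below is an added example, not part of the original report. The log is constructed and its column layout is an assumption (each product has its own); the point is that the delivered recipients are the attacker's validated target list, and the bounces show which addresses the probe burned.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed secure-email-gateway (SEG) delivery log. The column layout is an
# assumption made for this example, not any particular product's format.
SEG_LOG = """\
timestamp,sender,recipient,subject,body_bytes,disposition
2025-11-03T02:14:07+08:00,probe@relay-example.net,alice.tan@corp.example,i,0,delivered
2025-11-03T02:14:09+08:00,probe@relay-example.net,bob.lee@corp.example,i,0,bounced
2025-11-03T02:14:11+08:00,probe@relay-example.net,c.wong@corp.example,i,0,delivered
2025-11-03T02:14:13+08:00,probe@relay-example.net,payroll@corp.example,i,0,delivered
2025-11-03T02:14:15+08:00,probe@relay-example.net,hr-old@corp.example,i,0,bounced
2025-11-03T09:30:00+08:00,ap@supplier.example,alice.tan@corp.example,Invoice 4471 for October,18342,delivered
2025-11-03T10:05:22+08:00,news@marketing.example,c.wong@corp.example,Q4 product update,50211,delivered
"""

PROBE_MAX_SUBJECT_CHARS = 2     # "i", "hi", or an empty subject
PROBE_MAX_BODY_BYTES = 64       # effectively empty body
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 in the timestamp's own UTC offset


def is_probe_like(row):
    """A content-free message: near-empty subject and near-empty body."""
    return (len(row["subject"].strip()) <= PROBE_MAX_SUBJECT_CHARS
            and int(row["body_bytes"]) <= PROBE_MAX_BODY_BYTES)


def is_off_hours(timestamp):
    """Weekend, or outside BUSINESS_HOURS, evaluated in the log's local offset."""
    t = datetime.fromisoformat(timestamp)
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS


def detect_probing(log_text, min_probes=3):
    """Per sender with >= min_probes probe-like messages: how many were
    delivered (validated live addresses), how many bounced, how many arrived
    off-hours. Delivered recipients are the attacker's harvest and belong on a
    watchlist for follow-on mail from that sender or its domain."""
    per_sender = defaultdict(lambda: {"probes": 0, "off_hours": 0, "bounced": 0, "validated": []})
    for row in csv.DictReader(io.StringIO(log_text)):
        if not is_probe_like(row):
            continue
        stats = per_sender[row["sender"]]
        stats["probes"] += 1
        stats["off_hours"] += is_off_hours(row["timestamp"])
        if row["disposition"] == "delivered":
            stats["validated"].append(row["recipient"])
        else:
            stats["bounced"] += 1
    return {s: st for s, st in per_sender.items() if st["probes"] >= min_probes}


if __name__ == "__main__":
    for sender, stats in detect_probing(SEG_LOG).items():
        print(sender, stats)
```

Tune `min_probes` to the organisation's mail volume; the off-hours ratio and the bounce count are the two fields that separate a probe run from a genuinely terse human sender.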
2.2 Phase 2: Infrastructure and Spoofing
Once targets are validated, the attacker establishes the sending infrastructure required for deception. The choice is driven by the target’s email authentication posture: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) stop an attacker from forging a protected domain outright, so instead of spoofing the victim’s domain the attacker sends from an identity that passes those checks legitimately, whether a free webmail account or a lookalike domain they control.

Display Name Spoofing
Despite the availability of more advanced tooling, display name spoofing remains the most prevalent tactic, used in over 90% of payroll diversion attacks.2 Attackers register free webmail accounts (Gmail, Outlook, Yahoo) and simply set the display name to that of a high-value executive or employee. Because the message genuinely originates from the webmail provider’s domain, it passes SPF, DKIM and DMARC; the deception lives entirely in the display name. On mobile devices, where the client often hides the actual address to save screen space, the technique is devastatingly effective: the sender field shows only the trusted name (e.g., “John Smith”) and not the origin (e.g., john.smith.ceo@gmail.com). The corresponding control is to compare the display name against the staff directory and look at the sending domain, not the name.
Homograph Attacks and Typosquatting
For campaigns requiring higher fidelity, particularly those targeting organizations with robust external email tagging, actors register lookalike domains. In the APAC region this has evolved into IDN homograph attacks.2 The technique uses characters from other scripts, chiefly Cyrillic and Greek, or accented Latin letters of the kind used in Vietnamese, that are visually identical or nearly so to plain Latin letters.
For example, Cyrillic ‘a’ (U+0430) renders identically to Latin ‘a’ (U+0061) in most fonts but is a distinct code point, so a domain that looks like company.com to a human is a different name to DNS, reputation feeds and domain blocklists. One practical check: internationalized labels are registered and transmitted in their Punycode (A-label) form, which begins with xn--, so the string that appears in DNS logs and Received headers is xn--…, not the lookalike. Searching mail and DNS logs for xn-- labels, and converting them back to Unicode before comparing them with the organization’s own domains, surfaces these registrations even when a mail client displays the Unicode form.
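The comparison just described, as an added example that is not part of the original report, also covers the plain typosquats (transposed letters, brand plus an affix) that Section 9.1 lists under lookalike domain detection. It folds a small subset of Unicode’s confusables table (the full table is much larger), strips diacritics, handles xn-- input the way it appears in logs, and uses optimal-string-alignment distance so a single transposition such as trustbgw.com vs trustbwg.com scores 1. The protected-domain list and candidate names are constructed, and the second-level-label logic assumes a one-label public suffix.

```python
import unicodedata

# Small subset of the Unicode confusables table: look-alike code points mapped
# to the ASCII letter they imitate. Extend from Unicode's confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",   # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                   # Greek
    "\u0131": "i", "\u0261": "g",                                  # Latin variants
}


def to_unicode(domain):
    """Unicode (U-label) form; accepts A-labels (xn--...) as found in DNS logs
    and Received headers, label by label."""
    return ".".join(
        label.encode("ascii").decode("idna") if label.startswith("xn--") else label
        for label in domain.strip().lower().split(".")
    )


def to_ascii(domain):
    """The registrable A-label form that actually travels in DNS and mail headers."""
    return domain.strip().lower().encode("idna").decode("ascii")


def script_of(ch):
    """Coarse script from the Unicode character name: 'LATIN', 'CYRILLIC', ..."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else None       # digits, '-', '.' carry no script
    if unicodedata.category(ch) == "Mn":               # combining marks belong to the base letter
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def skeleton(domain):
    """Fold confusables and strip diacritics so look-alikes compare equal."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in to_unicode(domain))
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def second_level(domain):
    """Label left of the TLD (assumption: no multi-label public suffix such as co.uk)."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain, protected):
    """Compare a candidate against protected domains (given as lowercase ASCII).

    Verdict precedence: legitimate, homograph, typosquat, brand-affix, none.
    `scripts` lists every script seen, so a mixed-script label is visible even
    when it matches nothing in the protected list."""
    uni = to_unicode(domain)
    scripts = sorted({s for s in map(script_of, uni) if s})
    skel = skeleton(uni)
    result = {"domain": domain, "unicode": uni, "scripts": scripts, "verdict": "none", "match": None}
    for target in protected:
        if uni == target or uni.endswith("." + target):
            return {**result, "verdict": "legitimate", "match": target}
        if skel == target:
            return {**result, "verdict": "homograph", "match": target}
    for target in protected:
        cand, brand = second_level(skel), second_level(target)
        if osa_distance(cand, brand) == 1:
            return {**result, "verdict": "typosquat", "match": target}
        if brand in cand and cand != brand:
            return {**result, "verdict": "brand-affix", "match": target}
    return result


PROTECTED_DOMAINS = ["company.com", "trustbwg.com"]   # constructed protected list

if __name__ == "__main__":
    for name in ("company.com", "c\u043empany.com", "trustbgw.com", "company-support.com"):
        print(to_ascii(name), classify(name, PROTECTED_DOMAINS)["verdict"])
```

Feed this the A-label strings pulled from Received headers or resolver logs; `to_ascii` shows what the registration actually looks like on the wire, and `scripts` containing more than one entry is itself worth alerting on regardless of the match result.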
2.3 Phase 3: Execution and Social Engineering
The point of contact is characterized by psychological pressure and the exploitation of corporate hierarchy.

Urgency and Secrecy
The initial email to HR or payroll typically carries no attachments or links, which might trigger phishing filters. Instead, the message relies on the psychological levers of urgency and authority.2 Common scripts demand processing before a payroll cutoff or claim that the requester is “in a meeting” and cannot take calls.1 The aim is to put the recipient under time pressure so that verification steps are skipped. The request to avoid phone contact is itself a tell: it pre-empts exactly the out-of-band check that would expose the fraud.
AI-Enhanced Sophistication
The integration of Generative AI has fundamentally transformed the efficacy of these attacks. Between 2022 and 2023, AI-enhanced BEC attacks increased by 1,760%.1 Tools like WormGPT ($110/month) and FraudGPT enable attackers to generate contextually perfect, grammatically flawless emails in multiple languages. This eliminates the linguistic markers (syntax errors, awkward phrasing) that previously allowed defenders to identify offshore scammers. Academic research indicates that AI-automated phishing emails achieve a 54% click-through rate, compared to just 12% for traditional phishing—a 4.5x increase in efficacy.1
Deepfake Impersonation
Deepfake technology has escalated the threat beyond text. In a landmark case, a finance employee in the Hong Kong office of the engineering firm Arup was deceived into transferring about $25.6 million (HK$200 million) after joining a video conference in which the “CFO” and the other participants were deepfake recreations; the transfers were made in January 2024 and Arup was publicly identified as the victim in May 2024.1 The incident demonstrates that video verification, previously considered a gold standard for identity proofing, is no longer a guaranteed defense against determined threat actors.
2.4 Phase 4: Account Diversion and Cash-Out
The final phase involves technical modifications to payroll data and the rapid exfiltration of funds.

Prepaid Card Exploitation
A significant driver of the payroll diversion ecosystem is the use of prepaid debit cards issued by institutions such as Green Dot, GoBank, and Sutton Bank.2 These cards often market “early deposit” features, promising access to funds up to two days before the traditional payday. Threat actors exploit this feature to gain a 48-hour head start on the victim. By the time the employee realizes their paycheck has not arrived on Friday, the attacker has already accessed and laundered the funds on Wednesday.
Real-Time Payment Exploitation
In markets with mature instant payment infrastructures, such as India (UPI) and Singapore (PayNow), theft is instantaneous. Funds diverted to a mule account are immediately fragmented and transferred across multiple hops within minutes.2 This “layering” process complicates recovery efforts, as funds are often moved out of the jurisdiction or converted into cryptocurrency before a regulatory freeze can be initiated.
3. Threat Actor Attribution: Global and Regional Profiles
The attribution landscape for payroll fraud has bifurcated into two distinct categories: financially motivated criminal syndicates operating industrial-scale fraud centers, and state-sponsored actors leveraging cybercrime to sustain regimes.
3.1 North Korean State-Sponsored Actors (Lazarus / Kimsuky / Jumpy Pisces)
The involvement of North Korean actors represents a strategic escalation of the threat. Distinct from standard criminal gangs, these Advanced Persistent Threats (APTs) operate with state backing to generate revenue for the Democratic People’s Republic of Korea (DPRK), circumventing international sanctions.

The IT Worker Scheme
A primary vector employed by these groups is the “IT Worker Scheme”.2 Thousands of skilled North Korean IT professionals use stolen identities, often belonging to U.S. or South Korean nationals, to secure remote employment as freelance developers at Western technology companies. Once hired, they execute a “self-directed” payroll diversion, funneling their salaries through a web of laundering networks back to Pyongyang. The U.S. Department of Justice and the FBI have targeted these networks, seizing domains and issuing alerts about workers using “laptop farms” in the U.S. to mask their true locations.8
Collaboration with Ransomware Groups
Intelligence published in late 2024 indicates a disturbing convergence of state and criminal interests. The North Korean group tracked as Jumpy Pisces (affiliated with the Reconnaissance General Bureau) was observed working alongside the Play ransomware operation.9 In the reported intrusion, Jumpy Pisces compromised the network and handed over access, consistent with acting as an Initial Access Broker (IAB) or affiliate, while Play affiliates carried out the extortion and shared the proceeds. This hybrid model lets the state actor monetize access while the ransomware deployment is attributed to a criminal brand rather than to the DPRK.
3.2 The Mekong “Scam Compounds”
The Southeast Asian region, particularly the Special Economic Zones in Myanmar, Cambodia, and Laos, hosts industrial-scale “fraud factories.” These operations are unique in their blending of human trafficking with cyber-enabled fraud.2
Often staffed by victims of human trafficking who are forced to conduct scams under threat of violence, these compounds generate massive revenue streams. The UN estimates that cyber fraud in East and Southeast Asia generated between $18 billion and $37 billion in losses in 2023.1 These groups utilize “Money Mule Motorcades”—fleets of mule accounts managed by syndicates—to rapidly wash funds into USDT (Tether), which is then often cashed out at regional casinos to break the audit trail.2

3.3 West African Syndicates
West Africa, particularly Nigeria, remains a global hub for BEC operations, hosting prolific groups that have scaled their operations through technical specialization.

SilverTerrier
Identified by INTERPOL and private sector intelligence as a syndicate of over 400 unique actors, SilverTerrier has targeted over 50,000 organizations.1 They utilize commodity malware such as Agent Tesla and LokiBot to harvest credentials at scale, evolving from simple 419 scams to complex BEC operations capable of launching hundreds of thousands of attacks per month.
Gold Galleon
This Nigeria-based group demonstrates high-level sectoral targeting, focusing exclusively on the maritime shipping industry.13 They compromise email accounts of shipping companies and monitor traffic for invoice payments. Knowing that shipping transactions involve large sums and dispersed stakeholders operating in different time zones, they interject fraudulent payment instructions at the critical moment of the transaction, leveraging the time-sensitive nature of the industry.
3.4 Specialist and Niche Threat Groups
Several groups have carved out specific niches within the payroll diversion landscape, refining their TTPs for specific sectors or evasion techniques.

Chiffon Herring
Breaking the mold of targeting C-suite executives, Chiffon Herring focuses specifically on the education sector in the United States.16 They target school districts and universities, impersonating staff members such as teachers and professors. By leveraging public staff directories, they craft highly credible lures directed at payroll administrators, requesting changes to direct deposit information for staff who may not have direct lines of communication with HR. They have been observed sending from GoDaddy webmail infrastructure and directing the diverted pay into mule accounts.
Silent Starling
This group pioneered Vendor Email Compromise (VEC).18 Rather than spoofing an internal executive, Silent Starling compromises a vendor’s email account and uses that trusted access to send fraudulent invoices to the vendor’s customers. This “island hopping” technique is highly effective because the mail is sent from the vendor’s genuine account: it passes SPF, DKIM and DMARC, carries real thread history, and arrives from a correspondent the recipient already trusts. They typically target smaller organizations (under 200 employees) to evade detection.
Mandarin Capybara
Targeting European and APAC entities, Mandarin Capybara is known for multilingual executive impersonation.21 They execute campaigns in over 13 languages and heavily utilize European fintech and neobank accounts (e.g., Revolut, Monese, Bunq) for their mule networks. Their operations capitalize on the ease of digital account opening at these institutions to rapidly spin up laundering infrastructure.
Scattered Spider
A loose collective of English-speaking threat actors, Scattered Spider (also known as UNC3944) specializes in aggressive social engineering.23 They target IT help desks to reset passwords and bypass Multi-Factor Authentication (MFA). Once inside a network, they pivot directly to payroll systems like Workday or ADP to modify direct deposit settings, often targeting Business Process Outsourcing (BPO) firms to access downstream clients.
4. Asia Pacific Regional Statistics
The Asia Pacific region has experienced a significant escalation in cyber fraud, with losses reflecting the region’s rapid digitalization and adoption of real-time payments.
APAC Regional Scam and BEC Statistics (2024-2025):
- Singapore: $1.1B SGD total scam losses; 51,501 reported cases. (Source: SPF, 2024)
- Australia: $84M AUD in BEC losses; 84,700 total cybercrime reports. (Source: ACSC, FY2023-24)
- Malaysia: RM54.02B in scam losses, representing ~3% of GDP. (Source: RMP, 2024)
- Philippines: 10,004 complaints; ₱198M losses. (Source: CICC, 2024)
- Thailand: 887,000 complaints; ฿89B losses. (Source: RTP, Jan-Nov 2024)
- India: 22.68 lakh incidents reported (up from 10.29 lakh). (Source: I4C, 2024)
- Vietnam: VND 91.8T ($16.23B) losses – 3.6% of GDP. (Source: GASA, 2023)
- Southeast Asia: $23.6B lost to cyber fraud between Aug 2024 – Aug 2025. (Source: Regional Report)
This data indicates that cyber fraud has become a macroeconomic threat in the region, with losses in countries like Vietnam and Malaysia reaching percentages of GDP that rival major industries.1

5. Regulatory Frameworks: The Shift to Shared Responsibility
The regulatory landscape in the Asia Pacific region has undergone a seismic shift in 2025 and 2026. Governments are moving away from a “buyer beware” philosophy toward frameworks that mandate active defense and liability sharing by financial institutions (FIs) and telecommunications providers.
5.1 Singapore: Shared Responsibility Framework (SRF)
Effective December 16, 2024, Singapore implemented the Shared Responsibility Framework (SRF), fundamentally altering the liability landscape for phishing scams.24
Core Mandates:
The SRF assigns specific “anti-scam duties” to FIs and Telcos. If a scam loss occurs and the institution has failed to meet these duties, it is liable for reimbursement.
- For Financial Institutions: Duties include enforcing a 12-hour cooling-off period for high-risk activities (such as adding new payees or increasing transfer limits) and providing 24/7 real-time notification alerts for all transactions.24
- For Telcos: They must implement filters to block SMS messages containing malicious URLs and block calls from spoofed local numbers.
This framework incentivizes banks to implement friction in the payment process, prioritizing security over speed for high-risk transactions. Additionally, Singapore launched COSMIC (Collaborative Sharing of Money Laundering/TF Information & Cases), a platform that enables major banks (DBS, OCBC, UOB) to share information on suspicious customers and transactions in real time, breaking down data silos.2
5.2 Hong Kong: E-Banking Security ABC and Suspicious Alerts
The Hong Kong Monetary Authority (HKMA) has introduced a suite of measures designed to empower consumers and harden banking interfaces against fraud.27
E-Banking Security ABC:
- A – Authenticate in-App: Banks must move away from SMS One-Time Passwords (OTPs), which are vulnerable to SIM swapping and interception, and require authentication via mobile banking apps for high-risk transactions.
- B – Bye to unused functions: Banks must provide customers with the option to easily deactivate unused functions, such as overseas transfers or high transaction limits, reducing the attack surface of compromised accounts.
- C – Cancel suspicious payments: Mechanisms must be in place to allow the interception and cancellation of suspicious payments mid-flight.
Suspicious Account Alert:
This mechanism integrates the Hong Kong Police Force’s “Scameter” database directly into banking apps. If a user attempts to transfer funds to an account or FPS proxy ID flagged in the database, an immediate high-friction alert pops up, warning the user of the high risk.27
5.3 Philippines: The “Kill Switch” Mandate (BSP Circular 1213)
In a decisive move to combat the speed of digital fraud, the Bangko Sentral ng Pilipinas (BSP) issued Circular No. 1213, mandating the implementation of a “Kill Switch”.30
This regulation requires all BSP-supervised financial institutions to provide a feature within their mobile apps or web portals that allows customers to instantly freeze their accounts and block outgoing financial transactions. Crucially, this must be accessible without waiting for a customer service agent, empowering victims to stop the bleeding immediately upon suspecting compromise.
5.4 India: UPI Fraud Controls
With the ubiquity of the Unified Payments Interface (UPI), India continues to refine its fraud controls. The government and the National Payments Corporation of India (NPCI) have introduced measures to curb real-time fraud.32
4-Hour Time Delay:
A key proposal is a mandatory 4-hour delay on the first transaction between two users if the amount exceeds Rs 2,000. This friction is designed to provide a window for fraud checks and user reconsideration, directly countering the “social engineering urgency” tactic used by scammers.
6. Forensic Investigation Techniques
Tracing the sophisticated actors behind payroll diversion requires moving beyond basic log analysis to advanced forensic methodology.
6.1 Passive DNS (pDNS) Analysis
For investigators, Passive DNS is a critical tool for mapping adversary infrastructure.2 Services like Farsight Security DNSDB allow analysts to query the historical resolution of domains.

By analyzing pDNS data, an investigator can:
- Identify the IP addresses a malicious domain resolved to in the past.
- Pivot from a known malicious IP to identify other domains hosted on the same infrastructure (“infrastructure sharing”).
- Map the “life cycle” of a domain, identifying when it was registered and activated relative to the attack timeline.
This is particularly effective against groups like SilverTerrier and Scattered Canary, who often reuse hosting infrastructure across multiple campaigns.
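The pivoting described above, as an added example (not the report's own tooling, and not tied to any vendor's API): the records are constructed in the (rrname, rrtype, rdata, time_first, time_last) shape that pDNS services return, with RFC 5737 addresses. The one detail that matters in practice is the fan-out limit: an IP that hosts hundreds of domains is shared hosting or a CDN, and pivoting through it pulls unrelated sites into the "cluster", so such addresses are recorded but not expanded.

```python
from datetime import date

# Constructed passive-DNS observations; names are invented and the IPs are
# RFC 5737 documentation ranges. Tuple: (rrname, rrtype, rdata, first, last).
PDNS = [
    ("payroll-portal-example.com", "A", "203.0.113.10", "2025-09-28", "2025-10-02"),
    ("payroll-portal-example.com", "A", "192.0.2.50", "2025-10-02", "2025-10-05"),
    ("payroll-portal-example.com", "NS", "ns1.cheapdns-example.net", "2025-09-28", "2025-10-05"),
    ("hr-update-example.net", "A", "203.0.113.10", "2025-09-20", "2025-10-02"),
    ("hr-update-example.net", "A", "198.51.100.7", "2025-08-01", "2025-09-19"),
    ("secure-login-example.org", "A", "203.0.113.10", "2025-09-25", "2025-10-03"),
    # 192.0.2.50 is a crowded shared host: pivoting through it yields noise.
    ("blog-one.example", "A", "192.0.2.50", "2024-01-10", "2025-10-05"),
    ("blog-two.example", "A", "192.0.2.50", "2024-03-02", "2025-10-05"),
    ("shop-three.example", "A", "192.0.2.50", "2024-05-14", "2025-10-05"),
    ("news-four.example", "A", "192.0.2.50", "2024-06-30", "2025-10-05"),
]


def a_history(records, domain):
    """Every IP the domain has resolved to, with its observation window."""
    return [(ip, first, last) for name, rrtype, ip, first, last in records
            if name == domain and rrtype == "A"]


def domains_on_ip(records, ip):
    """Infrastructure sharing: all names that have resolved to this address."""
    return sorted({name for name, rrtype, rdata, _, _ in records if rrtype == "A" and rdata == ip})


def timeline(records, domain, attack_date):
    """When the domain first appeared in pDNS relative to the attack date."""
    firsts = [date.fromisoformat(first) for _, first, _ in a_history(records, domain)]
    if not firsts:
        return None
    first_seen = min(firsts)
    return {"first_seen": first_seen.isoformat(),
            "days_before_attack": (date.fromisoformat(attack_date) - first_seen).days}


def cluster(records, seed, max_hops=2, max_fanout=4):
    """Breadth-first pivot domain -> IP -> domains, up to max_hops.

    IPs hosting more than max_fanout domains (shared hosting, CDNs) are
    recorded as skipped rather than expanded; otherwise one crowded address
    drags the whole internet into the cluster."""
    domains, ips, skipped = {seed}, set(), set()
    frontier = [seed]
    for _ in range(max_hops):
        next_frontier = []
        for domain in frontier:
            for ip, _, _ in a_history(records, domain):
                if ip in ips or ip in skipped:
                    continue
                neighbours = domains_on_ip(records, ip)
                if len(neighbours) > max_fanout:
                    skipped.add(ip)
                    continue
                ips.add(ip)
                for name in neighbours:
                    if name not in domains:
                        domains.add(name)
                        next_frontier.append(name)
        frontier = next_frontier
    return {"domains": sorted(domains), "ips": sorted(ips), "skipped_ips": sorted(skipped)}


if __name__ == "__main__":
    print(timeline(PDNS, "payroll-portal-example.com", "2025-10-01"))
    print(cluster(PDNS, "payroll-portal-example.com"))
```

With the sample data the seed domain appeared three days before the attack, and the cluster grows to two sibling domains and a second, older IP for one of them, while the shared host is listed under skipped_ips for manual review rather than expanded.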
6.2 Email Header Forensics
Analysis of the X-Originating-IP and Return-Path headers remains fundamental.16 In the case of Chiffon Herring, header analysis revealed the consistent use of GoDaddy’s webmail service (Workspace Webmail 6.12.10), providing a fingerprint for attribution even when the sender address was spoofed. Identifying the Return-Path can often expose the actual compromised domain used to launch the campaign.
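The header triage described here, together with the display-name check from Section 2.2, in one added example (not the report's own code). The message, names, directory and addresses are constructed; the X-Mailer string on the watchlist is the GoDaddy webmail fingerprint quoted above. Two details are worth noting: the earliest hop is the last Received header, and its first bracketed address is usually the client's LAN address, so private ranges are filtered with an explicit list rather than `ipaddress.is_private`, which would also flag the RFC 5737 documentation addresses the sample uses.

```python
import email
import email.utils
import ipaddress
import re

# X-Mailer values worth matching; the GoDaddy string is the fingerprint the
# report attributes to Chiffon Herring in section 6.2.
MAILER_FINGERPRINTS = {
    "Workspace Webmail 6.12.10": "GoDaddy webmail (Chiffon Herring pattern, section 6.2)",
}

# Constructed message: invented people and mailboxes, RFC 5737 addresses. The
# display name matches a real employee but the mailbox is external freemail.
RAW_MESSAGE = """\
Return-Path: <maria.santos.hr@freemail-example.net>
Received: from smtp.freemail-example.net (smtp.freemail-example.net [203.0.113.45])
 by mx.corp.example with ESMTPS; Mon, 3 Nov 2025 14:02:11 +0800
Received: from [10.0.0.12] (unknown [198.51.100.23])
 by smtp.freemail-example.net with ESMTPSA; Mon, 3 Nov 2025 14:02:09 +0800
X-Originating-IP: [198.51.100.23]
X-Mailer: Workspace Webmail 6.12.10
From: "Maria Santos" <maria.santos.hr@freemail-example.net>
Reply-To: <maria.santos.payroll@freemail-example.net>
To: payroll@corp.example
Subject: Direct deposit update
Date: Mon, 3 Nov 2025 14:02:09 +0800

Please update my direct deposit before Friday's run. I'm in meetings all
day, so email is best.
"""

STAFF_DIRECTORY = {"maria santos": "maria.santos@corp.example",
                   "john smith": "john.smith@corp.example"}   # constructed

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def routable_ips(header_value):
    """Bracketed IPv4 literals in a header minus RFC 1918/loopback/link-local.
    An explicit list is used because ipaddress.is_private also flags the
    RFC 5737 documentation ranges this sample relies on."""
    return [ip for ip in IPV4.findall(header_value or "")
            if not any(ipaddress.ip_address(ip) in net for net in LAN_RANGES)]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw, directory, internal_domain):
    """Extract origin evidence and score the impersonation.

    directory maps "first last" (lower-case) to the internal mailbox, so a
    display name that matches staff but arrives from outside is flagged."""
    msg = email.message_from_string(raw)
    display_name, from_addr = email.utils.parseaddr(msg.get("From", ""))
    _, return_path = email.utils.parseaddr(msg.get("Return-Path", ""))
    _, reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))
    received = msg.get_all("Received") or []
    from_domain, rp_domain = domain_of(from_addr), domain_of(return_path)
    name_key = " ".join(display_name.lower().split())
    originating = routable_ips(msg.get("X-Originating-IP"))
    first_hop = routable_ips(received[-1]) if received else []   # earliest hop is last
    mailer = (msg.get("X-Mailer") or "").strip()
    return {
        "display_name": display_name,
        "from_address": from_addr,
        "display_name_impersonation": name_key in directory and from_domain != internal_domain,
        "impersonated_account": directory.get(name_key),
        "return_path": return_path,
        "return_path_mismatch": bool(rp_domain) and rp_domain != from_domain
                                and not rp_domain.endswith("." + from_domain),
        "reply_to_divergent": bool(reply_to) and reply_to.lower() != from_addr.lower(),
        "originating_ip": originating[0] if originating else None,
        "first_hop_ip": first_hop[0] if first_hop else None,
        "mailer": mailer,
        "mailer_attribution": MAILER_FINGERPRINTS.get(mailer),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE, STAFF_DIRECTORY, "corp.example").items():
        print(f"{key}: {value}")
```

A Return-Path on a different domain from the From address (the mismatch flag) is the signal that the message was launched through someone else's account or server rather than the freemail box named in From; in that case the Return-Path domain, not the From domain, is the one to take to pDNS.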

6.3 Behavioral Biometrics
Financial institutions are increasingly deploying behavioral biometrics to detect mule accounts at the point of creation.2
- Application Fluency: Criminals opening accounts often exhibit “high fluency”—they use keyboard shortcuts (Ctrl+C, Ctrl+V) and navigate forms rapidly because they are working from a script or a spreadsheet of stolen identities.
- Low Data Familiarity: Conversely, they show “low familiarity” with the Personally Identifiable Information (PII) they are entering. A legitimate user rarely hesitates when entering their mother’s maiden name or date of birth; a fraudster often pauses to look up this data.

6.4 Device Fingerprinting and SIM-less Devices
To evade location tracking, mule farms in Southeast Asia utilize SIM-less devices connected via Wi-Fi hotspots.2 This prevents telcos from triangulating the device’s location using cell towers. Advanced device fingerprinting can detect clusters of devices sharing a single external IP address or exhibiting identical hardware configurations, indicative of a “farm” environment.
6.5 Deploying Protective DNS for BEC Resiliency
Protective DNS (PDNS) redefines the role of the DNS resolver, transforming it from a simple directory service into an active security control point. Unlike standard DNS resolution, a PDNS service inspects every DNS query generated by an organization’s network and compares the requested domain and IP address against a real-time “threat list” of known malicious indicators.

Operational Mechanism
If a user clicks a phishing link in a BEC email or if malware attempts to contact a Command and Control (C2) server, the PDNS resolver intervenes. Instead of resolving the malicious IP, it returns a “sinkhole” address or an NXDOMAIN (non-existent domain) response, effectively blocking the connection. The user is then presented with a warning page, neutralizing the threat before a TCP handshake can even occur.
Investigative Value: Who, What, Where
When a block occurs, the PDNS resolver logs the transaction in detail. This creates a high-fidelity audit trail for forensic investigators. By querying these logs, a security team can instantly determine:
- Who: Which specific device or user identity initiated the query?
- What: What specific malicious domain was requested?
- Where: Is this threat targeting a single individual (spear-phishing) or is it a broad campaign affecting multiple users across the enterprise?
Passive DNS Telemetry vs. DNS Logging
For broader threat intelligence, PDNS resolvers can be configured to contribute to Passive DNS (pDNS) databases. It is critical to distinguish this from internal DNS Logging:
- DNS Logging: Captures the full transaction, including the internal “Client IP” making the request. This data is vital for internal incident response but is considered Personally Identifiable Information (PII) and is strictly retained within the organization.
- Passive DNS (pDNS) Telemetry: This process strips the internal “Client IP” (PII) from the data. It records only the exchange between the DNS resolver and the authoritative name server on the Internet. This anonymized data allows researchers to build global maps of how domains and IPs change over time, tracking how threat actors “fast flux” their infrastructure or rotate authoritative name servers and hosting networks (identified by their Autonomous System Numbers, ASNs), without compromising user privacy.
Tuning PDNS for BEC Threat Vectors
To maximize efficacy against BEC, PDNS policies should be tuned to target specific BEC characteristics:
- Lookalike Domains (Typosquatting): Configure the PDNS to block domains that are visually similar to the organization’s domain (e.g., company-support.com vs company.com) or high-value targets such as Microsoft 365 login pages.
- Newly Observed Domains (NOD): BEC actors frequently register ephemeral domains just hours before an attack. PDNS should be set to block or flag any domain that has existed for less than 24-72 hours, as legitimate business domains rarely appear overnight.
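The policy layer described across the last four subsections (block decision, sinkhole or NXDOMAIN response, the who/what/where log, the stripped pDNS telemetry, and the NOD and lookalike rules) fits in one small class. This is an added example, not vendor code: the blocklist, the organisation's domain and the first-seen table are constructed stand-ins for the feeds a product would supply, the sinkhole address is an assumption, the registrable-domain logic assumes a one-label public suffix, and the lookalike rule is the simple brand-embedded-in-label case only.

```python
from datetime import datetime, timedelta, timezone

SINKHOLE_IP = "192.0.2.1"   # block-page host (RFC 5737 address; assumption for the example)
NOW = datetime(2025, 11, 3, 9, 0, tzinfo=timezone.utc)   # fixed clock so results are stable


class ProtectiveDns:
    """Policy a PDNS resolver applies before answering a query."""

    def __init__(self, blocklist, own_domains, first_seen, nod_window=timedelta(hours=72),
                 mode="sinkhole", now=None):
        self.blocklist = {d.lower() for d in blocklist}
        self.own_domains = {d.lower() for d in own_domains}
        self.first_seen = {d.lower(): t for d, t in first_seen.items()}   # stands in for a NOD feed
        self.nod_window = nod_window
        self.mode = mode                       # "sinkhole" or "nxdomain"
        self.now = now or datetime.now(timezone.utc)
        self.log = []                          # full transactions, client identity included

    @staticmethod
    def registrable(qname):
        # Last two labels; a public-suffix list is needed for co.uk-style TLDs (assumption).
        return ".".join(qname.lower().rstrip(".").split(".")[-2:])

    def decide(self, qname):
        """Return (action, reason) for a query name."""
        q = qname.lower().rstrip(".")
        reg = self.registrable(q)
        if q in self.own_domains or reg in self.own_domains:
            return "allow", "own-domain"
        if q in self.blocklist or reg in self.blocklist:
            return "block", "blocklist"
        seen = self.first_seen.get(reg)
        if seen is not None and self.now - seen < self.nod_window:
            return "block", "newly-observed-domain"
        label = reg.split(".")[0]
        for own in self.own_domains:
            brand = own.split(".")[0]
            if brand in label and label != brand:   # company-support.com, my-company-login.net
                return "block", "lookalike"
        return "allow", "clean"

    def resolve(self, qname, client_ip, user, upstream_answer):
        """Apply policy, record the transaction, return what the client receives."""
        action, reason = self.decide(qname)
        answer = upstream_answer if action == "allow" else (
            SINKHOLE_IP if self.mode == "sinkhole" else "NXDOMAIN")
        self.log.append({"ts": self.now.isoformat(), "client_ip": client_ip, "user": user,
                         "qname": qname.lower(), "action": action, "reason": reason, "answer": answer})
        return {"action": action, "reason": reason, "answer": answer}

    def who_what_where(self, qname):
        """Investigative view of a blocked name: which users and clients, and how broad."""
        hits = [e for e in self.log if e["qname"] == qname.lower() and e["action"] == "block"]
        users = sorted({e["user"] for e in hits})
        scope = "none" if not hits else "single-target" if len(users) == 1 else "broad-campaign"
        return {"qname": qname.lower(), "users": users,
                "clients": sorted({e["client_ip"] for e in hits}), "scope": scope}

    def pdns_telemetry(self):
        """What may leave the organisation: the resolver-to-authoritative view
        only (blocked names were never resolved upstream), with client IP and
        user identity stripped."""
        return [{"ts": e["ts"], "qname": e["qname"], "answer": e["answer"]}
                for e in self.log if e["action"] == "allow"]


def build_example():
    """Resolver wired to constructed feeds."""
    first_seen = {
        "payroll-update-example.net": NOW - timedelta(hours=20),   # registered yesterday
        "example.org": NOW - timedelta(days=400),
    }
    return ProtectiveDns(blocklist=["login-m1crosoft-example.com"],
                         own_domains=["company.com"], first_seen=first_seen, now=NOW)


if __name__ == "__main__":
    pdns = build_example()
    for user, ip in (("alice", "10.0.0.5"), ("bob", "10.0.0.9"), ("carol", "10.0.0.14")):
        pdns.resolve("company-support.com", ip, user, upstream_answer="203.0.113.77")
    pdns.resolve("cdn.payroll-update-example.net", "10.0.0.5", "alice", upstream_answer="203.0.113.78")
    pdns.resolve("example.org", "10.0.0.9", "bob", upstream_answer="203.0.113.10")
    print(pdns.who_what_where("company-support.com"))
    print(pdns.who_what_where("cdn.payroll-update-example.net"))
    print(pdns.pdns_telemetry())
```

The NOD rule is evaluated on the registrable domain, so a fresh registration cannot hide behind a deep subdomain; in a real deployment, expect to whitelist genuinely new vendor and SaaS domains, which is why a 24 to 72 hour window rather than a permanent block is the usual setting.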
Protective DNS Market Options
Organizations can deploy robust PDNS capabilities through vendors such as:
- Infoblox (BloxOne Threat Defense): Offers hybrid on-premises and cloud-based protection with specialized feeds for “Lookalike Domains” and integration with its ecosystem for automated responses.
- ThreatSTOP (DNS Defense): Provides a cloud-based service that automates the enforcement of threat intelligence, including “Newly Observed Domains” (NOD) and specific BEC blocklists, transforming standard DNS servers into firewalls.
7. High-Profile Asia Pacific Case Studies
The following case studies illustrate the scale and sophistication of the threat in the APAC region, as well as successful recovery operations.
7.1 Singapore Commodity Firm: $42.3M Loss and I-GRIP Recovery
In July 2024, a Singapore-based commodity firm fell victim to a BEC scam involving a spoofed supplier email. The loss totaled $42.3 million. However, through the rapid activation of INTERPOL’s I-GRIP (Global Rapid Intervention of Payments) mechanism, authorities were able to intercept and recover $41 million within days.1 This case serves as a proof-of-concept for the efficacy of international cooperation in asset recovery when reported immediately.

7.2 Arup Engineering: The Deepfake CFO ($25.6M Loss)
In January 2024, an employee at Arup’s Hong Kong office received a message purportedly from the company’s UK-based CFO regarding a confidential transaction. Initially suspicious, the employee’s doubts were erased after joining a video conference call in which the CFO and several other senior executives all appeared; every one of them was an AI-generated deepfake. The employee subsequently transferred about $25.6 million to five different accounts. Arup was publicly identified as the victim in May 2024.1 This case highlights the dangerous frontier of “Deepfake BEC” and the inadequacy of visual verification alone.
7.3 Shivganga Drillers (India): Full Recovery via International Cooperation
In 2025, Shivganga Drillers, a company based in Indore, India, lost ₹3.72 crore ($415,000 USD) to a BEC attack. Through swift coordination between the Indian Cyber Crime Coordination Centre (I4C), the FBI’s IC3, and JP Morgan Bank, the funds were frozen in the U.S. account and fully recovered.1 This underscores the critical role of the FBI’s Recovery Asset Team (RAT) in cross-border incidents.
7.4 Korea-China Voice Phishing Syndicate ($1.1B Loss)
Korean and Chinese authorities dismantled a voice phishing syndicate responsible for $1.1 billion in losses affecting over 1,900 victims. The organization impersonated law enforcement officials using counterfeit identification. The operation led to the arrest of 27 members, exemplifying the cross-border nature of modern financial crime syndicates in APAC.1
8. Asia Pacific Law Enforcement Reporting Guide
Timely reporting is the single most critical factor in fund recovery. This directory provides actionable contact information for key APAC jurisdictions.
APAC Law Enforcement Reporting Contacts:
- Singapore: Singapore Police Force (SPF) – Anti-Scam Command. Hotline: 1800-255-0000. ScamShield: 1799. Portal: police.gov.sg/iwitness
- Australia: Australian Signals Directorate (ASD) – ACSC. 1300 CYBER1 (1300 292 371). Portal: cyber.gov.au/report
- Hong Kong: HKPF – Cyber Security & Technology Crime Bureau (CSTCB). Anti-Deception ADCC: 18222.
- India: Indian Cybercrime Coordination Centre (I4C). Helpline: 1930. Portal: cybercrime.gov.in
- Philippines: Cybercrime Investigation and Coordinating Center (CICC). I-ARC Hotline: 1326. Portal: cicc.gov.ph
- Thailand: Anti-Online Scam Operation Center (AOC). Hotline: 1441.
- Malaysia: National Scam Response Center (NSRC). Call 997.
- Japan: National Police Agency (NPA) – Cyber Affairs Bureau. Police emergency: 110. Police consultation hotline: #9110.
- South Korea: Korean National Police Agency (KNPA). Emergency: 112. Cybercrime: 118. Portal: cyberbureau.police.go.kr
- Indonesia: Indonesian National Police (POLRI). Contact Local Police. Portal: patrolisiber.id
- New Zealand: CERT NZ / National Cyber Security Centre (NCSC). 0800 CERT NZ. Portal: cert.govt.nz
- Vietnam: Ministry of Public Security – Dept of Cybersecurity. Contact A05.
9. Defense-in-Depth Strategies
Defending against modern payroll diversion requires a layered strategy that addresses technical vulnerabilities, procedural gaps, and the human element.

9.1 Technical Controls
- Deploy Protective DNS (PDNS): Implement a PDNS solution (e.g., Infoblox BloxOne, ThreatSTOP) to inspect and block DNS queries to malicious domains. Tune policies to block “Lookalike Domains” and “Newly Observed Domains” (NOD), which are high-risk indicators for BEC infrastructure. Leverage PDNS logs for investigative capability (identifying who clicked what) and contribute anonymized Passive DNS telemetry to broaden threat visibility.
- FIDO2/WebAuthn Passkeys: Organizations must transition from phishable credentials (passwords plus SMS OTP) to passkeys.1 A passkey is bound to the relying party’s origin: the browser only offers the credential to the site it was registered for and signs that origin into the assertion, so a credential for company.com is never exercised on a lookalike domain, and a proxy phishing kit sitting between the user and the real site obtains nothing it can replay.
- Strict DMARC Enforcement: Only 20% of domains enforce DMARC at p=reject.1 Implementing this prevents attackers from directly spoofing the organization’s domain.
- External Email Tagging: Visual cues, such as a banner or subject-line tag applied to every message that originates outside the organization, remain a vital prompt for employee vigilance.
- Lookalike Domain Detection: Implement security tools that flag emails from domains that are visually similar to the organization’s domain (e.g., trustbgw.com vs trustbwg.com).
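The transposition-style lookalike above (trustbgw.com vs trustbwg.com) is caught by an edit distance that counts an adjacent-letter swap as a single edit, with a confusable-folding step for rn/m and vv/w substitutions. The following Python is an added example, not the report's or any vendor's tooling; the trusted-domain set and the confusable pairs are constructed assumptions.

```python
from typing import Iterable, Optional

# Constructed data (not from the report): the org's own domain plus a payroll
# vendor it trusts. Real deployments load these from the mail gateway config.
TRUSTED_DOMAINS = {"trustbwg.com", "acme-payroll.example"}

# Character sequences that render almost identically in common fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def fold_confusables(s: str) -> str:
    """Normalize look-alike sequences so 'trustbvvg' compares as 'trustbwg'."""
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute cost 1 and an
    adjacent swap (trustbgw vs trustbwg) also costs 1; plain Levenshtein charges 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def sender_domain(from_header: str) -> str:
    """Domain part of a From: header such as 'CFO <cfo@trustbgw.com>'."""
    return from_header.strip().rstrip(">").rsplit("@", 1)[-1].lower()

def lookalike_of(domain: str, trusted: Iterable[str] = TRUSTED_DOMAINS,
                 max_distance: int = 1) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.
    An exact match is trusted as-is; any other domain within `max_distance`
    edits after confusable folding is a lookalike that should be quarantined."""
    domain = domain.lower()
    if domain in trusted:
        return None
    folded = fold_confusables(domain)
    for t in trusted:
        if osa_distance(folded, fold_confusables(t)) <= max_distance:
            return t
    return None
```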
9.2 Procedural Controls
- Out-of-Band Verification: Mandate that any request to change banking details must be verified via a phone call to a known internal number (from the company directory, not the email signature). Reliance on email for verification is a critical failure point.
- Dual Authorization: Require approval from two distinct authorized personnel for any modification to payroll master data.
- Cooling-Off Periods: Implement a mandatory waiting period (e.g., 24-48 hours) between a change request and the actual update becoming active, allowing time for notification and objection.
- Notification to Employee: Send automated confirmation to the employee’s known email AND phone number whenever payroll details are changed.
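The four procedural controls above form one workflow: a banking-detail change activates only after a callback to the directory number, two distinct approvals, notification on both known channels, and the cooling-off period. The Python below is an added example, not the report's own process or any HR product's API; the directory record, approver names and 48-hour period are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed data (not from the report): the HR directory record an approver
# must use for the callback, never a number quoted in the requesting email.
DIRECTORY = {"j.tan": {"phone": "+65-6000-0001", "email": "j.tan@trustbwg.com"}}
COOLING_OFF = timedelta(hours=48)   # the section's 24-48 hour waiting period

class ControlViolation(Exception):
    """A procedural control was bypassed; the change must not proceed."""

@dataclass
class BankDetailChange:
    employee: str                 # directory id of the employee
    requested_at: datetime
    verified_via: str = ""        # directory number actually dialled
    approvals: list = field(default_factory=list)
    notified: list = field(default_factory=list)

    def verify_out_of_band(self, dialled: str) -> None:  # dial the directory number only
        if dialled != DIRECTORY[self.employee]["phone"]:
            raise ControlViolation("callback number is not from the directory")
        self.verified_via = dialled
    def approve(self, approver: str) -> None:  # two distinct approvers, never the employee
        if approver == self.employee or approver in self.approvals:
            raise ControlViolation(f"{approver} cannot supply another approval")
        self.approvals.append(approver)
    def notify_employee(self) -> None:  # confirm on known email AND phone
        rec = DIRECTORY[self.employee]
        self.notified = [rec["email"], rec["phone"]]
    def activate(self, now: datetime) -> bool:
        """Apply the change only once every control has been satisfied."""
        if not self.verified_via:
            raise ControlViolation("no out-of-band verification recorded")
        if len(self.approvals) < 2:
            raise ControlViolation("dual authorization incomplete")
        if len(self.notified) < 2:
            raise ControlViolation("employee not notified on both channels")
        if now - self.requested_at < COOLING_OFF:
            raise ControlViolation("cooling-off period has not elapsed")
        return True

def process(callback: str, approvers: list, hours_later: int) -> str:
    """Run one constructed request end to end: 'activated' or why it was blocked."""
    t0 = datetime(2026, 1, 12, 9, 0)
    req = BankDetailChange("j.tan", t0)
    try:
        req.verify_out_of_band(callback)
        for approver in approvers:
            req.approve(approver)
        req.notify_employee()
        req.activate(t0 + timedelta(hours=hours_later))
        return "activated"
    except ControlViolation as exc:
        return f"blocked: {exc}"
```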

9.3 Strategic and Regulatory Alignment
- Kill Switch Implementation: Financial institutions must comply with mandates like BSP Circular 1213 to empower customers with immediate freeze capabilities.
- Shared Responsibility Compliance: Banks and Telcos in jurisdictions like Singapore must audit their workflows against the SRF duties to avoid liability for scam losses.

10. Rethinking BEC Resiliency as a Digital Safety Challenge
The escalation of Business Email Compromise (BEC) from a nuisance to a macroeconomic threat demands that organizations rethink their defensive architectures, processes, and risk-transfer strategies. It is no longer sufficient to treat BEC as a simple “spam” problem; it is a profound challenge to digital identity and trust.
10.1 From Technical Defense to Zero Trust Identity Assurance
Traditional perimeter defenses (like firewalls) are largely ineffective against BEC because these attacks exploit trusted identities rather than technical vulnerabilities. A compromised CEO’s email account is, to the network, a valid user. The defensive paradigm must shift to Zero Trust Architecture (ZTA), which operates on the principle of “never trust, always verify.”
- Identity as the Perimeter: In a Zero Trust model, the user’s identity is the new security perimeter. This requires implementing strict Identity and Access Management (IAM) controls, as BEC actors now heavily focus on credential harvesting and session hijacking to bypass traditional defenses.37
- Continuous Authentication: Organizations must move beyond static passwords to phishing-resistant Passkeys (FIDO2). Passkeys bind the user’s identity to their physical hardware using cryptography, making it technically impossible for a remote attacker to “phish” a credential, even if the user is deceived.36

10.2 The Cyber Insurance Paradigm Shift
The cyber insurance market has fundamentally changed in response to the BEC epidemic.
- Claims Dominance: In 2024, approximately 60% of all cyber insurance claims originated from BEC and Funds Transfer Fraud (FTF), far surpassing ransomware in frequency.38
- Active Insurance: Insurers are moving from a reactive payout model to an “Active Insurance” model. This involves continuous external scanning of policyholders to detect vulnerabilities (such as open RDP ports or missing DMARC records) and requires proactive risk mitigation before binding a policy.38
- Coverage Distinctions: Organizations must understand the critical distinction between “Cyber Crime” (unauthorized technical access/hacking) and “Social Engineering” (voluntary transfer of funds by a deceived employee). Many policies sub-limit social engineering losses or exclude them entirely if specific verification procedures (such as callbacks) were not followed.

10.3 Regulatory Convergence: The End of “Buyer Beware”
Governments across the Asia Pacific region are abandoning the “buyer beware” doctrine in favor of Shared Responsibility Frameworks.
- Liability Shift: Frameworks like Singapore’s SRF26 and Hong Kong’s E-Banking Security ABC27 explicitly hold financial institutions and telcos liable for scam losses if they fail to implement required safeguards.
- Mandated Friction: The regulatory trend is toward reintroducing friction into the payment process. Mandates like the Philippines’ Kill Switch (BSP Circular 1213) and India’s proposed 4-hour UPI delay32 prioritize safety over speed, forcing a pause that allows for fraud detection and victim reaction.

10.4 The Human-Centric Defense
Technology alone cannot solve a psychological crime. Defense strategies must integrate human-centric controls that disrupt the attacker’s “OODA Loop” (Observe, Orient, Decide, Act).
- Procedural Friction: Implementing mandatory Out-of-Band Verification (voice confirmation via a known number) for all payment changes is the most effective stopgap against AI-driven social engineering.
- Protective DNS (PDNS): A high-ROI control, PDNS serves as a safety net against human error. Blocking requests to malicious domains at the infrastructure level prevents a clicked link from leading to a compromised session, neutralizing the threat before the user is exploited.

11. Summary and Actions: A Call to Resilience
The landscape of payroll diversion fraud has fundamentally shifted from opportunistic theft to industrial-scale financial warfare. As documented in this report, the convergence of AI-driven social engineering, state-sponsored actors like North Korea’s Lazarus Group, and the mechanized fraud factories of the Mekong region has created a threat environment of unprecedented velocity and sophistication.
The losses are no longer rounding errors; they are macro-economic impacts that threaten the solvency of businesses and the integrity of national financial systems. The $55.5 billion in cumulative losses is a testament to the failure of traditional defenses. The era of relying solely on employee vigilance is over.
To survive this new reality, organizations must pivot from reactive security postures to active, resilience-based architectures. The following checklist synthesizes the critical actions required to defend against the modern payroll diversion threat.
11.1 The Executive Action Checklist
1. Harden Identity (The New Perimeter):
   - [ ] Deploy FIDO2 Passkeys: Eliminate phishable passwords. Transition to hardware-bound credentials that neutralize credential harvesting attacks.
   - [ ] Enforce Zero Trust Principles: Assume breach. Verify every identity and device before granting access to payroll systems.
2. Fortify the Infrastructure:
   - [ ] Deploy Protective DNS (PDNS): Implement active blocking (e.g., Infoblox, ThreatSTOP) for “Newly Observed Domains” and “Lookalike Domains” to kill the kill chain at the connection phase.
   - [ ] Lock Down Email: Enforce DMARC at p=reject to prevent direct domain spoofing.
3. Mandate Procedural Friction:
   - [ ] The “Golden Rule” of Verification: Strictly enforce Out-of-Band Verification (voice call via internal directory) for every request to change banking details. No exceptions for executives.
   - [ ] Implement Dual Authorization: Require two separate approvals for any modification to payroll master data.
4. Align Financial Safety Nets:
   - [ ] Audit Cyber Insurance: Verify the distinction between “Cyber Crime” and “Social Engineering” coverage. Ensure your procedural controls meet the insurer’s requirements to avoid claim denial.
   - [ ] Review Banking Controls: Activate all available bank-level security features, such as “Kill Switches” (where available) and transaction thresholds.
5. Prepare for Crisis:
   - [ ] Rapid Response Protocols: Pre-authorize contact lists for the FBI Recovery Asset Team (RAT) and INTERPOL’s I-GRIP. Speed is the only currency that matters when funds are stolen; know who to call before the crisis hits.
The defense against payroll diversion is a shared responsibility. It requires synchronizing technology, process, and people. By implementing these measures, organizations can transform themselves from soft targets into hard obstacles, forcing threat actors to look elsewhere.

Works cited
- Payroll_Diversion_Fraud_Investigation_Report_v3.1.docx
- Forensic Analysis of Payroll Diversion Fraud: Operational Modalities, Threat Actor Investigation, and Defensive Architectures 4.0
- Scattered Canary – Fortra, accessed January 10, 2026, https://static.fortra.com/agari/pdfs/guide/ag-scattered-canary-gd.pdf
- Curious Orca BEC Scammers Use Email Probes to Validate Targets – Bleeping Computer, accessed January 10, 2026, https://www.bleepingcomputer.com/news/security/curious-orca-bec-scammers-use-email-probes-to-validate-targets/
- Blank Emails Come Before BEC Fraud Attack – KnowBe4 blog, accessed January 10, 2026, https://blog.knowbe4.com/blank-emails-come-before-bec-fraud-attack
- Multilingual Executive Impersonation Attacks | Abnormal AI, accessed January 10, 2026, https://abnormal.ai/blog/midnight-hedgehog-mandarin-capybara-multilingual-executive-impersonation
- FRAUDULENT REMOTE IT WORKERS FROM DPRK – FBI, accessed January 10, 2026, https://www.fbi.gov/wanted/cyber/fraudulent-remote-it-workers-from-dprk
- Justice Department Announces Coordinated, Nationwide Actions to Combat North Korean Remote Information Technology Workers’ Illicit Revenue Generation Schemes, accessed January 10, 2026, https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote
- Stonefly APT engaged in a campaign delivering Play ransomware – Broadcom Inc., accessed January 10, 2026, https://www.broadcom.com/support/security-center/protection-bulletin/stonefly-apt-engaged-in-a-campaign-delivering-play-ransomware
- North Korea’s Andariel Group Tied to Play Ransomware in New Cyber Attack – Anvilogic, accessed January 10, 2026, https://www.anvilogic.com/threat-reports/north-korea-andariel-play
- Jumpy Pisces Engages in Play Ransomware – Palo Alto Networks Unit 42, accessed January 10, 2026, https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/
- Circular No. 1213 – BSP, accessed January 10, 2026, https://www.bsp.gov.ph/Regulations/Published%20Issuances/Images/Circular_1213.pdf
- Nigerian Hackers Attempt to Steal Millions From Shipping Firms – SecurityWeek, accessed January 10, 2026, https://www.securityweek.com/nigerian-hackers-attempt-steal-millions-shipping-firms/
- Golden Galleon Raids Maritime Shipping Firms – Dark Reading, accessed January 10, 2026, https://www.darkreading.com/cyberattacks-data-breaches/golden-galleon-raids-maritime-shipping-firms
- GOLD GALLEON: How a Nigerian Cyber Crew Plunders the Shipping Industry – Sophos, accessed January 10, 2026, https://www.sophos.com/en-us/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry
- BEC Group Targets Teachers with Payroll Diversion Attacks – Abnormal Intelligence, accessed January 10, 2026, https://intelligence.abnormalsecurity.com/blog/bec-group-targets-teachers-payroll-diversion-attacks
- Threat Highlights Report September 2022 – WithSecure, accessed January 10, 2026, https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Threat_Highlight_report_September_2022_EN.pdf
- Guide: Silent Starling Threat Dossier – BEC to VEC – Agari, accessed January 10, 2026, https://emailsecurity.fortra.com/resources/guides/silent-starling-scamming
- Not us, YOU: vendor email compromise explained | Malwarebytes Labs, accessed January 10, 2026, https://www.malwarebytes.com/blog/news/2019/11/not-us-you-vendor-email-compromise-explained
- Silent Starling: Pioneering Vendor Email Compromise, 2020’s “Biggest Financial Threat” – Verdict Encrypt | Issue 11 | Winter 2019, accessed January 10, 2026, https://verdict-encrypt.nridigital.com/verdict_encrypt_winter19/silent_starling_vendor_email_compromise
- Threat Groups Using Translation Tools in Phishing Attacks | JD Supra, accessed January 10, 2026, https://www.jdsupra.com/legalnews/threat-groups-using-translation-tools-3246629/
- BEC Groups Target Firms With Multilingual Impersonation Attacks – Infosecurity Magazine, accessed January 10, 2026, https://www.infosecurity-magazine.com/news/bec-groups-multilingual/
- Scattered Canary Behind Hundreds of Fraudulent Unemployment Claims – Tripwire, accessed January 10, 2026, https://www.tripwire.com/state-of-security/scattered-canary-behind-hundreds-of-fraudulent-unemployment-claims
- About Shared Responsibility Framework (SRF) | DBS Singapore, accessed January 10, 2026, https://www.dbs.com.sg/personal/support/general-shared-responsibility-framework.html
- Singapore: Shared Responsibility Framework to be implemented from 16 December 2024, accessed January 10, 2026, https://insightplus.bakermckenzie.com/bm/financial-institutions_1/singapore-shared-responsibility-framework-to-be-implemented-from-16-december-2024
- MAS and IMDA Announce Implementation of Shared Responsibility Framework from 16 December 2024 – Monetary Authority of Singapore, accessed January 10, 2026, https://www.mas.gov.sg/news/media-releases/2024/mas-and-imda-announce-implementation-of-shared-responsibility-framework-from-16-december-2024
- New Anti-Digital Fraud Measures: “E-Banking Security ABC” – “Bye to unused functions” and “Cancel Suspicious Payments”, accessed January 10, 2026, https://www.shacombank.com.hk/eng/about/news/images/popup_notice_202506_saa.html
- New Anti-Digital Fraud Measures: “E-Banking Security ABC” Annex, accessed January 10, 2026, https://brdr.hkma.gov.hk/eng/doc-ldg/docId/getPdf/20250411-3-EN/20250411-3-EN.pdf
- New Anti-Digital Fraud Measures: “E-Banking Security ABC” – Hong Kong Monetary Authority, accessed January 10, 2026, https://brdr.hkma.gov.hk/eng/doc-ldg/docId/getPdf/20250411-1-EN/20250411-1-EN.pdf
- AFASA Booklet with IRRs – Bangko Sentral ng Pilipinas, accessed January 10, 2026, https://www.bsp.gov.ph/Regulations/Banking%20Laws/AFASA-Booklet-with-IRRs.pdf
- Future-Ready Fraud Defense In Philippines: Clari5 Alignment with BSP Circular 1213, accessed January 10, 2026, https://www.clari5.com/future-ready-fraud-defense-in-philippines-clari5-alignment-with-bsp-circular-1213/
- UPI fraud: Govt plans 4-hour delay for first user-to-user transactions over Rs 2K – Odisha TV, accessed January 10, 2026, https://odishatv.in/news/technology/upi-fraud-govt-plans-4-hour-delay-for-first-user-to-user-transactions-over-rs-2k-221270
- Alert for UPI Users: Government Takes Action Against Fraud With A 4-Hour Delay On Transactions Above Rs 2000 – Mashable India, accessed January 10, 2026, https://in.mashable.com/tech/64820/alert-for-upi-users-government-takes-action-against-fraud-with-a-4-hour-delay-on-transactions-above
- Passive DNS Monitoring – Why It’s Important for Your IR Team – Red Canary, accessed January 10, 2026, https://redcanary.com/blog/security-operations/passive-dns-monitoring-your-ir-team-needs-it/
- Introducing DNSDB 2.0 | Passive DNS – DomainTools, accessed January 10, 2026, https://www.domaintools.com/products/farsight-dnsdb/
- BSP Circular 1213: What It Means for Authentication – Ideem, accessed January 10, 2026, https://www.useideem.com/post/bsp-circular-1213-what-it-means-for-authentication—-and-what-comes-next
- Cyber insurance trends shaping 2025 and beyond – Lander & Rogers, accessed January 11, 2026, https://www.landers.com.au/legal-insights-news/cyber-insurance-trends-shaping-2025-and-beyond
- Coalition 2025 Claims Report Finds Ransomware Stabilized but …, accessed January 11, 2026, https://www.coalitioninc.com/announcements/2025-cyber-claims-report
