Fraud has become one of the most disruptive forces facing modern organisations. It has grown more sophisticated, more persistent, and more deeply intertwined with the digital systems that companies rely on every day. Businesses are no longer confronted by isolated phishing messages or crude impersonation attempts. Instead, they face carefully orchestrated schemes powered by artificial intelligence, cross-platform manipulation, and coordinated deception that spreads across entire networks of suppliers, partners, and customers.
This shift is not theoretical. In the first half of 2025, Singapore recorded more than 19,600 scam cases with losses of about S$456.4 million. While the number of scam cases declined compared to the previous year, the financial impact remained significant and the methods used have grown more complex. Authorities noted that scams increasingly exploit mainstream social platforms and messaging apps, with some categories such as TikTok-related scams more than doubling. Fraudsters now blend social engineering, digital manipulation, and cross-channel coordination to bypass traditional controls.
Martin Creighan, Vice President for APAC at Commvault, captures the challenge organisations face. “Fraud awareness often focuses on stopping the next attack: detect sooner, train better, patch faster. But resilience must go further.” His point reflects a growing consensus across regulators and incident-response teams: prevention alone is no longer enough. Companies must strengthen their ability to recover quickly when fraud succeeds, because the question has shifted from whether an incident will occur to how rapidly the organisation can regain stability when it does.
Fraud is escalating faster than organisations can respond
Fraud has evolved into a fast-moving threat that adapts quickly to new technologies. Artificial intelligence has made it easy to replicate voices, fabricate video calls, and create digital identities that appear authentic to victims. These methods make deception more convincing, particularly when fraudulent requests seem routine, urgent, or aligned with existing communication patterns.
Statistics from the first half of 2025 illustrate this acceleration. Phishing, e-commerce scams, job, investment, and impersonation scams formed the bulk of cases, although new variations such as “insurance services” scams began emerging. Even with public awareness efforts, scams continue to evolve faster than preventive controls. Social platforms, messaging apps, and online marketplaces remain key channels, with several experiencing sharp increases in abuse.
The progression of AI-assisted fraud has also pushed criminals into more targeted schemes. They now focus on specific employees, departments, or workflows, using realistic audio and video to pressure victims into approving payments or sharing sensitive information. This surge in personalised deception has widened the gap between the sophistication of attacks and the preparedness of organisations.
What is clear is that traditional training, email filters, and policy reminders cannot fully address the scale of modern fraud. Attackers only need one moment of opportunity to trigger a costly incident. Organisations, by contrast, must defend every process and interaction, which is no longer feasible through prevention alone.
Identity compromise now drives the majority of high-impact fraud
Identity has become the most valuable asset for fraudsters. Instead of breaking through hardened systems, attackers increasingly impersonate trusted users and rely on compromised accounts to carry out fraudulent instructions. This shift has made identity-driven fraud exceptionally difficult to detect, because it operates within legitimate communication channels and appears to come from known contacts.
Creighan notes that many incidents begin with identity breaches, observing that “most losses begin with compromised identities; phished or hijacked business accounts that unlock payment changes and impersonation.” This aligns with findings from cybersecurity agencies globally, which warn that Business Email Compromise remains among the most damaging forms of fraud due to its reliance on trust-based communication patterns.
Authorities in Singapore have also highlighted a rise in BEC incidents and released a dedicated BEC playbook to support detection and recovery. This is due to the disproportionate impact of these schemes. A single fraudulent email can modify payment instructions, misdirect invoices, or trigger unauthorised transactions that take weeks to unwind. Even after remediation, the internal effort required to recover trust, restore reconciliations, and verify supplier channels can be considerable.
Deepfake technology has intensified these risks. In recent advisory notes, law-enforcement and financial regulators warned that criminals are now using AI-generated video calls to impersonate senior executives and instruct staff to initiate transfers. Victims have reported being invited into video meetings that appeared authentic, complete with artificially reconstructed faces and voices. Some cases even involved impersonations of regulators and legal counsel to reinforce authenticity.
The rise of identity-driven attacks demonstrates why preventative controls, while necessary, are no longer sufficient. Organisations must be capable of containing fraud quickly and restoring compromised processes without extended downtime.
Fraud increasingly takes advantage of gaps between organisations
Modern fraud does not respect organisational boundaries. Attackers frequently exploit the seams between businesses where oversight is weakest and responsibility is least defined. These gaps are often found in supplier communications, marketplace interactions, invoicing processes, and multi-step payment flows. The more interconnected a company becomes, the greater the number of these vulnerable touchpoints.
Fraudsters target these seams with precision. They infiltrate supplier email chains, manipulate marketplace communications, or exploit payment handoffs where verification may be weaker. Even if a business maintains strong internal controls, a partner with less mature security practices can become an indirect entry point into critical workflows.
Regulatory responses reflect this systemic risk. Singapore’s Shared Responsibility Framework was introduced to strengthen accountability across banks, telecommunications providers, and digital platforms. This approach recognises that no single entity can manage fraud in isolation. Seamless coordination is required to detect, halt, and unwind complex scams that involve multiple intermediaries.
Operational developments also reinforce this need for tighter collaboration. Authorities have expanded crypto-tracing capabilities, ramped up enforcement against illicit SIM card distribution, and conducted thousands of interventions to avert potential losses. These initiatives show that fraud cannot be mitigated by individual organisations alone. It requires collective mechanisms, aligned communication channels, and shared protocols between private and public sector stakeholders.
As long as attackers can exploit the weakest participant in an interconnected system, any business in that ecosystem remains vulnerable. Resilience therefore depends not only on internal readiness, but also on partnerships, clarity of roles, and coordination during high-risk incidents.
Recoverability must become a core responsibility of senior leadership
Given the escalating sophistication of fraud, recoverability has become a strategic priority for boards and executive teams. Prevention remains essential, but leadership must now assume that even strong defences can fail. The question is not whether an incident can be avoided, but whether the organisation can continue functioning when one occurs.
Creighan emphasises the importance of identifying the minimum level of operational capability required during disruption. This includes understanding which data, systems, and processes must be restored first, and which partners or channels are essential for continuity. Recovery objectives should be driven by business needs rather than technical defaults, and decision-making structures must reflect this.
Effective recoverability requires more than backups. Systems must be isolated, unalterable, and tested regularly in realistic scenarios. Restoration exercises should simulate actual pressure conditions, including compromised identities, disrupted payment systems, or inaccessible suppliers. These rehearsals allow organisations to discover hidden dependencies that could slow recovery when time is critical.
When recoverability is treated as a governance issue, its influence extends beyond IT. Financial controls, operational planning, employee readiness, and third-party management all adapt to support resilience. Organisations that take this approach gain greater visibility into their critical processes and can respond more effectively when disruptions occur.
Resilience is now the truest measure of organisational maturity
The nature of fraud has changed permanently. Exploits are faster, impersonations are more believable, and vulnerabilities exist not just inside companies but across the wider digital and economic ecosystem. Organisations today must operate with the understanding that even the best preventive measures cannot guarantee uninterrupted protection.
Resilience has therefore become the defining measure of maturity. It reflects an organisation’s ability to withstand disruption, restore key functions, and maintain stakeholder trust even under pressure. Resilience is built through clear governance, disciplined recovery planning, coordinated partnerships, and a culture that encourages rapid escalation when something feels wrong.
As Creighan notes, “the real test of maturity is how quickly you recover, whatever the cause.” That perspective captures the core challenge of fraud in 2025. The threat is unavoidable, but the impact is not. Companies that build strong recovery foundations will be able to navigate fraud incidents without lasting damage. Those that continue relying on prevention alone will find themselves exposed in ways that are increasingly difficult to manage.
Resilience is no longer an optional capability. It is a critical determinant of operational stability, business continuity, and long-term trust in an era where deception is becoming more advanced with each passing month.
