A Pune-based auto components manufacturer became the latest victim of a sophisticated business email compromise (BEC) attack, losing ₹2.35 crore after cybercriminals manipulated internal communications to divert vendor payments. The scam sheds light on the growing scale of social engineering threats targeting Indian firms, especially those with global supply chains.
Fraudsters infiltrate executive email account
According to Pune Cyber Police, the attackers gained access to a senior executive’s email account by exploiting weak credentials. Once inside, they impersonated a trusted overseas supplier and requested a change in payment details for operational reasons. The finance team, unaware of the breach, processed multiple transfers to fraudulent accounts over several weeks.
To avoid detection, the attackers had set up email forwarding rules that filtered out genuine messages from the real supplier, ensuring their own instructions went unchallenged.
The scam came to light only after the actual vendor raised concerns over unpaid invoices. By then, a total of ₹2.35 crore had already been siphoned off.
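Rules of the kind described above, which hide a genuine supplier's mail or send copies outside the company, remain visible in the mailbox's rule list and can be audited. The Python below is an added example, not part of the original report or the police findings; the rule schema, domains and folder names are hypothetical and constructed for illustration, so a real export from a mail platform must be mapped onto these fields first.

```python
# Added example: audit exported inbox rules for BEC-style hiding/forwarding.
# The rule schema (field names) is hypothetical, not any vendor's format.
ORG_DOMAIN = "example-autoparts.test"       # constructed: the company's domain
VENDOR_DOMAINS = {"supplier-gmbh.test"}     # constructed: known supplier domains
HIDING_FOLDERS = {"rss feeds", "archive", "junk email", "deleted items",
                  "conversation history"}   # folders users rarely open

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].strip().lower()

def audit_rule(rule):
    """Return the reasons a rule looks suspicious (empty list = clean)."""
    reasons = []
    actions = rule.get("actions", {})
    cond = rule.get("conditions", {})
    # 1. Mail that leaves the organisation automatically.
    for addr in actions.get("forward_to", []) + actions.get("redirect_to", []):
        if domain_of(addr) != ORG_DOMAIN:
            reasons.append(f"forwards externally to {addr}")
    # 2. Actions that keep a message out of the mailbox owner's sight.
    folder = (actions.get("move_to_folder") or "").lower()
    hides = bool(actions.get("delete") or actions.get("mark_as_read")
                 or folder in HIDING_FOLDERS)
    # 3. Hiding aimed at a known supplier is the pattern in this case.
    senders = [s.lower() for s in cond.get("from_contains", [])]
    targets = [s for s in senders if any(v in s for v in VENDOR_DOMAINS)]
    if hides and targets:
        reasons.append("hides mail from vendor: " + ", ".join(targets))
    elif hides and not cond:
        reasons.append("hides all incoming mail (no conditions)")
    return reasons

def audit_mailbox(rules):
    """Map rule name -> reasons, for suspicious rules only."""
    return {r["name"]: why for r in rules if (why := audit_rule(r))}

SAMPLE_RULES = [  # constructed sample data
    {"name": ".", "conditions": {"from_contains": ["@supplier-gmbh.test"]},
     "actions": {"delete": True, "mark_as_read": True}},
    {"name": "fwd", "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": {"forward_to": ["drop@mail-relay.test"]}},
    {"name": "Newsletters",
     "conditions": {"from_contains": ["news@industry-digest.test"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"name": "Team copy", "conditions": {},
     "actions": {"forward_to": ["finance@example-autoparts.test"]}},
]

if __name__ == "__main__":
    for name, why in audit_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}: {'; '.join(why)}")
```

Running such an audit on a schedule for executive and finance mailboxes, and alerting on any new rule it flags, shortens the window in which redirected payments go unnoticed.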
Weak security measures aided the breach
Investigators highlighted the lack of multi-factor authentication (MFA) and basic email security hygiene as key enablers of the attack. The attackers not only manipulated the communication chain but also used domestic mule accounts to launder the funds before transferring them abroad, making recovery significantly more complex.
So far, police have frozen several suspect accounts and are working with Interpol and financial intelligence agencies to trace the remaining funds.
BEC scams on the rise in India
BEC attacks have surged across India, with Maharashtra alone reporting losses of over ₹60 crore in the first half of 2025. Mid-sized companies with export operations are often targeted, as attackers exploit their familiarity with vendor communication patterns.
Officials have urged businesses to implement MFA, verify all change requests via separate communication channels, and regularly train staff in recognising phishing attempts.
The Pune manufacturer has filed a formal complaint under the IT Act and Indian Penal Code, and an investigation is ongoing.
