Business Email Compromise: How Indian Companies Lose Crores

Threat ResQ Team  ·  Jan 2026  ·  5 min read

BEC fraud cost Indian businesses over Rs.200 crore in 2025. These attacks are simple, effective, and entirely preventable. Here is how they work and exactly how to stop them.

What Is BEC?

Business Email Compromise (BEC) is fraud in which attackers impersonate trusted individuals to trick employees into transferring money. No malware. No malicious links. Just a convincing email asking for something urgent. Indian businesses lost over Rs.200 crore to BEC in 2025.

Common BEC Attack Types

CEO Fraud

The attacker spoofs the CEO's email address and sends an urgent wire transfer request to Finance: 'Wire Rs.40 lakhs immediately for a deal closing today. I'm in a meeting, can't be reached by phone.' Finance processes the payment.

Invoice Fraud

The attacker compromises a supplier's email account or creates a lookalike domain, then sends a 'new bank account' notification to Accounts Payable. The next invoice payment goes to the attacker's account.

Payroll Diversion

The attacker emails HR impersonating an employee and requests a change of salary bank account. The next payroll payment goes to the attacker.

Why BEC Bypasses Technology

  • Passes all spam filters — no malware, no suspicious links
  • May pass SPF/DKIM checks if the attacker has compromised a legitimate account
  • Creates urgency that bypasses normal verification instincts
  • Targets high-value employees: Finance, HR, Accounts Payable

Technical Prevention

  • Implement DMARC in enforcement mode (p=reject) — prevents domain spoofing
  • Set up DKIM signing and SPF for all outbound email
  • Deploy AI-powered email security with executive impersonation protection
  • Enable alerts for emails using executive names from external domains
  • Conduct email security audit (Inbox IQ) to identify configuration gaps
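
The alerting rule in the list above (executive names arriving from external domains), sketched as an added example that is not Threat ResQ's code or any product's. The domain `acme.example`, the executive roster, the 0.85 similarity threshold and the three sample messages are constructed assumptions; the example also flags lookalike domains, Reply-To mismatches and DMARC failures.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumptions, constructed for this example: our domain and executive roster.
INTERNAL_DOMAINS = {"acme.example"}
EXECUTIVES = {"anita rao", "vikram shah"}

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def _lookalike(domain):
    """True for an external domain nearly identical to one of ours."""
    return any(SequenceMatcher(None, domain, d).ratio() >= 0.85
               for d in INTERNAL_DOMAINS)

def bec_flags(raw_message):
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    external = from_dom not in INTERNAL_DOMAINS
    flags = []
    if external and " ".join(name.lower().split()) in EXECUTIVES:
        flags.append("exec-name-external-domain")
    if external and _lookalike(from_dom):
        flags.append("lookalike-domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        flags.append("reply-to-domain-mismatch")
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        flags.append("dmarc-fail")
    return flags

# Constructed sample messages (not real traffic).
LOOKALIKE = ("From: Anita Rao <anita.rao@acrne.example>\n"
             "Reply-To: anita.rao@freemail.example\n"
             "Authentication-Results: mx.acme.example; spf=pass; dmarc=pass\n"
             "Subject: Urgent wire transfer\n\nI'm in a meeting.\n")
SPOOFED = ("From: Vikram Shah <vikram.shah@acme.example>\n"
           "Authentication-Results: mx.acme.example; spf=fail; dmarc=fail\n"
           "Subject: Payment today\n\nPlease process.\n")
INTERNAL = ("From: Anita Rao <anita.rao@acme.example>\n"
            "Authentication-Results: mx.acme.example; spf=pass; dmarc=pass\n"
            "Subject: Board deck\n\nAttached.\n")

if __name__ == "__main__":
    for raw in (LOOKALIKE, SPOOFED, INTERNAL):
        print(bec_flags(raw))
```

In production, read only the Authentication-Results header stamped by your own gateway, since a sender can insert a forged one. The lookalike message passes DMARC for its own domain, and mail sent from a compromised internal mailbox raises no flag at all, so header checks like these cover only part of the problem.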

Process Controls

  • Dual approval for payments above threshold — two people via two different channels
  • Out-of-band verification — call the requestor on a known number for any bank account change or urgent transfer
  • BEC-specific phishing simulations — run TRAP campaigns targeting Finance and HR
  • Written procedures for payment changes — formal documented process with identity verification

If You Get Hit: Immediate Steps

  1. Immediately: Contact your bank to initiate wire transfer recall — first 24 hours are critical
  2. Within 1 hour: File complaint at cybercrime.gov.in
  3. Within 6 hours: Report to CERT-In if required
  4. Preserve evidence: Do not delete fraudulent emails
  5. Engage IR team: Understand full scope of attacker's access
