First72
Sign in

Business email compromise (BEC)

Your supplier's email is spoofed with a new bank account number. The payment looks routine. The account belongs to the attacker.

Last reviewed: 1 October 2025

What it is

Business email compromise (BEC) is a fraud in which an attacker intercepts or impersonates business email correspondence to redirect a legitimate payment to an account they control. The most common pattern in India: you receive what appears to be an email from a known supplier, vendor, or business partner informing you that their bank account details have changed. You make the next scheduled payment to the new account. The money does not reach your supplier.

BEC differs from most consumer cyber-frauds in that it requires no malware, no OTP, and no social engineering call. The fraud is embedded in a document — a PDF, a revised invoice, or an email — that arrives through the normal business channel.

The attacker has either compromised the supplier's email account and is sending the message from the real address, or has registered a domain visually similar to the supplier's — a single-character substitution, a hyphen, a different top-level domain — that goes unnoticed in the subject line and display name.

Why this scam succeeds

BEC exploits the inertia of routine. Businesses make regular payments to known vendors. A request to update bank details is unusual but not unheard of. The email looks right — the signature, the tone, the formatting — because it is either the real account or a precise imitation.

In many cases, the attacker monitors the compromised email account for weeks before acting. They choose a moment when a large payment is due, sometimes referencing a real invoice number from an intercepted message. The payment is processed without suspicion.

Discovery is often delayed. Suppliers contact you when their payment does not arrive — which may be 30 to 90 days after the fraud, well outside the window for most bank dispute mechanisms.

The signs you were targeted

  • You received an email from a known supplier or vendor requesting a bank account change, and made a payment to the new account
  • Your supplier contacted you to say they have not received payment for work you believe you paid
  • The email used to request the account change had a domain that was similar to — but not identical to — the supplier's real domain
  • The email was sent from an address you have corresponding history with, but the new account number was from a different bank or state than usual

What to do in the first 12 hours

  1. Call your bank's corporate banking helpline immediately and request a payment recall or hold.
  2. Call 1930 — the National Cybercrime Helpline.
  3. Contact your supplier directly by phone — not by email — to confirm their real account details and establish whether their email was compromised.
  4. Preserve the fraudulent email. Do not delete it. Export it with full headers (in Gmail: Show original; in Outlook: View message source).
  5. Record all related correspondence — the original invoice, the account-change email, your payment confirmation.

What to do in the first 72 hours

File a formal complaint with your bank as quickly as possible. BEC cases often involve corporate accounts where the standard RBI retail customer-liability framework does not apply in the same way. The complaint strategy must be tailored to whether the account is held by an individual or a business entity.

In either case, the bank has the ability to initiate a payment recall to the destination bank. Speed is critical — recalled funds are more recoverable when the attacker has not yet withdrawn them.

File a cybercrime portal complaint at cybercrime.gov.in with the full details of the fraudulent account, the originating email domain, and all transaction references.

When the bank denies you

Corporate account holders face a different set of protections than retail customers. Banks frequently position BEC losses as arising from a business process failure rather than bank-side liability. This position is not unchallenged — particularly in cases where the receiving bank failed to flag obvious anomalies in the destination account.

A correctly structured complaint to the Ombudsman for corporate accounts, or to the relevant Banking Ombudsman, documents the specific failure and the applicable regulatory obligation.

What First72 does for you

BEC cases are handled under the Escalation package. The triage establishes your fraud type and loss amount. If your case qualifies, we draft the complete complaint set tailored to business account BEC — bank dispute, cybercrime narrative, and ombudsman appeal — within four hours.

Start the free triage

Or talk to us — +91 72000 72000 · help@first72.in

Inside the 72-hour window?

Start the free triage. It takes five minutes, establishes your fraud type and window status, and tells you exactly what to file.

Start free triage