Compromised Supplier Email Chain Fraud — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: HIGH
Beware of Compromised Supplier Email Chain Fraud in India 2026: A High-Risk WhatsApp and Phishing Scam
Compromised Supplier Email Chain Fraud is a growing cybercrime threat in India that uses stolen email access to trick companies into sending payments to fraudsters.
What Is the Compromised Supplier Email Chain Fraud?
This scam targets Indian businesses that have ongoing supplier relationships. Fraudsters gather publicly available information—often from LinkedIn and company websites—about suppliers and their usual business contacts inside target firms, especially members of accounts, procurement, or finance teams.
Once they've identified a supplier with regular email correspondence, attackers use phishing techniques to gain access to the supplier's official email account. With control over this account, they send fraudulent messages that look completely authentic because they come directly from the supplier’s actual email ID. This makes the scam difficult to detect, as the communication appears routine.
In India, reported cases of this scam have been rising, affecting companies across industries including manufacturing, IT services, retail, and export-import businesses. The growing reliance on email and WhatsApp for supplier coordination creates opportunities for attackers to intercept financial transactions. CERT-In and the Indian Cyber Crime Coordination Centre (I4C) have issued advisories highlighting email compromise and phishing risks, especially concerning business-email fraud patterns such as this.
How This Scam Works — Step by Step
1. Reconnaissance: Scammers research target companies and their suppliers through public profiles on LinkedIn or business websites, noting names, email formats, and typical transaction cycles.
2. Phishing Attack to Compromise Supplier Email: Using a fake login page, malicious attachments, or other phishing lures, scammers trick supplier employees into revealing passwords or installing malware that gives account access.
3. Monitoring the Supplier's Email Communication: After gaining access to the supplier’s email account, fraudsters watch ongoing email exchanges with the target company’s accounts team to learn about invoice amounts, payment schedules, and banking details.
4. Injecting Fraudulent Payment Instructions: At a strategic moment—often when a legitimate invoice is expected to be paid—they send an email from the supplier's genuine email ID but with modified bank account details directing payment to the fraudster’s account.
5. Follow-up via WhatsApp or Phone: Scammers may also impersonate the supplier’s representative via WhatsApp or phone to confirm the change or stress its urgency, increasing pressure to approve the payment without verification.
6. Monetary Loss: The victim company unknowingly transfers money in INR or foreign currency to the fraudster’s account, after which the scammers quickly withdraw or launder the funds.
Real Warning Signs to Watch For
- Email requests to change beneficiary bank account details, especially without prior notice or official communication from the supplier.
- Urgent payment demands with pressure tactics, often coupled with follow-up WhatsApp messages or calls.
- Slightly altered email addresses or sender names that closely mimic the supplier’s domain but are off by one letter or use different domains.
- Requests for payment to new or different bank accounts than those used historically.
- Lack of digital signatures or absence of usual invoice formats in the emails.
- Unexpected communication outside regular business hours or from unusual locations.
- Supplier contacting the company after payment, surprised that they received no funds (a sign the real supplier is unaware).
What Happens to Victims
Victims of compromised supplier email chain fraud often suffer substantial financial losses running into lakhs or crores of INR. Since the funds move through Indian bank accounts or sometimes overseas channels, recovery is difficult. While the Reserve Bank of India (RBI) allows for certain UPI transaction reversals, payments through NEFT/RTGS to fraud accounts rarely get refunded once cleared.
Besides financial damage, companies face disruption in supplier trust and business operations if payments are delayed or disputed. There is also a significant emotional and reputational toll on finance teams, who may feel responsible for not detecting the scam.
In some Indian cases, fraudsters have exploited linked Aadhaar-based KYC details or combined SIM swap frauds to deepen network infiltration. This increases risks around data privacy and further fraud inside corporate mobile communication.
What RBI and CERT-In Say
While there is no RBI or CERT-In notification specifically naming compromised supplier email chain fraud, both agencies frequently warn about Business Email Compromise (BEC) attacks and phishing misuse in India. CERT-In stresses the importance of cyber hygiene and multi-factor authentication (MFA) on all official emails and mandates timely reporting of incidents.
For fraud reporting, the Indian Cyber Crime Coordination Centre (I4C) recommends contacting the national cybercrime helpline at 1930, which assists in tracking, investigating, and mitigating losses. The RBI also encourages vigilance and provides guidance on official banking communication, cautioning firms against paying on email instructions alone.
How to Protect Yourself
- Verify Payment Changes via Secondary Channels: Always confirm any change in supplier bank details by calling the supplier’s verified phone number directly, not the contact in the suspicious email or WhatsApp message.
- Implement MFA on Supplier Emails: Encourage suppliers to enable multi-factor authentication on their email accounts to reduce the risk of account compromise.
- Train Finance and Procurement Teams: Conduct regular awareness sessions about phishing and social engineering, focusing on recognizing official communication versus fraud.
- Use Digital Signatures: Request digitally signed invoices or emails from suppliers to authenticate message legitimacy.
- Monitor Email Headers Carefully: Check sender domains and email metadata for signs of spoofing or minor spelling changes in addresses.
- Limit Access to Banking Information: Avoid sharing sensitive information widely in emails; restrict access internally and externally.
- Install Endpoint Security and Email Filters: Use anti-phishing filters and updated antivirus software on systems handling supplier communication.
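The header check and the bank-detail verification above can be partly automated before a payment is released. The following Python example is added here and is not BharatSecure's code; the vendor master, domains, account numbers and sample messages are constructed assumptions, and the `Authentication-Results` test is a simple substring match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor master (assumption): supplier domain -> account on file.
VENDOR_MASTER = {"acme-supplies.example": "001234567890"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def review_payment_email(raw):
    """Return reasons to hold the payment until a call-back confirms it."""
    msg = message_from_string(raw)
    flags = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if from_dom not in VENDOR_MASTER:
        near = [d for d in VENDOR_MASTER if edit_distance(from_dom, d) <= 2]
        flags.append(f"lookalike of {near[0]}" if near else "unknown sender domain")
    if reply_dom and reply_dom != from_dom:
        flags.append("Reply-To domain differs from From")
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        flags.append("SPF/DKIM not passing")
    # A message sent from a genuinely compromised mailbox passes every header
    # check above, so the account in the body is compared with the one on file.
    accounts = set(re.findall(r"\b\d{9,18}\b", msg.get_payload()))
    on_file = VENDOR_MASTER.get(from_dom)
    if on_file and accounts and on_file not in accounts:
        flags.append("bank account differs from vendor master")
    return flags

# Constructed sample messages (not real traffic).
COMPROMISED = ("From: Ravi <ravi@acme-supplies.example>\n"
    "Authentication-Results: mx.buyer.example; spf=pass; dkim=pass\n\n"
    "Please remit invoice 4471 to our new account 998877665544.\n")
LOOKALIKE = ("From: Ravi <ravi@acme-suppiies.example>\n"
    "Reply-To: ravi@mailbox.example\n"
    "Authentication-Results: mx.buyer.example; spf=pass; dkim=pass\n\n"
    "Kindly pay to account 998877665544 today.\n")
```

`review_payment_email(COMPROMISED)` returns only the bank-account flag: mail from the supplier's real, compromised mailbox passes the header checks, which is why the call-back to a verified number remains the deciding control.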
What to Do If You've Been Targeted
- Immediately freeze all pending payments related to the suspicious communication.
- Inform your bank and request blocking or tracing of the transaction if already processed.
- Report the incident at the 1930 cybercrime helpline or at cybercrime.gov.in, providing all relevant email and WhatsApp communication evidence.
- Alert your IT department or service provider to check for ongoing email account compromises.
- Notify suppliers to secure their email accounts and review other communications.
- File a formal FIR with your local police cybercrime cell to establish a legal trail.
- Monitor all associated accounts and Aadhaar links for unusual activity and consider placing a watch on mobile SIM services to prevent swap fraud.
Frequently Asked Questions
Q1: How is this scam different from usual phishing attacks?
While generic phishing aims to steal passwords or personal data directly from individuals, this scam focuses on compromising trusted supplier email chains to intercept and alter legitimate business payment instructions to divert funds fraudulently.
Q2: Can banks reverse the payments made in this fraud?
In most cases, once NEFT, RTGS, or IMPS payments settle, reversal is challenging unless the fraud is detected early and the beneficiary bank cooperates. UPI transactions have limited windows for reversals but are less commonly used for supplier payments. Prompt reporting increases chances but recovery is not guaranteed.
Q3: Why do scammers use WhatsApp after hacking supplier email?
WhatsApp follow-ups create a sense of urgency and authenticity, reinforcing the fraudulent email’s legitimacy. Indian businesses often rely heavily on WhatsApp for real-time communication, making it easier for fraudsters to manipulate victims emotionally and bypass cautious checks.
Stay alert and verify any suspicious payment requests at BharatSecure.app. Report fraud incidents quickly at the 1930 helpline to help authorities track and stop cybercriminals.
Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.