AI-Assisted BEC Fraud on Indian SMEs

How AI-Assisted BEC Fraud on Indian SMEs Works

Overview: Business Email Compromise (BEC) fraud has rapidly evolved in India, with cybercriminals now using artificial intelligence (AI) to craft convincing emails and messages. Indian small and medium enterprises (SMEs), startups, and export-oriented companies are especially targeted. The scam is dangerous because a single fake email can authorize the transfer of lakhs—sometimes crores—of rupees from company accounts, often with little chance of recovery. How It Works: Scammers start by researching a company’s staff, leadership, and payment workflow, usually through LinkedIn, company websites, or leaked data. Using AI, they create highly realistic emails impersonating the managing director, CFO, or other key officials. These messages typically request urgent payments or updates to vendor bank account details. The finance officer, believing the email to be from a genuine executive, authorizes the transfer. Funds are moved quickly into mule accounts controlled by fraudsters and then dissipated. India Angle: In India, BEC attacks most often target businesses using English for internal communication, such as exporters, tech startups, or manufacturing firms. Payment requests may reference Indian financial systems such as NEFT, RTGS, or UPI. Scam emails may also feature Indian-registered domains or fake addresses. SMEs in cities like Mumbai, Bengaluru, Pune, Delhi, and Hyderabad are common targets. In some incidents, attackers pose as foreign suppliers demanding rupee payments citing fake GST issues. Real Examples: 1. "Dear Accounts Team, Our vendor's bank details have changed. Please make pending payments to the new account today. Regards, CEO." 2. “This is an urgent request from the Managing Director. Transfer ₹22,75,000 to the following account for invoice processing.” 3. A WhatsApp message from a spoofed number: “I’m travelling, can’t take calls. Approve this transfer immediately. Will explain later.” Red Flags: 1. Unexpected email from a boss or senior leader demanding urgent payment. 2. Request for secrecy—don’t inform anyone else or discuss over call. 3. Slight misspelling in email address [ADDRESS_REDACTED]. 4. Sudden change of vendor bank account details, especially to new banks. 5. Poor grammar but a sense of urgency, or requests at odd business hours. 6. Claimed unavailability by phone, insisting only on email or chat replies. Protective Measures: - Always verify payment requests, especially if sent via email or WhatsApp, by voice call with the sender using official channels. - Implement multi-person approval (maker-checker) for all significant fund transfers, regardless of urgency. - Train staff to recognize BEC tactics and encourage a questioning culture. - Use strong, unique passwords for all business email accounts and enable two-factor authentication (2FA). - Check sender’s email address [ADDRESS_REDACTED]. If Victimised: - Immediately call your bank’s fraud helpline and instruct them to freeze the fraudulent transaction. - Notify senior management and IT team at once to prevent further compromise. - Report the incident to local police, the National Cyber Crime Reporting Portal (cybercrime.gov.in), and the 1930 Cyber Helpline. - If substantial money is lost, notify the RBI and bank to begin recovery processes. Related Scams: - Vendor email compromise: Attackers impersonate a legitimate supplier to divert payments. - Fake CEO fraud: Scammers spoof the CEO’s email or WhatsApp, asking for urgent fund transfer. - Payroll diversion: Fake HR requests lead to employee salary rerouting.

How This Scam Works — Detailed Explanation

Scammers engaging in AI-Assisted Business Email Compromise (BEC) fraud begin by conducting extensive research on their targets, focusing primarily on small and medium enterprises (SMEs). They often leverage social media platforms like LinkedIn to gather information about key personnel within the targeted companies. Once they identify a suitable victim, typically a finance manager or a senior executive, they use AI tools to craft highly sophisticated emails that closely mimic the tone and style of genuine communications from company leadership. This could involve using readily available data from public profiles and company websites to create a sense of authenticity. Additionally, platforms such as WhatsApp may also be used by scammers wishing to follow up on urgent requests, thus maintaining a seamless communication channel.

In order to persuade victims, scammers employ various psychological tactics that exploit trust and urgency. For instance, they often impersonate senior executives or trusted partners by using subtle changes in email addresses to make their communications appear legitimate. A common trick involves constructing messages that include urgent payment instructions or changes to payment methods that must be executed immediately. Victims are typically pressured into acting quickly by emphasizing confidentiality and suggesting that all communication must occur through email or chat, discouraging any phone calls that could reveal the fraud. This tactic aims to isolate the victim, prevent verification with a trusted source, and manipulate the emotional response toward compliance.

Once a victim receives an incentivizing email, they may follow the provided instructions, which often include details for transferring funds to a new bank account that belongs to the scammer. For example, if an SME is involved in export activities, a scammer could impersonate a business partner, sending modified banking details to facilitate payment for goods already shipped. Victims may believe they are conducting legitimate transactions, such as paying suppliers or settling invoices, only to discover later that the funds have been diverted to the scammer's account via services like UPI. In India, numerous firms have reported losses amounting to ₹150 crore this year alone due to such fraudulent activities.

The impact of AI-Assisted BEC fraud on Indian SMEs cannot be understated. Reports show an alarming increase in the number of BEC incidents, contributing to the financial strain on SMEs already grappling with economic pressures. The Ministry of Home Affairs (MHA) and the Reserve Bank of India (RBI) have repeatedly warned businesses to address cybersecurity measures seriously. The Computer Emergency Response Team India (CERT-In) has issued advisories highlighting the use of AI in orchestrating sophisticated scams, along with statistics revealing how many victims barely recover their lost funds. Victims not only suffer financial loss, but the long-term consequences can also include damage to their reputation and client relationships, resulting in a loss of trust in their business affairs.

To distinguish AI-assisted BEC fraud from legitimate communications, businesses should be aware of essential red flags. Look for any urgent and confidential payment instructions that appear to be from a senior leader, especially those that mandate immediate action. Pay attention to any unusual changes in vendor bank account details or subtle variations in the email address of the supposed sender. Typos or odd patterns may indicate that you are not receiving a genuine message. Specifically, watch out for requests to avoid phone calls for verification, as these indicate the communication is more likely to be fraudulent. Businesses should always encourage a culture of caution and double-check the authenticity of unexpected emails with a direct confirmation through official channels before proceeding with financial transactions.

Visual Intelligence:

BharatSecure's AI has identified this as a used in scams targeting Indian users.

Who Does AI-Assisted BEC Fraud on Indian SMEs Target?

General public across India

Red Flags — How to Identify AI-Assisted BEC Fraud on Indian SMEs

• Urgent and confidential payment instructions from a senior leader
• Unusual changes to vendor bank accounts with immediate effect
• Subtle changes or typos in email sender addresses
• Requests to avoid phone calls and communicate only by email or chat

What To Do If You Encounter AI-Assisted BEC Fraud on Indian SMEs

1. Report the incident immediately by calling the cybercrime helpline at 1930 or visiting cybercrime.gov.in.
2. Contact your bank to alert them of the potential fraud. Use SBI's helpline at 1800-11-1109 or HDFC's at 1800-202-6161.
3. Review your account statements closely to check for unauthorized transactions.
4. Change your email passwords and enable two-factor authentication wherever possible.
5. Educate your team about the signs of BEC fraud and conduct training on proper response protocols.
6. Consult with cybersecurity professionals to assess your current defenses and strengthen your systems.

How to Report AI-Assisted BEC Fraud on Indian SMEs in India

• Call 1930 — National Cyber Crime Helpline (24x7)
• File a complaint at cybercrime.gov.in
• Contact your bank immediately if money was lost
• Call RBI helpline: 14440 for banking fraud

Frequently Asked Questions

What to do if I shared my OTP in a UPI scam?

Immediately contact your bank's helpline and inform them about the incident. You can reach SBI at 1800-11-1109 and HDFC at 1800-202-6161 to report fraud.

How can I identify AI-assisted BEC scams?

Look out for emails with urgent requests, odd email addresses, and requests to communicate only via email. Any changes in payment instructions should be verified directly.

How do I report a Business Email Compromise scam in India?

You can report the incident by calling 1930 or visiting cybercrime.gov.in. Additionally, contact your bank to report any associated fraud.

What steps can I take to recover money or protect my accounts after falling victim to such a scam?

Inform your bank right away, as they may help recover funds if contacted swiftly. Change passwords for all accounts and consider freezing or monitoring your account for suspicious activity.

Related Scams in India

• Southeast Asian Job Offer Human Trafficking Trap
• Digital Arrest Scam Using Dark Web Data
• Forced-Task Scam Recruiting Indians
• Deep-Fake Emergency SWIFT Payment Scam
• Digital Arrest: Fake Police Call Extortion

Verify Any Suspicious Message

Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.