Business Email Account Takeover Attacks
Verdict: Suspicious | Risk Score: 8/10 | Severity: high
Category: Phishing, OTP, KYC
How Business Email Account Takeover Attacks Works
Overview: Business Email Account Takeover (also written EATO, for email account takeover) is a growing menace for Indian firms, especially in IT, BPO, HR services and finance. The attack starts with stolen email credentials and then quietly abuses the compromised internal account to steal salary, payroll or business data, or to stage ransomware. The damage is both financial loss and a data breach, which hurts employee trust and regulatory compliance.

How It Works: The attacker usually starts with a targeted phishing email, disguised as a routine work message or an HR announcement, that pushes the victim to sign in to a fake portal or to share a one-time password. Once inside the mailbox, the scammer creates inbox rules that forward, hide or delete mail about payroll or invoices so the owner never notices the conversation. From there they approve fake vendor payments, divert salaries to their own bank accounts, or pull sensitive documents. More advanced operations register OAuth applications against the mailbox or abuse weaknesses in Microsoft 365/Exchange or Google Workspace; because app consents, tokens and app passwords survive a password reset, access persists until those grants and active sessions are revoked as well.

India Angle: Indian IT and BPO firms are heavily targeted, with scam operations noted in the major tech hubs of Bengaluru, Hyderabad, Noida and Pune. HR and payroll teams are the top focus, especially around annual bonus cycles and bulk salary disbursement. Attackers are known to pivot from mailbox control to extracting Aadhaar, PF and ESIC lists, putting both employees and the company at risk. Stolen data is sometimes used for ransom demands or identity theft, with payments routed through local crypto exchanges.

Real Examples: In a Bengaluru BPO, an HR executive received a convincingly branded 'SharePoint' link. After they entered their credentials, the mailbox was taken over. Payroll requests were redirected to fraudulent bank accounts, and HR only discovered the breach after several employees reported missing salaries. In another case, a compromised account let the attackers divert sensitive PF roster emails to an external Gmail address.

Red Flags:
1. Unexpected emails requesting a login or a password reset.
2. Changes to mailbox forwarding or auto-delete rules.
3. New OAuth app permissions in Microsoft 365 or Google Workspace found during security audits.
4. Salary disputes, or vendors claiming non-receipt of payments.
5. Sign-in alerts from countries where the company has no staff, for example Nigeria or the Philippines.

Protective Measures: Enable multi-factor authentication (MFA), preferably phishing-resistant hardware security keys, on every business email account; SMS or app OTPs can be phished in exactly the way described above. Train staff to recognise phishing and never to click suspicious links or share OTPs. Regularly audit mailboxes for new forwarding or deletion rules and for unfamiliar app permissions, and restrict users' ability to consent to third-party apps on their own. Use security tooling to flag sign-ins from unexpected countries. Back up sensitive HR/payroll data and set policies for who may access and share it.

If Victimised: Immediately reset the compromised password, sign the account out of all active sessions, remove any attacker-created mailbox rules and revoke suspicious app permissions. Notify your company's IT/SOC team. Report to 1930 and cybercrime.gov.in. Inform the affected employees. Contact your bank if fraudulent payments were made, and escalate major cases to RBI's fraud department.

Related Scams: Pay Slip/PF Data Phishing, where attackers collect employee data for identity theft; Ransomware Attacks, which use the stolen access to lock or destroy business files; Fake Admin Support Calls, which phish for OTPs by pretending to be the company's IT desk.
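The forwarding and hiding rules described above are the most durable artefact an investigator can hunt for, and the "audit mailboxes regularly" advice is only useful if someone knows what to look for. The following Python script is an added example for this page, not code from BharatSecure or Microsoft: it scans exported Exchange Online admin audit records for New-InboxRule / Set-InboxRule events and scores each rule on external forwarding, deletion or hiding of mail, payroll- and invoice-related filters, and suspiciously terse rule names. The records, the company domain example-bpo.in and all addresses are constructed for the demo, and the record layout is a simplified version of the Unified Audit Log's Parameters array of Name/Value pairs.

```python
"""Score Exchange Online inbox-rule changes for account-takeover indicators.

Added example for this page, not BharatSecure or Microsoft code. The records
below are constructed and use a simplified form of the Unified Audit Log
layout, in which each cmdlet parameter appears as a {"Name", "Value"} pair.
"""
import re

INTERNAL_DOMAINS = {"example-bpo.in"}  # assumption: the firm's own mail domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Enable-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FILTER_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                 "SubjectOrBodyContainsWords", "From")
# Folders a mailbox owner rarely opens; attackers park stolen threads there.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
FINANCE_WORDS = {"payroll", "salary", "invoice", "payment", "bank", "pf",
                 "esic", "remittance", "wire"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

SAMPLE_RECORDS = [  # constructed, not real log data
    {"UserId": "hr.lead@example-bpo.in", "Operation": "New-InboxRule",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor-updates.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "payroll.exec@example-bpo.in", "Operation": "New-InboxRule",
     "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords",
                     "Value": "payroll;salary;bank account"},
                    {"Name": "ForwardTo",
                     "Value": "\"pay desk\" [SMTP:paydesk@external-mail.example]"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "ap.clerk@example-bpo.in", "Operation": "Set-InboxRule",
     "ClientIP": "203.0.113.44",
     "Parameters": [{"Name": "Identity", "Value": "Vendor mail"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;remittance"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "hr.lead@example-bpo.in", "Operation": "New-InboxRule",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Cover for leave"},
                    {"Name": "RedirectTo",
                     "Value": "Backup HR [SMTP:hr.backup@example-bpo.in]"}]},
]


def _params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def analyze_record(record):
    """Return (score, reasons) for one audit record; score 0 means benign."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return 0, []
    p = _params(record)
    score, reasons = 0, []

    # 1. Mail leaving the organisation is the core of the payroll-diversion scam.
    external = sorted({a for name in FORWARD_PARAMS
                       for a in EMAIL_RE.findall(p.get(name, ""))
                       if _is_external(a)})
    if external:
        score += 5
        reasons.append("forwards mail outside the company to " + ", ".join(external))

    # 2. Deleting or parking matches keeps the owner from noticing the thread.
    if p.get("DeleteMessage") == "True":
        score += 3
        reasons.append("deletes matching mail so the owner never sees it")
    elif p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        score += 3
        reasons.append("hides matching mail in '" + p["MoveToFolder"] + "'")

    # 3. Only interesting together with 1 or 2: a filter on payroll/invoice words.
    filter_text = " ".join(p.get(k, "") for k in FILTER_PARAMS).lower()
    hits = sorted(w for w in FINANCE_WORDS
                  if re.search(r"\b" + re.escape(w) + r"\b", filter_text))
    if hits and score:
        score += 2
        reasons.append("targets finance mail (" + ", ".join(hits) + ")")

    # 4. Attackers name rules "." or ".." so they are easy to overlook in Outlook.
    name = p.get("Name")
    if score and name is not None and len(name.strip()) <= 2:
        score += 1
        reasons.append("rule name is one or two characters long")
    return score, reasons


def analyze_records(records):
    """Return findings (dicts sorted by score, highest first) for suspicious rules."""
    findings = []
    for rec in records:
        score, reasons = analyze_record(rec)
        if score:
            findings.append({"user": rec.get("UserId"), "operation": rec["Operation"],
                             "client_ip": rec.get("ClientIP"), "score": score,
                             "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in analyze_records(SAMPLE_RECORDS):
        print(f"[{f['score']:>2}] {f['user']} {f['operation']} from {f['client_ip']}")
        for reason in f["reasons"]:
            print("      -", reason)
```

The scoring is deliberately additive rather than a single yes/no: a redirect to a colleague inside the company (the fourth record) or a newsletter filter scores zero, while a rule that forwards payroll mail to an outside address and deletes the original hits every indicator at once. Run against a real export, the ClientIP field pairs naturally with the page's "sign-in from an unexpected country" red flag, since a rule created from an address the company has never used is the strongest signal of all.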
Who Does Business Email Account Takeover Attacks Target?
HR, payroll and finance staff at Indian companies, especially in the IT, BPO and HR-services sectors; the employees and vendors whose payments flow through those mailboxes are the secondary victims.
Red Flags — How to Identify Business Email Account Takeover Attacks
- Phishing emails demanding login or password reset
- Unusual mailbox rules (auto-forwards/auto-deletes)
- New app permissions in Google Workspace or Microsoft 365
- Salary or vendor payment irregularities
- Foreign login alerts on company accounts
What To Do If You Encounter Business Email Account Takeover Attacks
- Do not click any links or share personal information
- Block and report the sender immediately
- Report at cybercrime.gov.in or call 1930
- Inform your bank if financial details were shared
How to Report Business Email Account Takeover Attacks in India
- Call 1930 — National Cyber Crime Helpline (24x7)
- File a complaint at cybercrime.gov.in
- Contact your bank immediately if money was lost
- Call RBI helpline: 14440 for banking fraud
Frequently Asked Questions
- What is Business Email Account Takeover Attacks?
- Business Email Account Takeover (EATO) is a scam in which attackers steal an employee's email credentials, usually through a phishing page or an OTP request, and then quietly use the compromised mailbox to divert salaries and vendor payments, steal payroll and employee data, or stage ransomware. Indian IT, BPO, HR and finance teams are the main targets, and the damage is both financial loss and a data breach that affects employee trust and regulatory compliance.
- How does Business Email Account Takeover Attacks work?
- The attacker sends a targeted phishing email, disguised as a routine work message or HR announcement, that leads to a fake login portal or asks for a one-time password. With the mailbox in hand, they create forwarding or auto-delete rules for payroll and invoice mail, approve fake vendor payments, redirect salaries to their own accounts and copy sensitive documents such as PF and Aadhaar lists. Advanced operations add OAuth app consents that keep working after a password change, so access persists until those grants and sessions are revoked.
- How to protect yourself from Business Email Account Takeover Attacks?
- Enable MFA, preferably hardware security keys, on every business email account; train staff to spot phishing and never share OTPs; audit mailboxes regularly for new forwarding rules and unfamiliar app permissions; flag sign-ins from unexpected countries; and back up HR and payroll data. If you receive a suspicious message, do not click its links or share personal information, block and report the sender, report at cybercrime.gov.in or call 1930, and inform your bank if financial details were shared.
- How to report Business Email Account Takeover Attacks in India?
- Report to cybercrime.gov.in or call 1930 (National Cyber Crime Helpline). You can also contact your local police station's cyber cell.
Verify Any Suspicious Message
Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.