Email Account Compromise for Export Payment Diversion
Verdict: Suspicious | Risk Score: 8/10 | Severity: high
Category: Phishing
How Email Account Compromise for Export Payment Diversion Works
Overview:
This scam involves cybercriminals hacking into the work emails of accounting or billing staff in Indian exporting or manufacturing companies. Once inside, attackers monitor conversations and wait for high-value payment cycles. Then, posing as legitimate staff, they change payment instructions sent to overseas buyers, rerouting funds destined for Indian companies to fraudulent accounts abroad. Such schemes cause immense financial loss and reputational damage—even a single successful attack can wipe out a small exporter’s profits for a year.
How It Works:
1. Attackers use phishing links or exploit vulnerabilities in popular email platforms (like Outlook, Microsoft 365, Zoho) to gain account access.
2. Once inside, they silently set up auto-forwarding rules to monitor all incoming and outgoing emails.
3. When it’s time to collect payments from a foreign client, scammers send a message from the compromised employee’s email, requesting payment to a new bank account—usually claiming new banking arrangements or compliance reasons.
4. The client, seeing the email as genuine, remits funds to the attacker-controlled account (often outside India) instead of the exporter’s real bank.
5. Attackers may delete or hide sent messages so internal teams don’t immediately notice.
India Angle:
Indian manufacturers, exporters, software service providers, and even education consultancies dealing with international clients are the main targets. States with export hubs like Tamil Nadu, Gujarat, West Bengal, and Delhi NCR are especially vulnerable. Attackers often target staff known to handle billing or payments, and pitches are sent in English but sometimes also in regional languages for added trust.
Real Examples:
- A textile exporter’s finance officer’s email is hacked. The attacker replies on an existing chain with a US buyer: 'Please note, due to new RBI guidelines, kindly remit the pending $110,000 to our new CitiBank Singapore account.'
- A tech company’s billing team’s mailbox is compromised and clients receive fake payment notifications matching past billing templates.
Red Flags:
- Clients receive last-minute requests to update payment instructions to foreign bank accounts
- Unexpected auto-forwarding or mailbox rule changes found in employee accounts
- Login history shows unusual access times or foreign IP addresses
- Clients report confirmation emails for payments the company is unaware of
Protective Measures:
- Enable two-factor authentication (2FA) on all company email accounts
- Regularly audit mailbox forwarding rules and login logs
- Train staff to report phishing attempts and suspicious password resets
- Advise clients to always confirm payment changes via known company phone numbers
If Victimised:
- Quickly inform clients about the compromise to stop further fraudulent payments
- Contact your bank and Interpol liaison if funds were sent overseas
- Report the incident to 1930, cybercrime.gov.in, and share details with company IT and legal teams
- Change all compromised passwords and review email access logs
Related Scams:
- Vendor Email Compromise (supply chain redirection)
- Phishing attacks on employees
- Cloud account takeovers and invoice fraud
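As an added example (not BharatSecure's code), a small Python audit for the two mailbox indicators listed under Red Flags and Protective Measures: attacker-planted forwarding or hiding rules, and sign-ins from unexpected countries or hours. The rule and sign-in record layouts, the payment keyword list and the 03-15 UTC working window are assumptions made for the constructed sample.

```python
"""Audit for two indicators this page lists: attacker-planted inbox rules (external
forwarding, delete-after-match, hiding payment mail) and sign-ins from unexpected
countries or hours. Added example; the record layout is an assumed export format."""
from dataclasses import dataclass, field

PAYMENT_WORDS = ("payment", "invoice", "remit", "bank", "swift")  # assumed watch-list

@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list[str] = field(default_factory=list)  # forward/redirect targets
    move_to_folder: str = ""  # "" means the rule leaves mail in the Inbox
    delete_message: bool = False
    subject_contains: list[str] = field(default_factory=list)

def audit_inbox_rules(rules, company_domain):
    """Return (mailbox, rule name, reason) for rules typical of a BEC intrusion."""
    findings = []
    for r in rules:
        external = [a for a in r.forward_to if a.split("@")[-1].lower() != company_domain.lower()]
        if external:
            findings.append((r.mailbox, r.name, "forwards to external " + ", ".join(external)))
        if r.delete_message and (r.forward_to or r.subject_contains):
            findings.append((r.mailbox, r.name, "deletes mail after matching"))
        if r.move_to_folder and any(w in s.lower() for s in r.subject_contains for w in PAYMENT_WORDS):
            findings.append((r.mailbox, r.name, f"hides payment mail in folder '{r.move_to_folder}'"))
    return findings

def audit_sign_ins(events, expected_countries, work_hours_utc=range(3, 15)):
    """events: (mailbox, country code, hour UTC); 03-15 UTC (~08:30-20:30 IST) is the assumed workday."""
    flagged = []
    for mailbox, country, hour in events:
        reasons = [f"country {country}"] if country not in expected_countries else []
        if hour not in work_hours_utc:
            reasons.append(f"hour {hour:02d}:00 UTC")
        if reasons:
            flagged.append((mailbox, "; ".join(reasons)))
    return flagged

# Constructed sample data: a benign rule, a one-character-named forwarder, a payment-hiding rule.
SAMPLE_RULES = [
    InboxRule("accounts@exporter.example", "Archive", move_to_folder="Archive", subject_contains=["newsletter"]),
    InboxRule("accounts@exporter.example", ".", forward_to=["collect@mail-drop.example"], delete_message=True),
    InboxRule("billing@exporter.example", "Invoices", move_to_folder="RSS Feeds", subject_contains=["invoice", "payment"]),
]
SAMPLE_SIGNINS = [("accounts@exporter.example", "IN", 5), ("accounts@exporter.example", "NG", 23)]
if __name__ == "__main__":
    for hit in audit_inbox_rules(SAMPLE_RULES, "exporter.example") + audit_sign_ins(SAMPLE_SIGNINS, {"IN"}):
        print(" | ".join(map(str, hit)))
```

Run against a real export of inbox rules and sign-in logs, any hit on a billing or accounts mailbox is worth a manual review before the next payment cycle.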
How This Scam Works — Detailed Explanation
Email is a crucial business communication tool, especially for Indian exporting and manufacturing companies. Cybercriminals employ sophisticated techniques to compromise the email accounts of accounting or billing staff, who are prime targets because they handle financial transactions. Scammers scout for such staff on social media platforms like LinkedIn or approach them through job inquiries or unsolicited emails that appear legitimate. Once they have identified their victims, they use phishing to gain access to work email, often aided by commonly known vulnerabilities in email systems or insecure office networks.
Once the scammers gain access, they carefully monitor the conversations and understand the payment cycles of the targeted company. They often wait for high-value transactions that involve transferring substantial amounts of money to overseas accounts. By impersonating legitimate staff, they can manipulate the flow of information. This may involve sending emails that appear authentic, asking clients to update payment instructions to a different bank account. Such emails often include fake signatures and logos that mimic official correspondence, making it difficult for recipients to distinguish them from genuine communication.
For instance, a company in Mumbai might be expecting a large payment from a foreign buyer. The scammers, who have been monitoring the email threads and transactions, seize the opportunity. They send an email from the compromised account instructing the buyer to redirect the payment to a different account, which is actually controlled by the criminals. The unsuspecting buyer complies, believing it is a legitimate request, and the company loses a significant sum, with losses ranging from ₹50 lakh to ₹10 crore depending on the transaction size.
The impact of such scams extends beyond financial losses. Businesses face a severe reputational hit, which can affect client trust and ongoing relationships. According to cybersecurity reports, India has seen a rise in such scams with cumulative losses amounting to over ₹200 crore in the last year alone. The Ministry of Home Affairs (MHA) and RBI have addressed the growing threat of these attacks, urging businesses to adopt stronger security measures and adhere to guidelines issued by CERT-In to protect sensitive financial transactions.
Identifying an email account compromise for export payment diversion is not always straightforward, but certain red flags can help spot potential scams. Be cautious about payment update requests to unknown overseas accounts, watch for unusual login locations in company email logs, and be wary if staff notice automatic email forwarding rules that they did not create. Additionally, missing or deleted emails that pertain to payments should raise red flags, as they may indicate tampering by the attackers. Always verify payment instructions through an alternative communication channel before processing any payment. By practising due diligence, companies can mitigate risks and safeguard against such debilitating frauds.
Who Does Email Account Compromise for Export Payment Diversion Target?
General public across India
Red Flags — How to Identify Email Account Compromise for Export Payment Diversion
- Payment update requests to unknown overseas accounts
- Unusual login locations in company email logs
- Forwarding rules set up without staff knowledge
- Clients receiving suspicious payment instructions
- Missing or deleted emails relating to payments
What To Do If You Encounter Email Account Compromise for Export Payment Diversion
- Report any suspicious email or payment instruction to the cybercrime helpline at 1930 or visit cybercrime.gov.in.
- Notify your bank immediately if you suspect any fraudulent activity on your account.
- Update email passwords and enable two-factor authentication to enhance security.
- Educate your staff on recognizing phishing attempts and the importance of verifying unusual payment instructions.
- Consult with your IT department about implementing stricter email security measures.
- Regularly monitor company email traffic for unusual activity or login attempts.
How to Report Email Account Compromise for Export Payment Diversion in India
- Call 1930 — National Cyber Crime Helpline (24x7)
- File a complaint at cybercrime.gov.in
- Contact your bank immediately if money was lost
- Call RBI helpline: 14440 for banking fraud
Frequently Asked Questions
- What to do if I shared my bank details in a phishing scam?
- Immediately contact your bank using their helpline (SBI 1800-11-1109, HDFC 1800-202-6161) to block your account and prevent further losses.
- How can I identify an email account compromise?
- Look for payment update requests to unknown accounts, missing emails, and sudden changes in email forwarding rules.
- How to report this type of scam in India?
- You can report such scams to the cybercrime helpline at 1930 or file a complaint online at cybercrime.gov.in.
- What are the steps to recover my money after this scam?
- Contact your bank immediately to report the fraud and follow their recovery process. Additionally, file a report with the Cyber Cell for further assistance.
Verify Any Suspicious Message
Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.