A finance manager at a mid-sized Indian IT company received an urgent WhatsApp message from the CEO's personal number. The CEO was travelling abroad and needed a vendor payment of ₹47 lakh processed immediately — the vendor's contract was at risk. The finance manager, not wanting to delay an executive decision, processed the transfer.
The CEO's number had been spoofed. The vendor was fictional. The money was gone within hours.
This is Business Email Compromise (BEC) — and it is the most financially damaging form of cybercrime targeting Indian businesses today. The FBI reported $2.77 billion in BEC losses from 21,442 complaints in 2024 alone. In India, deepfake-enhanced BEC attacks using AI-generated voice recordings of executives surged dramatically through 2025.
What is Business Email Compromise?
Business Email Compromise is a sophisticated social engineering attack in which criminals impersonate a trusted individual — typically a senior executive, finance leader, or vendor — to trick employees into transferring money or sensitive information.
Unlike malware-based attacks, BEC does not require technical exploits. It exploits human psychology: authority, urgency, trust, and the reluctance to question superiors. This is what makes it so effective — and so difficult to stop with technical controls alone.
The FBI identifies five main types of BEC:
1. CEO/Executive Fraud: A fake email from the CEO or CFO instructing a finance employee to transfer funds urgently, often citing a confidential acquisition, regulatory requirement, or time-sensitive deal.
2. Vendor Impersonation: Attackers compromise or spoof a vendor's email to change bank account details on a legitimate invoice. The company pays the correct amount — to the wrong account.
3. Account Compromise: A real employee's email account is hacked. Attackers then use the legitimate account to request wire transfers or redirect payroll.
4. Attorney/Legal Impersonation: Fake messages from lawyers or legal firms claiming confidential matters requiring urgent fund transfers.
5. Data Theft: Instead of money, attackers request sensitive employee information — W2s, salary data, personal records — to enable further fraud.
Why Indian Finance Teams Are Prime Targets
Several factors make Indian finance teams particularly vulnerable to BEC:
Cultural hierarchy: Indian workplace culture places high value on responding quickly to executive requests without questioning them. An email from the Managing Director carries implicit authority that employees are reluctant to challenge.
Rapid digital transformation: Many Indian mid-market companies have moved to digital payments and approvals rapidly, without building matching security controls and verification procedures.
UPI and NEFT speed: India's instant payment infrastructure means funds can be moved and withdrawn within minutes — leaving no window for recall once a BEC transfer is initiated.
Limited verification procedures: Most Indian SMEs and mid-market companies do not have formal callback verification procedures for high-value payments. A phone call to the CEO's known number takes 30 seconds — but few companies make it mandatory.
AI deepfake acceleration: By 2025 and 2026, attackers began using AI-generated voice clones of Indian executives to conduct voice BEC attacks. The audio quality makes them indistinguishable from the real person.
How Attackers Research Your Organisation
Modern BEC attacks begin with reconnaissance, not technology. Before sending a single email, attackers spend days or weeks researching your organisation:
LinkedIn: Executive names, job titles, reporting relationships, organisational structure, finance team members' names, recent promotions, and professional history.
Company website: Leadership pages, press releases mentioning acquisitions or fundraising, investor relations content, "About Us" pages.
Social media: Executive travel posts, conference attendance, board meeting announcements — all establish when the CEO is "unavailable" for direct verification.
Corporate registry (MCA): Director details, registered addresses, filing history.
Financial filings: Revenue, major vendors, banking relationships.
By the time the attack email arrives, the attacker knows your CEO's name, their travel schedule, your CFO's name, and which finance manager approves transfers. The email is hyper-personalised. Generic security awareness about "suspicious emails" does not prepare employees for this level of targeting.
The Anatomy of a BEC Attack on an Indian Company
Day 1-7 (Reconnaissance): Attacker researches the target organisation using publicly available information.
Day 8 (Setup): Attacker registers a lookalike domain — `company-in.com` instead of `company.in`, or `ceo@company-corp.com` instead of `ceo@company.com`. Alternatively, they compromise a real vendor's email account.
Day 9 (Timing): Attacker identifies an opportunity — the CEO is at a conference (from LinkedIn), the CFO is on leave (from an out-of-office reply), month-end pressure is on the finance team.
Day 10 (Strike): The BEC email arrives. "I am in back-to-back meetings and cannot be reached by phone. This payment is urgent and confidential — please process before end of day and confirm via this email only."
Day 10 (Transfer): Finance team, under time pressure and authority pressure, processes the transfer.
Day 11 (Discovery): The real CEO arrives in office. The money is gone. Recovery probability: low.
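A lookalike domain such as the ones in the Setup step can pass SPF, DKIM and DMARC for its own domain, so a mail filter has to compare the From domain against the organisation's real domains. The following Python sketch is an added example, not part of the original article. `company.in` and `company.com` are the article's placeholder domains, and the function names, typo threshold and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's genuine sending domains (the article's placeholders).
TRUSTED = {"company.in", "company.com"}
BRANDS = {d.split(".")[0] for d in TRUSTED}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED or any(domain.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # Compare each dot- or hyphen-separated token with the brand name.
    for token in re.split(r"[.\-]", domain):
        for brand in BRANDS:
            limit = 2 if len(brand) >= 6 else 1  # assumed typo tolerance
            if brand in token or edit_distance(token, brand) <= limit:
                return "lookalike"
    return "external"

def triage(raw: str) -> dict:
    """Extract the From domain and DMARC result, then classify the domain."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    return {"from_domain": domain, "dmarc": m.group(1) if m else "none",
            "verdict": classify_domain(domain)}

# Constructed sample messages, not real traffic.
SAMPLES = [
    "From: CEO <ceo@company.in>\nAuthentication-Results: mx.company.in; dmarc=pass\n\nHi",
    "From: CEO <ceo@company-in.com>\nAuthentication-Results: mx.company.in; dmarc=pass\n\nUrgent",
    "From: Billing <ap@vendor-example.com>\nAuthentication-Results: mx.company.in; dmarc=pass\n\nInvoice",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))  # the second sample passes DMARC yet is a lookalike
```

A "lookalike" verdict is a reason to quarantine or banner the message for review, not proof of fraud. Short or generic brand names need a stricter threshold to avoid false positives.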
Prevention: What Actually Works
1. Mandatory Callback Verification
For any wire transfer above a defined threshold (suggest: ₹5 lakh), a phone call to the requester's known number is mandatory. Not a reply to the email. Not a WhatsApp message. A voice call to the number in your contact system.
This single control stops the vast majority of BEC attacks. It must be a policy — not a suggestion — and finance teams must be supported when they push back on executives who want to bypass it.
2. Two-Person Authorisation
No single person should be able to initiate and approve a high-value transfer. Two-person authorisation ensures that a BEC email cannot succeed even if one person is deceived.
3. Domain Authentication (Technical)
Configure DMARC, DKIM, and SPF on your email domain. These technical controls prevent your domain from being spoofed. They do not prevent lookalike domain attacks but significantly reduce impersonation risk.
4. Vendor Payment Change Verification
Any request to change vendor bank account details must be verified via a direct phone call to a contact established independently — not to any number provided in the email requesting the change. This is the single most effective control for vendor impersonation BEC.
5. Verbal Code Words for Urgent Requests
Establish a verbal code word known only to senior leadership. Any urgent financial instruction call that does not include the code word is not actioned until independently verified. This stops deepfake voice attacks cold.
6. Security Awareness Training
Finance teams, executives, and anyone with payment authorisation must receive specific BEC awareness training — not just generic phishing training. They need to understand:
7. Cyber Insurance with Social Engineering Coverage
Ensure your cyber insurance policy specifically covers social engineering and BEC losses. Many standard cyber policies exclude these. Review your policy with your broker.
What to Do If You Have Been a BEC Victim
- Immediately (within minutes):
  - Call your bank — request an emergency hold on the transaction
  - File a complaint with your bank's fraud team
  - Contact the recipient bank if known
- Within 24 hours:
  - File a complaint with CERT-In (Indian Computer Emergency Response Team) at cert-in.org.in
  - Report to your local Cyber Crime police station (or cybercrime.gov.in)
  - File with the FBI's IC3 (ic3.gov) if the transfer went to a US bank
  - Engage a cyber incident response firm
Recovery reality: BEC fund recovery is possible but time-critical. The faster you act, the higher the probability of recovery. After 72 hours, international wire transfers are extremely difficult to recover.
Building a BEC-Resistant Finance Team
BEC is primarily a people and process problem, not a technology problem. The finance teams that are most resistant to BEC share these characteristics:
The MD who complains that finance is "slowing down" a payment request is undermining the very control that protects the company. BEC prevention requires cultural as well as procedural change.
Written by Namita Kumari | Security Awareness Specialist at CyberSek