
Business email compromise fraud: A complete guide for Indian exporters

Denila Lobo
May 18, 2026

A finance manager at a Bengaluru IT agency received an email from their US client in early 2025. The message asked them to update the client's bank details before the next payment. The sender address matched exactly. The invoice amount was correct. The project name was right. The manager updated the records and transferred $38,000.

The client had never sent that email.

This is business email compromise, or BEC. It is one of the most financially damaging types of fraud affecting Indian exporters today. The FBI's Internet Crime Complaint Centre (IC3) reported BEC losses of about $2.9 billion in 2023, and India is frequently cited among the more heavily targeted countries for BEC-style scams. Given the scale of India's IT, consulting, BPO, and marketing exports — and the frequency of high-value international wire transfers — the exposure is substantial.

Unlike ransomware or data theft, BEC does not require technical sophistication. The weapon is a convincing email. The damage, once done, is almost always irreversible.

How a BEC attack unfolds


Most BEC attacks follow a predictable four-stage pattern. Knowing the stages helps you see where the attack can be stopped.

The entry point. The attacker either gains access to a real email account — through a phishing link, a stolen password, or a credential leaked in a data breach — or registers a lookalike domain. A domain like "acmecorp-billing.com" passes a fast visual check. Some attackers leave the display name unchanged and only alter the hidden reply-to address, which most people never inspect in a busy inbox.

The observation phase. Once inside a real inbox, attackers frequently wait and watch. They read weeks of email threads to understand payment cycles, invoice amounts, and who has the authority to approve payments. This is why BEC emails feel genuine — they are written using information only an insider would have.

The fake instruction. At a carefully chosen moment — typically just before a scheduled payment or shortly after a contract is signed — the attacker sends a payment instruction. This is usually a message asking the recipient to update bank account details or redirect a pending transfer. It is often framed as routine admin, with no obvious urgency.

The transfer. The payment leaves the account. International wire transfers settle quickly. Once funds reach an overseas account, the receiving bank has no obligation to hold or return them without a formal legal process. The window for meaningful recovery closes within hours.

BEC attacks take several forms. These three are most commonly used against Indian service exporters.

Fake invoice scam

This is the most common BEC variant affecting Indian service exporters. The attacker monitors or intercepts your email thread with a regular client. Just before a payment is due, they send an invoice that looks nearly identical to your real one — same company name, same format, same line items, same total amount — with one change: different bank account details.

The attacker may have compromised your email account, the client's account, or spoofed one of the two addresses. The client pays confidently, believing they are settling a legitimate invoice. The money reaches a mule account and is moved onward within hours. You only discover the fraud when the client asks why the payment has not arrived.

Fake purchase order scam

This variant targets exporters on the supply side. You receive an unsolicited email from a new buyer — often claiming to be a US, European, or Gulf-based company — with a large, attractive purchase order. The company name sounds established. Their website looks professional and was quietly set up a few days earlier.

Before any goods are shipped or work begins, the "buyer" requests that you pay an advance to cover logistics costs, customs bonds, or agency fees. Once you transfer the money, the buyer goes silent. Any new buyer requesting an advance before making any payment themselves is a firm red flag, regardless of how professional they appear.

Vendor impersonation

In this variant, the attacker poses as one of your existing vendors or suppliers. They send an email — from a spoofed or recently compromised address — informing you that their bank details have changed and asking you to update your records before the next payment run.

The email arrives from what appears to be a known, trusted sender. There is no urgency. The language matches previous correspondence closely. By the time your next scheduled payment goes out, the money reaches the fraudster's account rather than your actual vendor.

This variant is particularly dangerous because it exploits an established trust relationship, and the red flags are minimal.

Indian exporters face similar financial risks from other forms of payment fraud. Chargeback fraud targeting Indian exporters operates through a different mechanism but causes comparable damage, and the same operational discipline that prevents BEC also limits chargeback losses.

How to protect your business: A practical checklist

Prevention does not require expensive software. It requires consistent process discipline applied across your entire accounts function.

1. Verify every bank detail change by phone

Any email that asks you to change a payee's account number, add a new beneficiary, or redirect a payment must trigger a voice call before any action is taken. Call the sender on a number already stored in your contacts — not a number provided in that same email thread. Make this a non-negotiable written rule, not a judgment call, for every member of your accounts team.

2. Treat email as an unverified channel for payment instructions

Train your team to treat any bank detail update received by email as unconfirmed until it is verified by a second, independent channel. A phone call, a WhatsApp message to a saved number, or a brief video call all qualify. The verification channel must be completely separate from the one carrying the suspicious instruction.

3. Use one fixed account number for all inbound payments

A Winvesta Global Currency Account gives you a stable, dedicated account number for each supported currency — USD, GBP, EUR, CAD, and AUD — that never changes. Share those details once with each client via a secure channel, and make it clear that no updates will ever arrive by email alone. With a fixed, well-documented account number, any request to redirect a payment automatically triggers a direct call to your team.

4. Train your team to recognise BEC red flags


Warning signs include: urgency framing ("please process today — my finance team is unreachable"), slight domain variations in the sender address, a shift in tone or phrasing compared to prior emails, requests to keep the update confidential, and payment instruction changes arriving mid-project. Run a short monthly session for anyone who handles or approves payments and use a real-world example each time.

5. Set a dual-approval rule for large payments

Define a threshold — for example, ₹2 lakh or $2,500 — above which any outgoing transfer requires sign-off from two authorised people. This means that a single fraudulent email cannot cause a large financial loss without also misleading a second person. Document the threshold and review it annually.

6. Check email headers when something feels unusual

A display name like "Rahul Sharma accounts@clientco.com" can hide a fraudulent reply-to address in the full email header. Most email clients let you view the complete header in one or two clicks. If the actual sender address does not match the display name, verify through a separate channel before taking any action.

7. Register your own domain variations proactively

Attackers frequently register slight variations of your domain — yourcompany.net, yourcompany-billing.com — to impersonate you when contacting your clients. Registering the most likely variations yourself costs very little and removes those options from an attacker's toolkit.

8. Restrict access to your payment and invoice email alias

If your business uses a dedicated address for invoice and payment correspondence, limit access to it. Review access quarterly and revoke it promptly when staff leave or change roles. A smaller access list reduces both the risk of compromise and the damage if one occurs.
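The header check from step 6 and the lookalike domains described in step 7 can be run automatically over a saved message. The Python below is an added example, not code from the original article; the function names, the constructed sample messages and the 0.8 similarity threshold are assumptions, and clientco.com stands in for a real client's domain.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import getaddresses, parseaddr

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def imitates(domain, trusted):
    """Return the trusted domain that `domain` resembles without being it, else None."""
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return None  # the real domain or one of its subdomains
    for t in trusted:
        name = t.split(".")[0]  # assumes entries are registrable domains
        for label in domain.split("."):
            # name embedded in a label, reused on another TLD, or near-identical spelling
            if name in label or SequenceMatcher(None, name, label).ratio() >= 0.8:
                return t
    return None

def bec_flags(raw, trusted):
    """Map each triggered check to a short human-readable reason."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    flags = {}
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply) != domain_of(sender):
            flags["reply_to_mismatch"] = f"replies go to {reply}, not {sender}"
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and shown.group().lower() != sender.lower():
        flags["display_name_address"] = f"name shows {shown.group()}, sender is {sender}"
    hit = imitates(domain_of(sender), trusted)
    if hit:
        flags["lookalike_domain"] = f"{domain_of(sender)} resembles {hit}"
    return flags

# Constructed sample messages; clientco.com is a placeholder domain.
SPOOFED = ('From: "Rahul Sharma accounts@clientco.com" <rahul@clientco-billing.com>\n'
           "Reply-To: payments@clientco-billing.net\n"
           "Subject: Updated bank details\n\nPlease use the new account.\n")
GENUINE = ("From: Rahul Sharma <accounts@clientco.com>\n"
           "Subject: Invoice 1042\n\nInvoice attached.\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, bec_flags(raw, ["clientco.com"]))
```

A message sent from a genuinely compromised mailbox passes all three checks, which is why the phone verification in step 1 stays mandatory even when the headers look clean.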

These same controls apply equally well to outbound payments. If your team manages both collections and supplier payments, reviewing wire fraud in international payments covers the outbound risk in more detail, along with the controls your bank expects to see before raising a recall request.

If the money has already left your account

Speed matters more than anything else. Every hour of delay narrows the recovery window.

Call your bank immediately. The moment you realise a payment has gone to the wrong account, call your bank's fraud desk and ask them to initiate a SWIFT recall or payment trace. Banks can sometimes freeze or reverse a transfer within the first 24 to 48 hours if the receiving institution cooperates. Document the call time and the name of the person you spoke to.

File a report with CERT-In and the cybercrime portal. File at cert-in.org.in to create an official cybercrime record the same day. Also register the incident at cybercrime.gov.in or at your nearest police cyber cell. Both are required for insurance claims, bank escalations, and cross-border legal cooperation.

Notify your AD bank formally. Your bank, as an authorised dealer under FEMA, can flag the transaction to the receiving bank through banking channels. The RBI does not have direct powers to recall funds once an international transfer has been processed, but your AD bank can raise a formal alert.

Understand what recovery actually looks like. If the funds reach the US, UK, Singapore, or UAE and law enforcement acts within the first day or two, partial recovery is sometimes possible if the receiving account has not been cleared. Where funds move through multiple intermediary accounts, the chance of meaningful recovery drops sharply. Cyber insurance policies in India increasingly cover BEC losses, though most require documented controls to have been in place at the time of the incident.

How Winvesta helps Indian exporters reduce BEC exposure

Several of the controls described above are significantly easier to enforce when your inbound payments flow through a purpose-built international collections account rather than a general bank account.

With a Winvesta Global Currency Account, you get dedicated account numbers for USD, GBP, EUR, CAD, and AUD, numbers that belong to your business and do not change. That stability is itself a fraud control: clients who know your account number has never changed will treat any request to redirect a payment as suspicious by default.

Winvesta also issues a Foreign Inward Remittance Advice (FIRA) for each inbound payment, giving you an auditable, currency-specific record of every transfer received. That documentation supports both your internal payment reconciliation and any fraud investigation that requires a payment trail.

If you are an Indian exporter handling regular cross-border collections, opening a Winvesta account takes a few minutes. Open your Winvesta Global Currency Account →

Disclaimer: The information provided in this blog is for general informational purposes only and does not constitute financial or legal advice. Winvesta makes no representations or warranties about the accuracy or suitability of the content and recommends consulting a professional before making any financial decisions.
