India cyber fraud: Dr Reddy’s loses ₹2.16 crore in email impersonation scam

Police in the southern Indian city of Bengaluru have begun an investigation into an alleged case of business email compromise involving Dr Reddy’s Laboratories, one of India’s largest pharmaceutical companies. The complaint was lodged on 5 November by an official representing Group Pharmaceuticals Ltd., a Bengaluru-based firm that supplies goods to Dr Reddy’s.

According to the First Information Report (FIR), Group Pharmaceuticals had been expecting a payment of ₹2.16 crore from Dr Reddy’s Laboratories as part of an ongoing commercial transaction. Investigators were told that unknown hackers gained unauthorised access to email exchanges between the two companies in the days leading up to the scheduled transfer.

The report states that on 3 November, the perpetrators sent a spoofed message to the finance department of Dr Reddy’s Laboratories, using an email address designed to resemble that of a senior executive at Group Pharmaceuticals. The fraudulent address swapped characters in the domain to create a near-identical version of the legitimate account.

The email allegedly instructed Dr Reddy’s to route the pending payment to a new Bank of Baroda account. Believing the instructions to be legitimate, the company transferred the full amount on 4 November. It was only later that Group Pharmaceuticals informed police that the message had not originated from its systems.

The FIR notes that the suspected bank account is registered in Vadodara, a city in the western Indian state of Gujarat. Police have been asked to urgently freeze the account and attempt to recover the diverted funds before they are withdrawn.

Officers from the Bengaluru City Cyber Crime Police Station have registered the case under provisions of India’s Information Technology Act, including Section 66(C) relating to identity theft and Section 66(D), which addresses cheating by personation through electronic means. Relevant sections of the Bharatiya Nyaya Sanhita, India’s updated criminal code, have also been invoked.

A police official told local media that the fraud appears to be a sophisticated example of email infiltration, where attackers monitor exchanges between two parties before inserting false instructions at precisely the moment a payment is due. “The complainant has said that the domain was manipulated to deceive the recipient,” the FIR states.

Business email compromise, also known as BEC, has become a growing cyber security concern for corporations in India, particularly in sectors that manage high-value transactions such as pharmaceuticals and manufacturing. Such attacks typically involve credential theft, domain spoofing or unauthorised access to email servers, allowing criminals to impersonate senior staff and alter financial instructions.

Neither Dr Reddy’s Laboratories nor Group Pharmaceuticals has publicly commented on the incident. Police say efforts are under way to trace the origin of the hack, identify the individuals involved and determine how the attackers gained access to internal communications.

Context

India has seen a sharp rise in digital fraud cases as more companies shift to cloud-based operations and remote financial processes. The Indian Computer Emergency Response Team (CERT-In) has repeatedly warned firms about vulnerabilities in business email systems, urging regular authentication checks, domain monitoring and multi-factor verification for all financial instructions.

Pharmaceutical companies, which routinely manage large inter-company payments and international supply chains, have been identified as high-risk targets. Recent industry assessments suggest that attackers increasingly rely on small alterations in domain names or insider-style language to bypass corporate safeguards.

The investigation into the Dr Reddy’s case is ongoing. Authorities have not yet confirmed whether the attackers operated from within India or overseas.