Pharmaceutical major Dr. Reddy’s Laboratories Ltd. has fallen victim to a sophisticated cyber fraud involving email spoofing, resulting in a financial loss of ₹2.16 crore. According to a complaint filed with the Bengaluru City Cyber Crime Police on November 5, the attackers impersonated a senior executive from a supplier company and manipulated a legitimate payment transaction.
The incident came to light after Group Pharmaceuticals Ltd., one of Dr. Reddy’s vendors, reported that the funds expected from the pharmaceutical firm had been fraudulently diverted to an unauthorized bank account.
How the Fraud Unfolded
Investigators said hackers intercepted ongoing email communications between the two companies and crafted a convincing fake email from a near-identical domain — “KKeshav@Grouppharma.in” instead of the official “kkeshav@grouppharma.in.” The message instructed Dr. Reddy’s finance department to transfer the payment to a new Bank of Baroda account, which was later found to be fraudulent.
Believing the correspondence to be genuine, the finance team processed the transfer on November 3, completing the ₹2.16 crore payment. The fraud was detected only after Group Pharmaceuticals followed up on the delayed confirmation and discovered that the intended payment had been misdirected.
Following the discovery, Group Pharmaceuticals contacted authorities and requested that the fraudulent account be frozen to recover the funds.
Investigation and Legal Action Underway
Police have registered a case under Sections 66(C) and 66(D) of the Information Technology Act, covering identity theft and impersonation, along with provisions of the Bharatiya Nyaya Sanhita. The accused are believed to be based in Vadodara, Gujarat, though their identities have not yet been confirmed.
Cybercrime officials are currently tracing the money trail and examining communication logs to determine how the attackers gained access to internal correspondence. Early indications suggest that either email compromise or phishing was used to monitor the conversation thread before executing the fraudulent instruction.
Experts say this incident reflects a growing wave of Business Email Compromise (BEC) scams targeting corporate finance teams. “Spoofed domains and realistic phishing messages can easily bypass basic verification systems when companies don’t have multi-step authentication for vendor communication,” said a cybersecurity analyst familiar with the case.
Corporate Vulnerabilities and Rising BEC Incidents
BEC-related financial losses have become one of the most common forms of corporate cyber fraud globally. The FBI’s Internet Crime Complaint Center (IC3) reported that such scams accounted for over $2.9 billion in losses in 2023, often involving payment diversions similar to the Dr. Reddy’s case.
Industry experts urge companies to establish multi-level payment verification protocols, conduct domain authenticity checks, and implement real-time transaction monitoring to prevent such targeted frauds.
