Subtle Email Switch: Pune Firm Duped of 24,000 Euros in Deceptive ‘Man-in-the-Middle’ Attack
A Pune-based company faced a significant setback, losing 24,000 Euros to a clever email fraud in a transaction with a French firm. The underhanded scam was made possible by a mere single-letter change in an email address, which the unsuspecting Pune executives failed to notice.
In a classic case of a “man-in-the-middle” attack, cyber-criminals cunningly interjected themselves into a professional email correspondence between the Indian company and their French partners. As a result, a hefty sum initially intended to purchase equipment ended up in a fraudulent bank account, set up by the perpetrators in Portugal.
Earlier this year, the engineering supplies company based in Pune placed a significant order worth more than 51,000 Euros with their French counterparts, with whom they’d had a long-standing professional relationship. An invoice to confirm the order was sent to the French firm’s sales manager’s email, as per usual procedure.
Shortly after, the Pune firm received an alarming email notification. The message explained that the Paris-based bank account usually used for transactions was inaccessible. Instead, they were directed to transfer funds to an alternative account in Lisbon. Without questioning the authenticity of the email, the Pune firm complied, sending an advance of 24,589 Euros to the Portuguese bank account.
Suspicions were raised only weeks later when the French firm reported non-receipt of the payment for the ordered equipment. Upon rechecking the correspondence, the Pune firm was stunned to discover the email directive to change the bank account was a fraud. The difference was subtle yet significant – a single letter, ‘a’ instead of ‘e’.
Immediately alerting the Pune City police and filing a formal complaint, the case has been taken up for investigation. According to Pune City police investigators, the scam was an elaborate cybercrime technique known as a “man-in-the-middle” attack. The scammers infiltrated the email accounts of both parties, hijacked ongoing transaction details, created a look-alike email address, and successfully tricked the Pune firm into transferring the funds into a hacker-controlled bank account.
This incident serves as a cautionary tale about the perils of not rigorously checking the legitimacy of professional email communications, especially those involving financial transactions. Cybercriminals continue to advance their deceptive practices, calling for even more stringent online safety measures by businesses globally.