HackersvellA

Dr Reddy’s Laboratories Faces ₹2.16 Crore Cyber-Fraud: How Hackers Exploited Email Communication Channels

By HackersvellA Team
Nov 11, 2025

Introduction

In a major cybersecurity breach that shocked the Indian pharmaceutical industry, Dr Reddy’s Laboratories, one of India’s largest drug manufacturers, became the latest victim of a business email compromise (BEC) attack.

Hackers successfully intercepted financial correspondence between Dr Reddy’s and one of its vendors, Group Pharmaceuticals, redirecting a legitimate payment of ₹2.16 crore into a fraudulent account.

The incident highlights how even the most security-conscious organisations remain vulnerable to social engineering and email spoofing attacks.


What Happened

According to reports from India Today and The Economic Times, the breach occurred in early November 2025.

Cybercriminals managed to gain unauthorized access to email exchanges between Dr Reddy’s Laboratories and Group Pharmaceuticals — the latter based in Bengaluru.

After infiltrating or spoofing the email chain, the attackers sent fake payment instructions to Dr Reddy’s accounts department, posing as Group Pharmaceuticals officials. Believing the email to be genuine, the company processed a payment of ₹2.16 crore to a bank account controlled by the fraudsters.

Shortly after the transaction, the vendor noticed that it had not received the payment. Upon verification, it was discovered that the bank details had been altered — a classic signature of a BEC fraud.


Investigation and Response

Once the fraud came to light, Dr Reddy’s immediately alerted its banking partners and filed a complaint with the Bengaluru Cyber Crime Police Station.

An FIR was registered on November 5 under the Information Technology Act and relevant sections of the Bharatiya Nyaya Sanhita (cheating and impersonation).

Investigators traced the fraudulent bank account to Vadodara, Gujarat, and successfully froze the primary account to prevent further fund transfers. However, some of the stolen money had already been dispersed into secondary accounts.

In an official statement, Dr Reddy’s Laboratories clarified that due to swift detection and action, there was no financial loss to either the company or its vendor — a testament to quick incident-response coordination between corporate teams and law enforcement.


Technical & Social Engineering Angle

While the exact attack vector has not been disclosed, cybersecurity experts suggest the following possible methods:

  1. Email account compromise — attackers may have obtained credentials via phishing or reused passwords from past data breaches.
  2. Email spoofing — hackers could have used look-alike domains or altered “reply-to” headers to impersonate legitimate vendor emails.
  3. Thread hijacking — copying or replying within a genuine email chain to gain trust before injecting fraudulent payment details.

This pattern aligns with the rising trend of business email compromise globally — a type of fraud that relies more on deception and human error than malware or code exploits.
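
The spoofing indicators in item 2 above (a look-alike sender domain, a "reply-to" that points away from the sender) can be checked mechanically before a payment-change request reaches the accounts team. The Python sketch below is an added example, not code from the reports or from any party in this case; the vendor allow-list, the `.example` domains, the sample messages and the edit-distance threshold of 2 are all assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: accounts-payable keeps an allow-list of verified vendor mail domains.
KNOWN_VENDOR_DOMAINS = {"vendor-pharma.example"}

# Constructed sample messages (not taken from the incident).
LOOKALIKE = ("From: Accounts <accounts@vend0r-pharma.example>\n"
             "Subject: Re: Invoice - updated bank details\n\nUse the new account.\n")
REDIRECTED = ("From: Accounts <accounts@vendor-pharma.example>\n"
              "Reply-To: accounts@mailbox-service.example\n"
              "Subject: Re: Invoice\n\nUse the new account.\n")
GENUINE = ("From: Accounts <accounts@vendor-pharma.example>\n"
           "Subject: Invoice\n\nBank details unchanged.\n")

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if missing or malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (look-alike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message):
    """Reasons this message should be held for out-of-band verification."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    for dom in {from_dom, reply_dom} - {""}:
        if dom in KNOWN_VENDOR_DOMAINS:
            continue
        # Close to a known vendor domain but not equal to it: likely look-alike.
        if any(edit_distance(dom, known) <= 2 for known in KNOWN_VENDOR_DOMAINS):
            flags.append("lookalike-domain:" + dom)
    return sorted(flags)

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("redirected", REDIRECTED), ("genuine", GENUINE)]:
        print(name, bec_flags(raw))
```

A message sent from a genuinely compromised vendor mailbox (items 1 and 3) passes both header checks, so a change of bank details still needs confirmation through a separately known phone number or contact.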


Industry Impact

The attack on Dr Reddy’s is part of a broader pattern targeting the pharmaceutical and healthcare sector in India, which has seen an increase in ransomware, fraud, and data-exfiltration cases over the past year.

Cybercriminals often target pharma firms because of their:

  • High transaction volumes
  • Complex supply chains
  • Dependence on digital communications for vendor management

The incident serves as a wake-up call for pharma and healthcare enterprises to invest in robust cyber hygiene and vendor-security practices.


Conclusion

The Dr Reddy’s Laboratories cyber-fraud case demonstrates that no organization is immune from the growing menace of business email compromise.

Even without sophisticated malware, attackers can inflict financial and reputational damage by exploiting trust in digital communication.

Fortunately, in this instance, timely intervention prevented losses — but it reinforces the urgent need for multi-layered cybersecurity, staff training, and zero-trust communication policies across corporate India.




About the Author

SpidervellA Technologies