Cyber Incident Victim: Nykaa

Date: Mar 2020

Location: India

Summary

Nykaa, an Indian beauty and fashion retailer, fell victim to a business email compromise attack where cybercriminals impersonated its Italian supplier through email spoofing. The fraudsters redirected a payment of approximately Rs 60 lakh intended for legitimate vendor invoices to a fraudulent bank account by exploiting pandemic-related supply chain disruptions. The deception was discovered weeks later when the authentic supplier inquired about unpaid invoices, revealing the account details didn't match their records. The company filed a police complaint under cheating, impersonation, and IT Act provisions, initiating an investigation while confirming no customer data systems were breached during the incident.


Description

In November 2019, Nykaa, an Indian beauty and fashion retailer, placed an order valued at 71,000 euros (approximately Rs 62 lakh) with an Italian supplier for raw materials. On March 20, 2020, the supplier notified Nykaa via email that the materials were ready and provided an invoice. Due to COVID-19-related flight suspensions, Nykaa informed the supplier in April 2020 that it could not receive the shipment. During this period, Nykaa received a fraudulent email appearing to originate from the supplier’s authentic address, instructing payment redirection to a different bank account citing taxation reasons. The email promised follow-up details, which arrived the next day with a new account number and a directive to use it for all future transactions. Nykaa processed the payment and notified the supplier.

Days later, the legitimate supplier inquired about the overdue payment. Upon sharing transaction details, Nykaa learned the provided bank account and emails were fraudulent. The company confirmed it had been deceived via email spoofing, where attackers forged the supplier’s address to mimic authenticity. Nykaa initiated an internal investigation and filed an FIR with NM Joshi Marg police, citing cheating, impersonation, and IT Act violations. Police confirmed the attackers used an identical-looking email ID to impersonate the vendor. Nykaa stated no customer data was compromised and cooperated with law enforcement. The financial impact amounted to the full invoice value of Rs 60 lakh, transferred irrevocably to the fraudulent account.
