India Warns Companies Against Rising “Boss Scam” Cyber Fraud Targeting Executives

New Delhi: The Indian Cyber Crime Coordination Centre (I4C) has issued a nationwide alert over a growing cyber fraud known as the “Boss Scam,” where cybercriminals impersonate regulators and top corporate executives to deceive organizations into transferring large sums of money.

According to an advisory released by the National Cybercrime Threat Analytics Unit (NCTAU) under I4C, fraudsters are increasingly targeting CEOs, directors, and senior management officials through deceptive emails and WhatsApp messages that appear to originate from regulatory authorities, including the Reserve Bank of India (RBI), or from company leadership.

How the Boss Scam Operates

Investigators have found that cybercriminals typically send urgent messages claiming that a company has violated regulatory norms, failed compliance requirements, or needs immediate security upgrades. These communications often create a sense of urgency and pressure recipients to act quickly.

The fraudulent messages usually contain a ZIP file that is presented as an important compliance document or software update. Once the file is downloaded and opened on a Windows-based system, malicious software is secretly installed.

The malware can compromise the victim’s computer and gain access to active WhatsApp Web sessions, allowing criminals to take control of the executive’s legitimate WhatsApp account without their knowledge.

Hijacked Accounts Used for Financial Fraud

After gaining access to an executive’s account, fraudsters use the trusted identity of the senior official to contact finance and accounts teams. Employees then receive seemingly authentic instructions directing them to transfer funds to designated bank accounts controlled by the attackers.

In some cases, cybercriminals reportedly manipulate contact lists by saving their own numbers under the name of the CEO or another senior executive. As a result, fraudulent payment requests appear genuine, making it difficult for employees to identify the deception.

Cybersecurity experts note that finance departments are particularly vulnerable because urgent financial instructions from senior management are often treated as high-priority requests.

Growing Threat to Businesses

The advisory highlights that the Boss Scam combines malware attacks with social engineering techniques, making it one of the more sophisticated forms of corporate cyber fraud currently emerging in India.

By exploiting trust within organizations and leveraging compromised communication channels, attackers can bypass traditional security measures and directly target company finances.

Officials warn that businesses of all sizes—from startups and MSMEs to large corporations—could be at risk if proper verification procedures are not followed.

I4C Issues Preventive Guidelines

To protect organizations from such attacks, I4C has advised companies to adopt strict verification mechanisms for financial transactions and account changes.

Key recommendations include:

  • Independently verify all urgent payment instructions through direct voice calls or face-to-face confirmation.
  • Avoid relying solely on WhatsApp messages, emails, or digital communications for high-value transactions.
  • Do not download or execute ZIP files or software received from unknown or unverified sources.
  • Remember that regulatory authorities such as the RBI do not distribute mandatory software updates through WhatsApp attachments.
  • Implement software restriction policies across corporate systems.
  • Regularly review and monitor linked WhatsApp Web devices.
  • Keep Windows systems protected with updated antivirus and malware-detection solutions.
  • Conduct employee awareness programs on identifying phishing and social-engineering attacks.

Immediate Reporting Encouraged

The cybercrime agency has urged citizens, businesses, and institutions to report any suspected cyber fraud without delay. Victims or those who identify suspicious activity can contact the National Cybercrime Helpline at 1930 or file complaints through the National Cyber Crime Reporting Portal.

Rising Need for Cyber Awareness

As digital communication becomes central to business operations, cybercriminals are increasingly exploiting trusted platforms such as WhatsApp and email to conduct financial fraud. Authorities emphasize that awareness, verification, and strong cybersecurity practices remain the most effective defenses against these evolving threats.

The latest warning from I4C serves as a reminder that even senior executives can become targets, and a single compromised device or account can expose an entire organization to significant financial losses.
