What is Boss Scam? Govt advisory warns against CEO impersonation fraud | India News | ACTPnews

Business Standard



The Indian Cyber Crime Coordination Centre (I4C) on Monday issued an advisory warning companies about a growing cyber fraud known as the “Boss Scam” and cautioned organisations and senior executives to stay vigilant.


What is Boss Scam?

Also known as CEO impersonation fraud, the Boss Scam is a form of cyber-enabled financial fraud in which criminals pose as senior executives to trick employees into making unauthorised payments or sharing sensitive information. In this scam, fraudsters exploit organisational hierarchy and convince employees to process transactions by making them believe the instructions have come from their senior management. 


According to the I4C advisory, the latest variant of the scam begins with cybercriminals impersonating regulators such as the Reserve Bank of India (RBI) and sending urgent messages to CEOs or other senior officials via email or WhatsApp. The messages claim a regulatory violation or mandate an immediate security update and contain a malicious file disguised as a compliance document. 

How do fraudsters execute Boss Scam?


The message contains a compressed ZIP archive that appears legitimate but includes malware. 


“The message contains a compressed .zip archive. Inside this archive is a malicious executable (.exe) accompanied by a Dynamic Link Library (.dll) file. As seen in multiple cases, the CEO forwards the message to the finance officer.”


Once the file is opened on a Windows device, the malware gains access to the system and can hijack active WhatsApp Web sessions, allowing fraudsters to gain control of official communication channels used by the targeted individual. 

If the attacker achieves complete device takeover, they covertly modify the device’s contact list, saving a fraudulent, attacker-controlled phone number under the name of the “CEO”, and use that secondary number to instruct employees to transfer funds, the advisory stated. 


How does Boss Scam differ from traditional phishing attacks?


Cybersecurity experts say Boss Scam attacks are more targeted and sophisticated than conventional phishing campaigns.


“The recent advisory highlights how cybercriminals are increasingly exploiting trust and human behaviour rather than technical vulnerabilities,” said Dr Sanjay Katkar, Joint Managing Director at Quick Heal Technologies. 
Unlike traditional phishing attacks, which typically involve sending large volumes of generic messages to a wide range of users, Boss Scams are highly targeted and often unfold in real time through channels such as email, WhatsApp and other messaging platforms.

Katkar noted that while conventional Business Email Compromise (BEC) attacks often rely on compromised email threads and fake invoices, Boss Scams go a step further by blending email, messaging apps and even social media to mimic urgent instructions from senior executives.

A spokesperson from Fortinet said Boss Scam is essentially a variant of Business Email Compromise but is distinguished by its exploitation of organisational hierarchy and urgency. “Attackers impersonate a senior executive, such as a CEO or CFO, and pressure employees to act quickly, often requesting confidential payments, gift cards or data transfers,” the spokesperson said.

Because these messages frequently avoid suspicious links or attachments and instead rely on social engineering and authority, they can bypass traditional security controls and appear more credible to employees, experts noted.

According to Katkar, attackers are increasingly leveraging lookalike domains, fake executive profiles and AI-generated communications to make fraudulent requests appear legitimate. As organisations increasingly use messaging platforms for workplace communication and quick approvals, WhatsApp-based corporate fraud has emerged as a recurring pattern, particularly targeting finance teams and decision-makers.

How to prevent Boss Scam?


In its advisory, the I4C asked organisations to adopt stricter verification and cybersecurity practices to guard against Boss Scam attacks. It directed that finance teams should independently verify any request for urgent payments or account changes received through WhatsApp or email, preferably through a direct phone call or in-person confirmation. 


The agency also cautioned executives and employees against downloading or installing files received from unknown sources, noting that regulators such as the RBI do not distribute software updates or security fixes through WhatsApp attachments. 

Additionally, it urged companies to regularly review linked devices on WhatsApp, deploy updated malware detection tools on Windows systems, and implement software restriction policies that block the execution of unauthorised files.  


What is the single most effective way to prevent Boss Scam attacks?

According to experts, the most effective defence against Boss Scam attacks is to establish a strict verification process for all financial transactions, regardless of who appears to be making the request.

“If I had to highlight a single most effective control, it would be a strict maker-checker and out-of-band verification policy for all payment or sensitive-data requests, including those that appear to come from the CEO or board,” said Katkar, adding that no transaction should be executed solely on the basis of an email or message, no matter how urgent or authoritative it appears.

According to Katkar, organisations should require employees to verify unusual payment requests through a secondary communication channel, such as a phone call or in-person confirmation, and implement multi-level approval mechanisms for high-value transactions.

The Fortinet spokesperson said organisations should also strengthen their “human defence layer” through user-awareness measures. Visible warning banners on suspicious emails and real-time alerts such as “External sender impersonating executive” or “Payment request requires verification” can encourage employees to pause, question the request and reassess the urgency before taking action.
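As an added illustration (not code from the advisory or from the vendors quoted above), the following Python triage function applies the two ideas in this section to an inbound message: it raises the "External sender impersonating executive" banner when an outside address carries an executive's display name, flags a lookalike sender domain, and raises "Payment request requires verification" on any payment or account-change wording regardless of who the sender appears to be. The company domain, executive roster, trigger words and sample messages are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed example data (assumptions, not from the advisory): the company
# domain, an executive roster keyed by display name, and payment trigger words.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"priya sharma": "CEO", "rahul mehta": "CFO"}
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "gift card", "account change")

BANNER_IMPERSONATION = "External sender impersonating executive"
BANNER_LOOKALIKE = "Lookalike sender domain"
BANNER_VERIFY = "Payment request requires verification"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain one or two edits from the real one is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(from_header: str, body: str) -> list[str]:
    """Return the warning banners to show on an inbound message.

    An external address whose display name matches an executive is flagged as
    impersonation; a payment or account-change request gets the verification
    banner regardless of sender, since a real executive's account or WhatsApp
    session may itself have been hijacked.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    external = domain != CORP_DOMAIN
    banners = []
    if external and name.strip().lower() in EXECUTIVES:
        banners.append(BANNER_IMPERSONATION)
    if external and domain and edit_distance(domain, CORP_DOMAIN) <= 2:
        banners.append(BANNER_LOOKALIKE)
    if any(word in body.lower() for word in PAYMENT_WORDS):
        banners.append(BANNER_VERIFY)
    return banners


# Constructed sample messages: a lookalike-domain impersonation, a genuine
# internal request that still needs out-of-band checking, and a benign mail.
SAMPLES = [
    ("Priya Sharma <priya.sharma@examp1e.com>", "Urgent: wire 12 lakh to the new vendor account today."),
    ("Priya Sharma <priya.sharma@example.com>", "Please process this invoice before the bank closes."),
    ("Vendor Support <help@supplier.net>", "Your order has shipped."),
]
```

The second sample shows why the verification banner is independent of the sender check: a message from the real corporate domain still needs the maker-checker and out-of-band confirmation the experts describe.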

As attackers increasingly use social engineering tactics rather than malware, experts say employee awareness and verification protocols remain among the strongest defences against executive impersonation fraud.