Rising 'Boss Scam' threat targets senior executives: Warns Indian Cyber Crime Coordination Centre
New Delhi, June 22
The Indian Cyber Crime Coordination Centre on Monday flagged a growing cybercrime trend known as the "Boss Scam" or CEO impersonation fraud, cautioning organisations and senior officials to remain vigilant against increasingly sophisticated attacks.
As per the I4C, a specialised cyber security wing under the Ministry of Home Affairs, cybercriminals are specifically targeting high-ranking executives and decision-makers by sending malicious files disguised as urgent regulatory compliance documents.
The I4C advisory states: "These files are typically shared through email or messaging platforms such as WhatsApp, creating a sense of urgency and authority to prompt immediate action."
"Once the recipient opens the malicious archive, malware is deployed to compromise the executive's Windows device. The attack does not stop at device infiltration. It further extends to hijacking active WhatsApp Web sessions, allowing fraudsters to gain control of official communication channels used by the targeted individual," the I4C wing states.
With access to these accounts, cybercriminals impersonate the executive and send convincing messages to subordinate staff or finance teams. These messages often contain instructions to process urgent financial transactions, leading to fraudulent fund transfers without raising immediate suspicion.
Officials note that the scam's effectiveness lies in its exploitation of organisational hierarchy and trust. Employees are less likely to question directives appearing to come from top leadership, especially when conveyed through legitimate communication platforms.
The I4C has advised organisations to strengthen their cybersecurity protocols, including employee awareness, verification mechanisms for financial transactions, and secure handling of digital communications. Executives have been urged to avoid opening unsolicited attachments, even if they appear work-related, and to regularly monitor active sessions on messaging platforms.
Describing the modus operandi of these criminals, the advisory states: "Sophisticated cybercriminals contact the CEO or high-ranking official via email or WhatsApp, impersonating regulators such as the Reserve Bank of India (RBI).
"The communication falsely claims a regulatory violation or mandates an urgent security improvement, demanding a response within a very short timeframe. The message contains a compressed .zip archive. Inside this archive is a malicious executable (.exe) accompanied by a Dynamic Link Library (.dll) file. As seen in multiple cases, the CEO forwards the message to the finance officer. When the executive extracts and executes the file on a Windows desktop or laptop, a Trojan dropper is initiated," the advisory notes.
"The malware establishes a persistent foothold, compromises the system, and hijacks the active Web WhatsApp session tokens. Armed with access to the executive's real WhatsApp account, the fraudster contacts accounts or finance employees, instructing them to make immediate payments to specified mule bank accounts. In alternative scenarios, if the attacker achieves complete device takeover, they covertly modify the device's contact list, saving a fraudulent, attacker-controlled phone number under the name of the 'CEO', and use that secondary number to instruct employees to transfer funds," it said.
To avoid such frauds, the I4C advisory recommends that company finance departments independently verify any urgent financial transaction or account change requested solely through a WhatsApp text or email.
It stressed the need for a verification through a direct voice call or in-person confirmation.
It further advised against installing executables received from unknown or unverified sources, noting that "regulators like the RBI will never distribute mandatory software updates or security fixes via WhatsApp attachments."
It suggested that "system administrators should enforce strict software restriction policies (SRP) configurations to block the execution of unknown .exe and .dll files originating from the user profile directories."
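As an illustration of the software restriction policy the advisory recommends, the following PowerShell (an added example, not part of the I4C advisory) writes SRP path rules that disallow execution from common user-profile folders and enables DLL checking. The choice of folders and the decision to write the local policy registry keys directly rather than through Group Policy are assumptions made for this example.

```powershell
# Added example (not from the I4C advisory): Software Restriction Policy rules that
# block .exe and .dll execution from user-profile folders. Run as Administrator.
# Writes the same registry keys that the SRP Group Policy editor would configure.
$ci = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $ci -Force | Out-Null

# Default security level Unrestricted (0x40000); only the listed paths are Disallowed.
Set-ItemProperty -Path $ci -Name DefaultLevel -Value 262144 -Type DWord
# TransparentEnabled = 2 enforces SRP for DLLs as well as executables (1 skips libraries).
Set-ItemProperty -Path $ci -Name TransparentEnabled -Value 2 -Type DWord
# PolicyScope = 0 applies the rules to every user, local administrators included.
Set-ItemProperty -Path $ci -Name PolicyScope -Value 0 -Type DWord

# Folders where an extracted "compliance" archive typically lands (assumed for the example).
# Folder-level rules cover subfolders, which matters because archives usually extract
# into a new directory beneath Downloads or Desktop.
$userFolders = @('%USERPROFILE%\Downloads',
                 '%USERPROFILE%\Desktop',
                 '%USERPROFILE%\AppData\Local\Temp')

function Add-SrpDisallowRule {
    param([string]$PathPattern)
    # Security level 0 = Disallowed; each path rule lives under its own GUID-named key.
    $ruleKey = "$ci\0\Paths\{$([guid]::NewGuid().ToString().ToUpper())}"
    New-Item -Path $ruleKey -Force | Out-Null
    # REG_EXPAND_SZ so %USERPROFILE% is resolved for whichever user launches the file.
    Set-ItemProperty -Path $ruleKey -Name ItemData -Value $PathPattern -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags -Value 0 -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description `
        -Value 'Block execution from user profile (CEO impersonation advisory)' -Type String
}

function Get-SrpDisallowRules {
    # Audit helper: returns the Disallowed path patterns currently configured.
    Get-ChildItem -Path "$ci\0\Paths" | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath).ItemData
    }
}

foreach ($folder in $userFolders) { Add-SrpDisallowRule -PathPattern $folder }
Get-SrpDisallowRules
```

Rules written directly to the local registry typically apply to newly started processes after the next logon or policy refresh; in a domain the same settings are normally delivered through Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies.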
The I4C wing also advised users to regularly audit the devices linked to their mobile WhatsApp application (Settings > Linked Devices) and to proactively log out of any Web WhatsApp sessions that are no longer actively monitored.
It further suggested that Windows endpoints be equipped with up-to-date endpoint protection capable of detecting malware.
Finally, the advisory asked that any fraudulent applications or scam incidents be reported immediately to the 1930 helpline or www.cybercrime.gov.in.
— ANI
Reader Comments
This is surprisingly sophisticated. The fact that they're hijacking WhatsApp Web sessions to impersonate CEOs makes it really dangerous. In my company, we've now made it mandatory to have a secondary confirmation via phone call for any urgent financial transfer. Common sense can save crores.
Honest opinion: I think the article places too much blame on employees falling for scams. Companies should invest more in robust IT infrastructure and mandatory training sessions. In Bangalore, I know startups where even basic cyber hygiene like 2FA isn't enforced. Government advisory is good, but corporate India needs to wake up. 👍
😅 Meanwhile my MD uncle still opens every attachment without thinking. I've tried telling him 100 times! This scam targeting senior officials through WhatsApp is especially dangerous because everyone uses it for work these days. RBI will never send files via zip - everyone should remember this basic rule.
Having worked in cybersecurity compliance in the US, I can confirm these CEO frauds are growing globally. But I appreciate I4C issuing such a detailed advisory with actionable steps - especially the part about blocking .exe and .dll files in user directories. Every Indian company should implement these controls immediately.
"Boss Scam" - what a name! 😂 But seriously, this is no joke. My company in Hyderabad lost ₹5 lakhs last year to a similar fraud where someone posed as our MD on WhatsApp. The finance team was too scared to question