Capital markets regulator Securities and Exchange Board of India (SEBI) has issued a warning to listed companies and regulated entities about a new cyber fraud called the “Boss Scam.” This scam involves cybercriminals pretending to be CEOs, managing directors, or other top officials to deceive employees into transferring funds. The Indian Cyber Crime Coordination Centre (I4C) highlighted a surge in CEO and MD impersonation frauds targeting organizations through various platforms like email, WhatsApp, and Microsoft Teams.
Fraudsters, posing as senior executives, send urgent messages or make calls to finance or accounts staff instructing them to transfer money to specified bank accounts. SEBI emphasized that these criminals use email, WhatsApp, Microsoft Teams, and other social media platforms to communicate with subordinates or counterparts, directing them to transfer funds. In some instances, cybercriminals employ tools like voice cloning and deepfake video calls to make their impersonation more convincing.
Another tactic mentioned by SEBI involves fraudsters sending a compressed ZIP file containing malicious software. When opened on a Windows device, this malware can take over an active WhatsApp Web session, allowing cybercriminals to access the victim’s account and send fraudulent payment instructions to finance teams. The regulator also cautioned about fraudsters manipulating contact lists on compromised devices by saving their own numbers under the names of CEOs or managing directors to make their calls or messages seem legitimate.
To prevent such scams, SEBI advised listed entities and regulated organizations to verify all fund transfer requests received via email, WhatsApp, or other social media platforms by directly contacting the senior official through a trusted channel. Organizations were also urged not to authorize fund transfers solely based on social media messages and to refrain from opening executable or compressed files without verifying the sender’s identity. Additionally, SEBI recommended regularly logging out of inactive WhatsApp Web sessions to reduce the risk of account compromise.
