Rising 'Boss Scam' threat targets senior executives: Warns Indian Cyber Crime Coordination Centre

Jun 22, 2026

New Delhi [India], June 22: The Indian Cyber Crime Coordination Centre (I4C) on Monday flagged a growing cybercrime trend known as the "Boss Scam" or CEO impersonation fraud, cautioning organisations and senior officials to remain vigilant against increasingly sophisticated attacks.
As per the I4C, a specialised cyber security wing under the Ministry of Home Affairs, cybercriminals are specifically targeting high-ranking executives and decision-makers by sending malicious files disguised as urgent regulatory compliance documents.
The I4C advisory states, "These files are typically shared through email or messaging platforms such as WhatsApp, creating a sense of urgency and authority to prompt immediate action."
"Once the recipient opens the malicious archive, malware is deployed to compromise the executive's Windows device. The attack does not stop at device infiltration. It further extends to hijacking active WhatsApp Web sessions, allowing fraudsters to gain control of official communication channels used by the targeted individual," states the I4C wing.
With access to these accounts, cybercriminals impersonate the executive and send convincing messages to subordinate staff or finance teams. These messages often contain instructions to process urgent financial transactions, leading to fraudulent fund transfers without raising immediate suspicion.
Officials note that the scam's effectiveness lies in its exploitation of organisational hierarchy and trust. Employees are less likely to question directives appearing to come from top leadership, especially when conveyed through legitimate communication platforms.
The I4C has advised organisations to strengthen their cybersecurity protocols, including employee awareness, verification mechanisms for financial transactions, and secure handling of digital communications. Executives have been urged to avoid opening unsolicited attachments, even if they appear work-related, and to regularly monitor active sessions on messaging platforms.
Describing the modus operandi of these criminals, the advisory mentions, "Sophisticated cybercriminals contact the CEO or high-ranking official via email or WhatsApp, impersonating regulators such as the Reserve Bank of India (RBI)."
"The communication falsely claims a regulatory violation or mandates an urgent security improvement, demanding a response within a very short timeframe. The message contains a compressed .zip archive. Inside this archive is a malicious executable (.exe) accompanied by a Dynamic Link Library (.dll) file. As seen in multiple cases, the CEO forwards the message to the finance officer. When the executive extracts and executes the file on a Windows desktop or laptop, a Trojan dropper is initiated," the advisory points out.
"The malware establishes a persistent foothold, compromises the system, and hijacks the active Web WhatsApp session tokens. Armed with access to the executive's real WhatsApp account, the fraudster contacts accounts or finance employees, instructing them to make immediate payments to specified mule bank accounts. In alternative scenarios, if the attacker achieves complete device takeover, they covertly modify the device's contact list, saving a fraudulent, attacker-controlled phone number under the name of the 'CEO', and use that secondary number to instruct employees to transfer funds," it said.
To avoid such frauds, the I4C advisory recommends that companies instruct their finance departments to verify any request for an urgent financial transaction or account change rather than acting solely on a WhatsApp text or email.
It stressed the need for verification through a direct voice call or in-person confirmation.
It further advised against installing executables received from unknown or unverified sources, assuring that "regulators like the RBI will never distribute mandatory software updates or security fixes via WhatsApp attachments."
It suggested that "system administrators should enforce strict software restriction policies (SRP) configurations to block the execution of unknown .exe and .dll files originating from the user profile directories."
The I4C wing also advised regularly auditing authorised devices within the mobile WhatsApp application (Settings > Linked Devices) and proactively logging out of any Web WhatsApp sessions that are no longer actively monitored.
It further suggested that Windows endpoints be equipped with up-to-date solutions that detect malware.
And finally, the advisory asked that any fraudulent applications or scam incidents be reported immediately to 1930 or www.cybercrime.gov.in.
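The delivery format the advisory describes, a .zip archive carrying an .exe alongside a .dll, can be checked at a mail or file gateway before the attachment reaches the recipient. The following is an added example, not code from I4C or the advisory; the verdict names and the sample file names are assumptions, and the sample archives are constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath


def triage_zip(data: bytes) -> dict:
    """Classify one .zip attachment (raw bytes) without extracting or running anything."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Unreadable containers go to manual review rather than to the user.
        return {"verdict": "quarantine", "reason": "unreadable archive", "paired": []}

    exe_dirs, dll_dirs, exes = set(), set(), []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Normalise separators; Windows drops trailing dots and spaces,
            # so "viewer.exe." still lands on disk as viewer.exe.
            path = PurePosixPath(info.filename.replace("\\", "/").rstrip(". "))
            suffix = path.suffix.lower()
            if suffix == ".exe":
                exes.append(str(path))
                exe_dirs.add(path.parent)
            elif suffix == ".dll":
                dll_dirs.add(path.parent)

    # Folders holding both an .exe and a .dll match the advisory's description.
    paired = sorted(str(d) for d in exe_dirs & dll_dirs)
    if paired:
        return {"verdict": "block", "reason": "exe with dll in same folder", "paired": paired}
    if exes:
        return {"verdict": "quarantine", "reason": "executable in archive", "paired": []}
    return {"verdict": "allow", "reason": "no executable content", "paired": []}


def build_sample(names) -> bytes:
    """Build a constructed in-memory zip whose members hold placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in names:
            z.writestr(name, b"constructed placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(["Compliance_Notice/viewer.exe", "Compliance_Notice/helper.dll"])
    print(triage_zip(sample))
```

A filename check of this kind complements, and does not replace, the execution restrictions and endpoint malware detection the advisory recommends.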