NE Times
Technology

I4C Warns Indian Companies of Rising 'Boss Scam' CEO-Impersonation Cyber Fraud

India's cybercrime coordination agency has flagged an emerging 'Boss Scam' in which fraudsters impersonate regulators and executives to push urgent, fraudulent money transfers at companies.

The NE Times Technology Desk

Commentary & Analysis ·

3 min read
Illustration of a CEO impersonation cyber fraud warning issued by India's I4C to companies over the Boss Scam
Illustration of a CEO impersonation cyber fraud warning issued by India's I4C to companies over the Boss Scam · Picture: The NE Times

The Indian Cyber Crime Coordination Centre (I4C), which operates under the Union Home Ministry, has issued a warning to companies about an emerging fraud it calls the 'Boss Scam', a form of CEO-impersonation attack aimed squarely at senior executives and the businesses they run. The advisory describes a scheme that blends social engineering with malware to engineer fraudulent financial transfers.

How the scam works

According to the advisory, cybercriminals pose as regulators, including by invoking the name of bodies such as the Reserve Bank of India, and send urgent compliance-themed messages over email or WhatsApp. The pressure of an apparently official, time-sensitive demand is designed to short-circuit the normal checks an employee would otherwise apply.

The technical hook is a malicious archive file. Once opened, it can compromise Windows devices and hijack active Web WhatsApp sessions, allowing fraudsters to message colleagues from what looks like a trusted account and push through fraudulent transfers before anyone verifies the request.

Why executives are the target

Senior leaders are attractive marks because their instructions carry weight: a payment request that appears to come from a chief executive is more likely to be actioned quickly and questioned less. By impersonating a boss or a regulator, attackers exploit hierarchy and urgency together, two of the most reliable levers in financial fraud.

What companies are advised to do

The advisory places verification of urgent financial requests, endpoint security and staff awareness at the centre of corporate cyber safety. In practice that means treating any out-of-band payment instruction as suspect until confirmed through a separate, trusted channel, and not relying on the messaging app the request arrived through.

  • Fraudsters impersonate regulators such as the RBI and senior executives.
  • Urgent compliance-themed lures arrive via email or WhatsApp.
  • Malicious archive files can compromise Windows devices and Web WhatsApp sessions.
  • Verify all urgent financial requests through a separate trusted channel.
  • Strengthen endpoint security and run regular staff awareness training.

Verification of urgent financial requests, endpoint security and staff awareness are central to corporate cyber safety.

I4C advisory

The warning lands amid a broader rise in socially engineered fraud targeting organisations rather than individuals, where a single compromised session can expose an entire company's payment workflows. As remote work and messaging apps blur the line between personal and corporate communication, the attack surface for impersonation grows.

For Indian firms, the practical takeaway is cultural as much as technical: building a workplace where pausing to verify a 'boss's' urgent instruction is encouraged, not penalised, may prove the strongest defence against the Boss Scam.

The NE Times View

The 'boss scam' works because it exploits hierarchy and urgency, the instinct to comply when authority demands speed, which no firewall can patch. I4C's alert is timely, but advisories alone won't stop it; Indian firms need mandatory verification protocols for high-value transfers and finance staff trained to slow down under pressure. As deepfake voice and video tools spread, impersonation will only get more convincing, and the weakest link remains human.

This article is original commentary and analysis by The NE Times. Background facts were referenced from The Economic Times and I4C.

Share

You may also like to read

More from this section

More