NE Times
Technology

I4C Warns Companies About Malware-Driven 'Boss Scam' Targeting Executives

India's cybercrime coordination body has flagged a 'Boss Scam' in which fraudsters impersonate senior executives, hijack WhatsApp sessions and push finance teams into urgent money transfers.

The NE Times Technology Desk

Commentary & Analysis ·

3 min read
A finance employee reviewing a suspicious WhatsApp payment instruction on a laptop, illustrating the I4C warning about the malware-driven Boss Scam targeting Indian companies.
A finance employee reviewing a suspicious WhatsApp payment instruction on a laptop, illustrating the I4C warning about the malware-driven Boss Scam targeting Indian companies. · Picture: The NE Times

The Indian Cyber Crime Coordination Centre (I4C) has warned companies about a 'Boss Scam' in which fraudsters impersonate senior executives or regulators to pressure staff into urgent money transfers. Reports on 22 June 2026 said the fraud blends social engineering, malware and workplace hierarchy into a single, fast-moving attack.

How the scam works

According to the advisory, attackers may send malicious archive files through email or WhatsApp, disguising them as compliance or official documents. Once a target opens the file, the malware can compromise Windows devices and hijack active Web WhatsApp sessions.

From inside a hijacked account, the criminals message finance teams while appearing to be a genuine senior official, lending the request the authority of the chain of command and making a hurried transfer feel routine.

Why companies are vulnerable

The danger lies in the combination. Technical compromise gives the attacker a trusted identity, while the psychology of hierarchy discourages a junior employee from questioning what looks like a direct instruction from the top. Urgency is engineered deliberately to short-circuit normal checks.

Finance and accounts teams are the prime targets because they can authorise payments, and a single unverified transfer can move large sums before anyone notices the deception.

How to protect against it

The I4C has urged firms to build verification habits that do not depend on a single channel, and to treat unexpected payment instructions, however senior the apparent source, with caution.

  • Verify all payment instructions through a second, independent channel.
  • Avoid opening unknown executable or archive files from email or WhatsApp.
  • Train finance and accounts teams to recognise urgency-based pressure.
  • Secure and regularly review Web WhatsApp and other active sessions.
  • Report suspected cybercrime quickly through official channels.

Firms are being urged to verify payment instructions through a second channel and to report suspicious activity quickly.

I4C advisory, as reported

As impersonation tactics grow more technically sophisticated, the most reliable defence remains procedural: a culture in which verifying an unusual payment request is expected rather than awkward. For Indian companies, the I4C warning is a prompt to harden both their software and their habits.

The NE Times View

The 'Boss Scam' weaponises hierarchy itself, exploiting the instinct to obey a senior's urgent order. As fraud shifts from crude phishing to hijacked WhatsApp sessions, India's real vulnerability is cultural as much as technical: finance teams trained to comply, not question. I4C's alert is useful, but defence lies in dull discipline, payment verification protocols, callback rules and a workplace where double-checking the CEO is rewarded, not punished.

This article is original commentary and analysis by The NE Times. Background facts were referenced from NDTV and The Economic Times.

Share

You may also like to read

More from this section

More