The Securities and Exchange Board of India has warned regulated entities and listed companies about an emerging cybercrime trend known as the Boss Scam, or CEO and managing director impersonation fraud, after being alerted by the Indian Cyber Crime Coordination Centre. The fraud involves impersonation of senior executives through email, WhatsApp, Microsoft Teams and other social media channels to pressure subordinates or counterparts into transferring funds to fraudsters' mule accounts. SEBI described two main attack patterns. One uses deepfakes, including voice cloning, artificial intelligence-enabled video impersonation and fake social media groups, to issue transfer instructions, sometimes coupled with directions not to disclose the transaction on the pretext that it may involve unpublished price sensitive information. The other uses a compressed ZIP archive containing malicious executable and DLL files. If opened on a Windows device, the malware can hijack active WhatsApp Web session tokens or enable broader device takeover, allowing fraudsters to contact finance staff from the compromised account or to replace contact details so their number appears under the name of the CEO or managing director. SEBI advised firms to verify requests by calling senior officials, avoid transferring funds solely on the basis of social media instructions, not install executables without verifying the sender, log out unused WhatsApp Web sessions and report incidents through the national cybercrime reporting channels.
Securities & Exchange Board of India2026-07-17
Securities and Exchange Board of India cautions regulated entities and listed companies on Boss Scam CEO impersonation fraud
The Securities and Exchange Board of India has warned regulated entities and listed companies about the Boss Scam, in which fraudsters impersonate CEOs or other senior officials to trigger unauthorized fund transfers. SEBI highlighted deepfake-based impersonation and malware-laden ZIP files that can hijack WhatsApp accounts or devices. Firms were told to verify requests by phone, avoid acting solely on social media messages and report incidents promptly.