India's cybercrime watchdog has warned businesses about a growing fraud scheme in which cybercriminals impersonate chief executives and regulatory authorities to manipulate employees into making high-value financial transfers.
In an advisory issued on Monday, the Indian Cyber Crime Coordination Centre (I4C) said the scam, commonly referred to as the "boss scam", targets senior executives through emails and WhatsApp messages designed to appear as legitimate communications from regulators such as the Reserve Bank of India (RBI).
According to the advisory, attackers use a combination of social engineering, malware and identity impersonation to gain access to executives' devices and exploit trust within organisations. The warning was issued by the National Cybercrime Threat Analytics Unit (NCTAU), which operates under I4C.
How the scam unfolds
The advisory said fraudsters typically send messages claiming an organisation has breached regulatory requirements or must urgently install security updates.
These messages often include a compressed ZIP file presented as a compliance document or software update.
Once the file is downloaded and executed on a Windows device, malware is installed on the system. The malicious software can compromise the executive's computer and hijack active WhatsApp Web sessions, allowing attackers to gain access to the executive's genuine WhatsApp account.
With control of the account, criminals can communicate directly with employees while appearing to be legitimate company leaders.
The advisory noted that attackers may also manipulate contact information on compromised devices by saving attacker-controlled numbers under the name of the CEO or another senior executive, making fraudulent instructions appear authentic.
Finance teams in the firing line
According to I4C, finance and accounts departments are particularly vulnerable because payment requests often appear to originate from trusted senior leaders.
Using compromised executive accounts, fraudsters reportedly instruct employees to transfer funds to bank accounts controlled by criminals. The urgency of the requests and the apparent legitimacy of the sender can increase the likelihood of employees acting without additional verification.
Key elements of the scam include:
- Impersonation of regulators, including the RBI
- Fake compliance or security-related messages
- Malicious ZIP files carrying malware
- Hijacking of active WhatsApp Web sessions
- Use of compromised executive accounts to issue payment instructions
- Manipulation of contact lists to make fraudulent messages appear genuine
What organisations should do next
I4C has urged organisations to strengthen verification processes for financial transactions and avoid relying solely on digital messages when approving payments.
The agency recommended:
- Independently verifying urgent payment requests through voice calls or face-to-face confirmation
- Confirming any bank account changes through established internal procedures
- Avoiding installation of executable files received from unknown or unverified sources
- Regularly reviewing linked WhatsApp devices and active sessions
- Enforcing software restriction policies across corporate systems
- Ensuring Windows devices are protected with updated malware-detection tools
The advisory also stressed that regulators such as the RBI do not distribute mandatory software updates through WhatsApp attachments.
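As an added illustration of the advice on executable files and ZIP attachments (this is not code from I4C or the advisory), the Python example below triages a ZIP archive in memory, without extracting it, and flags members that Windows would run. The extension lists, reason strings and sample file names are assumptions constructed for the example.

```python
import io
import zipfile

# Extensions Windows runs or hands to a script host on double-click (assumed list, not exhaustive).
RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd", ".ps1",
             ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk", ".dll", ".cpl"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) findings for a ZIP held in memory; nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in RISKY_EXT:
                findings.append((name, f"runnable extension {ext}"))
                # e.g. "notice.pdf.exe": Explorer hides the last extension by default
                if len(parts) > 2 and "." + parts[-2] in DOC_EXT:
                    findings.append((name, "document name with hidden runnable extension"))
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags marks encryption
                findings.append((name, "encrypted member, content cannot be scanned"))
                continue
            with zf.open(info) as fh:
                # "MZ" is the first two bytes of every Windows PE/DOS executable
                if fh.read(2) == b"MZ" and ext not in RISKY_EXT:
                    findings.append((name, "Windows executable header under a non-executable name"))
    return findings

def build_sample() -> bytes:
    """Constructed sample archive; the 'MZ' payloads are inert placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Compliance_Notice.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Please review the attached notice.")
        zf.writestr("annexure.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()

if __name__ == "__main__":
    for member, reason in triage_zip(build_sample()):
        print(f"{member}: {reason}")
```

A check like this fits at a mail gateway or a helpdesk triage step; it complements, and does not replace, the software restriction policies and malware-detection tools the advisory recommends.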
Growing focus on cyber resilience
The warning highlights how cybercriminals are increasingly combining technical attacks with human psychology to target organisations. Rather than breaching financial systems directly, attackers are exploiting trust, authority and urgency to bypass internal controls.
As businesses accelerate digital communication and collaboration, cyber experts and regulators continue to emphasise the need for stronger verification practices, employee awareness and layered security controls.
I4C has urged organisations and individuals to report suspected cyber fraud immediately through the national cybercrime helpline 1930 or the National Cyber Crime Reporting Portal, warning that swift action can improve the chances of preventing financial losses and aiding investigations.
