New Delhi: The Securities and Exchange Board of India (SEBI) has issued a cybersecurity advisory warning listed companies and all regulated entities against a rapidly growing fraud known as the “Boss Scam.” In this scheme, cybercriminals impersonate Chief Executive Officers (CEOs), Managing Directors (MDs) or other senior executives to deceive finance and accounts personnel into making fraudulent fund transfers. SEBI has advised organisations to independently verify every payment instruction before acting on it.
The advisory follows an alert issued by the Indian Cyber Crime Coordination Centre (I4C), which has observed a rise in cases where cybercriminals impersonate senior corporate executives through email, WhatsApp, Microsoft Teams and other social media platforms to target organisations.
According to SEBI, fraudsters first study the identities and communication styles of senior executives before sending urgent payment requests or confidential financial instructions using their names and profiles. In many cases, the messages claim that the transaction is highly confidential and must be completed immediately, prompting employees to transfer funds without proper verification.
The market regulator has also warned that cybercriminals are increasingly using Artificial Intelligence (AI) technologies such as voice cloning and deepfake video calls to make their impersonation appear authentic. These technologies make it significantly more difficult for employees to distinguish genuine instructions from fraudulent ones.
SEBI also highlighted another attack method in which fraudsters send a ZIP file containing malicious software. If the file is opened on a Windows device, the malware can hijack the victim’s active WhatsApp Web session. Once access is gained, cybercriminals can use the compromised WhatsApp account to send fake payment instructions to finance or accounts personnel.
In some cases, fraudsters may also manipulate the contact list on a compromised device by saving their own mobile number under the name of the CEO or Managing Director. As a result, messages sent from the fraudster’s number appear to originate from a legitimate senior executive, increasing the likelihood of successful financial fraud.
According to renowned cybercrime expert and former IPS officer Prof. Triveni Singh, AI-powered impersonation attacks have emerged as one of the most serious cyber threats facing the corporate sector. He said organisations should never rely solely on WhatsApp messages, emails, video calls or voice communications when authorising financial transactions. Every high-value payment request should be independently verified through an official communication channel before execution.
According to a Researcher at Algoritha Security, organisations should implement multi-layered verification mechanisms, including callback verification, multi-factor authentication, secure email systems, endpoint security and regular cybersecurity awareness training for employees. With the rise of AI-enabled fraud, visual or voice-based verification alone is no longer sufficient to establish authenticity.
SEBI has advised all listed companies and regulated entities not to transfer funds solely on the basis of instructions received through WhatsApp, email or social media platforms. Any suspicious request should be verified directly with the concerned senior official. The regulator has also advised organisations to avoid downloading or installing ZIP files or other executable files from unverified sources and to log out of inactive WhatsApp Web sessions immediately.
The regulator further urged organisations to report any suspected cyber fraud without delay through India’s National Cyber Crime Helpline (1930) or the National Cyber Crime Reporting Portal, enabling authorities to respond quickly and minimise potential financial losses.
About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
