Imagine getting an urgent message from your CEO or a financial regulator demanding an immediate wire transfer or a software patch. Before you click, take a breath. The Indian Cyber Crime Coordination Centre (I4C) has issued an urgent advisory warning companies against a sophisticated new corporate fraud dubbed the “Boss Scam.”
Run by the National Cybercrime Threat Analytics Unit (NCTAU), the warning highlights how cybercriminals are using a mix of psychological manipulation—called social engineering—and targeted malware to break into corporate bank accounts.
Anatomy of the Attack
This isn’t your typical phishing email. It is a highly coordinated, multi-step attack that target senior executives and finance departments. Here is exactly how the scam unfolds:
1.The Initial Hook:Impersonation.
Why Finance Departments are Falling For It
Finance teams are built to follow executive directives, which makes them prime targets. The table below outlines why this specific scam bypasses traditional corporate defenses:
| Scam Vector | Why It Works | The Reality |
| Artificial Urgency | Panic causes employees to bypass standard approval protocols. | Regulators like the RBI never issue mandatory software updates via text. |
| True Account Takeover | The message originates from the executive’s actual WhatsApp profile. | The device has been compromised via a desktop web session. |
| Altered Contact Lists | The sender name displays as “CEO” or “Managing Director.” | The telephone number underneath has been secretly swapped out. |
How to Protect Your Organisation
The Golden Rule: Never rely solely on a text message or email for high-value financial transactions. Always implement a “Two-Man Rule” requiring secondary, independent verification.
To shield your business from the Boss Scam, the I4C recommends implementing these corporate safeguards immediately:
-
Voice or Visual Verification: Always verify urgent payment requests or major account changes through a direct voice call or face-to-face confirmation.
-
Restrict Executables: Enforce strict software restriction policies across all corporate endpoints. Employees should be blocked from installing unapproved
.exefiles, especially from unknown sources. -
Audit Linked Devices: Regularly audit active sessions in WhatsApp and other communication tools to ensure unauthorized desktop browsers haven’t logged into executive accounts.
-
Keep Defenses Updated: Ensure all Windows systems are equipped with robust, up-to-date anti-malware and endpoint detection solutions.
If your company falls victim to this scam or detects suspicious activity, report it immediately by calling the national cybercrime helpline at 1930 or logging onto the National Cyber Crime Reporting Portal.

