India’s cyber agency warned firms about rising Boss Scam where fraudsters impersonate executives for fraud
I4C said the scam is becoming more advanced, targeting senior staff with urgent-looking fake messages
Attackers impersonate senior officials and pressure employees into payments or sharing sensitive data without verification
India’s cyber security agency has issued a fresh warning to companies over a rising digital fraud pattern known as the “Boss Scam”, where criminals impersonate senior executives to push employees into unauthorised payments or data sharing.
The Indian Cyber Crime Coordination Centre (I4C) said on Monday that the scam is becoming more advanced and is now targeting top management and finance teams through urgent-looking messages that appear genuine.
In this fraud, attackers pose as senior company officials and send instructions that pressure employees into processing payments or sharing sensitive details without verification.
1 June 2026
Get the latest issue of Outlook Business
What Is Boss Scam ?
The latest version of the scam often starts with cybercriminals pretending to be regulators, including the Reserve Bank of India (RBI). These messages are sent to CEOs or senior officials through email or WhatsApp, claiming urgent compliance issues or regulatory alerts.
The messages usually carry a file that appears to be an official document. However, I4C said these attachments often hide malware designed to infect systems once opened.
Once installed on a Windows device, the malware can give attackers access to the system and allow them to take over active WhatsApp Web accounts, letting them use official company conversations.
In some cases, attackers go further and fully control the device. They also quietly change contact details, saving a fake number under the CEO’s name and using it to instruct employees to transfer funds.
How Companies Can Stay Safe
The agency said the scam works by exploiting workplace trust and the tendency of employees to act quickly on instructions from senior leadership.
To prevent such attacks, I4C has advised companies to introduce stricter checks for urgent payment requests and banking changes.
It recommended that all such instructions should be verified through direct phone calls or in-person confirmation before any action is taken.
The agency also warned against downloading files from unknown sources, noting that regulators like the RBI do not send software updates or security files through messaging apps.
I4C further advised organisations to monitor linked devices on communication apps, strengthen malware protection systems, and block unauthorised software execution on office systems.
Cyber experts said such scams are rising as attackers combine technical hacking tools with social engineering techniques to exploit urgency and hierarchy inside organisations.
Authorities have urged companies to stay alert and ensure all financial approvals go through verified internal processes to avoid falling victim to such frauds.
