SEBI warns listed firms against 'Boss Scam' targeting CEOs, MDs

Share:
Audio Loading voice…
SEBI warns listed firms against 'Boss Scam' targeting CEOs, MDs

Synopsis

SEBI has formally warned Indian listed companies about the 'Boss Scam' — a cyber fraud where criminals impersonate CEOs and MDs using AI voice cloning and deepfake video to trick finance teams into transferring funds. The advisory, triggered by an I4C alert, marks the first time SEBI has treated this fraud typology as a systemic corporate governance risk.

Key Takeaways

SEBI issued a formal advisory on 17 July warning listed companies against the 'Boss Scam' cyber fraud.
Fraudsters impersonate CEOs and MDs via email , WhatsApp , Microsoft Teams , and other platforms to order fraudulent fund transfers.
More advanced attacks use AI-based voice cloning and deepfake video calls to make impersonation appear authentic.
A separate malware vector involves ZIP files that hijack WhatsApp Web sessions on Windows devices .
The Indian Cyber Crime Coordination Centre (I4C) had flagged a rise in such incidents, prompting SEBI's intervention.
SEBI recommends independent verification of all fund transfer requests and regular logout from inactive WhatsApp Web sessions.

Capital markets regulator Securities and Exchange Board of India (SEBI) on Friday, 17 July issued a formal advisory cautioning listed companies and regulated entities against a rapidly spreading cyber fraud dubbed the 'Boss Scam' — a scheme in which cybercriminals impersonate chief executive officers (CEOs), managing directors (MDs), and other senior officials to dupe employees into transferring funds to fraudulent accounts. The warning follows a specific alert raised by the Indian Cyber Crime Coordination Centre (I4C) about a surge in such impersonation attacks.

How the Boss Scam Works

Fraudsters contact finance or accounts personnel via email, WhatsApp, Microsoft Teams, or other social media platforms, posing as top executives and issuing urgent instructions to move money to designated bank accounts. The communications are crafted to appear time-sensitive, exploiting the instinct of employees to comply quickly with orders from senior management.

In more sophisticated variants, cybercriminals deploy artificial intelligence-based tools — including voice cloning and deepfake video calls — to make the impersonation convincingly authentic. SEBI noted in its advisory: 'Fraudsters are targeting CEO or high ranking official via email or WhatsApp by impersonating them. The communication through email/WhatsApp/Microsoft Teams/other social media platforms with their subordinates or counterparts, directs them to carry out instructions given to them resulting in transfer of funds to fraudsters.'

The Malware Vector

SEBI also flagged a separate but related attack method in which fraudsters send compressed ZIP files containing malicious software to employees. Once opened on a Windows device, the malware can hijack an active WhatsApp Web session — giving cybercriminals access to the victim's account and enabling them to dispatch fraudulent payment instructions directly to finance teams.

Additionally, the regulator warned that fraudsters may manipulate contact lists on compromised devices by saving their own numbers under the names of CEOs or MDs, making fraudulent calls and messages appear to originate from genuine senior officials.

SEBI's Preventive Directives

The regulator has advised listed entities and regulated organisations to independently verify all fund transfer requests received via email, WhatsApp, or social media by contacting the concerned senior official through a trusted, pre-established communication channel. Organisations have been urged not to authorise transfers solely on the basis of social media messages and to refrain from installing executable or compressed files without first confirming the sender's identity.

SEBI also recommended that organisations regularly log out of inactive WhatsApp Web sessions to reduce the risk of account compromise — a simple but often overlooked security hygiene measure.

Why This Advisory Matters

The Boss Scam is not new globally, but its increasing sophistication — particularly the use of AI-generated voice and video — marks a qualitative escalation in threat level for Indian corporates. Listed companies, which handle large volumes of institutional fund flows, are especially attractive targets. This is the first formal SEBI advisory specifically addressing this fraud typology, signalling that regulators now consider it a systemic risk to market infrastructure. With I4C having already flagged a rise in such incidents, the advisory effectively puts boards and compliance officers on notice that failure to implement basic verification protocols could constitute a governance lapse.

Point of View

Or whether it remains a non-binding caution that boards can quietly shelve.
NationPress
17 Jul 2026

Frequently Asked Questions

What is the 'Boss Scam' that SEBI has warned against?
The Boss Scam is a cyber fraud in which criminals impersonate CEOs, MDs, or other senior officials via email, WhatsApp, or Microsoft Teams to instruct finance employees to transfer funds to fraudulent accounts. SEBI issued a formal advisory about it on 17 July, following alerts from the Indian Cyber Crime Coordination Centre.
How do fraudsters make Boss Scam communications appear genuine?
Fraudsters use AI-based tools including voice cloning and deepfake video calls to mimic senior executives convincingly. They may also manipulate contact lists on compromised devices to make calls and messages appear to come from legitimate CEO or MD numbers.
What is the malware threat SEBI flagged alongside the Boss Scam?
SEBI warned that fraudsters are sending compressed ZIP files containing malicious software. When opened on a Windows device, the malware hijacks an active WhatsApp Web session, allowing criminals to access the victim's account and send fraudulent payment instructions to finance teams.
What steps has SEBI advised companies to take?
SEBI has advised organisations to independently verify all fund transfer requests through trusted communication channels, avoid authorising transfers based solely on social media messages, refrain from opening unverified executable or compressed files, and regularly log out of inactive WhatsApp Web sessions.
Which organisations are most at risk from the Boss Scam?
SEBI's advisory is directed at listed companies and regulated entities — organisations that handle significant fund flows and often have finance teams conditioned to act quickly on executive instructions, making them particularly vulnerable to urgency-based social engineering attacks.
Nation Press
The Trail

Connected Dots

Tracing the thread behind this story — newest first.

8 Dots
  1. Latest 3 weeks ago
  2. 1 month ago
  3. 2 months ago
  4. 2 months ago
  5. 4 months ago
  6. 8 months ago
  7. 1 year ago
  8. 1 year ago
Google Prefer NP
On Google