SEBI warns listed firms against 'Boss Scam' targeting CEOs, MDs
Synopsis
Key Takeaways
Capital markets regulator Securities and Exchange Board of India (SEBI) on Friday, 17 July issued a formal advisory cautioning listed companies and regulated entities against a rapidly spreading cyber fraud dubbed the 'Boss Scam' — a scheme in which cybercriminals impersonate chief executive officers (CEOs), managing directors (MDs), and other senior officials to dupe employees into transferring funds to fraudulent accounts. The warning follows a specific alert raised by the Indian Cyber Crime Coordination Centre (I4C) about a surge in such impersonation attacks.
How the Boss Scam Works
Fraudsters contact finance or accounts personnel via email, WhatsApp, Microsoft Teams, or other social media platforms, posing as top executives and issuing urgent instructions to move money to designated bank accounts. The communications are crafted to appear time-sensitive, exploiting the instinct of employees to comply quickly with orders from senior management.
In more sophisticated variants, cybercriminals deploy artificial intelligence-based tools — including voice cloning and deepfake video calls — to make the impersonation convincingly authentic. SEBI noted in its advisory: 'Fraudsters are targeting CEO or high ranking official via email or WhatsApp by impersonating them. The communication through email/WhatsApp/Microsoft Teams/other social media platforms with their subordinates or counterparts, directs them to carry out instructions given to them resulting in transfer of funds to fraudsters.'
The Malware Vector
SEBI also flagged a separate but related attack method in which fraudsters send compressed ZIP files containing malicious software to employees. Once opened on a Windows device, the malware can hijack an active WhatsApp Web session — giving cybercriminals access to the victim's account and enabling them to dispatch fraudulent payment instructions directly to finance teams.
Additionally, the regulator warned that fraudsters may manipulate contact lists on compromised devices by saving their own numbers under the names of CEOs or MDs, making fraudulent calls and messages appear to originate from genuine senior officials.
SEBI's Preventive Directives
The regulator has advised listed entities and regulated organisations to independently verify all fund transfer requests received via email, WhatsApp, or social media by contacting the concerned senior official through a trusted, pre-established communication channel. Organisations have been urged not to authorise transfers solely on the basis of social media messages and to refrain from installing executable or compressed files without first confirming the sender's identity.
SEBI also recommended that organisations regularly log out of inactive WhatsApp Web sessions to reduce the risk of account compromise — a simple but often overlooked security hygiene measure.
Why This Advisory Matters
The Boss Scam is not new globally, but its increasing sophistication — particularly the use of AI-generated voice and video — marks a qualitative escalation in threat level for Indian corporates. Listed companies, which handle large volumes of institutional fund flows, are especially attractive targets. This is the first formal SEBI advisory specifically addressing this fraud typology, signalling that regulators now consider it a systemic risk to market infrastructure. With I4C having already flagged a rise in such incidents, the advisory effectively puts boards and compliance officers on notice that failure to implement basic verification protocols could constitute a governance lapse.