'Boss Scam' On WhatsApp: New CEO Fraud Bypasses Traditional Cybersecurity Checks

A new and more sophisticated form of cyber fraud is targeting corporate employees by exploiting one of the most trusted communication channels inside organisations—WhatsApp.

In what cybersecurity officials describe as a major evolution of CEO impersonation fraud, attackers are now able to use or replicate a CEO’s real WhatsApp identity to request urgent and confidential financial transfers.

India’s Indian Cyber Crime Coordination Centre (I4C) has issued an alert on this emerging threat, calling it the “Boss Scam” or advanced CEO fraud.

The agency has warned companies that this attack combines malware, social engineering techniques, and executive impersonation to deceive employees into transferring money to fraudulent accounts.

Traditionally, such cybercrimes fell under business email compromise (BEC), where criminals impersonated senior executives using fake email IDs or spoofed messages.

Employees were trained to look for tell-tale signs such as suspicious domains, spelling errors, or unusual sender addresses.

However, the latest variant eliminates many of those warning signals by leveraging the executive’s genuine WhatsApp account.

According to I4C, attackers typically begin the operation by contacting CEOs or senior executives through email or WhatsApp while posing as regulatory authorities such as the Reserve Bank of India (RBI).

These messages often claim that there is an urgent compliance or regulatory issue requiring immediate action.

The attackers then send a malicious attachment, usually a compressed ZIP file containing executable (.exe) and Dynamic Link Library (.dll) files.

If the executive opens and runs the file on a Windows system, malware is installed on their device.

I4C explains that this malware functions as a Trojan dropper, enabling attackers to maintain persistent access to the system.

More critically, it is capable of hijacking active Web WhatsApp session tokens.

This allows cybercriminals to take control of the executive’s WhatsApp account without physically accessing their phone or knowing the login credentials.

Once control is established, fraudsters begin sending messages directly from the CEO’s authentic WhatsApp account.

These messages are typically directed at finance, accounting, or payroll teams, instructing them to urgently transfer funds to specified bank accounts.

Because the request appears to originate from a legitimate senior leader, employees often comply without verification.

Cybersecurity experts note that the success of such frauds is driven less by technical sophistication and more by psychological manipulation.

Attackers deliberately create urgency, secrecy, and authority in their communication. Phrases such as “handle this immediately,” “do not escalate,” or “I am unavailable for calls” are commonly used to discourage verification.

The scam also exploits fear of regulatory consequences by impersonating institutions like the RBI, suggesting that failure to act quickly could result in penalties or compliance breaches.

I4C has clarified that legitimate regulators do not send software, compliance tools, or security patches via WhatsApp attachments. Any such communication should be treated as suspicious.

To counter these threats, authorities recommend strict verification protocols. Employees should confirm any financial request via direct phone calls, video calls, or in-person confirmation rather than relying on messages.

Organisations are also advised to block executable files from unknown sources and enforce IT policies that prevent unauthorized software installation.

Additionally, cybersecurity experts recommend dual approval systems for large transactions and regular employee training to recognise phishing and social engineering attempts.