SEBI Cautions Listed Companies, Regulated Entities Against 'Boss Scam'

Shilpa Soman

17 July 2026 7:20 PM IST

  • SEBI Cautions Listed Companies, Regulated Entities Against Boss Scam

    The Securities and Exchange Board of India (SEBI) on Friday cautioned regulated entities and listed companies against an emerging cyber fraud known as the "Boss Scam" or CEO/Managing Director impersonation fraud, after the Indian Cyber Crime Coordination Centre (I4C) alerted the market regulator to the trend.

    SEBI said the fraud involves cybercriminals impersonating Chief Executive Officers, Managing Directors and other senior officials through email, WhatsApp, Microsoft Teams and other social media platforms. They then communicate with subordinates or counterparts and induce them to transfer funds to the fraudsters.

    According to the regulator, fraudsters have been observed using either of two strategies. The first involves impersonating senior executives through deepfakes, voice cloning, AI-generated video calls and fake social media groups.

    The second involves sending a compressed .zip archive containing a malicious executable (.exe) file along with a Dynamic Link Library (.dll) file. The press release notes that, in such cases, the CEO's message is forwarded to finance officers.

    Under the impersonation strategy, finance officers are instructed to transfer money to specified mule accounts. In some instances, they are also directed not to disclose the transaction on the pretext that it involves unpublished price-sensitive information. The regulator noted that these instructions have been observed being conveyed through messages or fake calls on social media platforms.

    The regulator further warned that if a finance officer extracts and executes the malicious files on a Windows desktop or laptop, malware can hijack an active WhatsApp Web session. Once access is gained, fraudsters can contact accounts or finance personnel from the compromised WhatsApp account and direct them to make immediate payments to mule bank accounts.

    If they obtain complete control of the device, they may also alter the contact list and save their own phone number under the name of the CEO or Managing Director before using that number to instruct finance officers to transfer funds.

    In light of the advisory, SEBI asked regulated entities and listed companies to independently verify requests received through WhatsApp, email or social media platforms by contacting the concerned senior official.

    It also advised them not to transfer funds solely on the basis of such instructions, avoid installing executable files without verifying the sender's identity or confirming the request through a phone call if it comes from a known sender, log out of inactive WhatsApp Web sessions, and report suspected cyber fraud immediately by calling 1930 or through www.cybercrime.gov.in.

    Next Story