A WhatsApp message from the boss can feel safer than a random email from a stranger, especially when it appears inside a real executive account.
India’s cybercrime agency is warning companies about a “boss scam” in which criminals target senior executives with malicious files, hijack active WhatsApp Web sessions, and then use the executive’s identity to order employees to move company money.
The Indian Cyber Crime Coordination Centre, known as I4C, said the fraud can begin with a message that appears to come from a regulator such as the Reserve Bank of India. The message may claim the company has violated rules or must install an urgent security update.
Once the executive opens the file on a Windows computer, I4C said the malware can compromise the device and the person’s active WhatsApp Web session, giving criminals a way to message finance employees from an account they already trust.
The Scam Can Start With A Fake Regulatory Warning
Firstpost Live highlighted the warning in a segment on CEO impersonation fraud and how one WhatsApp message can push a company into sending money to the wrong place.
The official I4C advisory describes a more technical version of the same workplace trust attack. Criminals contact a chief executive or other high-ranking official through email or WhatsApp while pretending to represent a regulator. The message claims there is a compliance problem or urgent security requirement and demands action within a short window.
The attachment is the next step. I4C said the message can contain a compressed ZIP archive with a malicious executable file and a related DLL file. When the file is extracted and run on a Windows desktop or laptop, the malware can establish access to the system and hijack active WhatsApp Web session tokens.
That turns the executive’s account into the delivery system for the fraud. Instead of sending a suspicious message from a new number, the criminal can use the real account to contact finance or accounts employees and direct payments to mule bank accounts.
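The delivery pattern I4C describes, a ZIP archive carrying an executable together with a related DLL, can be checked at a mail gateway or help desk from the archive's file listing alone, without extracting anything. The following is an added example, not code from the I4C advisory; the extension lists, the verdict names and the sample file names are assumptions made for illustration.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".msi"}   # assumed list, extend as needed
LIBRARY_EXT = {".dll"}


def triage_zip(data: bytes) -> dict:
    """Classify a ZIP attachment from its file listing, without extracting it."""
    per_dir = defaultdict(lambda: {"exe": [], "dll": []})
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Normalise Windows separators so sibling files group together.
                path = PurePosixPath(info.filename.replace("\\", "/"))
                ext = path.suffix.lower()
                if ext in EXECUTABLE_EXT:
                    per_dir[str(path.parent)]["exe"].append(path.name)
                elif ext in LIBRARY_EXT:
                    per_dir[str(path.parent)]["dll"].append(path.name)
    except zipfile.BadZipFile:
        return {"verdict": "review", "reason": "not a readable ZIP", "pairs": []}

    # An executable and a DLL in the same folder is the combination to stop.
    pairs = [
        {"dir": d, "exe": sorted(v["exe"]), "dll": sorted(v["dll"])}
        for d, v in sorted(per_dir.items()) if v["exe"] and v["dll"]
    ]
    if pairs:
        return {"verdict": "block", "reason": "executable shipped with a DLL", "pairs": pairs}
    if per_dir:
        return {"verdict": "review", "reason": "executable or DLL present", "pairs": []}
    return {"verdict": "allow", "reason": "no executable content listed", "pairs": []}


def build_sample(names):
    """Constructed test archive: harmless placeholder bytes under the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample(["notice/update.exe", "notice/helper.dll"])))
```

The check reads only entry names, so it also works on archives whose contents are password-protected but whose listing is not.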
The Real Account Makes The Fake Request Harder To Question
A finance employee may see the boss’s name, a familiar profile photo, and a message thread that looks normal. If the instruction is urgent, confidential, or tied to a supposed regulator, the employee may feel pressure to act before checking it through another channel.
I4C said attackers may also use a contact-manipulation variant. If they gain broader access to the device, they can save an attacker-controlled number under the CEO’s name and use that secondary number to send payment instructions that appear to come from leadership.
The fraud does not need every employee to be compromised. It needs one believable instruction to reach someone who can approve a transfer, change beneficiary details, or move company funds.
That is what makes the attack different from a routine spam message. The malware opens the door, but the payment pressure comes from workplace authority.
The Scam Targets Employees Who Can Move Money

I4C singled out finance departments because they handle urgent transfers, account changes, and payment approvals. A fake instruction sent through a trusted executive channel can bypass the hesitation an employee might have with an outside email.
The pattern is familiar to U.S. investigators, even if the latest advisory centers on WhatsApp. The FBI describes business email compromise as one of the most financially damaging online crimes and says it targets businesses and individuals who perform legitimate transfer-of-funds requests.
The FBI’s examples include fake messages from a CEO asking an employee to buy gift cards, vendor-payment changes, and wire instructions that appear to come from a known source. In each example, the request looks legitimate long enough for money to move.
The FBI’s Internet Crime Complaint Center has put the scale of business email compromise and email account compromise at more than $55.4 billion in exposed losses from October 2013 through December 2023.
No Payment Should Move On WhatsApp Alone
I4C advised finance departments to verify urgent financial transactions or account changes through a separate channel when the request comes through WhatsApp or email. That can mean calling the executive on a known number, confirming in person, using an internal approval system, or requiring two-person authorization before large payments move.
The FBI gives similar advice for business email compromise: verify payment and purchase requests in person when possible or by calling the person directly, especially when the request involves a change in account number or payment procedure.
That rule is important when the message includes words such as urgent, confidential, regulator, security update, new beneficiary, account change, wire transfer, payroll change, refund, or deal closing. Those terms can be legitimate in real business, but they are also the language used to rush employees around normal controls.
Executives Should Check Linked WhatsApp Devices
Because the I4C warning involves hijacked WhatsApp Web sessions, executives and finance employees should regularly review linked devices inside WhatsApp and remove any device they do not recognize.
I4C also said organizations should not install executable files from unknown or unverified sources. The agency specifically warned that regulators such as the Reserve Bank of India do not distribute mandatory software updates or security fixes through WhatsApp attachments.
For company systems, I4C recommended blocking unknown executable and DLL files that originate from user-profile directories, keeping Windows endpoints protected with updated malware-detection tools, and treating unexpected compliance attachments as suspicious even when they appear to come from an authority.
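The endpoint control I4C recommends, blocking unknown EXE and DLL files that run from user-profile directories, reduces to a path test plus an allowlist lookup. The following is an added example, not code from I4C or from any endpoint product; the event field names, the hash allowlist and the sample paths are assumptions, and a production deployment would enforce the same rule through the platform's application-control policy.

```python
import ntpath
from pathlib import PureWindowsPath

CONTROLLED_EXT = {".exe", ".dll"}
# Constructed allowlist: hashes of binaries the organisation has approved.
APPROVED_SHA256 = {"placeholder-hash-of-approved-tool"}


def under_user_profile(raw_path: str) -> bool:
    """True if the path lexically resolves to a per-user profile folder on any drive."""
    # normpath collapses '..' and mixed separators without touching the disk.
    parts = PureWindowsPath(ntpath.normpath(raw_path)).parts
    return len(parts) >= 4 and parts[1].lower() == "users"


def decide(event: dict) -> str:
    """Return 'block' or 'allow' for one process-start or DLL-load event."""
    suffix = PureWindowsPath(event["path"]).suffix.lower()
    if suffix not in CONTROLLED_EXT:
        return "allow"
    if not under_user_profile(event["path"]):
        return "allow"
    if event.get("sha256") in APPROVED_SHA256:
        return "allow"   # approved binary, even though it runs from a profile
    return "block"       # unknown EXE/DLL from a user-writable profile path


def blocked_paths(events):
    """Paths of all events the rule would block, in input order."""
    return [e["path"] for e in events if decide(e) == "block"]


# Constructed events; the field names are assumptions, not a real agent schema.
SAMPLE_EVENTS = [
    {"path": r"C:\Users\ceo\Downloads\notice\update.exe", "sha256": "unknown-1"},
    {"path": "C:/users/CEO/AppData/Local/Temp/helper.DLL", "sha256": "unknown-2"},
    {"path": r"C:\Program Files\..\Users\ceo\Desktop\x.dll", "sha256": "unknown-3"},
    {"path": r"C:\Windows\System32\kernel32.dll", "sha256": "unknown-4"},
    {"path": r"C:\Users\ceo\AppData\Local\Tool\tool.exe",
     "sha256": "placeholder-hash-of-approved-tool"},
    {"path": r"C:\Users\ceo\Documents\report.pdf", "sha256": "unknown-5"},
]

if __name__ == "__main__":
    for path in blocked_paths(SAMPLE_EVENTS):
        print("BLOCK", path)
```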
If money has already moved, the FBI says the business should contact its financial institution immediately and request a recall of the funds. U.S. victims can also file a complaint with the FBI’s Internet Crime Complaint Center at IC3.gov. In India, I4C says suspected cybercrime can be reported by calling 1930 or through cybercrime.gov.in.
The boss can ask for a payment. A company process still has to verify it before the money leaves.
