The Securities and Exchange Board of India has raised the alarm over a sophisticated impersonation fraud sweeping through corporate offices, where cybercriminals pose as chief executives and other senior management to manipulate employees into authorising unauthorised fund transfers. The warning, issued on Friday following reports from the Indian Cyber Crime Coordination Centre, highlights the escalating threat of what authorities are calling the "boss scam"—a deception strategy that exploits the hierarchical trust structures within organisations and the speed of modern digital communication.
The modus operandi is straightforward in concept but effective in execution. Fraudsters target finance officers, accountants, and other payment-processing employees at companies across India, initiating contact through seemingly legitimate channels such as email, WhatsApp, Microsoft Teams, and various social media platforms. By impersonating the voices of authority within these corporations—CEOs, chief financial officers, or other executives with financial decision-making power—the scammers create a sense of urgency and legitimacy that bypasses normal verification procedures. The instruction invariably follows: transfer funds immediately to specified bank accounts that the fraudsters control, typically described as mule accounts used to launder stolen money.
What makes this fraud particularly insidious is the multiplicity of its variations. Beyond simple impersonation over messaging platforms, criminals have adopted more technical approaches involving malware deployment. Employees receive files through email or messaging apps that appear legitimate but contain malicious code designed to compromise their devices. Once activated, this malware can hijack WhatsApp Web sessions, granting fraudsters direct access to an employee's account without their knowledge. From this position, the criminal can then directly contact colleagues in the finance department, using the compromised account to issue payment instructions that carry the appearance of internal, authorised communications.
The sophistication of these attacks reflects a broader trend in cybercrime targeting the corporate sector. Rather than attempting mass hacking or breaching security infrastructure—approaches that trigger IT department alerts—these fraudsters exploit human psychology and organisational culture. The assumption that communication from a senior leader requires immediate action, combined with the expectation of discretion around financial matters, creates psychological conditions where employees may bypass standard verification checks. The use of WhatsApp Web hijacking is particularly clever because it allows criminals to maintain ongoing conversations with victims, making requests seem increasingly normal and less suspicious over time.
For Southeast Asian businesses, particularly those with operations in India or extensive business relationships with Indian companies, this development carries direct implications. Many regional companies have subsidiary operations or joint ventures in India, and their finance teams are vulnerable to similar exploitation. The transnational nature of modern business means that a fraud targeting an Indian subsidiary could expose parent companies and partner organisations across the region to significant financial loss. Additionally, criminals operating this scam in India often expand their operations to other markets once techniques are refined and profitable, making awareness among Malaysian and other regional firms essential.
SEBI's response reflects regulatory concern about protecting market participants and maintaining financial system integrity. The regulator has instructed all entities it supervises—including brokers, asset managers, and other investment industry participants—to implement strict internal protocols preventing fund transfers based solely on communications through social media or messaging platforms. This represents an attempt to establish a firewall between informal digital communication channels and actual financial transactions, ensuring that payment authorisations always require verification through established institutional channels with documented audit trails.
The challenge for corporations lies in balancing security with operational efficiency. Implementing verification procedures for every fund transfer request, particularly those purporting to come from senior executives, can slow business operations and create friction in fast-moving organisations. Yet the alternative—maintaining trust-based systems vulnerable to impersonation—exposes companies to potentially catastrophic losses. Some organisations have begun implementing multi-factor authentication requirements, mandatory callback verification to known executive phone numbers, and mandatory segregation of duties where no single person can both receive and execute payment instructions based on senior management directives alone.
The rise of this fraud also reflects broader vulnerabilities in how Indian companies and potentially those across South Asia have adopted digital tools without corresponding security updates. WhatsApp, Microsoft Teams, and email remain deeply embedded in corporate communication structures, valued for their ease of use and accessibility. However, they were designed primarily for convenience rather than security, creating inherent weaknesses when used for sensitive financial coordination. The disconnect between tool adoption and security infrastructure represents a persistent vulnerability across the region.
For employees in finance and accounting roles, the warning underscores an uncomfortable reality: they may become the unwitting vector through which corporate funds are stolen, and they may face accountability for transfers they were manipulated into executing. Training and awareness become critical defences, though fraudsters continuously refine social engineering techniques to defeat such protections. Some security researchers have noted that the most effective defence combines technical solutions—such as endpoint protection software and advanced email filtering—with cultural changes that make verification requests normal rather than exceptional, and that encourage employees to question unusual payment instructions without fear of appearing insubordinate.
The broader context reveals that while India's financial markets have achieved significant sophistication and scale, the supporting cybersecurity infrastructure and public awareness remain inadequate to the threat level. Similar regulatory bodies across Southeast Asia may need to issue comparable warnings and implement comparable protections, recognising that the "boss scam" is not uniquely Indian but rather reflects vulnerabilities that exist wherever companies rely heavily on digital communication for financial coordination.
