I4C Issues Advisory Urging Companies to Strengthen Verification Processes Amid Growing Cyber Threats

The Indian Cyber Crime Coordination Centre (I4C) has issued a nationwide advisory cautioning businesses and senior executives against a rapidly emerging cyber fraud known as the "Boss Scam." Also referred to as CEO impersonation fraud, this sophisticated cybercrime is increasingly targeting corporate organisations by exploiting trust, authority and organisational hierarchy.

The warning comes amid a sharp rise in cyber-enabled financial frauds across India, with attackers using advanced social engineering techniques to trick employees into transferring funds, disclosing confidential information or compromising corporate systems.

What Exactly Is a Boss Scam?

A Boss Scam is a highly targeted cyber fraud in which criminals impersonate top company executives such as Chief Executive Officers (CEOs), Chief Financial Officers (CFOs) or senior management officials to deceive employees.

The fraud typically targets finance departments, treasury teams and decision-makers responsible for processing payments and approvals. Attackers exploit employees' trust in senior leadership and create a false sense of urgency to pressure them into taking immediate action.

Unlike traditional cyberattacks that focus primarily on technical vulnerabilities, Boss Scams rely heavily on manipulating human behaviour and workplace dynamics.

How Cybercriminals Execute the Fraud

According to the I4C advisory, fraudsters are increasingly impersonating regulatory authorities such as the Reserve Bank of India (RBI) and contacting company executives through email or messaging platforms like WhatsApp.

The attackers often claim that the organisation has violated regulatory guidelines or requires urgent security updates. To support their claims, they send files disguised as official compliance documents.

These files usually contain malicious software hidden inside compressed folders. Once downloaded and opened on a computer, particularly Windows-based systems, the malware can infect the device and provide cybercriminals with unauthorised access.

In many cases, the targeted executive unknowingly forwards the suspicious file to finance or administrative teams, thereby widening the attack surface within the organisation.

Hijacking Communication Channels

After successfully compromising a device, attackers can gain control over official communication platforms, including active WhatsApp Web sessions.

Cybercriminals may then alter contact details, replacing genuine phone numbers with attacker-controlled numbers while retaining the names of senior executives. This enables fraudsters to send payment instructions that appear authentic.

Employees receiving such requests often believe they are acting on legitimate directions from top management and process financial transactions without additional verification.

Experts warn that this tactic significantly increases the probability of successful fraud.

Why Boss Scams Are More Dangerous Than Phishing Attacks

Cybersecurity professionals believe Boss Scams are considerably more sophisticated than conventional phishing campaigns.

Traditional phishing attacks generally involve mass distribution of generic emails aimed at a broad audience. In contrast, Boss Scams are highly personalised, carefully researched and often executed in real time.

Attackers use multiple communication channels—including email, instant messaging applications and social media—to create convincing impersonation attempts.

The growing use of artificial intelligence tools has further increased the sophistication of such scams. Fraudsters can now create highly convincing messages, fake profiles and even AI-generated voice communications that closely mimic senior executives.

As a result, traditional cybersecurity tools alone may not be sufficient to detect or prevent these attacks.

Corporate India Faces Growing Cyber Risk

With organisations increasingly adopting digital communication tools for day-to-day operations, the risk of executive impersonation fraud has grown substantially.

Large corporations, small businesses, startups and financial institutions are all vulnerable to such attacks. Finance teams and employees involved in payment processing remain the most common targets.

Industry experts believe the increasing digitisation of workplace communication, combined with remote and hybrid working models, has created new opportunities for cybercriminals.

The financial and reputational impact of successful Boss Scams can be severe, often resulting in substantial monetary losses and operational disruptions.

Key Measures to Prevent Boss Scams

The I4C has urged organisations to strengthen internal controls and cybersecurity practices to reduce the risk of such frauds.

Key preventive measures include:

• Independently verifying all urgent payment requests through direct phone calls or face-to-face confirmation.

• Avoiding the download or installation of files received from unknown or unverified sources.

• Regularly reviewing and monitoring devices linked to corporate messaging platforms.

• Deploying advanced endpoint protection and updated anti-malware solutions.

• Implementing software restriction policies to block unauthorised applications.

• Conducting periodic cybersecurity awareness training programmes for employees.

Verification Is the Strongest Defence

Cybersecurity experts unanimously agree that a robust verification process remains the most effective safeguard against Boss Scam attacks.

Organisations are advised to establish strict maker-checker frameworks and multi-level approval systems for all high-value transactions.

No payment instruction or sensitive request should be executed solely based on an email, message or digital communication, regardless of the apparent authority or urgency associated with it.

As cyber threats continue to evolve, companies that combine strong cybersecurity infrastructure with employee awareness and disciplined verification procedures will be better positioned to defend themselves against executive impersonation fraud.

The latest advisory serves as a reminder that in today's digital environment, human vigilance remains one of the most critical elements of cybersecurity.