SEBI warns firms against 'Boss Scam' cyber fraud targeting CEOs

SEBI warns firms against 'Boss Scam' cyber fraud targeting CEOs. (IANS Photo)

SEBI warns firms against 'Boss Scam' cyber fraud targeting CEOs. (IANS Photo)

Mumbai, July 17 (IANS): Capital markets regulator Securities and Exchange Board of India (SEBI) on Friday cautioned listed companies and regulated entities against an emerging cyber fraud known as the "Boss Scam", in which cybercriminals impersonate chief executive officers (CEOs), managing directors (MDs) or other senior officials to trick employees into transferring funds.

The advisory comes after the Indian Cyber Crime Coordination Centre (I4C) flagged a rise in CEO and MD impersonation frauds targeting organisations through email, WhatsApp, Microsoft Teams and other social media platforms.

According to SEBI, fraudsters pose as senior executives and send urgent messages or make calls instructing finance or accounts personnel to transfer money to specified bank accounts.

“Fraudsters are targeting CEO or high ranking official via email or WhatsApp by impersonating them. The communication through email/ WhatsApp/Microsoft Teams/other social media platforms with their subordinates or counterparts, directs them to carry out instructions given to them resulting in transfer of funds to fraudsters,” SEBI said in its advisory.

In some cases, cybercriminals use artificial intelligence-based tools such as voice cloning and deepfake video calls to make the impersonation appear authentic.

The regulator also warned about another modus operandi in which fraudsters send a compressed ZIP file containing malicious software.

Once opened on a Windows device, the malware can hijack an active WhatsApp Web session, enabling cybercriminals to access the victim's account and send fraudulent payment instructions to finance teams.

SEBI said fraudsters may also manipulate contact lists on compromised devices by saving their own phone numbers under the names of CEOs or managing directors, making fraudulent calls or messages appear genuine.

To prevent such incidents, SEBI advised listed entities and regulated organisations to independently verify all fund transfer requests received through email, WhatsApp or other social media platforms by directly contacting the concerned senior official through a trusted communication channel.

The regulator also urged organisations not to authorise fund transfers solely based on messages received through social media platforms and to avoid installing executable or compressed files without first verifying the sender's identity.

In addition, SEBI recommended that organisations regularly log out of inactive WhatsApp Web sessions to minimise the risk of account compromise.



Support The Morung Express.
Your Contributions Matter
Click Here