I4C Warns of the 'Boss Scam': Fake RBI Files Hijack a CEO's WhatsApp to Order Fraudulent Transfers

India's I4C has issued an advisory on the 'Boss Scam', where criminals impersonate the RBI and company executives, plant malware via a .zip/.exe file, hijack the boss's WhatsApp Web session, and instruct finance staff to wire money to mule accounts. Here is how it works and how to stop it.
The Indian Cyber Crime Coordination Centre (I4C) has warned of a fast-growing fraud it calls the "Boss Scam", in which criminals impersonate regulators and company executives to hijack a real WhatsApp account and trick finance staff into wiring money to mule accounts. The warning comes in an advisory (TAU/ADV/017) issued by I4C's National Cybercrime Threat Analytics Unit on 22 June 2026.
At a glance
According to I4C, attackers contact a CEO or other high-ranking official by email or WhatsApp, posing as a regulator such as the Reserve Bank of India, and claim an urgent compliance violation that must be fixed immediately. The "fix" is a malicious file. Once it runs on the executive's Windows machine, the criminals take over their genuine WhatsApp Web session and use it to order subordinates to transfer funds.
How the Boss Scam works
I4C breaks the attack into a clear sequence. The danger is that the final instruction to staff comes from the boss's real account, so it looks completely legitimate.
- Initial contact (impersonating a regulator). Criminals message a CEO or senior official by email or WhatsApp, posing as a regulator such as the RBI. They claim a regulatory violation or a mandatory urgent security improvement and demand a response in a very short timeframe.
- Delivery of the payload. The message carries a compressed .zip archive containing a malicious executable (.exe) plus a Dynamic Link Library (.dll). In several observed cases, the CEO simply forwards the message on to a finance officer.
- Device and session takeover. When the file is extracted and run on a Windows desktop or laptop, a Trojan dropper launches, establishes a persistent foothold, compromises the system, and hijacks the active WhatsApp Web session tokens.
- Fraudulent transfer instruction. Now holding the executive's real WhatsApp account, the fraudster messages accounts or finance employees and instructs them to make immediate payments to specified mule bank accounts.
The contact-swap variant
I4C describes an alternative playbook used when attackers achieve full device takeover. Instead of (or in addition to) hijacking WhatsApp Web, they quietly edit the phone's contact list, saving a fraudulent, attacker-controlled number under the name of the "CEO". They then use that second number to instruct employees to transfer funds, so even a phone call or message that appears to come from "the boss" is actually the criminal.
Why it works
This is social engineering wrapped around malware. Three things make it effective:
| Lever | Why it lands |
|---|---|
| Authority | The opening message impersonates a regulator (RBI) and an executive, two voices employees rarely question. |
| Urgency | A short deadline and a "compliance violation" push the target to act before verifying. |
| Trusted channel | The payment order arrives from the boss's genuine WhatsApp account, defeating "does this look real?" checks. |
Red flags
- A regulator or senior leader sending a .zip / .exe file and asking you to run it. Regulators like the RBI never distribute software updates or security fixes via WhatsApp attachments.
- A "compliance" or "security" message with an aggressive deadline.
- An urgent payment or bank-account-change request that arrives only over WhatsApp or email.
- The boss's number or contact details appearing to have changed recently.
How to protect your company
I4C's recommended safeguards, grouped by who acts on them:
Finance teams
- Verify any urgent financial transaction or account-change request that comes solely through WhatsApp or email. Confirm by a direct voice call or in person before acting.
- Never install executables received from unknown or unverified sources.
IT / system administrators
- Enforce strict Software Restriction Policies (SRP) to block execution of unknown .exe and .dll files originating from user profile directories.
- Ensure Windows endpoints run up-to-date anti-malware protection capable of detecting the dropper.
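As an added example (not from I4C's advisory and not a real gateway product), the check below shows how a mail or chat attachment filter can flag the payload shape the advisory describes: a .zip carrying a .exe plus a .dll. It inspects both the member's extension and the "MZ" DOS header, so an executable renamed to a harmless-looking extension is still caught, and it fails closed on an archive it cannot parse. The sample archives are constructed inline with inert placeholder bytes.

```python
import io
import zipfile

# Extensions named in the advisory, plus the PE/DOS header every Windows executable starts with.
PE_EXTENSIONS = (".exe", ".dll")
PE_MAGIC = b"MZ"


def pe_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members that look like Windows executables,
    judged by extension (case-insensitive) or by the 'MZ' header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            by_ext = info.filename.lower().endswith(PE_EXTENSIONS)
            with zf.open(info) as fh:
                by_magic = fh.read(len(PE_MAGIC)) == PE_MAGIC
            if by_ext or by_magic:
                hits.append(info.filename)
    return hits


def should_quarantine(zip_bytes: bytes) -> bool:
    """True if the archive carries an executable, or if it cannot be inspected at all
    (a corrupt or non-zip attachment is held rather than passed through unchecked)."""
    try:
        return bool(pe_members(zip_bytes))
    except zipfile.BadZipFile:
        return True


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper that builds an in-memory archive from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the advisory's .exe + .dll shape, a clean archive, and a disguised PE.
FAKE_PE = PE_MAGIC + b"\x00" * 62  # placeholder bytes, not a real program
SUSPICIOUS = build_zip({"RBI_Compliance_Fix.exe": FAKE_PE, "helper.dll": FAKE_PE})
BENIGN = build_zip({"quarterly_report.pdf": b"%PDF-1.4 placeholder", "notes.txt": b"hello"})
RENAMED = build_zip({"update.txt": FAKE_PE})  # executable hidden behind a .txt name
NOT_A_ZIP = b"this is not an archive"
```

Pair the filter with the SRP rule above: the gateway stops most archives before delivery, and the policy stops anything that slips through from running out of a user profile directory.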
Executives and all staff
- Regularly audit authorised devices in WhatsApp (Settings → Linked Devices) and log out of any WhatsApp Web sessions you are no longer actively using.
- Treat any "open this file to stay compliant" message as suspicious, especially from a regulator.
If you have been hit
Report a fraudulent application or any scam incident immediately on the national cybercrime helpline 1930 or at cybercrime.gov.in. The first hour matters most for freezing transferred funds.
Preserve everything: the original email or WhatsApp message, the file, the sender details, and the beneficiary account numbers used in any transfer. They help investigators trace and freeze the money trail.
For a step-by-step walkthrough of filing the complaint and recovering funds in India, see our guide: How to Report Cybercrime in India (and Get Your Money Back).
Frequently asked questions
Who does the Boss Scam target? High-ranking officials and executives (CEOs and senior decision-makers), and through them, the finance staff who can move money.
How does the malware get in? Through a .zip archive containing a malicious .exe and .dll, delivered by email or WhatsApp and run on a Windows device.
What does the malware actually do? It installs a Trojan dropper, persists on the system, and hijacks the executive's active WhatsApp Web session so attackers can message staff as the boss.
Will the RBI ever send a security file over WhatsApp? No. Per I4C, regulators like the RBI never distribute mandatory software updates or security fixes via WhatsApp attachments.
How do we verify a payment request? By a direct voice call or in-person confirmation, never on the basis of a WhatsApp or email message alone.
Where do we report it? Call 1930 or file at cybercrime.gov.in.
Source: Indian Cyber Crime Coordination Centre (I4C), National Cybercrime Threat Analytics Unit (NCTAU), Advisory TAU/ADV/017 (PDF), "Regulatory and Executive Impersonation for WhatsApp Account Takeover using Malicious Windows Executables and High value financial fraud", dated 22 June 2026. Published by the Ministry of Home Affairs, Government of India.