The Boss Scam: How Fake CEOs Are Draining Corporate Accounts
Introduction
Imagine receiving a WhatsApp message from your CEO late on a Friday afternoon. The message is urgent: a confidential business deal requires an immediate wire transfer before markets close. The profile picture matches, the tone sounds familiar, and the account it came from has your CEO's name on it. Everything appears legitimate except it is not. This is the essence of the 'Boss Scam,' a sophisticated form of CEO impersonation fraud that has emerged as one of the most financially devastating cybercrime trends of 2025. India's Indian Cyber Crime Coordination Centre (I4C), under the Ministry of Home Affairs, issued an urgent national advisory on this threat in June 2025, warning that organisations across the country are falling victim to an evolved and technically advanced version of executive impersonation fraud that bypasses many traditional cybersecurity safeguards.
Understanding the Boss Scam
What Is CEO Impersonation Fraud?
CEO fraud, also known as Business Email Compromise (BEC) or executive impersonation fraud, is a targeted cyberattack in which criminals assume the digital identity of a high-ranking executive most commonly the Chief Executive Officer to deceive subordinate employees into authorising fraudulent financial transactions or divulging sensitive information. Unlike generic phishing campaigns that cast a wide net, CEO fraud is a precision attack. Cybercriminals invest significant time and resources researching their targets, studying organisational hierarchies, communication styles, and internal financial workflows before executing the scam. The attack is devastatingly effective because it weaponises one of the most powerful forces in any workplace: authority. An instruction that appears to originate from the CEO carries an implicit demand for immediate compliance, often bypassing normal checks and verification procedures. The FBI's Internet Crime Complaint Center (IC3) has consistently identified BEC as one of the most financially destructive categories of cybercrime, with adjusted losses of approximately USD 2.77 billion reported in 2024 alone across the United States.
The New and Evolved Variant: India's I4C Advisory
The variant identified by India's I4C represents a dangerous evolution of traditional CEO fraud. The earlier versions of this scam relied on spoofed email addresses or fake WhatsApp profiles that merely mimicked an executive's account. Employees were trained to spot tell-tale warning signs suspicious domains, unusual sender addresses, or spelling errors in email IDs. The latest
Boss Scam variant eliminates many of these red flags entirely by hijacking the executive's actual and legitimate WhatsApp account. This sophisticated attack begins not with the employee, but with the CEO. Cybercriminals approach senior executives through email or WhatsApp while posing as regulatory authorities in India's context, this includes impersonating officials from the Reserve Bank of India (RBI) or other government bodies. These messages claim an urgent compliance violation or regulatory breach requiring immediate remedial action. The communication contains a compressed ZIP archive, which the executive is prompted to open. Inside the archive are malicious executable (.exe) and Dynamic Link Library (.dll) files that, when run on a Windows system, deploy a Trojan dropper a form of malware capable of establishing persistent access on the device and hijacking active WhatsApp Web session tokens.
Once the session token is compromised, the attacker gains complete control over the executive's WhatsApp account without needing the phone, password, or any two-factor authentication code. The legitimate account is now in criminal hands, and any message sent from it appears entirely authentic to recipients.
How the Boss Scam Operates: A Step-by-Step Breakdown
Stage 1: Targeting the Executive: The operation begins with careful reconnaissance. Attackers study the target organisation's leadership, identify the CEO or a senior executive, and gather publicly available information about their communication patterns, business relationships, and company operations through LinkedIn, corporate websites, and news sources. They then contact the executive under a false regulatory identity, engineering a sense of crisis and urgency.
Stage 2: Malware Deployment:The fraudulent regulatory communication contains a ZIP file disguised as a compliance document, a security patch, or a mandatory software update. Upon execution on a Windows machine, the embedded malware installs itself and begins hijacking the WhatsApp Web session. Critically, in many documented cases, the CEO innocently forwards this regulatory message and the malicious attachment to their own finance officer or IT team, inadvertently widening the attack surface.
Stage 3: Account Takeover and Impersonation:With the CEO's legitimate WhatsApp account now under their control, cybercriminals send highly convincing messages to subordinate staff, particularly those in finance, accounts payable, or treasury functions. These messages carry the full weight of genuine executive authority correct name, profile photo, and account history making them extraordinarily difficult to distinguish from authentic communications.
Stage 4: The Financial Strike:The fraudulent instruction typically requests an urgent, confidential wire transfer to an unfamiliar account, often accompanied by requests for complete secrecy. The employee, believing the instruction to be genuine and fearing the consequences of non-compliance with a directive from their CEO, processes the transaction. By the time the fraud is discovered, the funds have been routed through multiple mule accounts, making recovery extremely difficult.
The Broader Landscape: Scale and Impact
The Boss Scam is not an isolated Indian phenomenon it represents the cutting edge of a global epidemic of executive impersonation fraud. According to the FBI's data, BEC has been the costliest category of cybercrime for several years running, with cumulative global losses that officials have described as exceeding USD 50 billion over the past decade. A 2025 fraud survey found that 90 per cent of U.S. companies experienced attempted cyber-fraud in 2024, with business email compromise and impersonation scams surging by 103 per cent year-on-year. The technological sophistication of these attacks has grown in lockstep with the availability of AI tools. In early 2024, a finance worker at a multinational firm in Hong Kong was tricked into authorising a payment of USD 25 million after attending a video conference in which the CFO and other senior executives were entirely fabricated using deepfake technology. In March 2025, a similar attack unfolded in Singapore, where a finance director authorised nearly USD 499,000 after joining a Zoom call populated entirely by AI-generated deepfakes of company executives. Deepfake attacks against businesses reportedly surged by 3,000 per cent in 2023, and voice cloning fraud rose by 680 per cent the following year. In India, the Telangana Cyber Security Bureau reported over 300 complaints related to the Boss Scam variant alone within a twenty-day period in June 2025. In one prominent case, formerPrime Minister I.K. Gujral's son, Naresh Gujral, reportedly lost approximately Rs 7.8 crorethrough a messaging-app impersonation scheme targeting his company's Chief Financial Officer.
Warning Signs Every Employee Must Recognise
Identifying a Boss Scam attempt requires situational awareness and healthy scepticism. The following red flags should prompt immediate caution:
● Any request for urgent or secret financial transfers received via WhatsApp or email, without prior discussion or formal documentation.
● Instructions to bypass standard approval procedures or to maintain secrecy from colleagues or senior management.
● Compressed files (.zip, .rar) or executable attachments received from any source, including apparently known contacts, claiming to be compliance documents or regulatory updates.
● Messages from executives at unusual hours, particularly those emphasising that a transaction must be completed immediately.
● Claims that a request comes from a government regulator, such as the RBI, delivered through informal channels like WhatsApp.
● Any communication that creates extreme urgency, invokes authority, and simultaneously demands confidentiality the classic triangle of social engineering manipulation. Protective Measures: Defending Against the Boss Scam
For Employees and Finance Teams
The I4C advisory and global cybersecurity authorities recommend several concrete steps that employees can take. The most important is to independently verify any urgent financial instruction through a direct voice call or in-person confirmation before taking action, regardless of how convincing the digital message appears. No financial transaction of significance should be authorised on the basis of a WhatsApp message or email alone.
For Organisations and Leadership
Organisations must implement multi-layered verification protocols for all wire transfers above a defined threshold, making dual authorisation and out-of-band verification mandatory. IT teams should deploy updated malware detection tools, enforce software restriction policies that block unauthorised executable files, and regularly audit devices for signs of compromise. WhatsApp linked devices should be reviewed periodically. Leadership must also commit to regular, mandatory cybersecurity awareness training for all staff, with particular attention to social engineering tactics. The I4C has also emphasised that legitimate regulatory bodies including the RBI , do not distribute software, compliance tools, or security patches via WhatsApp or email attachments. Any such communication must be treated as a potential attack vector and reported immediately.
Conclusion
The Boss Scam exploits organisational trust and human psychology rather than technical vulnerabilities and with deepfake technology now capable of replicating familiar voices and faces, traditional verification instincts are no longer reliable. The strongest defence is a culture of verification without embarrassment, where questioning an unusual instruction is seen as diligence, not insubordination. Awareness, clear protocols, and scepticism towards urgency remain our most powerful tools. If you've encountered such a scam, contact India's National Cybercrime Helpline at 1930 or report at cybercrime.gov.in.
References
- https://www.cybercrime.gov.in
- https://www.business-standard.com/india-news/boss-scam-ceo-impersonation-fraudgovt- advisory-i4c-126062300353_1.html
- https://www.indiatvnews.com/news/india/boss-scam-all-about-the-new-cyber-fraudtargeting- corporates-and-precautions-listed-by-mha-2026-06-23-1045827
- https://www.freepressjournal.in/business/boss-scam-on-whatsapp-new-ceo-fraudbypasses- traditional-cybersecurity-checks
- https://hyderabadmail.com/tgcsb-warns-boss-scam-ceo-impersonation-fraud-malwarealert/
- https://www.newkerala.com/news/a/rising-boss-scam-threat-targets-senior-executiveswarns- 242.html
- https://www.ic3.gov
- https://www.mcafee.com/learn/is-that-really-your-boss/
- https://abnormal.ai/glossary/ceo-fraud
- https://www.brside.com/blog/deepfake-ceo-fraud-50m-voice-cloning-threat-cfos
- https://www.eftsure.com/blog/cyber-crime/these-7-deepfake-ceo-scams-prove-that-nobusiness- is-safe/
- https://www.knowbe4.com/ceo-fraud
- https://trustpair.com/blog/ceo-fraud-how-to-protect-your-organization-from-fraudsters/
- https://hacked.com/services/executive-impersonation-and-ceo-fraud-protecting-high-networth- individuals/
- https://www.certifid.com/article/ceo-fraud
Related Blogs
Executive Summary
Talks between the United States and Iran over a ceasefire reportedly held in Islamabad on Saturday ended without a resolution. Meanwhile, a video circulating on social media claims to show US troops returning home following a ceasefire in the Middle East conflict.
However, a research by the CyberPeace found the claim to be false. The viral video is not linked to any recent ceasefire. It actually dates back to March and shows the return of Iowa National Guard troops after months of deployment in the Middle East.
Claim
An X (formerly Twitter) user posted the video on April 7, 2026, claiming,“Another victory for Iran: American soldiers have started arriving home. After leaving the Middle East, American soldiers are saying, ‘Why did we fight for Israel? If Iran is talking about peace, we will also stand with them.’”
Fact Check
To verify the claim, we extracted keyframes from the viral video and conducted a reverse image search using Google Lens. This led us to posts by Newsradio 1040 WHO, which had shared the same footage on March 12 across Facebook and Instagram.
In its caption, the radio station stated that nearly 600 Iowa soldiers had returned home after a nine-month deployment in the Middle East as part of Operation Inherent Resolve. The segment, narrated by journalist Claire Burnett, explained that the soldiers belonged to the 2nd Brigade Combat Team, 34th Infantry Division, and had been deployed to Iraq and Syria. The footage was recorded at the 132nd Wing base of the Iowa Air National Guard in Des Moines.
For further confirmation, a March 12 report by KCCI 8 News also showed the same aircraft and troops, verifying the authenticity and timeline of the footage
Operation Inherent Resolve, launched in 2014, is a US-led campaign aimed at supporting local forces in the fight against the Islamic State (ISIS) and ensuring its lasting defeat.
https://www.kcci.com/article/iowans-welcome-national-guard-unit-home-from-deployment-in-middle-east/70729105
Conclusion
The viral claim is false and misleading. The video does not show US troops returning due to any recent ceasefire between the United States and Iran. Instead, it captures the routine homecoming of Iowa National Guard soldiers in March after completing a scheduled deployment in the Middle East.There is no evidence linking the footage to current geopolitical developments or any ceasefire agreement. The claim has been taken out of context and shared with a misleading narrative to create confusion around ongoing international events.
Introduction
The insurance industry is a target for cybercriminals due to the sensitive nature of the information it holds. This makes it essential for insurance companies to have robust cybersecurity measures to protect their data and customers’ personal information.
Cyber fraud in India’s insurance industry is increasing. It is reported that the Indian insurance sector has witnessed a surge in cyber-attacks, with several instances of data breaches, identity thefts, and financial fraud being reported. These cybercrimes not only pose a significant threat to the financial stability of the insurance industry but also to the privacy and security of policyholders.
Cyber Frauds in the Insurance Industry
The insurance industry in India has been the target of increasing cyber fraud in recent years. With the growing digital transformation trend, insurance companies have become increasingly vulnerable to cyber-attacks. Cyber frauds in the insurance industry are initiated by hackers who use various techniques such as phishing, malware, ransomware, and social engineering to gain unauthorised access to policyholders’ personal data and sensitive information
Kinds of cyber frauds in the insurance industry
It is essential for insurers and policyholders alike to be aware of these kinds of cyber-attacks on insurance companies in today’s digital age. Staying educated about these threats can help prevent them from happening in the future.
Identity theft– One common type of cyber fraud that occurs in the insurance industry is identity theft. In this type of fraud, criminals steal personal information such as name, address, date of birth and social security numbers through phishing emails or fraudulent websites. They then use this information to open fraudulent policies or access existing ones.
Payment fraud- Another type of cyber fraud that is on the rise is payment fraud. In this type of fraud, hackers intercept electronic payments made by policyholders or agents using fake bank accounts or compromised payment gateways. The money is then siphoned into untraceable accounts, making it difficult for law enforcement agencies to identify and arrest the perpetrators.
Phishing attacks- Where the fraudsters posed as company officials and sent emails to policyholders requesting their account details. The unsuspecting customers fell for this scam and shared their sensitive information, which was then used to access their accounts and steal funds.
Hacking- Where hackers breach the company’s system to gain access to policyholder data. The hackers’ stoles personal records, including names, addresses, phone numbers, social security numbers, and financial information, which they later sell on the dark web.
Fake policies scam- Fraudsters create fake policies using stolen identities and collect premiums from innocent customers. The insurer then voided these policies due to fraudulent activity leaving those people without valid coverage when they needed it most. The victims suffer significant financial losses due to this scam.
Fake Insurance Websites- Discuss the creation of deceptive websites that imitate well-known insurance companies, where unsuspecting individuals provide their personal details, leading to identity theft or financial losses.
Prevention of Cyber Frauds in the Insurance Industry- Best practices to follow
Prevention is better than cure, which also holds true in the case of cyber fraud in the insurance industry. The industry must take proactive steps to prevent such frauds from occurring in the first place. One of the most effective ways to do so is by investing in cybersecurity measures that are specifically designed for the insurance sector.
Insurance companies must conduct regular employee training programs on cybersecurity best practices. This includes educating employees on how to identify and avoid phishing emails, create strong passwords, and recognise potential cyber threats. Companies should also establish a reporting mechanism for employees to report suspicious activity or incidents immediately.
Having proper access controls in place is also necessary. This means limiting access to sensitive data only to those employees who need it, implementing two-factor authentication, and regularly monitoring user activity logs. Regular audits can also provide an extra layer of protection against potential threats by identifying vulnerabilities that may have been overlooked during routine security checks.
Another essential step is encrypting all data transmitted between different systems and devices. Encryption scrambles data into unreadable codes that can only be deciphered using a decryption key, making it difficult for hackers to intercept or steal information in transit.
Legal Framework for Cyber Frauds in the Insurance Industry
The legal framework for cyber fraud in the insurance industry is critical to preventing such crimes. The Insurance Regulatory and Development Authority of India (IRDAI) has issued guidelines for insurers to establish a cybersecurity framework. The guidelines require insurers to conduct regular risk assessments, implement security measures, and ensure compliance with data privacy laws.
The Information Technology Act 2000, is another significant piece of legislation dealing with cyber fraud in India. The act defines offences such as unauthorised access to a computer system, hacking, and tampering with data. It also provides for stringent penalties and imprisonment for those found guilty of such offences.
The IRDAI’s guidelines provide insurers with a roadmap to establish robust cybersecurity measures to help prevent cyber fraud in the insurance industry. Stringent implementation of these guidelines will go a long way in safeguarding sensitive customer information from falling into the wrong hands.
Best Practices for Insurers and Policyholders
Insurers:
Implementing Strong Authentication: Encouraging the use of multi-factor authentication and secure login processes to safeguard customer accounts and prevent unauthorised access.
Regular Employee Training: Conduct cybersecurity awareness programs to educate employees about the latest threats and preventive measures.
Investing in Advanced Technologies: Utilizing robust cybersecurity tools and systems to promptly detect and mitigate potential cyber threats.
Policyholders:
Vigilance and Awareness: Policyholders must stay vigilant while sharing personal information online and verify the authenticity of insurance websites and communication channels.
Regular Updates and Patches: Advising individuals to keep their devices and software up to date to minimise vulnerabilities that cybercriminals can exploit.
Secure Online Practices: Encouraging the use of strong and unique passwords, avoiding sharing sensitive information on unsecured networks, and exercising caution when clicking on suspicious links or attachments.
Conclusion
As the Indian insurance industry embraces digitisation, the risk of cyber scams and data breaches becomes a significant concern. Insurers and policyholders must collaborate to ensure robust cybersecurity measures are in place to protect sensitive information and financial interests.
It is essential for insurance companies to invest in robust cybersecurity measures that can detect and prevent fraud attempts. Additionally, educating employees on the dangers of cyber fraud and implementing strict compliance measures can go a long way in mitigating risks. With these efforts, the insurance industry can continue to provide trustworthy and reliable services to its customers while protecting against cyber threats. As technology continues to evolve, it is imperative that the insurance industry adapts accordingly and remains vigilant against emerging threats.
Executive Summary
A video is rapidly circulating on social media showing a man enthusiastically dancing to the Hindi song Sun Sahiba Sun. The clip is being shared with a sensational claim that it is a private video leaked from the hacked email account of FBI Director Kash Patel. In the video, a man can be seen dancing in a casual setting while people in the background cheer him on. Several users have linked the clip to an alleged cyberattack by Iran-linked hackers, attempting to connect it with ongoing international developments.
However, research by the CyberPeace found that the video has been available online since at least 2020. It also resurfaced in 2022, long before the current claims emerged. There is no connection between the video and Kash Patel or any hacking incident. Further research confirmed that the clip is not recent and has no link to any cybersecurity breach. In 2022, the same video had gone viral as a humorous post, with claims that the man was celebrating because his wife had temporarily gone to her maternal home.
Claim
On March 29, 2026, an Instagram user named ‘greyinsightsbharat’ shared the video claiming it was leaked from Patel’s hacked Gmail account. The caption read:“FBI Director Kash Patel's Gmail Hacked by Iranian Hackers; His Alleged Dancing Video Leaked.”
The research involved extracting keyframes from the video and conducting reverse image searches, which revealed that the same clip had been shared multiple times in the past with different, unrelated claims.
Fact Check
A reverse search also led to a December 2022 media report featuring the same visuals. According to that report, the video showed a man joyfully dancing to celebrate his wife’s temporary visit to her parental home.
Additionally, findings confirm that the footage has existed online since at least 2020 and has previously gone viral. The song featured in the clip is from the 1985 Bollywood film Ram Teri Ganga Maili, originally sung by legendary artist Lata Mangeshkar.
Conclusion:
The claim that the viral dance video is a leaked private clip of FBI Director Kash Patel is false and misleading. Verified findings show that the video has been available on the internet since at least 2020 and had already gone viral in 2022 in a completely different and humorous context. There is no evidence linking the clip to any recent cyberattack, email hack, or data breach involving Patel. The resurfacing of this old video with a fabricated narrative highlights how unrelated content is often repurposed to create sensational misinformation, especially during sensitive geopolitical situations. Users are advised to verify such claims through credible sources before sharing, as misleading posts like these can distort public understanding and spread confusion.
