is that a scam?
← Back to all scams
CRITICAL phishing Share

Fake "boss" message on WhatsApp tricks the accounts team into wiring company funds

Fraudsters hijack the CEO's WhatsApp via malware or fake a profile with the boss's photo, then message finance staff to transfer funds urgently. A Mumbai firm lost ₹10.4 crore; I4C issued a formal advisory on June 22, 2026.

Also known as: boss scam, WhatsApp CEO impersonation fraud, executive WhatsApp session hijack, corporate BEC WhatsApp India

What to do right now

  1. 1 Never authorize a NEFT, RTGS, or IMPS transfer based solely on a WhatsApp message — call the supposed sender on their known direct number or visit them in person to confirm
  2. 2 If the 'boss' says they cannot take calls, verify through a second channel: email to their known address, message to their PA, or a colleague who can physically reach them
  3. 3 Do not open .zip or .exe files received via WhatsApp or email from contacts claiming to be regulators — the RBI, SEBI, and CBI never send security fixes or compliance tools as attachments
  4. 4 If the CEO's WhatsApp account is suspected compromised, immediately go to WhatsApp Settings → Linked Devices and log out all sessions; then change the account's two-step verification PIN
  5. 5 If you installed any 'support' or 'server' or 'refund app' or remote-access app at the scammer's request (AnyDesk, TeamViewer, Quick Support, etc.), run free SeraphSecure (https://www.seraphsecure.com) to detect and remove it.
  6. 6 If transfers were already made, call your bank's fraud line immediately to initiate a NEFT/RTGS recall — every hour matters before funds are layered through mule accounts
  7. 7 Report at https://cybercrime.gov.in or call 1930 (national cyber helpline).

Was remote-access software installed?

If a scammer asked you to install AnyDesk, TeamViewer, Quick Support, or any remote-access app, your device may still be compromised.

Run SeraphSecure to detect and remove it →

Red flags

  • Any WhatsApp message from the 'boss' asking for an urgent wire transfer without a simultaneous voice call to confirm — real executives use company channels for payments
  • The sender's number is different from the boss's known contact, but uses the boss's profile photo — scammers download public photos to fake identity
  • Message says 'I'm in a meeting, can't take calls — please transfer immediately and don't discuss with anyone' — isolation and urgency are the two levers
  • An email or WhatsApp message from a 'regulatory authority' (RBI, SEBI, CBI) contains a .zip or .exe attachment — real regulators never send executable compliance tools
  • The transfer destination is a new or unfamiliar account, vendor, or 'emergency fund' — verify any new payee through official channels

Known variants

  • Employee-phone compromise: malware sent as a ZIP to finance staff (not the CEO) installs contact-manipulation code that replaces the MD's saved number with an attacker-controlled one. WhatsApp messages then appear to come from 'the MD'. Two Mumbai firms lost ₹3.48 crore this way in June 2026.

    Last seen: 7/8/2026

  • Profile-photo impersonation (Kolhapur, July 6, 2026): attacker created a WhatsApp account using the CEO's photo and messaged the accounts officer directly. The accounts officer transferred ₹80.50 lakh via RTGS believing it was the CEO's instruction. Complaint filed with Kolhapur cyber cell.

    Last seen: 7/6/2026

Sources

Share this with someone who might need it