For generations of Indian office-goers, one rule has been drilled in deeper than anything in the HR manual: when the boss says urgent, you move. Do not ask why, do not ask twice and certainly do not ask for it in writing.
On Friday, the Securities and Exchange Board of India (Sebi) issued a counter-order: if the boss pings you on WhatsApp demanding an immediate, hush-hush transfer of funds, do the unthinkable. Question him.
The market regulator has cautioned listed companies and all its regulated entities about what it calls, with admirable directness, the “Boss Scam”. Alerted by the Indian Cyber Crime Coordination Centre, Sebi says fraudsters are impersonating chief executives and managing directors on email, WhatsApp, Microsoft Teams and other platforms, instructing finance and accounts personnel to wire money—urgently, confidentially and preferably before anyone’s better judgement kicks in.
The choreography is finely tuned to corporate psychology. The message from “the CEO” often invokes a sensitive transaction or unpublished information, conveniently explaining why the employee must not consult anyone. Urgency supplies the pressure; confidentiality removes the safety net. All that remains is the reflex that decades of hierarchy have perfected: compliance.
If a text from the top is not persuasive enough, technology completes the costume. Fraudsters are using deepfake voices and AI-generated video calls. The man on screen looks and sounds like your chairman, and carries the same air of mild impatience. He is, regrettably, a graphics file.
Some scammers create fake “management” groups on social media—a supporting cast of directors and chief financial officers, all counterfeit. The payment instruction then appears to carry the authority of the entire boardroom. Artificial intelligence has not merely learnt to imitate the boss; it can recreate the management committee.
Another variant dispenses with acting. A ZIP or ISO file arrives, ostensibly containing an urgent regulatory notice or company document. Once opened on a Windows computer, it can instal malware and compromise an active WhatsApp Web session. The fraudster can then send instructions from a genuine account.
Attackers may also alter contact details on compromised devices, diverting verification calls back to themselves. Call the boss to double-check, and the “boss” who answers is the scamster. The fraud, in other words, comes with its own customer-verification department.
The danger is not hypothetical. Two Indian companies recently lost nearly ₹3.5 crore after employees opened malicious files apparently sent by senior colleagues. The scam does not merely hack computers; it hacks the organisational chart. Its most useful vulnerability is the employee too deferential—or frightened—to question an instruction from the top. The four words “Sir has told me” can override controls that cost crores to install.
Sebi’s prescription is disarmingly old-fashioned: verify financial instructions directly with the official concerned, using a trusted channel rather than the one on which the request arrived. Do not act on social-media messages alone or instal unverified executable files. Log out of unused WhatsApp Web sessions—an open tab can become an open door. Suspected fraud should be reported immediately through the national cybercrime helpline, 1930, or the cybercrime portal.
Companies must go further. Unusual payments should require dual authorisation, callbacks to registered numbers and cooling-off periods after beneficiary details are changed. No CEO, real or otherwise, should be able to bypass these safeguards merely by invoking urgency or confidentiality.
But the deeper fix may be cultural. Companies spend crores on firewalls while leaving their oldest vulnerability unpatched: the employee too junior, or too well-trained in obedience, to say, “Let me confirm that, sir.” The Boss Scam works because questioning the boss feels riskier than wiring money to a stranger.
So here is the new survival skill of corporate life, now with regulatory blessing: healthy insubordination. The next time the CEO video-calls demanding a discreet transfer within 10 minutes, hang up and call him back on the number you have always used.
If it was really him, he may be irritated for a minute. If it was not, you have saved the company a fortune—and become that rarest of corporate heroes: the employee who got promoted for not doing what the boss said.
How the scam works
# Fraudsters impersonate CEOs or MDs through email, WhatsApp, Microsoft Teams and other digital platforms.
# They demand urgent and confidential fund transfers, often citing sensitive transactions or unpublished information to discourage verification.
# Deepfake voices, AI-generated video calls and fake management groups are used to make the instructions appear authentic.
# Malicious ZIP or ISO files can compromise WhatsApp Web sessions or alter contact details, enabling fraudsters to issue payment instructions from genuine-looking accounts.
