A WhatsApp message from your CEO, Rs 1.5 crore gone. How the ‘Boss scam’ is tricking Indian executives


New Delhi: An urgent regulatory notice, a malware-laden ZIP file and a WhatsApp message bearing the CEO’s profile picture are the latest tools in a sophisticated cyber fraud that has already siphoned off crores from companies and individuals. Dubbed the “boss scam”, the fraud has prompted the Indian Cybercrime Coordination Centre (I4C) to issue an advisory as investigators trace syndicates operating through mule bank accounts.

One of the victims of the fraud was Ahmedabad real estate businessman Pravin. On 23 June, around 11 am, he received a WhatsApp message from an unknown number.

“This is a notification from the Reserve Bank of India (RBI),” it stated. “The bank has issued a notice regarding risk control related actions and unusual financial transactions related to your company’s bank account. In view of this, action may be taken to restrict or suspend your account. Therefore, your finance department is requested to immediately review the relevant details and provide necessary cooperation.”

“Please provide the requested information within three working days. Otherwise, the use of your account may be adversely affected. Thank you for your cooperation,” added the message, which had a 3.3 MB ZIP file attached.

Pravin, who narrated the sequence of events to ThePrint over phone Monday, forwarded the message to his accountant, Pritish.

“Pritish saw the message on WhatsApp Web on his desktop where the ZIP file was downloaded. Within minutes, he received a WhatsApp message from an account that had my profile picture, asking him to transfer Rs 1.5 crore to a Kolkata-based company’s account and not to call back. He transferred the sum, assuming I had texted him,” Pravin said.

This CEO impersonation fraud, in which cybercriminals target high-ranking officials and executives by delivering malicious archives via email or WhatsApp and requesting urgent regulatory compliance, is what the I4C warned about in an advisory issued on 22 June.

“Once executed, the malware compromises the executive’s Windows device and active Web WhatsApp sessions, enabling the fraudsters to message subordinate employees and orchestrate fraudulent financial transfers,” warns the I4C.

“If the attacker achieves complete device takeover, they covertly modify the device’s contact list, saving a fraudulent, attacker-controlled phone number under the name of the ‘CEO’, and use that secondary number to instruct employees into transferring funds,” it adds.

Pravin said the fraudsters gained access to his accountant’s computer through WhatsApp Web after the malware was downloaded.

“The fraudster managed to read all the messages between me and my accountant, and that is when he texted Pritish, assuming my identity. The fraudster instructed Pritish to not make any phone calls. He sent him details of an IndusInd Bank account and the money was subsequently transferred. When I received a text about the money being debited, I immediately called Pritish. Then he narrated what had happened,” he told ThePrint.

A senior police officer from Ahmedabad Crime Branch said a case has been registered under Bharatiya Nyaya Sanhita Sections 318(4) (cheating) and 319(2) (cheating by personation) and under the IT Act, and an investigation has been initiated.

“In this case, Pritish’s WhatsApp was hacked. Earlier, APK files were being shared, now it is a ZIP file,” the officer told ThePrint.

Police in other states have also issued advisories warning against the “boss scam”.

How ‘boss scam’ unfolds

Senior cybercrime officers from Mumbai and Ahmedabad Crime Branch explained the modus operandi, saying cybercriminals contacted CEOs or high-ranking officials via email or WhatsApp impersonating regulators such as the RBI.

The communication falsely claims regulatory violation or mandates an urgent security improvement, demanding a response within a very short timeframe.

An Ahmedabad Crime Branch officer said that in most cases, the message contains a compressed ZIP file, which has a malicious executable (EXE) file accompanied by a dynamic link library (DLL) file.

As seen in multiple cases, the CEO forwards the regulatory compliance message to a finance officer. “When the executive extracts and executes the file on a Windows desktop or laptop, a Trojan dropper is initiated. The malware establishes a persistent foothold, compromises the system, and hijacks the active Web WhatsApp session tokens,” according to the I4C advisory.

“Armed with access to the executive’s real WhatsApp account, the fraudster contacts accounts or finance employees, instructing them to make immediate payments to specified mule bank accounts.”
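
Because the lure in these cases is an archive carrying an executable alongside a DLL, the earliest point at which a mail gateway or a finance team can break the chain is the attachment itself, before anyone extracts it. The following is an added example for this article, not code from ThePrint, the I4C or the police, of a triage check that inspects a ZIP without writing anything to disk: it flags executable extensions, flags any file that carries the two-byte `MZ` header of a Windows PE binary behind a document-style name, and flags the EXE plus DLL pairing the officer describes. The sample archives, their file names and their placeholder contents are constructed for the example and are assumptions about what such a lure looks like, not details taken from the cases above.

```python
"""Triage a ZIP attachment for the EXE + DLL lure pattern.

Added example for this article, not from ThePrint, I4C or the police.
The sample archives are constructed in memory from placeholder bytes:
nothing here is real malware, and no file is executed.
"""
import io
import posixpath
import zipfile

# Extensions Windows will run directly or via a script host (assumed list).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".hta", ".ps1", ".msi"}
NATIVE_PE_EXTS = {".exe", ".dll", ".scr", ".com"}
PE_MAGIC = b"MZ"  # DOS header that every Windows PE file starts with


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect an archive without extracting it to disk.

    Flags executable extensions, PE files hiding behind a document-style
    name, and the EXE + DLL pairing (typical of DLL side-loading) that the
    Ahmedabad officer describes.
    """
    findings = {"entries": [], "executables": [], "disguised_pe": [],
                "exe_dll_pair": False, "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            findings["entries"].append(name)
            ext = posixpath.splitext(name.lower())[1]
            if ext in EXECUTABLE_EXTS:
                findings["executables"].append(name)
            # Read only the first two bytes: a PE renamed to .pdf still starts with MZ.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC and ext not in NATIVE_PE_EXTS:
                findings["disguised_pe"].append(name)
    has_exe = any(e.lower().endswith(".exe") for e in findings["executables"])
    has_dll = any(e.lower().endswith(".dll") for e in findings["executables"])
    findings["exe_dll_pair"] = has_exe and has_dll
    if findings["exe_dll_pair"] or findings["disguised_pe"]:
        findings["verdict"] = "block"
    elif findings["executables"]:
        findings["verdict"] = "suspicious"
    return findings


def build_sample_zip(kind: str) -> bytes:
    """Constructed sample archives; names and contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if kind == "lure":          # EXE + DLL pairing, as in the reported cases
            zf.writestr("RBI_Notice/RBI_Compliance_Notice.exe", PE_MAGIC + b"\0" * 62)
            zf.writestr("RBI_Notice/helper.dll", PE_MAGIC + b"\0" * 62)
        elif kind == "disguised":   # a PE renamed to look like a document
            zf.writestr("Notice.pdf", PE_MAGIC + b"\0" * 62)
        elif kind == "benign":      # a minimal real PDF header
            zf.writestr("Notice.pdf", b"%PDF-1.4\n%%EOF\n")
        else:
            raise ValueError(f"unknown sample kind: {kind}")
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("lure", "disguised", "benign"):
        result = triage_zip(build_sample_zip(kind))
        print(f"{kind:9s} -> {result['verdict']:10s} entries={result['entries']}")
```

The check is a triage heuristic, not a malware verdict: a lure that ships only a script, or that nests one archive inside another, needs additional rules. It also covers only the first step of the chain. Once a WhatsApp Web session has been hijacked, the message from the "CEO" is genuine as far as the phone and the desktop are concerned, so the remaining control is procedural: any payment instruction that arrives over chat together with an instruction not to call back is, by the article's own account, the signature of this fraud and should trigger a call on a known number rather than a transfer.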

An officer with the Delhi Police’s cybercrime unit IFSO said these are high value scams targeting businesspersons, “and most of them happen from outside India”.

“The ZIP file and WhatsApp coordination require understanding of sophisticated technology. Only the mule accounts are based in India for cash withdrawal. The boss scam has become very advanced,” he told ThePrint.

Explaining further, he said that in digital arrest scams, fraudsters terrify victims, while in investment scams, victims are lured. In the boss scam, it is pure impersonation.

The Delhi-Mumbai case

A similar fraud case was unravelled by the Delhi Police and Mumbai Police.

An officer investigating the case told ThePrint that four to five men had visited an IDFC First Bank branch in Jasola Vihar, requesting a cash withdrawal of around Rs 8-9 lakh. The branch manager grew suspicious and informed the beat constable about the young men looking to withdraw such a substantial amount.

Delhi Police officers reached the spot and interrogated the men, who revealed a link to a “boss scam” in Mumbai.

Five accused arrested in the Delhi-Mumbai ‘boss scam’ case | By special arrangement

“Through sustained technical analysis, banking transaction scrutiny, account profiling, and coordination with the agencies concerned, the team unearthed a larger network involved in routing, layering and withdrawing cyber fraud proceeds through commission-based account holders,” said the officer.

The Mumbai case involves a deputy general manager (accounts) of a private company, who received WhatsApp messages from a mobile number displaying the photograph of the company’s director.

“The fraudster, posing as the director, instructed me to urgently transfer funds to multiple bank accounts, citing ongoing meetings as the reason for being unavailable on phone calls,” the victim told the police.

Trusting the apparent authenticity of the messages, the victim executed 63 separate transactions between 3 June and 15 June, transferring a total of Rs 10,40,71,924 to various beneficiary accounts, according to the police.

The fraud came to light on 15 June when the victim directly contacted the actual director and discovered that no such instructions had ever been issued.

“Crucially, subsequent inquiry established that one of the beneficiary accounts stated for withdrawal by the accused at IDFC First Bank was directly linked to the proceeds of this impersonation scam, providing investigators with the critical lead connecting the Mumbai fraud to the Delhi-based withdrawal network,” DCP (South East) Hemant Tiwari said.

The five accused, identified as Vikash, 22, Vansh, 21, Faiyaz Alam, 22, Amit, 28, and Balvir Kumar, 23, have been arrested.

Tiwari told ThePrint that during sustained interrogation, the accused disclosed that they were working as part of a commission-based cyber fraud withdrawal syndicate. They revealed that cyber fraud proceeds were routed through bank accounts arranged by the syndicate, after which the amount was withdrawn in cash and handed over to their associates in lieu of commission.

“The accused disclosed the involvement of other syndicate members who are presently absconding,” he said. Sources in Mumbai Police said investigation is under way to identify them.

(Edited by Nida Fatima Siddiqui)
