India’s Securities and Exchange Board has warned listed companies and regulated entities that a “Boss Scam” campaign is using CEO impersonation, malicious ZIP files and hijacked WhatsApp Web sessions to trigger fraudulent fund transfers — a combination that puts Windows endpoints and finance workflows squarely in the blast radius.
SEBI’s July 17 advisory follows an earlier alert from the Indian Cyber Crime Coordination Centre, or I4C, which described attackers approaching chief executives, managing directors and other senior staff through email, WhatsApp and messaging platforms with urgent, authoritative requests. The end goal is not merely to impersonate a boss in a text chat. In the more damaging version, criminals compromise the executive’s Windows device and then send payment instructions from an authentic, already trusted WhatsApp account.
For Windows administrators, the warning is a useful reminder that business-email-compromise controls alone do not cover the modern payment-fraud chain. The initial lure can reach an executive through personal or corporate messaging, the malware can run locally, and the final instruction can arrive through a legitimate account in a tool the organization treats as informal collaboration.

A security analyst investigates a suspected deepfake CEO message and malware-laden payment attachment.The scam turns a trusted chat into a payment channel​

SEBI said the campaign relies on messages that appear to come from senior leaders and press accounts or finance personnel to send funds to designated bank accounts. A request may be delivered through email, WhatsApp, Microsoft Teams or other social platforms, frequently framed as urgent and confidential so normal approval procedures are skipped.
That basic executive-impersonation technique is familiar. What makes the current campaign more dangerous is the reported attempt to take over the executive’s real communications rather than rely solely on a cloned profile, spoofed address or newly registered phone number.
The I4C advisory, published through India’s Press Information Bureau in June, described a sequence in which fraudsters first impersonate a regulator — potentially invoking an urgent compliance failure or security directive — and send a compressed ZIP archive to a senior executive. The archive reportedly includes an executable and a DLL. Once the victim extracts and runs the files on a Windows desktop or laptop, the malicious program can establish persistence and target active WhatsApp Web sessions.
That is a meaningful escalation. A finance employee who receives a payment order from an unfamiliar number has an obvious warning sign. An employee who receives it from the CEO’s genuine WhatsApp account, complete with prior conversation history and a recognizable profile, has far less reason to pause unless the business has made independent verification a hard rule.
SEBI also highlighted the possibility of AI-assisted voice cloning and deepfake video calls, which could be used to reinforce the fraud after an initial message. In other cases, criminals reportedly alter a compromised user’s contact list so an attacker-controlled number appears under the name of a CEO or managing director. Neither a familiar display name nor a realistic voice should be treated as authorization for a financial transaction.

WhatsApp Web is the Windows-specific weak point​

The ZIP-file element deserves particular attention from Windows shops because it links a social-engineering event to a conventional endpoint compromise. The user does not need to hand over an OTP or scan a fraudulent QR code for the attacker to gain useful access. If a malicious program runs on the device hosting an active WhatsApp Web session, the attacker may be able to leverage that existing browser session to act as the executive.
In practical terms, the endpoint being targeted may be the laptop a director uses for Outlook, Teams, browser-based portals and WhatsApp Web. It may also be a home Windows PC used after hours, where corporate software restrictions are weaker and a “regulatory document” sent through WhatsApp feels less suspicious than it would in a formal mail client.
The attack also exposes a blind spot in many incident-response processes. Security teams often concentrate on the executive’s mailbox, Entra ID sign-ins and Microsoft 365 audit trails after an alleged CEO-fraud event. But if the decisive messages were sent through a hijacked WhatsApp Web session, the relevant evidence may sit on the Windows endpoint: downloaded archives, process execution, browser activity, persistence artifacts and unusual outbound network connections.
The immediate response after a suspected compromise should therefore include isolating the affected Windows machine, preserving forensic evidence, terminating the WhatsApp Web session from the linked-device list, resetting relevant credentials and checking the executive’s contacts for altered entries. Finance teams should be told that recent payment requests issued through the account are untrusted until independently validated.
A routine logout of inactive WhatsApp Web sessions, as SEBI recommends, reduces the time an old browser session remains valuable to an attacker. It does not replace endpoint security, but it closes a path that often remains open long after the business reason for linking the browser has ended.

The payment control matters more than the message filter​

There is no technical filter that can reliably determine whether a real CEO’s WhatsApp account is being used under duress or by a criminal who has commandeered an active session. The durable defense is a transaction process that does not allow any single chat message — no matter how authentic it appears — to create, alter or approve a payment.
SEBI’s advice is direct: organizations should independently verify fund-transfer instructions through a trusted channel by contacting the senior official, and should not approve transfers solely because of a message received through social media. That needs to be translated into a control staff can apply under pressure.
A practical policy should require a known, pre-registered callback number or a separate approval route in the finance system for:
  • Any urgent transfer request that bypasses the normal payment cycle.
  • Any change to beneficiary banking details.
  • Any request to keep a transfer confidential from usual approvers.
  • Any instruction received through WhatsApp, Teams, SMS, personal email or a voice call alone.
The important distinction is between confirmation and replying. Responding inside the same WhatsApp thread, calling the number displayed in the message, or accepting a video call initiated by the apparent executive does not independently verify anything. The organization needs a channel whose contact details and approval path were established before the incident.
For multinational firms, this is also a reason to examine whether finance teams have well-defined escalation coverage when executives are traveling or working across time zones. Fraudsters thrive on the claim that a normal approver is unavailable and money must move before a deadline.

Windows defenses can make the first click harder​

SEBI’s warning is primarily about fraud prevention, but Windows endpoint controls can limit the malware stage. Microsoft documents Attack Surface Reduction rules in Microsoft Defender as a way to curb risky behaviors associated with malware, including executable content delivered through email and webmail, suspicious scripts and other common infection paths.
Organizations using Microsoft Defender Antivirus with Intune or Microsoft Defender for Endpoint should review whether their estate is merely detecting risky activity or actively blocking it. Microsoft’s “Block executable content from email client and webmail” rule is particularly relevant to a campaign built around an archive that ultimately delivers an executable. App-control policies, least-privilege configurations and restrictions on running unapproved executables from user-writable locations provide additional friction.
The caveat is equally important: a ZIP attachment sent in WhatsApp is not necessarily covered in the same way as an email attachment. Administrators should test controls against the real delivery routes used in their environment, including browsers, downloaded archives and desktop messaging clients. Broad rules deployed without testing can interrupt legitimate line-of-business workflows, which is why Microsoft recommends staged, audit-first rollouts for many Attack Surface Reduction policies.
Security teams should also ensure that executives are not exempted from standard endpoint protections because they need flexibility. Senior leaders are attractive targets precisely because their devices, authority and access to financial decision-makers create an unusually high-value compromise.

This is a workflow attack, not just a malware alert​

The most useful reading of SEBI’s warning is that the “Boss Scam” is a blended attack: social engineering gets the file opened, Windows malware gets a foothold, a legitimate messaging session supplies credibility, and a weak payment workflow produces the financial loss.
That means the ownership cannot rest solely with the SOC or desktop engineering team. Treasury, accounts payable, executive support, legal, compliance and IT need one shared playbook for verifying unusual transfer requests and responding when an executive messaging account may be compromised.
SEBI’s advisory supplies the immediate action: distrust urgent payment demands received through chat, independently verify the requester, and do not run unverified compressed or executable files. For Windows administrators, the next milestone is more concrete: identify every executive device with WhatsApp Web in use, confirm the endpoint protections applied to it, and make sure finance has a payment-control process that still works when the message really does appear to come from the boss.

References​

  1. Primary source: The Hans India
    Published: 2026-07-17T15:45:05+00:00
  2. Related coverage: sebi.gov.in
  3. Related coverage: economictimes.indiatimes.com
  4. Related coverage: moneylife.in
  5. Related coverage: business-standard.com
  6. Related coverage: theprint.in