Sebi cautions listed cos over 'Boss Scam'

In a public statement, Sebi said perpetrators are increasingly deploying advanced techniques such as deepfake voice cloning and AI-generated video calls to impersonate company heads
SEBI
SEBI
Updated on
2 min read

Market regulator Securities and Exchange Board of India (Sebi) on Friday cautioned listed companies and regulated entities about an emerging cyber fraud known as the 'Boss Scam' or CEO/MD impersonation scam, in which fraudsters use artificial intelligence-driven deepfakes, voice cloning and malicious software to trick finance officials into transferring funds.

In a public statement, Sebi said perpetrators are increasingly deploying advanced techniques such as deepfake voice cloning and AI-generated video calls to impersonate company heads. The statement follows an alert from the Indian Cyber Crime Coordination Centre (I4C) about an emerging trend involving the impersonation of chief executive officers or managing directors using digital communication tools.

In a typical Boss Scam, fraudsters pose as senior executives through email, WhatsApp, Microsoft Teams or other social media platforms and instruct finance personnel to execute urgent fund transfers. These messages are often designed to appear confidential and may discourage verification, citing sensitive or unpublished information.

In some instances, fraudsters create fake social media groups to lend credibility to their requests. Another method involves sending malicious ZIP files containing malware. Once opened, these files can compromise systems, hijack WhatsApp Web sessions and enable fraudsters to send payment instructions from legitimate accounts.

Sebi further warned that attackers may alter contact details on compromised devices, replacing genuine numbers with fraudulent ones to mislead employees into transferring money.

"The malware hacks the system and hijacks the active WhatsApp Web session tokens. The fraudster gets access to the finance officer's WhatsApp account and then contacts accounts or finance employees, instructing them to make immediate payments to specified mule bank accounts," Sebi said.

The regulator advised companies to exercise caution and independently verify any financial instructions received through digital platforms by directly contacting the concerned official. It also urged firms not to act solely on messages received via social media or messaging platforms and to avoid installing unverified executable files.

Entities have been asked to immediately report any cyber fraud incidents through the national cybercrime helpline (1930) or the cybercrime reporting portal.

X
The New Indian Express
www.newindianexpress.com