Boss Scam: fake CEO and RBI WhatsApp transfer fraud (India, 2026)
India's cybercrime agency has flagged a corporate fraud it calls the "Boss Scam." Criminals hijack a company chief's WhatsApp account, or rebuild the chief's profile photo and name on a brand-new number, then message the finance team as the boss and demand an urgent, confidential, high-value transfer. Some versions add a layer: the fraudster first poses as the Reserve Bank of India to pressure the executive. Here is exactly how it runs and the one rule that stops it.
Verdict: corporate impersonation fraud
If "your boss" or "the RBI" messages you on WhatsApp from a new or changed number and orders an urgent, secret, high-value bank transfer, it is the Boss Scam, not a real instruction. India's I4C (Indian Cyber Crime Coordination Centre, under the Ministry of Home Affairs) issued a fresh advisory in late June 2026 about it. Fraudsters either take over a company chief's actual WhatsApp account, or copy the chief's profile photo and display name onto a new number, then message a junior in the finance team posing as the boss. The order is always the same shape: pay this account now, keep it confidential, do not call me, close the deal before it expires. Some versions first impersonate the Reserve Bank of India to spook the senior executive into cooperating. The tell never changes: a real boss or the RBI does not issue urgent confidential payment orders over WhatsApp from an unfamiliar number. Verify every payment instruction out of band: call the executive on their known number, route it through a second approver, and never act on a chat message alone. Report attempts at cybercrime.gov.in or by calling 1930. This is the WhatsApp cousin of the classic CEO wire-transfer (whaling) scam and the deepfake CEO video call.
How the Boss Scam actually runs
The scam has two jobs: become the boss in the target's eyes, then push a payment through before anyone checks. It usually plays out in stages.
First, the criminals choose a company and learn who is who. Public sources do most of the work: a company website, LinkedIn, news articles, a press release naming the managing director and the finance head. They want the chief executive's name and photo, and the name of a junior or mid-level person in accounts or finance who can move money.
Second, they take over the chief's identity on WhatsApp. The strongest version actually hijacks the executive's real account, often by tricking them into sharing a 6-digit WhatsApp verification code or approving a linked-device request. When that fails, the simpler version is enough: they set up a fresh number, paste the executive's real profile photo and full name onto it, and that alone passes a glance on a phone screen. A subordinate sees the boss's face and name pop up and rarely questions the unfamiliar number.
Third, they message the finance person as the boss. The script is built from three levers: authority ("this is the MD"), urgency ("the deal closes today, send it now"), and secrecy ("do not discuss this with anyone, it is confidential until we announce"). Often there is a cover story: a vendor that must be paid immediately, an acquisition, a regulatory deposit, a tax payment. The bank account details arrive in the same chat. In the RBI-flavoured version, the fraudster first contacts the senior executive posing as the Reserve Bank of India, citing some compliance issue, to manufacture the pressure that gets passed down the chain.
Fourth, the money moves, and only afterward does anyone call the real boss and discover the boss never sent anything. By then the funds have been pulled out of the receiving account and the trail has gone cold.
The tools that make it convincing
I4C's advisory points at the kit these crews now use, and it is worth knowing because it raises the bar on what looks "real."
- Lookalike corporate domains. A near-copy of the company's email or website domain, sometimes with a swapped letter or an extra word, used to send a follow-up "confirmation" email that backs up the WhatsApp order. This is where browser-layer checking matters, because the spoofed login or document portal lives on a domain that is not the company's real one.
- Fake executive social and WhatsApp profiles. The chief's photo and name lifted onto a new account, sometimes a cloned LinkedIn profile too, so any cross-check the target does still shows the boss's face. We break this pattern down in our social media account cloning piece.
- AI-generated text and voice. The messages read in the executive's tone, and if the target asks to hear the boss, a short AI-cloned voice note can answer in a passable imitation. A live video version exists too, covered in our deepfake CEO video fraud piece.
- Malware hidden in "official document" attachments. An attachment dressed up as an invoice, an agreement, or an RBI notice that drops malware when opened, giving the crew a foothold inside the company or harvesting more credentials.
None of this changes the underlying con. The fanciest deepfake still ends with the same ask: move money now, quietly, without verifying.
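The lookalike-domain check described in the first bullet can be run on the sender domain of any "confirmation" email before it is trusted. The sketch below is an added example, not SafeBrowz's or I4C's code; `examplecorp.in`, `classify` and `osa_distance` are assumed names, and it goes slightly beyond the swapped-letter and extra-word cases in the text by also flagging Punycode labels and the company name on a different parent domain.

```python
# Constructed sample value: the organisation's real domain(s).
TRUSTED = ("examplecorp.in",)

def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and swapping two
    adjacent characters each cost 1 (optimal string alignment)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]

def classify(host: str, trusted=TRUSTED) -> str:
    """Return a verdict for the domain of a sender address or link."""
    host = host.strip().lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    labels = host.split(".")
    # Punycode or raw non-ASCII labels can render like Latin letters.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "idn-review"
    for real in trusted:
        brand = real.split(".")[0]  # simplification: first label is the brand
        if brand in labels:
            return "brand-on-foreign-domain"  # different TLD or parent domain
        if any(brand in l for l in labels):
            return "extra-word"
        limit = 1 if len(brand) < 8 else 2  # short names: stricter threshold
        for token in (t for l in labels for t in l.split("-")):
            if 0 < osa_distance(token, brand) <= limit:
                return "near-miss"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample hosts, one per lookalike pattern.
    for h in ("mail.examplecorp.in", "exampelcorp.in", "examp1ecorp.in",
              "examplecorp-payments.in", "examplecorp.co", "ex\u0430mplecorp.in"):
        print(f"{h!r:32} {classify(h)}")
```

Anything other than "trusted" on a message that carries a payment instruction is a reason to stop and verify on a known number; "unrelated" only means the domain does not resemble the company's, not that it is safe.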
Red flags that you are in a Boss Scam
- A payment order arrives over WhatsApp or text, not the normal channel. Real high-value transfers run through a documented process, not a chat from the boss's phone.
- It comes from a new or changed number. Even if the photo and name match the boss, an unfamiliar number behind a sudden payment demand is the single biggest tell.
- Urgency plus secrecy together. "Do it now" and "do not tell anyone" in the same message is the manipulation. Legitimate confidential deals still survive one phone call to confirm.
- You are told not to call. "I am in a meeting, just message me," or "do not phone, it is sensitive," exists only to block the one check that breaks the scam.
- A new beneficiary account you have never paid before. First-time account details delivered inside the same urgent chat deserve full verification, every time.
- An RBI or regulator angle. The Reserve Bank of India does not message company officials or executives on WhatsApp to order transfers. Verify anything claiming to be the RBI only through rbi.org.in.
- A backing email from a near-miss domain. A confirmation email whose domain is almost, but not exactly, the company's real one.
- An attachment you are pushed to open quickly. An "official document," invoice, or notice you are urged to open before paying can carry malware.
What to do
- Verify out of band, always. Call the executive on their known, saved number, or speak to them in person, before moving a rupee. Do not reply in the same chat to confirm, because you would just be asking the fraudster.
- Use a second approver for payments. Any high-value or first-time transfer should need two people. A single chat message must never be enough to release funds.
- Slow the urgency down on purpose. A genuine deal does not collapse because you took ten minutes to confirm the instruction through the proper channel. Pressure to skip that step is the scam.
- Never treat a WhatsApp or text instruction as authorisation. Make it a written rule in the finance team: chat messages are not payment orders, full stop.
- Do not open pushed attachments. Treat any "urgent official document" tied to a payment demand as suspicious until verified through a known channel.
- If money already moved, act in minutes. Call your bank to attempt a recall and freeze, then report immediately. Speed decides whether funds can be held.
How to report it in India
- Call the national cybercrime helpline 1930 as soon as money has moved. Fast reporting gives the best chance of holding funds in the receiving account.
- File at cybercrime.gov.in, the National Cyber Crime Reporting Portal, with the numbers, chats, account details, and any emails.
- For anything claiming to be the central bank, verify only via rbi.org.in. The RBI publishes its own fraud awareness material and never messages company executives on WhatsApp to order transfers.
- Tell your bank right away. A recall request and account freeze are time-sensitive, so the bank call should not wait for the police report.
- Warn your own team. If one finance person was targeted, the others likely will be too. A quick internal heads-up stops the second attempt.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database plus homograph and Punycode checks, all running inside the extension before a page renders. It catches the lookalike corporate-login or document portal a Boss Scam uses to back up its order, where a near-copy domain pretends to be the company's real site.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam TLD lists, so a malicious "official document" link or credential-harvest page that is already reported gets flagged before you click.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis flags a brand-new impersonation page, including a fresh fake login or fake RBI notice that copies real styling and exists only to capture credentials.
Honest scope: SafeBrowz works on the web layer, the malicious links and impersonation pages a Boss Scam leans on. It flags the lookalike corporate-login page, the fake document portal, and the malicious attachment link before you act on them. What it cannot do is read a WhatsApp message or block a wire transfer your own bank sends, so the core defence stays human: verify every payment instruction out of band, on a known number, with a second approver. SafeBrowz hardens the web side of the attack; the human verification rule beats the rest.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Where browser-layer defense fits
The Boss Scam lives mostly in chat, but it almost always reaches for the web to look legitimate: a confirmation email with a login link, a document portal, a fake invoice page, a credential-harvest form on a domain that is one letter off the company's real one. That is the moment a browser-layer scanner earns its keep. SafeBrowz is a free extension for Chrome, Firefox and Edge (Safari coming soon), plus a live SafeBrowz Android app, that checks every URL before it renders against a 550+ brand database, with 60+ URL pattern signatures and an optional AI deep scan. Learn how to tell if a website is a scam, see how the same playbook runs as a CEO wire-transfer scam over email, and install SafeBrowz, then pair it with the rule that beats this whole category: never authorise a payment from a chat message without verifying out of band.
Install SafeBrowz free
Add the browser extension, or the live SafeBrowz Android app, that runs every web check in this article automatically, on every page, before it renders. It flags the lookalike corporate-login pages, fake document portals, and impersonation domains a Boss Scam uses to look real. Free forever, with optional Premium AI deep scan at $14.99 per year.
Frequently asked questions
What is the Boss Scam that I4C warned about?
It is a corporate impersonation fraud flagged by India's I4C (Indian Cyber Crime Coordination Centre, under the Ministry of Home Affairs) in a late-June 2026 advisory. Criminals hijack a company chief's WhatsApp account, or copy the chief's profile photo and name onto a new number, then message the finance team posing as the boss and order an urgent, confidential, high-value bank transfer. Some versions first impersonate the RBI to pressure the senior executive. The goal is to get money wired to a fraudster's account before anyone verifies the order with the real boss.
Does the RBI ever message executives on WhatsApp?
No. The Reserve Bank of India does not message company officials or executives on WhatsApp to order transfers or demand payments. Any WhatsApp or text claiming to be the RBI and pushing an urgent confidential transfer is a scam. Verify anything claiming to be the RBI only through its official site, rbi.org.in. The RBI does not run urgent payment demands through chat apps.
How do I tell a hijacked boss account from the real one?
The strongest tell is the channel and the ask, not the photo. A real boss does not order an urgent, secret, high-value transfer over WhatsApp, especially from a new or changed number, and does not tell you not to call to confirm. Even if the profile photo and name match, treat any payment instruction in chat as unverified. Call the executive on their known, saved number, or check in person, before moving money. Never reply in the same chat to confirm, because you would only be asking the impostor.
The deal really is urgent. Should I still verify first?
Yes, always. Genuine business deals survive a ten-minute verification call through the proper channel. The combination of urgency and secrecy, plus pressure not to phone anyone, is the manipulation itself, not a sign the deal is real. Use a second approver for any high-value or first-time transfer, and make it a written team rule that a chat message is never payment authorisation. If the instruction is genuine, the boss will confirm it on a known number without complaint.
Money already went out. What do I do right now?
Act within minutes. Call your bank immediately to request a recall and freeze on the receiving account, since speed decides whether funds can be held. Then call the national cybercrime helpline 1930 and file a report at cybercrime.gov.in with the numbers, chat logs, and account details. Do not wait for the police report before calling the bank, and warn the rest of your finance team so the next attempt fails.
Related SafeBrowz coverage
- CEO wire-transfer (whaling) scam: how it works
- Deepfake Zoom CEO video call fraud
- WhatsApp 6-digit code account takeover scam
- Social media account cloning scam
- Digital arrest scam: fake police and court calls
- Fake invoice and callback-number scam
- Spear phishing and LinkedIn profiling
- How to tell if a website is a scam
- I got scammed: what to do in 2026
Bottom line: The Boss Scam wins by becoming the boss in your eyes and rushing you past the one check that breaks it. A real CEO or the RBI never orders an urgent, secret, high-value transfer over WhatsApp from a new number. Verify every payment instruction out of band on a known number, require a second approver, and keep SafeBrowz on your browser and phone so the lookalike login pages and fake document links behind the con get flagged before you act.