India’s securities regulator, the Securities and Exchange Board of India (SEBI), issued an urgent advisory on July 17 after a sophisticated fraud campaign began targeting company executives with malware that hijacks their WhatsApp Web sessions — enabling criminals to send genuine-looking payment orders from the boss’s own account.
SEBI’s warning follows an earlier alert from the Indian Cyber Crime Coordination Centre (I4C), describing a wave of “Boss Scam” attacks that combine executive impersonation with malicious Windows executables. The result: finance teams see payment requests coming from the CEO’s actual WhatsApp number, with full chat history and a recognizable profile, making the fraud extraordinarily difficult to spot.
How the scam unfolds: from a ZIP file to a hijacked chat
The attack typically starts with a message that appears to come from a senior leader or even a regulator like SEBI itself. The victim — often a CEO, managing director, or other senior executive — receives an urgent request via email, WhatsApp, Microsoft Teams, or another messaging platform. The message is crafted to sound authoritative and confidential, pressuring the target to bypass normal procedures.
But this is not just a simple impersonation text. According to the I4C advisory and SEBI’s own investigation, the initial lure often includes a compressed ZIP archive. Inside the archive sits an executable file and a DLL. Once the victim extracts and runs the files on a Windows desktop or laptop, the malicious program can establish persistence and scan for active WhatsApp Web sessions.
WhatsApp Web mirrors a user’s phone account through a browser or desktop app. If an executive has WhatsApp Web open on the infected machine, the malware can exploit that session to send messages as if they were the legitimate user. The attacker doesn’t need to steal a one-time password or trick the victim into scanning a QR code — the running malware simply uses the already authenticated browser connection.
From there, the attacker sends payment instructions to the finance department. Because the messages arrive from the executive’s genuine WhatsApp account, complete with prior conversation history and contact photo, the recipient has no obvious warning sign. “Urgent” and “confidential” requests to wire funds to a designated account bypass normal skepticism, especially if the communication is framed as time-sensitive and the normal approver is claimed to be unavailable.
SEBI also highlighted that criminals are increasingly using AI-assisted voice cloning and deepfake video calls to reinforce the fraud. In some cases, the attacker alters the compromised device’s contact list so an attacker-controlled number displays under the CEO’s name. The old advice to “call and verify” becomes useless if the voice on the other end sounds exactly like the boss.
Windows at the center: why the endpoint matters
The malware stage makes this a distinctly Windows threat. While the social engineering can happen on any device, the executable payload targets Windows machines — often the laptops that executives use for daily work, personal PCs used after hours, or shared devices that may lack strict security controls.
A security team investigating a fraudulent transfer might focus on email gateways, Entra ID sign-ins, and Microsoft 365 audit logs. But if the critical instructions were sent through a hijacked WhatsApp Web session, those systems show nothing amiss. The evidence lives on the Windows endpoint: downloaded archives, process execution records, browser activity, and outbound network connections.
This changes the incident response playbook. After a suspected compromise, isolating the affected Windows machine and preserving its forensic state becomes as important as resetting passwords. The first steps should include:
- Disconnecting the machine from the network
- Terminating all active WhatsApp Web sessions from the “Linked Devices” list in the WhatsApp mobile app
- Checking the executive’s contacts for altered entries
- Notifying finance to freeze any recent payment requests coming from that account until independently verified
SEBI also recommends regularly logging out inactive WhatsApp Web sessions. Many users leave a browser tab open for weeks after a one-time need. That stale session gives attackers a long-lived window of opportunity once malware is installed.
Who’s at risk — and what it means for different readers
For finance teams and executive assistants: Any payment order that arrives via chat — WhatsApp, Teams, SMS, or even a personal email — should not be acted on solely because of the message. An authentic-looking message from the CEO’s real account is exactly what this scam aims to produce. A robust policy must require independent verification through a channel established before the request. That means calling a pre-registered phone number, using a separate approval workflow in the ERP system, or confirming in person. Replying in the same chat thread or calling the number listed in the message does not constitute verification.
For IT and security administrators: Executive endpoints are now the frontline. If senior leaders are exempted from standard protections “because they need flexibility,” that creates a high-value attack surface. Review whether Microsoft Defender’s Attack Surface Reduction (ASR) rules are applied to these machines — particularly the rule “Block executable content from email client and webmail.” But note: a ZIP attachment delivered through WhatsApp might not be covered by an email-specific rule. Test controls against real-world delivery paths, including browser downloads and desktop messaging clients. Consider additional layers like AppLocker or Windows Defender Application Control to restrict execution from user-writable directories.
For everyday Windows users (including executives at smaller firms): Beware of compressed files or executables even when they appear to come from a known contact. The sender’s account may already be compromised. Verify unexpected attachments by a separate communication method. If you use WhatsApp Web, log out when not in use, and watch for suspicious behavior on your device — unexplained CPU spikes, new startup programs, or unusual network connections could indicate a compromise.
How to harden your organization against a blended attack
- Rewrite the payment approval workflow. Establish that no single electronic message — in any app — can initiate, modify, or approve a financial transfer. Require dual authorization for urgent or non-standard requests, and block transfers based solely on chat instructions.
- Lock down executive endpoints. Enforce the same security policies on CEO laptops as on any other corporate device. Deploy Microsoft Defender ASR rules in block mode after adequate testing. The “Block executable content from email client and webmail” rule is a start, but supplement it with rules that block suspicious scripts and processes commonly abused by malware.
- Monitor for WhatsApp Web anomalies. While most endpoint detection and response (EDR) tools don’t directly track browser-based WhatsApp sessions, they can flag the initial malware execution, persistence mechanisms, and unusual outbound connections. Ensure your security operations center (SOC) has a playbook for investigating executive devices when a suspicious payment request surfaces.
- Educate relentlessly. Train staff to recognize the pattern: urgent, confidential requests delivered through informal channels, often accompanied by a file attachment or a link. Make it acceptable to slow down and verify, even under pressure. Share real-world examples from SEBI’s advisory to make the threat concrete.
- Run tabletop exercises. Simulate a scenario where an executive’s WhatsApp account sends a payment order. Walk through the response steps: who isolates the machine? How is finance notified? Who verifies the message? Which credentials get reset? This surfaces gaps before real money moves.
How we got here: the evolution of the Boss Scam
Executive impersonation fraud is not new. For years, attackers relied on spoofed email addresses, lookalike domains, and simple text messages. Organizations responded with DMARC, advanced email filters, and user training. Fraudsters adapted by moving to messaging apps, where trust is more implicit and technical filters are weaker.
The latest iteration raises the stakes by weaponizing the very platform that was supposed to be a secondary, informal channel. Instead of creating a fake profile or spoofing a number, attackers take over the actual account. The malware component — delivered as an innocent-looking ZIP — bridges the gap between social engineering and endpoint compromise. This isn’t a WhatsApp vulnerability; it’s a Windows malware problem combined with a payment-process weakness.
SEBI’s involvement signals that regulators see this not just as a cybercrime issue, but as a governance failure. Listed companies and regulated entities are expected to have internal controls that survive a compromised communications account. The advisory places responsibility squarely on organizations to build payment processes that don’t rely on a single, easily subverted channel.
Outlook
SEBI has directed regulated entities to put stringent controls in place and warned that non-compliance could invite regulatory action. That means boardrooms and compliance teams can no longer treat the Boss Scam as a distant IT problem. Microsoft too may face pressure to enhance Windows security defaults — for example, by extending ASR rules to cover a broader range of delivery vectors or by integrating better clipboard and session protections in the Edge browser where WhatsApp Web often runs.
For now, the most effective defense remains a simple rule: if the boss asks for money on WhatsApp, pick up the phone — and call a number you already have on file.