🔴 Caution / Press Release — Cybersecurity Advisory
Issued by SEBI (Communications Division) on 17th July, 2026 — PR No. 40/2026. This is an advisory to regulated entities and listed companies; it does not amend any regulation and takes effect immediately as a caution notice.
Background
SEBI has issued a press release cautioning regulated entities and listed companies about a fraud pattern the Indian Cyber Crime Coordination Centre (I4C) has flagged as an emerging trend — commonly called the "Boss Scam," or CEO/MD impersonation fraud. The advisory sets out the modus operandi in detail and lists precautionary steps for finance and accounts teams, who are the primary targets.
The scam exploits organisational trust and urgency — fraudsters impersonate a senior official and direct a subordinate, typically in finance, to transfer funds quickly, often invoking confidentiality to discourage the recipient from double-checking the instruction.
Modus Operandi
Target and Initiation
Fraudsters target a CEO or other high-ranking official by impersonating them, then communicate with that official's subordinates or counterparts through email, WhatsApp, Microsoft Teams, or other social media platforms — directing them to carry out instructions that ultimately result in a fund transfer to the fraudster.
Two Impersonation Strategies
📝 Strategy A — Deepfake Impersonation
Voice cloning, AI-generated video on calls impersonating the MD/CEO, and fake social media groups impersonating high-ranking officials.
📝 Strategy B — Malicious Zip Archive
A compressed .zip archive sent via message, containing a malicious executable (.exe) accompanied by a Dynamic Link Library (.dll) file. I4C observed that the impersonated "CEO" forwards this message to finance officers.
Fund Transfer Instructions (Strategy A)
❌ How the Instruction Is Delivered
Under Strategy A, the finance officer is instructed — via messages or fake calls on social media platforms — to transfer funds to a specified mule account. The instruction may also direct the officer not to disclose the transaction, framing it as Unpublished Price Sensitive Information (UPSI).
WhatsApp Web Hijacking (Strategy B)
❌ How the Malware Operates
When the finance officer extracts and runs the file on a Windows desktop or laptop, a Trojan dropper activates and hijacks the officer's active WhatsApp Web session tokens. The fraudster then gains access to that WhatsApp account and messages accounts/finance colleagues directly, instructing them to make immediate payments to mule bank accounts. In cases of full device takeover, fraudsters secretly relabel their own phone number under the CEO/MD's name in the victim's contact list, and use it to issue further instructions.
SEBI's Advisory to Regulated Entities and Listed Companies
✅ Recommended Precautions
- Remain cautious and cross-check requests received via WhatsApp, email, or social media by calling seniors directly
- Do not transfer funds solely on the basis of instructions received on social media platforms
- Do not install executables without verifying the sender's identity, including by call if the sender appears known
- Log out of any active WhatsApp Web sessions that are not currently in use
- Report any fraudulent activity or scam incident immediately to 1930 or www.cybercrime.gov.in
Compliance Checklist
☑ Finance/Accounts Teams: Independently verify any urgent fund-transfer instruction from a senior official by calling them directly, regardless of the channel it arrived on.
☑ All Employees: Never act on fund-transfer instructions received solely via WhatsApp, email, or social media without independent verification.
☑ IT/Security Teams: Reinforce policies against opening unsolicited .zip attachments or executables, even from apparently known senders.
☑ All Employees: Periodically log out of unused WhatsApp Web sessions on shared or work devices.
☑ Compliance/Company Secretary: Circulate this advisory internally and refresh fund-transfer authorisation protocols, especially requests citing UPSI confidentiality.
☑ All Entities: Establish an internal escalation path to report suspected incidents to 1930 or cybercrime.gov.in without delay.
CorpLawUpdates Analysis
What makes this advisory notable is the dual-vector nature of the attack — it doesn't rely on a single technique but combines social engineering (deepfake voice/video impersonation) with a technical malware payload (the Trojan dropper via .zip/.exe/.dll). Organisations that train staff only on phishing-email hygiene, without covering deepfake voice/video calls or messaging-app session hijacking, will have a real gap in their defences against this specific pattern.
The invocation of UPSI confidentiality to suppress disclosure is a particularly sharp social-engineering detail — it exploits listed companies' genuine internal norms around insider information to discourage a finance officer from raising the alarm or seeking a second opinion, which is usually the first line of defence against fraud.
For compliance officers and company secretaries, the practical response isn't just circulating this advisory once — it's building it into recurring fraud-awareness training and ensuring finance teams have a clear, pre-agreed verification protocol (e.g., mandatory callback on a known number) for any large or unusual fund transfer, regardless of how urgent or confidential the request is framed to be.
Given that I4C is the source of this intimation, expect further advisories of this kind as deepfake-enabled fraud techniques continue to evolve — this is unlikely to be a one-off caution.
Source: SEBI Press Release PR No. 40/2026 dated July 17, 2026, "Caution to Regulated entities and listed companies — Boss Scam," issued by the Communications Division, SEBI, Mumbai.
This article is for informational and educational purposes only and does not constitute legal or regulatory advice. Verify with primary regulatory sources before acting.



