SEBI Warns Listed Firms of AI 'Boss Scam' Fund Fraud Risks

SEBIEXCHANGE
Whalesbook Logo
AuthorAarav Shah|Published at:
SEBI Warns Listed Firms of AI 'Boss Scam' Fund Fraud Risks

SEBI has issued an alert to Indian companies regarding a rise in 'Boss Scam' frauds involving AI voice cloning and deepfakes. Fraudsters are impersonating top executives to trick finance teams into making unauthorized fund transfers. Companies are advised to implement strict independent verification protocols for all payment instructions received via digital channels.

The Securities and Exchange Board of India (SEBI) has released a formal caution to all listed entities and market participants concerning the growing threat of AI-driven financial fraud, specifically the 'Boss Scam.' This sophisticated method involves criminals impersonating CEOs, Managing Directors, and other senior officials to manipulate finance departments into executing unauthorized fund transfers.

According to the regulator, the threat is amplified by the use of artificial intelligence tools that can mimic human voices and create deepfake video calls. These technologies make fraudulent communications appear genuine, often reaching employees via common corporate communication platforms like Microsoft Teams, WhatsApp, and professional email accounts. The regulatory notice, which follows inputs from the Indian Cyber Crime Coordination Centre (I4C), points out that these schemes often begin with seemingly routine requests that pressure staff to bypass standard financial security checks.

Beyond direct impersonation, the regulator noted that fraudsters are distributing malware disguised as compressed ZIP files. When opened on a company computer, this software can hijack active WhatsApp Web sessions. This allows criminals to monitor ongoing business communications and send fraudulent payment instructions that appear to come from legitimate, active accounts.

To mitigate these risks, SEBI has directed companies to enforce strict, multi-layer verification procedures. Finance teams are advised never to process fund transfers based solely on instructions received through digital messaging platforms or email. Instead, every high-value or unusual transaction request should be confirmed through a direct, independent phone call or an in-person meeting with the senior official allegedly making the request.

The regulator also emphasized practical cybersecurity hygiene, such as regularly logging out of WhatsApp Web sessions on office computers and avoiding the execution of unknown files or attachments. If a company suspects it has been targeted or has fallen victim to such an incident, it is mandated to report the activity immediately to the national cybercrime helpline at 1930 or through the official government cybercrime portal. For investors, this warning highlights the necessity for listed companies to maintain robust internal financial controls and cybersecurity frameworks to protect corporate cash reserves from increasingly complex digital threats.

Disclaimer: This article is published for informational purposes only. This is not a buy sell recommendation.