SEBI has issued a formal warning to all listed companies regarding a rise in 'Boss Scam' fraud, where criminals use AI voice cloning and deepfakes to trick finance teams. The regulator is urging firms to implement stricter verification processes for all fund transfers to prevent unauthorized payments and data breaches.
The Securities and Exchange Board of India (SEBI) has released a critical advisory for all listed companies and regulated financial entities, warning them of a rising threat known as the 'Boss Scam.' This type of cyber fraud targets finance and accounts departments by impersonating high-ranking company officials, such as CEOs or CFOs, to manipulate them into making unauthorized, urgent fund transfers.
According to the regulator, the sophistication of these attacks has increased significantly due to the use of artificial intelligence. Criminals are now employing AI-powered voice cloning and deepfake technology to conduct video calls or voice messages that appear authentic. By mimicking the identity of a senior executive, scammers pressure employees to bypass standard financial controls to process immediate payments to external bank accounts.
The regulator, citing data from the Indian Cyber Crime Coordination Centre (I4C), noted that scammers are also using technical methods to compromise corporate devices. One common tactic involves sending malicious files in compressed ZIP formats. When these files are opened, they can install malware that hijacks active WhatsApp Web sessions. This gives attackers control over an employee's communication channels, allowing them to send fraudulent payment instructions to other staff members or alter contact lists to replace legitimate executive contacts with their own numbers.
Recommended Security Measures
To mitigate these risks, SEBI has outlined specific verification protocols for companies. Organizations are advised to verify the authenticity of any urgent or sensitive request—especially those related to financial transactions—by contacting the senior official directly through a pre-established, trusted communication channel. The regulator emphasized that fund transfers should never be executed based solely on instructions received via email, WhatsApp, or other social media platforms, even if the sender appears to be a senior leader.
Additionally, companies are encouraged to implement strict cybersecurity hygiene. This includes regular logging out of WhatsApp Web sessions on office computers, training employees to recognize suspicious communication patterns, and avoiding the opening of executable files from unknown or unverified senders. Any suspected fraud attempts should be immediately reported to the national cybercrime helpline at 1930 or through the official government cybercrime portal.
For investors, this advisory highlights the increasing operational risks associated with digital transformation and cyber security in the modern corporate environment. While these scams primarily target internal financial controls, the potential for significant financial loss or data leakage remains a material risk for any company. Moving forward, the effectiveness of a company’s internal security policies and its ability to prevent such social engineering attacks will be a relevant aspect of operational oversight.
