Fraud Alert: Boss Scam 2.0 & Risky Attachments on WhatsApp
A WhatsApp message pings on a company director's phone. "Your company account is going to be closed. Please verify immediately." There is a ZIP file attached. The tone is urgent; the language official; and it even drops in something about ‘compliance requirements’. Sometimes it claims to be from the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), or some other regulator that sounds important enough not to ignore.
So, the director does what any of us might do — forwards it to the compliance or accounts team and asks them to sort it out. One member of this team opens the ZIP file.
What happens next takes minutes, not days. Cybercriminals slip into the company's WhatsApp communications. Within hours, employees start receiving instructions that appear to come straight from the chairman, the managing director (MD), or the chief executive officer (CEO) — telling them to urgently release payments. By the time anyone stops to ask, "Wait, is this real?" crores of rupees have already vanished into a maze of mule accounts.
This is what investigators have started calling the ‘Boss Scam’ — and its newest version is proving far more dangerous than anything that came before it.
If you are wondering what changed, here is the short version. The earlier avatar of this fraud — call it Boss Scam 1.0 — relied on fake email IDs, cloned WhatsApp profiles, or spoofed caller IDs to bully finance teams into transferring money fast. It worked, but it had a weakness: a sharp employee could sometimes spot the fake.
The new version removes that safety net entirely. There is no impersonation, no cloning, no spoofing. The fraudsters simply take over the real WhatsApp account. And once they are inside, every message looks exactly as it should — because it genuinely is coming from the boss's own number.
The ₹7.8 Crore Lesson
This scam grabbed headlines recently, after former member of Parliament (MP) Naresh Gujral — son of former prime minister (PM) IK Gujral — was allegedly defrauded of ₹7.8 crore through a string of fake transfers.
Here is the part that should worry every business owner: investigators say the fraudsters never touched a bank's systems and never cracked any encryption. They didn't need to. All they had to do was exploit something far more basic — human trust.
It started, as these things usually do, with a message dressed up as an urgent compliance notice. It eventually landed with an accountant, who clicked on the attached ZIP file, thinking it was just another document to deal with.
That single click was enough. It allowed the attackers to quietly take over the device and, through it, the WhatsApp account itself. From there, using the company owner's genuine account, they posed as him and told the accountant to push funds via RTGS to a string of accounts controlled by the fraud network.
The money didn't sit anywhere for long. It was bounced across dozens of mule accounts in different states almost immediately which is exactly why recovering it has proven so difficult.
Why ZIP Files Are the New APK Trick
For years, the go-to weapon for cybercriminals was the malicious APK (Android package kit) file. It is still very much in use. But something has shifted. Fraudsters are now leaning more on ZIP files sent over WhatsApp and email.
These ZIP files usually carry malicious Windows executables (.exe) files, sometimes paired with dynamic link libraries (.dll) files that help them run. To anyone opening it, the file looks harmless enough: a compliance document, maybe, or a security patch, or an audit report.
But once it is extracted and opened on a Windows computer, the malware quietly installs itself in the background and starts communicating with servers controlled by criminals.
According to the Indian cybercrime coordination centre (I4C), these attacks are increasingly aimed at CEOs, promoters, finance heads and other senior executives — for a simple reason. Crack open one executive's account and you may have just unlocked the whole organisation.
How the Boss Scam 2.0 Actually Plays Out
Break it down, and the scam follows a fairly predictable five-step pattern.
Stage 1: Manufacturing Panic. The fraudster poses as a regulator, a bank official, or some government authority. The message hints at a compliance breach or a security gap that needs fixing — right now. A tight deadline is dropped in on purpose, so the recipient acts first and thinks later.
Stage 2: Slipping in the Malware. The victim receives a ZIP file via WhatsApp or email. Tucked inside is a malicious program. Because it is compressed, most people assume it is just a regular document — nothing to be wary of.
Stage 3: Taking Over the Device. The moment the file is opened, the malware installs itself on the Windows machine. I4C notes that it can dig in, take control of the system and lift active WhatsApp Web session tokens — meaning criminals can access ongoing WhatsApp conversations without ever needing to physically hold the victim's phone.
Stage 4: Playing the Boss. Once inside, the fraudsters don't rush. They read through old conversations, determine who reports to whom and identify exactly who has the authority to approve payments. Then, using the executive's real account, they start messaging the finance team directly. Since the messages are coming from a genuine number, nobody thinks twice.
Stage 5: Moving the Money. The instructions arrive — pay this vendor, settle this acquisition, handle this ‘urgent’ matter quietly. Employees comply, the money moves into mule accounts and it is spread across multiple banking channels before anyone realises something is wrong.
The Contact List Trick
I4C has flagged another twist worth knowing about. In some cases, once attackers have full control of a device, they don't stop at hijacking the account — they go further and edit the device's contact list. They add a new number, one they control, and save it under the CEO's name.
The result? Employees see a familiar name pop up on their screen, not a string of unfamiliar digits, and naturally assume they are talking to their boss. It is a small trick, but it works precisely because most of us trust the name on the screen far more than we would ever bother checking the actual number behind it.
Why Even Sharp Employees Get Caught Out
There is a comforting myth that only careless or inexperienced people fall for scams like this. It is not true.
What makes Boss Scam 2.0 an effective fraud is not clever technology — it is clever psychology. The message feels urgent. It sounds authoritative. It comes from a name you trust, on an account that is genuinely theirs, presented as confidential and not to be discussed openly.
Every single element is designed to exploit how we behave at work. Most employees are trained, almost instinctively, to respond quickly when a senior leader asks for something. Cybercriminals know this — and they use it against the very people who would never imagine they could be fooled.
Red Flags Worth Knowing
A few warning signs should make anyone pause:
• A senior executive asks for an urgent fund transfer entirely over WhatsApp, with no other confirmation.
• A message insists on immediate compliance with some regulator's ‘instruction’.
• An unexpected ZIP file shows up out of nowhere.
• The attachment contains .exe or .dll files.
• Payment instructions point to a new or unfamiliar beneficiary account.
• Staff are told, directly or indirectly, not to verify the request through usual channels.
• There is an odd sense of urgency or secrecy hanging over the transaction.
And one rule worth remembering above all: regulators like RBI or SEBI simply do not send mandatory software updates, compliance tools, or security patches through WhatsApp. If a message claims otherwise, that alone should be enough to raise suspicion.
What Companies Need To Do, Starting Now
I4C's advice is straightforward — no financial transaction should ever be approved purely on the strength of a WhatsApp message or an email. Every urgent payment request deserves a quick phone call, video call, or face-to-face check before anyone acts on it.
Beyond that, organisations should:
• Block unauthorised .exe and .dll files from running.
• Restrict employees from installing software on their own.
• Check WhatsApp's ‘Linked Devices’ list regularly.
• Log out of any unfamiliar WhatsApp Web sessions immediately.
• Keep endpoint security tools updated.
• Run regular phishing and cyber-awareness drills for staff.
• Put dual or multi-level approvals in place for high-value payments.
CERT-In Flags a Parallel Threat: Fake ‘Invoices’ Carrying Malware
The Indian Computer Emergency Response Team (CERT-In) has issued a separate advisory warning of another large-scale WhatsApp campaign, this time using VBScript (.vbs) files instead of ZIPs. Attackers first hijack a real WhatsApp account, then send the malicious file disguised as an invoice, bank statement, or similar financial document — with file names in multiple languages, showing how broadly the campaign is being cast. Once opened, the script quietly installs a remote-access tool on the victim's device, giving attackers full control, stolen credentials and a foothold for further attacks.
CERT-In's advice largely echoes existing precautions: verify unexpected attachments with the sender, avoid risky file types like .vbs, .exe, .bat (batch file with Windows script that runs system commands in order), and .js (JavaScript), enable multi-factor authentication (MFA), download software only from official sources, never share passwords or OTPs over chat, and report suspicious messages.
Two different campaigns, same underlying playbook — hijack trust, disguise the malware as something routine and let habit do the rest.
This Is a Business Risk, Not Just an IT Problem
The Boss Scam has outgrown its old label of ‘cybercrime’. At this point, it is a genuine threat to business continuity.
Unlike traditional hacking, the attackers don't need to break into any bank's systems. All it takes is convincing one employee to open one file they shouldn't have.
What happened with the former MP shows just how quickly a hijacked WhatsApp account can turn into a multi-crore loss — and how little time there is to react, once the fraud is set in motion.
As these criminals keep refining their methods and aiming higher up the corporate ladder, it is worth remembering that cybersecurity is not something you can entirely leave to the IT department anymore. It belongs in the boardroom too — a responsibility shared by promoters, CEOs, finance teams and every employee in between.
If an unexpected ZIP file (or with .vbs, .exe, .bat and .js extensions) lands in your inbox claiming to be from your senior, a regulator or a government authority, stop before you click.
That one pause could be the difference between business as usual and a loss running into crores.
Stay alert, Stay safe!
