Boss Scam in India: How CEO and CFO Impersonation Fraud Actually Works — iTechFixr Infotech LLP

💡 In Simple Terms (For Beginners)

A scammer sends an email pretending to be the company CEO, asking a staff member to make an urgent payment or purchase gift cards for a client. Because it seems to come from the "boss," employees comply without double-checking. This is called CEO impersonation.

Summary
  • "Boss scam" tricks a junior employee into an off-process transfer by impersonating a senior executive.
  • Isolation and urgency are the mechanism — not the size of the amount requested.
  • Dual authorization and a callback rule break the pattern regardless of channel.

THREAT INTEL · July 21, 2026 · 7 min read · By Hardik Patel

"I'm in a board meeting, keep this confidential" — that single line has moved more fraudulent money out of Indian businesses than almost any technical exploit. Boss scam impersonates authority to bypass judgment, and it hasn't slowed down; it has just moved onto faster channels.

Table of Contents - The Sequence, Step by Step - Why Indian Businesses Are Frequent Targets - Controls That Actually Break This Pattern - A Pattern iTechFixr Sees Repeatedly - Key Takeaways - Frequently Asked Questions - How iTechFixr Can Help

The Sequence, Step by Step

Boss scam follows a fixed five-step pattern: identify a target with payment authority, impersonate a senior executive, create urgency and isolation, request a transfer framed as routine, then disappear once the money moves.

1. Identify the target inside the company. Not the CEO — someone junior enough to feel obligated to comply quickly, senior enough to actually authorize a payment. Usually someone in accounts, finance, or admin.

2. Impersonate someone with authority. Email spoofing, a lookalike domain, or a WhatsApp account carrying the executive's name and photo. The borrowed identity matters more than the channel used to deliver it.

3. Create isolation and urgency. "I'm traveling," "keep this confidential for now" — every line exists to prevent the employee from checking with anyone else before acting.

4. Request the transfer. Framed as routine: a vendor payment, an advance, a tax settlement. Unusual framing invites questions, so the request is deliberately made to sound ordinary.

5. Disappear. Once funds move, the account goes silent or is deleted entirely, closing the loop before anyone can trace it back.

Why Indian Businesses Are Frequent Targets

[Likely] Smaller and mid-sized Indian firms often run approval processes informally, where a verbal or chat-based go-ahead from a director is standard practice rather than an exception — and that informality, which normally makes a business efficient, is precisely what this scam is engineered to exploit.

Larger companies with layered sign-off processes aren't immune either — the scam simply adapts by targeting the specific approver in the chain who has both the authority and the pressure to act fast, whether that's a regional finance head or a single-signatory director in a smaller firm.

Controls That Actually Break This Pattern

Dual authorization above a set threshold, with zero exceptions for "urgent" requests, closes this gap more reliably than any awareness poster — because urgency is the attack itself, not a legitimate reason to skip a step.

Build these into your standing process, not just team memory:

  1. Dual authorization on any transfer above a defined threshold — no exceptions, regardless of who is asking or how urgent it sounds.
  2. A callback policy: any executive-authorized payment gets confirmed by phone to a number already on file, every time, before it's processed.
  3. Written escalation paths so a junior employee never has to decide alone whether an "urgent and confidential" instruction is genuine.
  4. Regular awareness refreshers, since this scam specifically relies on employees not having seen the exact pattern before.

See our companion piece on WhatsApp impersonation scams for the specific delivery method this fraud most often uses in Indian businesses today.

A Pattern iTechFixr Sees Repeatedly

Hardik Patel, CEH-certified cybersecurity trainer and founder of iTechFixr Infotech LLP, Pimpri-Chinchwad, has flagged boss scam attempts as one of the most consistently reported incidents during client onboarding conversations — almost always caught by an employee who paused to make one phone call, not by any software.

That single data point is worth repeating to your own team: in every case we've reviewed where the scam was stopped, it was stopped by a person choosing to verify, not by a filter or a firewall.

Key Takeaways

  • The five-step sequence — target, impersonate, isolate, request, disappear — is consistent across most reported cases.
  • Urgency and confidentiality are control tactics designed to prevent verification, not genuine business needs.
  • Dual authorization with no urgency exceptions is the single strongest structural defense.
  • Awareness training works because this scam depends on employees not recognizing the pattern.

Frequently Asked Questions

Q: How is a boss scam different from a phishing email?

A: Phishing usually targets credentials through a fake link. A boss scam targets a person's judgment directly, asking them to act on an instruction rather than click anything — which makes it harder for technical filters to catch.

Q: Who inside a company is usually targeted?

A: Typically finance, accounts, or admin staff who have the authority to move money but may not feel able to question a senior executive's instruction without a clear, sanctioned process for doing so.

Q: What's the single most effective control against this?

A: A callback-verification rule — no payment moves without a phone confirmation to a known, saved number, regardless of how urgent or confidential the message claims to be.

Q: Can this scam target smaller businesses without a formal finance department?

A: Yes — in smaller businesses, the "finance department" is often one or two people, which can make the scam easier, not harder, since there's no second person naturally positioned to question the request.

How iTechFixr Can Help

Need a compliance-ready risk framework? Let's map your gaps together. iTechFixr helps businesses determine their exact obligation status and builds the detection-to-reporting pipeline needed to genuinely protect your operations.

Share this post: