
Your ‘CEO’ may be a cybercriminal, warns Union Home Ministry


DT NEXT Bureau

CHENNAI: Cyber crooks are moving up the value chain, quite literally. In the latest fraud uncovered by the Ministry of Home Affairs, cybercriminals are now targeting senior executives, including chief executive officers, not just by impersonating them but by hijacking their WhatsApp Web sessions to instruct the victims’ finance departments or subordinates to transfer large sums to mule accounts.

This scam often extends to a two-stage fraud wherein they also alter the victim’s contact list and save an attacker-controlled number under the name of the CEO, enabling them to continue issuing fake payment instructions, said the MHA’s Indian Cyber Crime Coordination Centre (I4C).

Explaining the modus operandi, it said cybercriminals are targeting CXOs by posing as regulators such as the RBI through email or WhatsApp messages, claiming regulatory violations or urgent security compliance issues to pressure the victims into responding immediately.

They then send messages containing compressed files carrying malicious software. Once downloaded and executed on a Windows computer, the malware compromises the device and hijacks active WhatsApp Web sessions. The attackers then gain access to the executive’s WhatsApp account and send instructions to finance teams or subordinate employees, directing them to transfer funds to bank accounts operated by their mules.

In some cases, the criminals change the contact list and save an attacker-controlled number under the name of the CEO, enabling them to continue issuing fake payment instructions, the centre said, advising companies to verify all requests involving urgent financial transactions or account changes through direct voice calls or in-person confirmation rather than relying solely on emails or WhatsApp messages.

Organisations were also advised to implement strict software restriction policies, regularly review authorised devices linked to WhatsApp accounts, log out of unused WhatsApp Web sessions, and ensure that systems are protected with updated anti-malware solutions.

The advisory also cautioned users against installing executable files received from unknown sources, noting that RBI and other regulators do not distribute software updates or security fixes through WhatsApp attachments.

The cybercrime agency asked citizens and organisations to report suspicious incidents immediately through the national cybercrime helpline 1930 or the cybercrime reporting portal.
