A fake senior executive, 63 transfers, Rs 10 crore gone: Inside India’s new ‘Boss Scam’ | Mumbai News
Girish Amin, a Mumbai-based deputy general manager with a reputed corporate company with offices across the country, received a message from his boss. Sidharth Jain, the executive director of the company, wanted him to transfer a sum of Rs 46.5 lakh to a particular bank account from the company’s funds.
Amin did as asked.
Over the next few days, Amin received similar instructions, which he duly acted upon. In under two weeks, he ended up transferring Rs 10.40 crore in 63 transactions.
On June 16, it was Amin’s turn to contact Jain, this time through an official channel. He asked his boss to share invoices related to the transactions for accounting purposes.
Then came the truth. It wasn’t Jain whose instructions he had been acting upon all this while.
Amin’s ordeal is, however, just one example of a new kind of scam that has emerged from the world of cybercrime. India’s top cybercrime sleuths have a term for it: Boss Scam.
In “Boss Scam”, scamsters get in touch with employees at major corporate firms, impersonating their seniors, preferably the CEOs. Then they get them to part with huge amounts of company money.
Here’s how ‘Boss Scam’ works
On June 22, a week after Amin’s case came to light, the Indian Cyber Crime Coordination Centre (I4C) issued an advisory in this regard, asking citizens, especially industries, to be careful.
Story continues below this ad
From con call to ‘con’ call
An industry veteran who has spent more than three decades at the company, Amin is no novice. But when he received the message from an unknown number on June 3, telling him that it was from his boss Jain, he was convinced. For one, it displayed Jain’s image in the DP (display picture). On top of that, the text in fine font, which appears right above an unknown phone number, clearly stated “Siddharth Jain”.
Around the time Amin approached the police, a banker at IDFC FIRST bank’s Jasola branch in Delhi, over a thousand kilometres from Mumbai, noticed a suspicious looking pair of young men entering the premises.
They asked to withdraw a total of Rs 8 lakh in cash from their bank accounts. “They were shabbily dressed. Plus, the fact that they asked to withdraw such a huge amount minutes after it had been credited in their accounts made the banker suspicious. He asked them a series of questions and they just fumbled…” said a police officer.
The banker immediately alerted the police. The duo, Vikas Bind and Vansh Manocha, both 22, were apprehended.
Story continues below this ad
During questioning, they told police they had “rented out” their bank accounts to allow someone to route illicit funds in return for promised commissions of Rs 30,000 and Rs 20,000, respectively. Another handler, Faiyaz Alam, also 22, was arrested soon after.
Investigation revealed that the amount in their bank accounts came from the same company’s account in Mumbai.
The Delhi Police then contacted the Mumbai south region cyber police, who in turn reached out to Amin: the person claiming to be Jain, on whose instructions he had made the transfers, was a cyber fraudster suspected to be working with an organised racket operating from UP.
The Indian Express had reached out to Amin when the fraud came to light but he refused to comment.
Story continues below this ad
The fraudster posing as Jain instructed Amin to save it as a “very personal number” and not share it with anyone.
According to officers who probed the case, the scam had begun even before Amin received the message on June 3.
A ‘very personal’ number
As per officers at the South Region cyber police station where the FIR was registered, they found a .zip file on Amin’s phone that had a malicious file inserted in it. Such files generally give fraudsters remote access to their target’s phone.
“In a variant of the scam, the fraudsters, after gaining control of the victim’s mobile, delete the actual number of the boss and save their own number instead. It is from this number that the messages are sent. In this case, though, they had not deleted Jain’s number,” an officer said. Instead, they contacted Amin from a fresh number and convinced him that it was Jain’s alternative number.
The fraudster posing as Jain instructed Amin to save it as a “very personal number” and not share it with anyone.
Story continues below this ad
“In several cases, where this particular modus operandi is used, the fraudster, who is usually impersonating a high-profile person, like a CEO, tells his junior that he is contacting them through a personal number. As it is not unusual for those in top positions to have separate personal and professional numbers, the story seems more believable,” an officer said.
And why did Amin not call and verify if it was indeed Jain who had contacted him? Police said the sender had told Amin that he was headed to a meeting, instructing him not to call him.
“Soon after, the impersonator allegedly shared the bank account details and instructed Amin to transfer Rs 46,50,102, which Amin, believing the instruction to be authentic, processed from the company’s bank account,” an official said.
Between June 3 and June 15, Amin allegedly acted on similar WhatsApp instructions and transferred money from the company’s account to multiple beneficiary accounts named by the sender. In all, 63 transactions, amounting to Rs 10,40,71,924, were carried out, the complaint alleged.
Story continues below this ad
Digital arrest alarm
While the fraudsters managed to convince Amin that he was actually interacting with his boss, police, on the other hand, had a tough time convincing Amin that they were genuine officers.
Said an officer, “When we first contacted Amin and informed him that he may have been a fraud victim, he found it difficult to believe we were real policemen. It is understandable as in ‘digital arrest’ cases, fraudsters often pose as police personnel to dupe people. Eventually, using official IDs, we managed to convince him.”
An FIR was registered and Mumbai Police took custody of the three accused from Delhi Police. Based on the investigation, three others were arrested soon after. One of them was from Jalna in Maharashtra. The hunt for the other two ended in Samastipur in Bihar.
But this begets a question: How did such a huge amount get transferred without anyone in the company raising a suspicion? Don’t companies in India have a system in place?
Story continues below this ad
During investigation, police found out that firms do follow a “creator-approver” system when it comes to transferring funds. As part of this, an approver verifies if the money transfer request by the creator is legitimate.
The designated approver in this case: Amin himself.
“It was the victim who was the approver. We have found that the money was transferred to 40 accounts across 30 cities in 10 states,” the officer said.
‘Gold standard’ of money laundering
Usually, in such fraud cases, the money is transferred through various mule accounts to hide its trail. In this case, however, the police discovered a new modus operandi. The fraudsters had purchased gold from well-known jewellery shops across several states including Maharashtra, UP, West Bengal and Bihar.
While interrogating the accused, Mumbai Police found that this was a strategy to sever the digital paper trail that law enforcement agencies traditionally rely on to trace illicit funds.
Story continues below this ad
“Modern cybercriminals are highly aware of how police cyber cells operate. They know that investigators can rapidly freeze and track funds flowing through a succession of compromised mule bank accounts,” said an officer.
Police said the stolen money was initially funnelled through a few mule accounts. “Field agents” then use the funds to purchase high-value gold ornaments from well-known jewellery chains.
The physical gold is then pledged with local moneylenders to secure gold loans, said police. The “clean cash” received from these loans is routed through a fresh set of untainted accounts to ultimately reach the syndicate leaders, they added.
Later, when money from another cyber offence comes in, it is used to recover the mortgaged gold from one shop only to be mortgaged to another in return for money and so on, they said.
“When law enforcement agencies track the digital money, the trail leads them to a jewellery shop. But this is where the link goes cold. It becomes incredibly difficult to track where that physical gold was subsequently mortgaged to extract cash,” the officer explained.
The three persons arrested later by the Mumbai Police include Birendra Kumar Bhagat (26) and Ranjan Kumar Kharwar (41) from Bihar. Their job was to go to jewellery stores and purchase jewellery. The third accused, Dyaneshwar Thoke (22) from Jalna, was the one whose mule account was used to move the money initially, said police. So far, it is not clear who the mastermind of the entire operation was.
The hunt for potential victims
Police learnt that gangs that operate this scam work in a methodical manner, with members divided into groups. One group’s job is to list out major companies in the country which could be targeted. The accused go to the websites of these companies and download photographs of the top management executives, said police.
“The fraudsters then ring up the office landline of these companies on the pretext of confirming the IFSC code. This way, they manage to secure the number of the person who handles the accounts for that particular bank. After this, they send their target a link, which, once clicked, installs a .zip file on the phone. This gives the scamsters access to the device of their targets,” the officer said.
The I4C, in its advisory, said that cybercriminals are targeting high-ranking officials and executives by delivering malicious archives via email or WhatsApp, impersonating regulators under the guise of urgent regulatory compliance.
“The malware compromises the executive’s Windows device and active Web WhatsApp sessions, enabling the fraudsters to message subordinate employees and orchestrate fraudulent financial transfers,” the advisory stated.
Complete device takeover
“The message contains a compressed .zip archive. Inside this archive is a malicious executable (.exe) accompanied by a Dynamic Link Library (.dll) file. As seen in multiple cases, the CEO forwards the message to the finance officer. When the executive extracts and executes the file on a Windows desktop or laptop, a Trojan dropper is initiated. The malware establishes a persistent foothold, compromises the system, and hijacks the active Web WhatsApp session tokens,” said police.
Armed with access to the executive’s WhatsApp account, the fraudster contacts accounts or finance employees, instructing them to make immediate payments to specified mule bank accounts.
In alternative scenarios, if the attacker achieves complete device takeover, they covertly modify the device’s contact list, saving a fraudulent, attacker-controlled phone number under the name of the “CEO”, and use that secondary number to instruct employees into transferring funds. This is what had happened in Amin’s case, said police.
An officer said that they suspect that, in this case, a gang based in UP was involved in the operation. “Some of the numbers that we found in this case had surfaced in a similar scam that was carried out in February. Both the numbers are from Lucknow in UP,” the officer added.
Of the money that the company lost, the police have managed to put a hold on nearly 50 per cent of the amount lost in the fraud. The amount will be retrieved through legal channels, said an officer, adding that efforts were underway to track down the remaining sum of money.