
Received WhatsApp message from CEO asking to download ZIP file – what to do?
A dangerous new variant of the "Boss Scam" is targeting Indian executives, leveraging WhatsApp and sophisticated malware. Fraudsters impersonate CEOs to trick employees into downloading malicious files, then hijack their accounts and drain company funds. This scam poses a high financial risk to businesses and individuals alike.
How This Scam Works
This highly deceptive scam, often referred to as "CEO Impersonation" or "Business Email Compromise (BEC) 2.0," begins with a seemingly innocuous and urgent message. The fraudster first carefully researches their target, often an executive or a senior employee within a company. They will then create a fake WhatsApp profile, meticulously using the real CEO's profile picture and even mimicking their communication style, often gathered from public social media profiles or company websites. The executive receives a WhatsApp message, crafted to appear incredibly urgent and authoritative. The message typically states that the CEO is in an ongoing, critical meeting and cannot be disturbed via traditional channels. It will then ask the executive to immediately review an important "regulatory notice," "confidential document," or "new policy update." To access this document, the executive is instructed to download a file, which is almost always a ZIP file. This ZIP file is the Trojan horse; it contains sophisticated malware designed to be discreet and effective. The moment the executive downloads and attempts to open this seemingly harmless ZIP file, the malware is unleashed. This particular variant of malware is designed to compromise the executive's WhatsApp account, giving the fraudsters full control. With access to the executive's WhatsApp, the scammers then pivot. They immediately begin to instruct subordinates within the company, using the hijacked executive's account, to transfer a significant sum of money, often citing an "urgent vendor payment," "contractual obligation," or "secret acquisition deal" that needs immediate processing. In our example, they demanded ₹1.5 crore. The fraudsters continue to use the excuse of "ongoing meetings" to prevent any direct verification calls, effectively isolating the victims and creating a sense of heightened pressure to comply quickly. By the time the deception is uncovered, the funds have often been transferred to various mule accounts and are virtually unrecoverable.
Red Flags
- Urgency, Secrecy, and Deviation from Protocol:** Any request for an immediate, large-sum money transfer that deviates from established company protocols, especially under the guise of secrecy or urgency, is a massive red flag.
- Unusual Communication Channel for Sensitive Tasks:** If your CEO suddenly contacts you exclusively via WhatsApp (or an unfamiliar email) for a critical financial or regulatory matter that would normally go through official email, secure portals, or direct phone calls, be suspicious.
- Malware-Laden File Attachments:** Any unsolicited request to download a ZIP file, executable (.exe), or other unusual file type from an unknown or suspicious source, even if it appears to be from a known contact, should be treated with extreme caution.
- CEO's Unavailability for Direct Contact:** The scammer will often insist the CEO is in an "important meeting" or "travelling" to prevent direct verification of the request. This isolation tactic is a classic sign of fraud.
- Grammar and Spelling Mistakes:** While sophisticated scams may have perfect language, watch for subtle grammatical errors, unusual phrasing, or a tone that doesn't quite match your CEO's usual communication style, especially in Indian English context.
- Requests for Personal Information or Credentials:** Even if it's not directly money, any request to click on a link that asks for your company login details, banking passwords, or personal credentials (like Aadhaar or PAN OTPs) is a definite scam.
How to Stay Safe
- Verify Independently:** Always verify urgent requests for financial transfers by calling the sender on a known, official number. Do NOT reply to the message, call the number provided in the message, or use the same communication channel for verification.
- Establish Clear Communication Protocols:** Companies should implement strict protocols for financial transactions, requiring multiple approvals and direct verbal confirmation for large sums, especially when requested outside of normal channels.
- Be Skeptical of File Downloads:** Never download or open unofficial files (.zip, .exe, .docm, etc.) from WhatsApp or untrusted email sources, even if they appear to be from someone you know. If in doubt, contact your IT department.
- Enhance WhatsApp Security:** Enable Two-Step Verification for your WhatsApp strong PIN. Regularly review linked devices and revoke access to any unfamiliar sessions.
- Conduct Regular Cybersecurity Training:** Employees, especially senior staff, should undergo regular training on identifying phishing, whaling, and CEO impersonation scams.
- Use Official Company Communication Channels:** Always default to official company email, secure internal messaging systems, or direct phone calls for sensitive business communications.
- Report Suspicious Activity:** If you receive a suspicious message, report it immediately to your company's IT security team or CISO.
If You Are Targeted
- DO NOT engage further:** Stop communication immediately. Do not click on any links, download any attachments, or provide any information.
- Isolate the compromise (if applicable):** If you suspect your WhatsApp or computer has been compromised, disconnect from the internet immediately. Run a full antivirus scan if you have appropriate tools. Change your WhatsApp PIN and unlink suspicious devices.
- Inform Your IT/Security Department:** Report the incident to your company's IT security team or your manager immediately. Provide all relevant details, including screenshots of the messages.
- Notify Your Bank (If Funds Transferred):** If money has been unfortunately transferred, contact your bank immediately to report the fraudulent transaction. The quicker you act, the higher the chance of recovery, though often slim due to the speed of these scams.
- File a Police Complaint (Cyber Cell):** File a complaint with the cybercrime cell (Cybercrime.gov.in or call 1930) and local police. Provide all evidence you have.
ScamGuard24 Insight
This scam highlights the increasing sophistication of cybercriminals who blend social engineering with technical exploits. The use of urgent authority coupled with malware distribution creates a potent attack vector, underscoring the critical need for constant vigilance and robust cybersecurity hygiene in Indian businesses.
Suspect a scam right now?
Open ScamGuard24 ScannerRecommended protection tools
AffiliateWe may earn a small commission if you sign up — it never changes our editorial picks.
India's most trusted antivirus. Blocks malicious APKs, UPI phishing and fake banking apps.
Get Quick HealAll-in-one mobile security + VPN. Stops phishing links shared on WhatsApp and SMS.
Try Norton 360Stop reusing passwords. Auto-fills only on the real bank site, never on phishing pages.
Get NordPassRelated alerts
WhatsApp Iran War Charity UPI Scam — is it real, what to do about strange requests?
HIGH RISKRBI call Iran transactions scam India – account frozen? What to do
HIGH RISK
Comments
Be the first to comment.