‘Boss Scam’, so named by the Indian Cyber Crime Coordination Centre, the home ministry's cyber wing also known as I4C, blends three things, malware, social engineering and executive impersonation, to push finance staff into clearing fraudulent transfers. A recent example is the case involving former Rajya Sabha member Naresh Gujral, son of the late IK Gujral, a former Indian Prime Minister.
Impersonation fraud does not prey on the careless. It preys on the conscientious. The employee who wires the money is usually senior, trusted and quick to act on instructions. Each of those is a virtue at work. The fraudster needs every one of them.
Consider what happened to a Delhi garment business in June. Naresh Gujral, a former Rajya Sabha member whose late father IK Gujral was India’s prime minister in 1997-98, owns the firm. Between June 12 and June 16, someone “posing as Gujral on a messaging app” allegedly told an employee to move money for what looked like pressing business. The employee had been given financial authority by Gujral himself. According to reports, he made four transfers by real-time gross settlements (RTGS), the bank channel used for large, real-time payments.
The bank noticed. It reportedly flagged the unusually large payments and asked the company's chief financial officer to approve them. The officer did, “certain the instruction came from Gujral”. It had not.
“We are increasingly seeing a combination of new elements when it comes to cybercrime,” says Pavan Duggal, an advocate practising in the Supreme Court, who is also founder president of the Global Artificial Intelligence Accountability Law and Governance Institute and chief executive of the Artificial Intelligence Law Hub.
Duggal adds: “Impersonation is one such element that we are beginning to see. And these trends will continue to get more complicated. Because now cybercriminals are increasingly using artificial intelligence (AI) for the purposes of doing their illegal activities. So, we should be prepared for these kinds of scenarios.”
In Gujral’s case, the deception ran deeper than a borrowed name. According to reports, investigators found that the gang had first sent a malicious file to an employee, which compromised his phone. With access to the device, they rewrote his contacts. They left Gujral's photograph in place but replaced his saved number with one of their own. Every message from “Naresh Gujral” now arrived from a contact the employee had saved and trusted. A call to that number would have reached the fraudsters.
“The theft of identity is the biggest theft taking place now. Targets are not chosen randomly. Everything about the person is researched, studied, a detailed profile is created using AI and that profile is so immaculate that it becomes easy to manipulate them,” says Prashant Mali, a cybersecurity, cyber law and AI data protection expert. The degree of vulnerability depends upon the extent of information available about them in the digital arena. The bigger the digital footprint, the more vulnerable they are, Mali adds.
In Gujral’s case, about Rs 7.7 crore allegedly left the company. The former Rajya Sabha member was later quoted in the media as saying that more than 70 per cent was eventually traced.
Gujral's case was neither the only one that month nor the largest.
Days earlier, a private firm in Mumbai reportedly lost more than Rs 10.4 crore to the same idea, executed more crudely. According to media reports, it began on June 3, when a deputy general manager in the company's accounts department purportedly received a WhatsApp message from an unknown number. The sender allegedly claimed to be the firm's executive director. He asked the employee to save the number as a personal contact and set the executive director's photograph as the display image to look convincing. He added that he was in an urgent meeting and could not take calls, so the instructions would come by message.
The first transfer was Rs 46.5 lakh. Over the next 12 days, 62 more followed. By June 15, the employee had reportedly made 63 transfers in all, totalling Rs 10.4 crore, to a string of bank accounts. A superior who was also allegedly deceived approved payments along the way, which removed the last check. The alleged fraud surfaced only when the employee approached the real executive director for invoices to close the books. The director said he had issued no such instruction.
On June 22, the government put a name to the pattern. The Indian Cyber Crime Coordination Centre, the home ministry's cyber wing, also known as I4C, issued an advisory calling it the ‘Boss Scam’.
“The modus operandi is not new. They use the same sense of fear and urgency to ensure victims react instead of acting after due deliberation,” points out NS Nappinai, a senior advocate practising at the Supreme Court and founder of Cyber Saathi, an initiative focusing on cyber safety on digital spaces.
According to the I4C advisory, the racket now blends three things, malware, social engineering and executive impersonation, to push finance staff into clearing fraudulent transfers. The cases form a sequence, from crude to formidable. Each method defeats the safeguard that stopped the one before it. The safeguard, almost always, is a single telephone call.
The Mumbai fraud sits at the bottom. It needed no hacking at all. A stranger with the boss's photograph, a fresh number and an urgent tone was enough. One thing would have stopped it cold. A call to the executive director's own number, the one already in the company's records, would have exposed the imposter on day one. The fraud survived because nobody made that call.
Gujral's loss was the same idea, one step harder to catch. Here, the malware mattered. By rewriting the saved contact, the gang ensured that the obvious check, ringing the boss back, reached them instead. The employee who did everything right would still have spoken to the fraudster. The call had been quietly disabled.
The advisory describes a method that goes further. It reportedly often begins with a message to the executive himself, dressed as an urgent notice from a regulator such as the Reserve Bank, warning of a violation or demanding a security update. Attached is a compressed file. Opened on a Windows computer, it installs malware that hijacks the live WhatsApp Web session, the version of the app that runs in a browser. The criminals can then send messages from the executive's real account. Finance staff who check the app find nothing wrong, because the account is genuine.
Worse, the trap sometimes springs through the boss. In several cases, the bait reportedly reaches the executive first and, believing it official, he forwards it to his finance officer, who opens it. In the most advanced form, the attacker takes full control of the device and edits the contact list, saving his own number under the chief executive's name. This is the technique that struck Gujral. Verification on the phone or the app no longer helps, because the phone and the app have been turned against the user.
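The contact rewrite described above keeps the name and photograph and changes only the number, so it can be caught by comparing a device's contact export against the numbers held in company records. The following is an added example, not part of the original article or the I4C advisory; the directory, names, numbers and function names are constructed for illustration.

```python
import re

# Constructed sample data: fictitious names and numbers, not taken from any case.
DIRECTORY_OF_RECORD = {
    "Asha Rao": {"+919800000001"},                      # managing director
    "Vikram Shah": {"+919800000002", "+912200000002"},  # chief financial officer
}
DEVICE_VCARD_EXPORT = """\
BEGIN:VCARD
VERSION:3.0
FN:Asha Rao
TEL;TYPE=CELL:+91 98111 22233
END:VCARD
BEGIN:VCARD
VERSION:3.0
FN:Vikram  Shah
TEL;TYPE=CELL:098000 00002
END:VCARD
"""

def normalize_number(raw, default_cc="91"):
    """Reduce a number to +<country><national>; numbers without '+' are assumed national."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    return "+" + default_cc + digits.lstrip("0")

def normalize_name(name):
    return " ".join(name.lower().split())

def parse_vcards(text):
    """Yield (display_name, [raw numbers]) for each card in a vCard export."""
    name, numbers = None, []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        prop = key.split(";")[0].upper()
        if prop == "BEGIN":
            name, numbers = None, []
        elif prop == "FN":
            name = value.strip()
        elif prop == "TEL":
            numbers.append(value.strip())
        elif prop == "END" and name:
            yield name, numbers

def find_tampered_contacts(vcard_text, directory):
    """Return (name, number) pairs saved under a protected name but absent from records."""
    record = {normalize_name(n): nums for n, nums in directory.items()}
    findings = []
    for name, numbers in parse_vcards(vcard_text):
        known = record.get(normalize_name(name))
        if known is not None:  # only protected identities are checked
            findings += [(name, n) for n in map(normalize_number, numbers) if n not in known]
    return findings
```

The same comparison flags the cruder variant in which staff are asked to save an unknown number under an executive's name, provided the check runs somewhere other than the device being audited.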
Like Duggal, Commander (retired) Ashok Menon, a cybersecurity consultant, says, “attacks are only going to get more and more sophisticated with time. For instance, with acceleration in the capability of AI models and easy access to the tools that leverage these models, the bad actors have another weapon in their arsenal through which social engineering methods for deception and manipulation of the target become far more successful.”
Menon adds: “While WhatsApp is an easy-to-use messaging app, the key question that goes begging in a business context is whether financial approvals or key business decisions need to be disseminated this route? And even if the same is used, shouldn’t a dual approval control have been in place?”
A close relative of the ‘Boss Scam’ skips the messaging app and works the email inbox. It is called business email compromise, and it has cost Indian firms heavily.
In December, an Indore company, Shivganga Drillers, was reportedly about to pay a United States vendor, Innovex International of Houston, around Rs 3.72 crore. Fraudsters who had been watching the correspondence created an email address almost identical to the vendor's. They wrote to the Indore firm saying the vendor's bank details had changed, and gave an account of their own. The forged mail allegedly copied the vendor's house style down to the signature. The company paid in good faith, wiring the full sum to an account with JP Morgan in the United States. Suspicion rose only after a second email arrived. By then, the firm had alerted the police and a rare outcome followed. Working with banks and United States agencies, the Madhya Pradesh cyber police recovered the entire Rs 3.72 crore.
Pune saw a smaller version in April. An engineering products firm in Vimannagar reportedly lost Rs 73.18 lakh, allegedly after fraudsters inserted themselves into a procurement exchange, again by spoofing email. Investigators are examining whether the attackers had broken into the email system of the firm's German associate or used phishing to get in. The lever in both cases is identical to the ‘Boss Scam’. Only the mask changes, from the chief to the supplier.
The most advanced version is no longer a thought experiment. In January 2024, a finance worker at the Hong Kong office of Arup, the British engineering firm behind the Sydney Opera House and Beijing's Bird's Nest, reportedly received an email from a person claiming to be the company's United Kingdom-based chief financial officer. It allegedly asked for a confidential set of transfers. The employee suspected a phishing attempt and held back.
He was then invited to a video call. On screen were the chief financial officer and several colleagues he recognised, talking, moving and addressing him by name. Reassured, he carried out the instruction. He made 15 transfers worth about $25.6 million, roughly Rs 200 crore at the time, to five Hong Kong accounts. Only afterwards, checking with the head office in Britain, did he learn the truth. Every face and voice on the call had allegedly been a deepfake, reportedly generated by software from public recordings of real Arup staff. No internal system had been breached. The fraud went through a person, not a firewall. The money was never recovered.
The technique is not confined to video. As long ago as 2019, criminals reportedly used a cloned voice to imitate the head of a firm's parent company and talk an executive into sending about $243,000 to a supposed supplier. The funds were then split across accounts in several countries. The old assurance, “I spoke to them myself”, is quietly expiring.
Strip away the tools and one fact remains. None of these frauds asks the victim to be stupid. The serious ones remove the single check a careful person would run, then let ordinary diligence carry the money out the door.
Three forces do the persuading, and the criminals understand each. The first is authority. A junior does not cross-examine the managing director and rank discourages questions. The second is urgency. The message demands action within minutes, and haste is the enemy of doubt. The third is plausibility. Firms do send large sums at short notice, so a wire to close a deal raises no alarm on its face.
The scripts are written to all three. Investigators report stock lines such as “handle this immediately”, along with claims of being in a meeting and unable to talk, and instructions not to escalate. Each line shuts a door the victim might open. The invented regulator adds a fourth pressure, the fear of penalty, which is why a notice that appears to come from the Reserve Bank is so effective a wrapper.
Yet, experts recommend some precautions.
“Never act on payment instructions received only via WhatsApp, text message, or email; always verify through a separate channel such as a phone call to a known number,” says NV Krishnan, head, finance strategy & digitisation, VyomFin Consulting Pvt Ltd, a Delhi-based startup.
Krishnan adds: “Implement multi-level approval, so that no single employee can initiate and approve a fund transfer, protect executive accounts and train employees against social engineering, including recognising urgent requests, secrecy demands, and requests to bypass normal procedures and use secure payment workflows and banking controls, such as approved payment platforms, transaction limits, beneficiary verification, and alerts for unusual transactions for malware.”
Duggal and Mali also recommend that everyone be distrustful of information shared, question hurry and be stingy with the information they share in the digital sphere.
“The key factor is how regulations are being complied with,” says Menon. “Regular awareness campaigns, continuous training programs, making cybersecurity assignments compulsory for each employee etc., as a part of a drill, is inevitable. The material for these campaigns and training also needs to be updated periodically (say with every new lesson an incident provides) – akin to a briefing and debriefing aviator’s guide, so that individuals stay up to date about the latest threats and, importantly, are aware of their role and actions.”
The Arup case is the clearest proof, however, that care is often not enough. The employee did the textbook thing. He distrusted the email and asked for a call. The call was the trap. The act of verifying had itself been turned into a weapon. Gujral's episode reads the same way on a smaller scale. The chief financial officer questioned the payment, asked, and was reassured by an answer that seemed to come from the top. The controls worked and were beaten.
Recovery is where the law turns cold. A large electronic transfer moves in close to real time and is hard to reverse once gone.
“One issue is when the money defrauded is going outside the boundary of our country. Often, the law enforcement agency is unable to recover the money from outside. Also, the law enforcement agency is not able to arrest the mastermind of these crimes, who may be sitting beyond our borders. They are arresting either operators or mule account holders,” says Mali.
Speed of reporting is almost everything. India runs a cyber-fraud helpline on the number 1930, paired with an online reporting portal. A prompt complaint lets police ask the receiving banks to freeze, or mark a lien on, money still sitting in the chain.
The money is built to outrun that call. It is split within hours across mule accounts, the borrowed or rented accounts that launder the trail. In the Gujral case, it passed through four accounts, then 30 to 40 more. In Mumbai, it ran into accounts whose holders had been paid a commission to lend them.
Three outcomes show what speed buys. Gujral's firm reported fast and recovered most of the money. The Indore driller reported within hours and reportedly got back every rupee, because banks and foreign agencies moved together. Arup, which realised only after the transfers cleared, has recovered nothing. The difference was not luck. It was the gap between the fraud and the first phone call.
Most victims are slower, and most recover little. Of 2.81 million cyber-fraud complaints in 2025, only 55,484 became formal police cases, many lost to disputes over which state should investigate. Many more never reach the police at all, kept quiet out of embarrassment.
“People often don’t speak up,” agrees Mali. “There is fear of reaction.”
A further surprise waits for those who do report. The protection most people assume they have may not apply. The Reserve Bank's 2017 rules promise “zero liability” to a customer hit by an unauthorised transfer, provided he reports it promptly and was not himself negligent. But a transfer the company's own officer instructed is not unauthorised in that sense. The instruction was real, even if the belief behind it was false.
The courts have begun to say so. In December 2025, the Allahabad High Court, in Suresh Chandra Negi vs Bank of Baroda, held that the zero-liability rule cannot be stretched to recast a transfer the customer made himself as a third-party fraud. A payment ordered by the firm's own employee, however cleverly induced, may leave the firm with no claim on the bank. The loss stays where it fell.
Which is why stepping up prevention beats remedy here by a wide margin. The weak point the criminals have studied is not the firewall. It is the instant a trusted instruction lands and a busy person obeys it.
Experts point at legal loopholes and the need for better government awareness programmes to meet the challenge of digital fraud.
“India doesn't have a law on artificial intelligence yet. Nor do we have a law on artificial intelligence crime. Existing criminal laws do not cover the use of AI,” says Duggal. He adds: “Because the Indian law does not recognise AI as a legal entity. It's very, very hard to detect the human behind the AI. So you may do investigations, but may still not be in a position to really reach out to the final human behind the AI.”
To counter the finesse of AI-enabled fraud, Mali encourages victims to speak up to alert others from personal experience. “The government should have a national digital safety mission, which should have victims as ambassadors. When victims narrate their experience, there is emotion; the impact is better. And the government should choose victims from across the country for this, who can speak in different Indian languages, for increased reach.”
India reportedly lost about Rs 22,495 crore to cyber fraud in 2025, most of it to investment cons. The ‘Boss Scam’ and its cousins in the inbox and on the video call are spreading because they need so little: a face, a deadline and the habit of trusting the boss. Gujral's name made his case news. The method does not care whose name it borrows next.

