Your Boss Just Asked You to Transfer Money on WhatsApp — Read This First

The boss scam has stolen over $55 billion globally. Learn how criminals impersonate your manager on WhatsApp, the warning signs, and exactly how to protect yourself and your business.

7/2/202612 min read

boss scam whatsapp ceo fraud how to protect yourself
boss scam whatsapp ceo fraud how to protect yourself

Your Boss Just Asked You to Transfer Money on WhatsApp — Read This First

Category: Workplace and Financial Safety | Reading Time: 12 minutes

In This Article:

1. What the boss scam actually is

2. How the scam works — step by step

3. Real cases where this happened

4. Word-for-word scripts scammers use

5. Warning signs every employee must know

6. What businesses can do to protect themselves

7. What to do if you have already transferred money

8. Frequently asked questions

You receive a WhatsApp message from your boss. The name is right. The profile photo is right. The message is urgent and asks you to transfer money immediately for a confidential business matter. You should not tell anyone else about it. Please handle it right away.

You transfer the money. Later you discover your boss never sent that message. Their account was copied or their number was spoofed. You have just become a victim of what the FBI and cybersecurity professionals call the Boss Scam — also known as CEO Fraud or Business Email Compromise.

According to the FBI's Internet Crime Complaint Center, Business Email Compromise — which now extends to WhatsApp, phone calls, and video calls — caused nearly 2.8 billion dollars in reported losses in the United States in 2024 alone. Between October 2013 and December 2023, the total global losses from this type of scam reached 55.4 billion dollars across 305,033 reported incidents in 186 countries.

https://www.ic3.gov/PSA/2024/PSA240911

In 2025, according to research published by Eftsure, Business Email Compromise and CEO fraud drove more than 3 billion dollars in reported losses in the US in a single year — and 63 percent of organisations experienced this type of attack, according to the Association for Financial Professionals.

https://www.eftsure.com/blog/industry-news/what-a-$36-million-whatsapp-fraud-reveals-about-approval-culture/

This is not a scam that only affects large corporations. It targets small businesses, schools, hospitals, charities, and individual employees across India and the world. And it works because it exploits something that most workplaces depend on: trust in authority.

What the Boss Scam Actually Is

The boss scam — officially known as CEO Fraud or Business Email Compromise (BEC) — is a type of fraud where criminals impersonate a manager, director, CEO, or business owner to trick an employee into transferring money, sharing confidential information, or purchasing gift cards.

The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) defines CEO fraud as a type of Business Email Compromise in which criminals impersonate top executives to deceive employees into revealing sensitive information or transferring funds — exploiting the power dynamic within the company and using social engineering tactics to ensure the employee does not question the request.

https://www.cyber.nj.gov/threat-landscape/phishing-online-scams/ceo-fraud

What makes the boss scam especially effective today is that it has moved well beyond email. The same attack now arrives through:

WhatsApp messages — using a number that looks like the boss's or a cloned profile

Personal text messages — from a number the criminal claims is a new phone

Phone calls — using voice cloning technology to replicate the boss's voice

Video calls — using deepfake AI to create a convincing video appearance of the executive

In 2024, an employee at a well-known international engineering firm transferred the equivalent of 25 million US dollars after participating in a video call with what appeared to be the company's Chief Financial Officer and multiple colleagues. Every person on that call was a deepfake generated by artificial intelligence, according to reporting by Eftsure.

https://www.eftsure.com/blog/industry-news/what-a-$36-million-whatsapp-fraud-reveals-about-approval-culture/

How the Boss Scam Works — Step by Step

Understanding exactly how the attack is constructed helps you recognise it before you fall for it.

Step 1: The Criminal Researches You and Your Organisation

Before sending a single message, the criminal spends time learning about the organisation. They find the names and roles of executives and employees through the company website, social media profiles, and professional networking platforms. They note who reports to whom, who handles finances, and which employees are most likely to transfer money without asking too many questions.

The FBI documented a real case in which criminals used a company's own website to identify executive officers, their email addresses, and the global events the CEO would attend during the year — giving them everything needed to construct a convincing impersonation timed to when the CEO would be unavailable to verify requests.

https://www.fbi.gov/news/stories/business-e-mail-compromise

Step 2: They Create a Convincing Fake Identity

The criminal creates either a fake phone number that resembles the boss's number, clones the boss's profile photo and name on WhatsApp, sends a message from a slightly different email address that looks identical at a quick glance, or — in more sophisticated attacks — uses AI to clone the boss's voice or appearance.

The NJCCIC confirms that criminals can create a highly accurate clone of an executive's voice using as little as three seconds of audio from an outgoing voicemail, a public speaking clip, an interview, or a social media post. AI-generated deepfake video of executives is also in active use for this type of fraud.

https://www.cyber.nj.gov/threat-landscape/phishing-online-scams/ceo-fraud

Step 3: They Send an Urgent, Confidential Request

The message arrives with specific characteristics designed to bypass your natural instinct to check with someone else:

It creates extreme urgency — the payment must be made today, within the hour, or an opportunity will be lost.

It demands confidentiality — "Do not discuss this with anyone else" or "This is strictly between us."

It uses authority pressure — the message comes from the boss, and questioning the boss feels uncomfortable.

It targets a moment of opportunity — often sent when the real boss is known to be in a meeting, travelling, or otherwise unreachable for verification.

KnowBe4, the cybersecurity awareness training organisation, notes that criminals target members of the finance team specifically — claiming a need for urgent, confidential support on a time-sensitive matter that cannot be verified with anyone else. This deliberate isolation from colleagues is a core feature of the attack design.

https://www.knowbe4.com/ceo-fraud

Step 4: The Funds Are Transferred

The employee, feeling the pressure of authority and urgency, and believing the request is genuine, makes the transfer. The criminal immediately moves the funds through multiple accounts — often across different countries — making them extremely difficult to recover.

The FBI warns that the window of time to identify the fraud and recover the funds before they are moved out of reach is extremely short — typically within 48 hours at most, and often far less.

https://www.fbi.gov/news/stories/business-e-mail-compromise

Real Cases Where This Happened

These are not hypothetical warnings. The boss scam has caused devastating real-world losses at organisations of every size.

Eftsure documented a case in Singapore where a company lost 36 million US dollars through a WhatsApp-based boss scam. The attack used a WhatsApp voice call — not even a sophisticated deepfake — and the same fundamental trust in hierarchy and authority that employees everywhere are conditioned to feel. The scam succeeded not because the technology was undefeatable but because no verification call was made.

https://www.eftsure.com/blog/industry-news/what-a-$36-million-whatsapp-fraud-reveals-about-approval-culture/

Forbes documented a 2019 case where the CEO of a UK energy company transferred 243,000 US dollars after receiving a phone call he believed was from the CEO of his German parent company. The voice had been cloned using artificial intelligence — and was convincing enough that the target completed the transfer without verification.

https://www.forbes.com/sites/steveweisman/2024/11/09/fbi-issues-warning-about-the-business-email-compromise/

The FBI documented an early case in which a company accountant received an email thread that appeared to be from the company's CEO, requesting an urgent wire transfer in connection with a business acquisition. The email address used was missing a single letter — the domain ended in .co rather than .com — a detail the accountant missed because the message appeared in what looked like an ongoing email thread. The funds were transferred before the fraud was discovered.

https://www.fbi.gov/news/stories/business-e-mail-compromise

Nacha reported that the FBI's IC3 2024 Annual Report identified BEC as the second highest category of financial losses in the United States that year — with close to 2.8 billion dollars lost despite being only the seventh most commonly reported category of crime. The gap between how often it is reported and how much money it takes reflects how rarely victims report it.

https://www.nacha.org/news/fbis-ic3-finds-almost-85-billion-lost-business-email-compromise-last-three-years

Word-for-Word Scripts Scammers Use

Recognising the exact language of the boss scam makes it obvious the moment it arrives.

The Classic WhatsApp Boss Script

"Hi [name], it's [boss's name]. I'm in a meeting right now and cannot talk. I need you to process an urgent payment of Rs 2,50,000 to a new vendor today. This is time-sensitive and confidential — please do not discuss it with the team. I will send you the account details now. Can you handle this?"

Why it works: Authority plus urgency plus secrecy. The three elements together override the employee's normal instinct to verify.

The Gift Card Variant

"Hey, I need a favour. I'm in a meeting and cannot use my phone for calls. Can you purchase ten gift cards worth Rs 5,000 each from the nearest store and send me the card numbers and PINs? I'll explain what it's for later. It's urgent."

Why it works: Smaller amounts feel less risky. The secrecy and urgency still prevent verification. The FBI specifically identified gift card requests as one of the most common variants of CEO fraud, with employees often purchasing and sharing codes before realising the request was fraudulent.

https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise

The New Account Script

"This is urgent. Our regular vendor has changed their bank account. Please transfer this month's payment to the new account details below instead. Do not transfer to the old account — it has been deactivated. I need this done before 3pm today."

Why it works: The NJCCIC identifies invoice fraud and fake account change requests as one of the primary methods — the criminal combines the boss's identity with an apparently routine financial process to make the transfer seem entirely normal.

https://www.cyber.nj.gov/threat-landscape/phishing-online-scams/ceo-fraud

Warning Signs Every Employee Must Know

No matter how convincing the message seems, the boss scam almost always shows the same warning signs. Share this list with everyone in your workplace.

The request comes through an unusual channel — your boss normally uses email or calls, but this request came through WhatsApp or a personal message.

The message demands urgency — it must be done today, within the hour, right now. Real financial processes almost never have no-notice same-day deadlines.

The message demands secrecy — any request that says "do not tell anyone else" or "keep this between us" is a red flag. Legitimate business transactions are not secret from colleagues.

The boss is unreachable for direct verification — a key feature of the scam is that it is timed for when the real boss cannot easily be reached by a direct call.

The request involves gift cards — no legitimate organisation ever pays suppliers, settles invoices, or reimburses expenses using gift card codes.

The payment goes to a new or unusual account — particularly if accompanied by an explanation that the regular account has changed.

The number or email address is slightly different from the real one — look carefully. A single digit change, a missing letter, or an extra character is often the only visible difference.

The message puts pressure on you not to follow normal approval processes — phrases like "skip the usual process just this once" or "we can sort out the paperwork later" are designed to bypass the controls that exist for exactly this reason.

What Businesses Can Do to Protect Themselves

The boss scam succeeds because it exploits workplace culture — the pressure employees feel to respond quickly to requests from authority figures without question. The most effective protections address this culture directly.

Establish a Verbal Verification Rule for All Transfers

Any request to transfer money — regardless of who it appears to come from or through which channel it arrives — must be verbally confirmed by a direct phone call to the known, saved number of the person requesting it before any funds are moved.

This one rule — confirmed with a voice call before any transfer — stops the boss scam entirely. The criminal cannot answer a call to the real boss's phone number.

The FBI specifically recommends using secondary channels and two-factor authentication to verify any requests for changes in account information or fund transfers.

https://www.ic3.gov/PSA/2024/PSA240911

Require Two-Person Authorisation for Transfers Above a Threshold

No single employee should be able to authorise and execute a significant financial transfer on their own. Requiring a second person to approve any transfer above a set amount creates a check that the boss scam cannot easily bypass — because the criminal would need to simultaneously impersonate two people to two different employees.

Train Every Employee Who Handles Money

The boss scam works on employees at every level — receptionists, accountants, office managers, and executives have all been successfully targeted. KnowBe4 notes that cybercriminals deliberately choose the employees most likely to transfer money without asking too many questions, which means training must reach everyone in the organisation who has access to financial processes.

https://www.knowbe4.com/ceo-fraud

Establish a Clear Policy on Unusual Requests

Create a written policy that any unusual financial request — regardless of who it comes from — can and must be verified through a separate direct call before action is taken. Employees need to know they will not be in trouble for asking for verification. The culture of fear around questioning authority is what makes this scam work.

Be Careful What You Share on Professional and Social Media

Criminals research their targets extensively before making contact. Detailed information about who handles payments, who reports to the CEO, and when executives are travelling or in meetings — all of which is often visible on company websites and professional networking profiles — gives criminals everything they need to construct a convincing attack.

The FBI specifically warns organisations to be careful about what information is shared publicly, noting that criminals use publicly available company information to identify targets and time their approach.

https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise

What to Do If You Have Already Transferred Money

Act immediately. Every minute matters. The FBI confirms that unless discovered quickly — typically within 48 hours — fraudulent transfers are extremely difficult to recover.

https://www.fbi.gov/news/stories/business-e-mail-compromise

Step 1: Call your bank immediately. Ask them to recall the transfer and contact the receiving institution. Request this as an emergency — explain it is fraud and provide the transfer details.

Step 2: Inform your manager and company immediately — do not attempt to handle this quietly. Your organisation needs to know immediately to coordinate a response and prevent further transfers.

Step 3: File a complaint with the FBI's Internet Crime Complaint Center at ic3.gov if you are in the United States.

https://www.ic3.gov

Step 4: In India, report to the National Cyber Crime Reporting Portal at cybercrime.gov.in immediately or call the National Cyber Crime Helpline on 1930. Early reporting activates a financial freeze mechanism that can intercept funds before they are moved.

https://www.cybercrime.gov.in

Step 5: File a police report. The FBI and NJCCIC both advise notifying law enforcement immediately, as coordinated action between the bank, the FBI, and local police gives the best chance of fund recovery.

https://www.cyber.nj.gov/threat-landscape/phishing-online-scams/ceo-fraud

Step 6: Do not feel ashamed or delay action out of embarrassment. This scam fools experienced professionals, business owners, and finance teams at major organisations worldwide. Acting quickly is far more important than managing how the situation looks.

Frequently Asked Questions

How do criminals know who to impersonate in my company?

They research your organisation beforehand — using your company website, social media profiles, professional networking platforms, and press coverage. The names of executives, their titles, and their relationships to other staff members are typically publicly available. Criminals look specifically for organisations where a named executive has clear authority over a named employee who handles financial transactions.

https://www.fbi.gov/news/stories/business-e-mail-compromise

My company is small. Are we still at risk?

Yes. The FBI confirms that businesses of all sizes are targeted. KnowBe4 notes that smaller businesses are often considered easier targets precisely because they are less likely to have formal verification procedures in place. The scam has been reported in all 50 US states and 186 countries.

https://www.knowbe4.com/ceo-fraud

Can voice cloning really make a caller sound like my boss?

Yes. The NJCCIC confirms that criminals can create a convincing clone of a person's voice using as little as three seconds of audio from any public recording — a voicemail greeting, a video, a podcast, or a social media clip. Forbes documented real cases in 2019 and 2020 where voice cloning was used to successfully impersonate executives and trigger wire transfers of hundreds of thousands of dollars.

https://www.forbes.com/sites/steveweisman/2024/11/09/fbi-issues-warning-about-the-business-email-compromise/

What if the WhatsApp message comes from my boss's actual number?

A message from the exact number saved in your contacts is more convincing — but the boss scam can succeed even in this case if the boss's WhatsApp account has been taken over through a SIM swap or account hijacking. The verification rule remains the same: call the person directly on their known number before transferring any money, regardless of which channel the original request came through.

Is refusing to act on my boss's message without verification going to get me in trouble?

No legitimate manager or business owner will be upset that you called to verify a request before moving company funds. Any boss who becomes angry when you say "I just want to call to confirm before I process this" is either not who they claim to be, or is themselves behaving inappropriately. A two-second verification call is standard best practice — and if your workplace does not have this culture, this article is a good reason to start building it.

How much money has the boss scam stolen globally?

According to the FBI's IC3, between October 2013 and December 2023 there were 305,033 reported incidents of Business Email Compromise internationally, with total losses of 55.4 billion dollars. In 2024 alone, reported losses in the United States reached 2.8 billion dollars — making it the second highest category of reported financial crime by value. Cybersecurity researchers note that the true scale is significantly higher, since most incidents go unreported.

https://www.ic3.gov/PSA/2024/PSA240911

Related Articles

UPI Fraud in India | CyberSafe

How to Report and Block Harassers on Social Media — A Complete Guide | CyberSafe

WhatsApp Scams — How to Spot and Avoid Them | CyberSafe

How to Identify a Phishing Email | CyberSafe

The Bottom Line

The boss scam works because it weaponises two things that most workplaces depend on: trust in authority and the pressure to act quickly without question. As the FBI, NJCCIC, and cybersecurity researchers have documented, it has caused over 55 billion dollars in losses globally — and it is growing, not shrinking, as criminals add WhatsApp messages, voice cloning, and deepfake video calls to their toolkit.

The protection is straightforward: one direct phone call to the known number of the person making the request, before any money moves. That call costs nothing and takes thirty seconds. It stops this scam completely, every time.

Build that habit into your workplace. Share this article with every colleague who handles payments or responds to financial requests. And remember — a boss who genuinely sent a legitimate request will always be fine with you calling to confirm.

Share this with your team, your colleagues, and your business owner friends. In a world where a 25-million-dollar transfer can happen because someone trusted a video call, awareness is the most powerful protection available.