Messages Of Free Diwali Gift Can Empty Your Bank Account, Steal Your Sensitive Details!

The Indian Computer Emergency Response Team (CERT-In) has warned online shoppers of a scam in which the victim is promised gifts and prizes, including money.

Messages Of Free Diwali Gift Can Empty Your Bank Account, Steal Your Sensitive Details!


In short

Sensitive details such as bank account details, passwords and OTPs are then stolen by Chinese websites that the scammers lead users to.

“Fake messages are in circulation on various social media platforms (WhatsApp, Telegram, Instagram, etc), that falsely claim a festive offer luring users into gift links and prizes,” an October 18 advisory by CERT-In said.

“The threat actor is mostly targeting women and asking to share the links among peers over WhatsApp/Telegram/Instagram accounts,” it added.

How it works

The victim receives a message with a link to a website modeled after websites of popular brands.

It could come from other victims who have been asked to share the link with their friends and family.

Many of the fake websites have Chinese (.cn) domains.

Other extensions include, .top and .xyz.

Once a user clicks on the link, they are first greeted by a false “Congratulations” message.

The user is then asked to fill up a questionnaire.

After this, they are asked to select a “gift” from a set of items.

What happens next

Once that is done, they get another false “Congratulations” message which asks them to share the message with others on WhatsApp or other social media platforms in order to claim the prize.

The users are then scammed out of sensitive information like personal details, bank account details, passwords, OTPs.

The attackers may also use the data for adware and other adversarial purposes.

Advice to the public

CERT-In urged users to not browse untrusted websites or click on un-trusted links even if it appears legitimate.

Only click on URLS that clearly indicate the website domain.

“When in doubt, users can search for the organization’s website directly using search engines to ensure that the websites they visited are legitimate,” the agency recommended.

The domain name should always be checked.

How one can stay safe

Even if you end up clicking on the link, you should never reveal your personal data.

Keep in mind that legitimate organizations would never ask for login credentials or credit card information by email or SMS or through questionnaires.

People are also advised to keep their personal information private and to not share it unless it is with legitimate websites.

Since such attacks typically involve fraudulent financial transactions, set transfer limits for UPI and other transactions through your bank in order to reduce any exposure you could have.

Comments are closed, but trackbacks and pingbacks are open.

who's online