This post raises awareness of the real phishing and smishing scams that fraudsters use to steal valuables from ordinary people. Losses to scams have been rising globally: citizens have lost almost $1.03 trillion to scams or identity theft in the past year, according to the latest stats from the Global Anti-Scam Alliance and ScamAdviser.
Scam #1: Bank Loan Scam
- The user (victim) gets a message on mobile saying:
“Your Axis/HDFC/ICICI/HSBC Bank account will become inoperative tomorrow on account of not linking PAN and Aadhar. Click on this link. Click here to link now.”
- The user (victim) clicks on the link, which takes him to the bank website, and enters his login credentials and OTP.
- The user (victim) gets a loan of INR 500,000 credited to his account in his name, which he never applied for. This is a small online loan that the bank can disburse on an online application alone.
- An attempt is then made to transfer the INR 500,000 to another bank account. A person impersonating an Axis Bank employee calls the user and says there has been an incorrect transfer of a loan: "You have received an OTP now. If you give us that OTP, we will take the loan back." If the user does not give the OTP, the caller says that this is a very high-interest loan that the bank needs to revoke urgently, or else paying the interest and principal will be a great burden on the user.
- The user (victim), afraid of being saddled with the loan, gives the OTP, only to realize that the 5 lakh rupees have been transferred to another account. The user is now left with a loan and EMI for the next 10 years.
Scam #2: Fake Electricity Bill
- The user (victim) gets a message on mobile saying:
“Your electricity bill is overdue beyond the due date. The connection will be disconnected by today evening on account of no payment. Please contact xxxxxxxx for assistance.”
- The user (victim), worried and anxious, calls the number mentioned in the message. The call is answered by someone who pretends to be from the Electricity Department of the state concerned. He says that since the payment is overdue, it will not be reflected if paid online, and asks the victim to pay Rs. 200 immediately, saying it is the minimum payment to stop the disconnection. He then sends a new link for this payment.
- The victim, who could be in an office meeting or busy with something, is suddenly worried and might click on the link to avoid the hassle and clear the problem. Little does he know that he is falling prey to a phishing scam.
- It does not stop there. The victim then gets a message saying that the payment has not been reflected against the electricity bill and will be refunded in 3 working days. The message says to either pay manually or download their latest app (a link to the app is included).
- This app is a remote access application through which the fraudster gains access and obtains private information about the victim. The victim only realizes later that his money has been transferred to an unknown account.
Scam #3: The Venmo Overpayment Scam
- When a phone with a Venmo account on it is lost, the attacker uses it to transfer some money to your account.
- He then messages you, saying that he accidentally transferred the money to your phone number instead of someone else's, and asks you to send the money back to him.
- He cashes out or uses the Venmo money.
- Later, you'll discover that Venmo has also taken back from you the money he transferred, because it came from a stolen phone or hacked Venmo account.
Scam #4: The Education Fees Scam
- The attacker posts an attractive course online.
- When someone applies, they collect all the applicant's personal information, and a few days later they tell you that you have been selected for the course.
- Later, they ask for a small fee, like $100, as a Booking Fee, Onboarding Fee or Initiation Charge to send you the Onboarding Booklet and Course Books.
- Once you pay that, all communication stops.
Scam #5: The Lucky Draw or Lottery Scam
- Based on the victim's social media, the scammer learns the victim's behavior and that they went to a theme park last week.
- The victim gets a call from someone claiming to be calling from the theme park. The caller says that you are one of the lucky 50 people (out of the 40,000 people who visited the theme park last month) who have a chance to win a $10,000 holiday in Las Vegas or Hawaii.
- The victim gets all excited and starts to dream about packed bags and bikini bodies. Just then, the telecaller says the holiday tickets are ready and asks who the travelers will be, and so on.
- At the end of the conversation, the caller says that this is a high-ticket prize and it has to be availed (which idiot will not avail it, if it is real). So, in order to be sure that you will avail it, you have to make a token payment of $100 to show your seriousness and commitment. The caller adds that this will also help them send the tickets by speed post so that you get them by tomorrow. They may also take your credit card details, saying that they will not charge the card if you avail the holiday.
- Once you pay that money, they vanish.
Scam #6: The Lost iPhone Scam
- The scammer comes up to your car saying that she has lost her iPhone. She looks for the lost iPhone on another iPhone and says it is showing as inside your car.
- At that point you'll be puzzled about what exactly she is telling you: is the phone under the car or inside the car?
- The point here is: the lost phone is in her bag. So when she checks for the lost phone on the other phone, it obviously shows as near your car. Find My iPhone is accurate up to 30 meters.
- Once you open the car, they may do anything. Typically, this is done by two people.
Scam #7: Photodeposit of Cheque Scam
- A lender is involved in giving you a loan. These could typically be shadow loans, that is, loan-shark loans.
- After all the documentation is done, the lender shows you the cheque for the loan.
- However, he says he needs to photodeposit it and therefore needs your login and password to do so in your account.
Lessons from the above Real Phishing Scams
Lesson #1: Just don’t share anything with anyone ever.
Lesson #2: Never click on any links (always type the URL, or go to Google and get to your banking website from there).
Lesson #3: When something is being rushed, don't trust it.
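The lessons above can be turned into a simple screening check for incoming messages. The following is an added example, not part of the original post: it flags a message when a pressure cue (a deadline or a threat of losing service) appears together with a requested action (a link, a callback number, or a request for a secret). The cue patterns are illustrative assumptions, the two scam texts are the ones quoted in Scam #1 and Scam #2, and the two benign texts are constructed.

```python
import re

# Cue patterns are illustrative assumptions drawn from the messages quoted on
# this page; they are not a vetted spam filter.
CUES = {
    "urgency": re.compile(
        r"\b(today|tomorrow|tonight|immediately|urgent(ly)?|within \d+ (hours?|minutes?))\b", re.I),
    "threat": re.compile(
        r"\b(inoperative|disconnected|blocked|suspended|deactivated|overdue)\b", re.I),
    "link_or_callback": re.compile(
        r"(https?://\S+|\bclick (on|here)\b|\b(contact|call)\s+[x\d][x\d\s-]{6,})", re.I),
    "secret_request": re.compile(r"\b(otp|password|pin|cvv|login)\b", re.I),
}

def assess(message: str) -> dict:
    """Return the cues found and whether pressure and a requested action co-occur."""
    hits = sorted(name for name, rx in CUES.items() if rx.search(message))
    pressure = {"urgency", "threat"} & set(hits)               # Lesson #3
    action = {"link_or_callback", "secret_request"} & set(hits)  # Lessons #1, #2
    return {"cues": hits, "suspicious": bool(pressure and action)}

# Messages quoted in Scam #1 and Scam #2 above.
SCAM_BANK = ("Your Axis/HDFC/ICICI/HSBC Bank account will become inoperative "
             "tomorrow on account of not linking PAN and Aadhar. "
             "Click on this link. Click here to link now.")
SCAM_BILL = ("Your electricity bill is overdue beyond the due date. The connection "
             "will be disconnected by today evening on account of no payment. "
             "Please contact xxxxxxxx for assistance.")
# Constructed benign messages for contrast.
BENIGN_OTP = "Your OTP is 123456. Do not share it with anyone."
BENIGN_BILL = "Your electricity bill for March is ready. Amount: Rs. 1,240. Due date: 15 April."

if __name__ == "__main__":
    for label, text in [("bank", SCAM_BANK), ("bill", SCAM_BILL),
                        ("otp", BENIGN_OTP), ("statement", BENIGN_BILL)]:
        print(label, assess(text))
```

A message that only mentions an OTP, with no deadline or threat, is not flagged; the flag depends on pressure and action appearing together.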
In our Ethical Hacking course, we cover in extensive detail the various phishing scams that people may be vulnerable to, and we build awareness of various aspects of cybersecurity and vigilance for kids and teenagers. It is very important for all of us to be educated on this subject and to take responsibility for increasing awareness of such incidents and scams.
Hope this is useful, thank you.