Two recent incidents show how cybercriminals are quickly changing their tactics to fool even alert and well-informed people. From fake advertisements on social media to malicious files disguised as documents, and even Ponzi-style investment schemes misusing the Union finance minister’s name and photo—fraudsters are deploying increasingly sophisticated traps to steal money and personal data.
Case 1: Fake Credit Card Offer & a Malicious 'Document' File
Prasad (name changed), a senior marketing executive and frequent flyer, was looking for a new credit card that offered airport lounge access. While browsing Facebook at an airport, he came across a post claiming to be from a private bank and offering the exact card he needed. Assuming it was authentic, he responded.
The following day, someone posing as a bank representative called him and sent a 'form' on WhatsApp. Believing it to be a routine document, Prasad downloaded it and began filling in his details. Within minutes, he noticed two unauthorised transactions—each close to ₹50,000—on his other credit cards.
The form he downloaded turned out to be a malicious app (android package kit-APK) hidden inside the document. Once installed, it silently gave cybercriminals full access to his phone, including messages, one-time passcodes (OTPs), login credentials and installed apps. Using his compromised device, the fraudsters quickly made purchases on a major e-commerce platform.
Thankfully, Prasad reacted immediately. He blocked both credit cards, alerted the card issuers by email, dialled 1930 to register a cybercrime complaint and reset his phone.
Later, while reviewing the incident, we checked whether his SIM had been cloned or if call-forwarding had been activated. By removing the SIM and testing it in another phone, we confirmed that calls and SMS were functioning normally—indicating that, although his phone had been hacked, the SIM itself was not compromised or swapped.
This incident is a stark reminder that even a harmless-looking WhatsApp 'document' can actually be a dangerous app capable of taking complete control of your device.
Case 2: Senior Citizens in Bhubaneswar Tricked Using the Finance Minister’s Name
Trusting these seemingly official posts and endorsements, the two senior citizens invested ₹22,000—only to realise later that it was a complete scam and their money was gone.
They were understandably distressed and questioned why the government was not blocking such fraudulent schemes online. I explained that thousands of dubious ads, fake pages and scam accounts appear every single day, many operated by networks based outside India, making it extremely difficult for authorities to identify and block each one instantly.
But like many victims, they felt the government should protect people around the clock and even refund money lost to such scams—a reflection of the growing frustration among citizens who fall prey to manipulative social media campaigns and fabricated endorsements.
Their experience shows how even well-educated, retired high-rank officers can be misled by scams that cleverly exploit trusted public figures and official-looking online content.
The Bigger Threat: Why These Scams Work
• Fake Social Media Ads
Cybercriminals deliberately use platforms like Facebook and Instagram because many people naturally trust posts that look 'official'. Scammers copy bank logos, colours and wording so well that the ads appear genuine at first glance.
• Malicious Files Disguised as FormsFraudsters often send malware—usually android package kit (APK) files—disguised as PDFs or application forms. Since people believe they are opening a harmless document, they unknowingly install apps that can secretly access their phone and data.
• Misuse of Public Figures
Using the names and photographs of the finance minister, officials from the Reserve Bank of India (RBI), Securities and Exchange Board of India’s (SEBI) or well-known business leaders instantly gives a scam a false sense of legitimacy. Victims feel reassured when they see familiar faces, making them more likely to trust the message.
• AI Buzzword Scams
Phrases like 'Quantum AI', 'automated income', or 'AI-powered investing' are used to attract people who are curious about artificial intelligence (AI). Cybercriminals rely on these trendy buzzwords to make their schemes look modern, advanced and believable.
New Regulations Designed To Protect You
A. TRAI’s 1600-series Numbers for Banks
To reduce fraud and improve customer safety, TRAI has mandated that all banks and financial institutions -FI (registered and regulated), must contact customers only through 1600-series phone numbers.
In addition, every SMS sent by a bank or FIs must include a suffix that clearly shows the type of message:
S – Service message
T – Transaction alert
P – Promotional message
G – Government-related information
For example, JD-SBIINB-S is the official SMS header of SBI issued by Jio in the Delhi circle, and this message pertains to a specific service. For transactions, the suffix will change to JD-SBIINB-T.
If you receive a bank SMS or call that does not follow these rules, treat it as suspicious.
B. RBI’s Mandatory Shift to '.bank.in'
RBI has also directed all banks to move their official email and website domains to the '.bank.in' extension to prevent spoofing and fake websites.
For example, ‘onlinesbi.sbi’ is now ‘onlinesbi.sbi.bank.in’ (its new corporate website is ‘sbi.bank.in’) while ‘axisbank.com’ has now become ‘axis.bank.in’.
Always check the domain name before clicking links or responding to emails claiming to be from your bank. This simple step can protect you from phishing and identity theft.
How To Protect Yourself
1. Avoid engaging with credit card or loan offers advertised on Facebook, Instagram or other social media platforms. These promotions are frequently used by fraudsters to harvest personal details or push victims into scam investments.
2. Never download files sent via WhatsApp, SMS or Telegram unless you personally know the sender and are expecting the document. Criminals often disguise APK malware as PDFs or official-looking forms. So it is a safe practice to fully read the file name and if it contains ‘.apk’, the avoid downloading it.
3. Check the caller ID carefully. Genuine bank representatives are required to call from authorised 1600-series numbers. Any deviation should be treated as suspicious.
4. Inspect bank emails before responding. Official communication must increasingly come from domains ending in '.bank.in', which are harder to spoof.
5. Be extremely wary of investment schemes that use photos of Union ministers, celebrities or well-known business chiefs. Fraudsters frequently misuse public figures to appear credible.
6. Do not trust schemes that claim 'guaranteed daily income', 'Quantum’ or any other ‘AI returns' or automated platforms promising easy profits. These claims are classic red flags.
7. Use an extra layer of caution for any scheme offering returns higher than the current provident fund (PF) interest rate. Always cross-check details only through official websites—avoid relying on Google links which may lead to fake portals.
8. If you suspect your phone contains malware, remove your SIM card and test it in another device to check if there is any swapping. (In another mobile, you should be able to make and receive calls and SMS. If not, then your SIM is swapped and you need to visit your mobile services-provider and obtain a new SIM for the same number.)
9.
Report suspected fraud immediately by calling 1930, the national cybercrime helpline or use the portal national cybercrime reporting portal (NCCRP)
http://cybercrime.gov.in .
10. Back up your mobile regularly. It will come handy in case your phone has been compromised. You can then perform a full reset to eliminate malicious software and restore the device with the backup.
Cybercriminals are constantly refining their methods—whether through malware-laced documents, AI-themed Ponzi schemes or fraudulent adverts that misuse the names and photos of high-profile individuals. Your strongest defence is vigilance. If an offer appears too good to be true, it almost certainly is.
Always stay alert, verify every message or call you receive and never trust unknown online offers, no matter how 'official' they look.
Stay Alert, Stay Safe!
How To Report Cyber Fraud?
Immediately report the cybercrime incident to the National Cyber Crime Reporting Portal
http://cybercrime.gov.in or call the toll-free National Helpline number, 1930. To follow on social media: Twitter (@Cyberdost), Facebook (CyberDostI4C), Instagram (cyberdostl4C), Telegram (cyberdosti4c).
If the fraud is related to your bank account, you need to immediately send an email to the official email ID of your branch (you can find it on the bank's website or your passbook) with a copy to the bank's customer care. Even if you have called the official number for customer care, you must still send an email describing your conversation with the bank executive, along with the time, date, and duration of the call. This will be helpful if you face a liability issue with the bank.
