On a busy office day, Sushmita, a corporate executive, received an email in the name of her bank, asking her to update her know-your-customer (KYC) details immediately. It asked her to use a link provided in the email, or else her account would be blocked. Without giving it much thought, Sushmita clicked the link which opened a page with an online form. The page looked exactly like her bank website pages. To complete the 'required' KYC, she filled out the form by providing personal details such as name, bank account number, Aadhaar and registered email ID and mobile number. The form also prompted her to enter one-time passcodes (OTPs) received on her phone and email — a step common in legitimate banking procedures. Minutes after submitting the form, unauthorised transactions began withdrawing funds from her account.
Sushmita’s experience mirrors a growing number of cases where victims are lured through phishing emails and defrauded after sharing sensitive personal and financial information on fake websites.
This is a dual-layered attack: social engineering through alarming messages, followed by a fraudulent form designed to extract sensitive data under the guise of regulatory compliance.
According to Avast's Q1 Gen Threat Report, online threats have become increasingly sophisticated, and phishing attacks are no exception. "Among the many tactics cybercriminals deploy, developing phishing campaigns by mimicking well-known companies and duplicating their online forms has emerged as a quick, cost-effective, and deceptively simple method for stealing sensitive user information. The alarming rise in the success of these campaigns speaks volumes about how cybercriminals are exploiting weaknesses in both technology and human trust."
In today’s digital landscape, where convenience and connectivity define our interactions, online forms have become an integral part of everyday life. Whether it is booking a doctor’s appointment, signing up for newsletters, or applying for jobs, we constantly submit personal data via web-based forms. But this convenience has also created a fertile ground for cybercriminals. Fraudsters are increasingly creating fake online forms to steal sensitive information, ranging from names, addresses and phone numbers to banking credentials and identity-proof documents.
This form of cybercrime is surging, often integrated with phishing campaigns that mimic trusted brands to trick users into sharing data. These scams are becoming more sophisticated and harder to detect, posing a significant risk to individual privacy and digital security.
Let us first understand how fake online forms work.
Fake online forms are essentially spoofed versions of legitimate web forms. These forms are often hosted on lookalike websites and pages or embedded within phishing emails, social media messages, or mobile applications.
Phishing through online forms takes advantage of tools like website builders and dynamic DNS (DDNS) services to create fake login or data submission pages that appear genuine.
These forms are designed to harvest data such as full names, email addresses, mobile numbers, Aadhaar, permanent account number (PAN), bank account or credit and debit card details and login credentials for financial transactions such as username and password.
These forms may appear genuine, using logos and branding from well-known organisations, even copying layouts from legitimate sites. Once the user submits her information, it is transmitted to a server controlled by cybercriminals, who can then use it for identity theft, financial fraud, or to launch further targeted attacks.
According to Avast, online website builders, like Weebly and Wix, are popular tools for creating websites without coding skills. "Their accessibility and user-friendly drag-and-drop interfaces make them appealing not only to legitimate users but also to cybercriminals."
Phishing and brand impersonation play a crucial role in the proliferation of fake online forms. These scams are meticulously crafted to mimic emails or websites of trusted brands—banks, telecom operators, government agencies, or popular e-commerce platforms.
A typical phishing message may include:
• Professional branding and logos
• Urgent messaging (like 'your account has been suspended' and 'claim your reward')
• Links that lead to counterfeit websites with forms. For example, SBIbank.weebly.com or updatefacebook.weebly.com.
Further, cybercriminals often purchase lookalike domains (like amaz0n.in or facebok.com) and use HTTPS to lend legitimacy to them. When a user clicks on the provided link and lands on the fake page, they are less likely to detect the fraud, especially if distracted by urgency or fear tactics.
"Some phishing pages are shockingly sophisticated, closely mimicking the legitimate login forms of major companies or institutions. Others are poorly constructed, with red flags like inconsistent layouts, mismatched fonts, or visible passwords. However, even low-effort phishing pages can succeed because they are often hosted on trusted domains, making them harder for filters to detect," Avast says.
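The two link patterns described above, a brand name used as a subdomain of a free website builder and a near-miss spelling of a real domain, can be checked mechanically before a link is trusted. The following is an added example, not code from Avast or from this article; the official-domain list (including onlinesbi.sbi), the builder hosting suffixes and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed sample data for illustration: brand keyword -> official domain.
OFFICIAL = {"amazon": "amazon.in", "facebook": "facebook.com", "sbi": "onlinesbi.sbi"}
# Assumed hosting suffixes for the website builders named in the article.
BUILDER_SUFFIXES = (".weebly.com", ".wixsite.com")
# Digits commonly swapped in for letters (amaz0n -> amazon).
HOMOGLYPHS = str.maketrans("0135", "oles")


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, official_domain_or_None) for a link."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    for domain in OFFICIAL.values():
        if host == domain or host.endswith("." + domain):
            return ("official", domain)
    # Simplification: the registered domain is taken as the last two labels
    # (no public-suffix list), with digit swaps undone before comparison.
    registered = ".".join(host.split(".")[-2:]).translate(HOMOGLYPHS)
    subdomain = host.rsplit(".", 2)[0]
    for brand, domain in OFFICIAL.items():
        # Brand name used as a subdomain of a free website builder.
        if host.endswith(BUILDER_SUFFIXES) and brand in subdomain:
            return ("brand-on-builder", domain)
        # Domain within one edit of the official one: a lookalike.
        if edit_distance(registered, domain) <= 1:
            return ("lookalike", domain)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links, built from the examples quoted in the article.
    for link in ("https://SBIbank.weebly.com/kyc", "http://amaz0n.in", "facebok.com"):
        print(link, classify(link))
```

An "unknown" verdict only means the link matched neither pattern; it is not a statement that the site is safe.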
Over the years, cybersecurity researchers have been uncovering large phishing campaigns in India. In some cases, victims were directed to a fake Aadhaar update portal which captured scanned ID documents, email addresses and mobile numbers. This data was later sold on the dark web and used to create forged identity cards for financial fraud, reports say.
In March this year, artificial intelligence (AI)-based threat intelligence company CloudSEK's investigation revealed how 'PrintSteal', a highly organised criminal network, was running over 1,800 fake domains, impersonating government websites, and using cyber cafes, Telegram groups, and illicit APIs to distribute fraudulent KYC documents.
"A critical element in the PrintSteal operation's success is its use of deceptive QR codes to enhance the credibility of fraudulent documents. These QR codes, generated using the legitimate api.qrserver.com service, are embedded within the fraudulent documents (Aadhaar cards, birth certificates, death certificates). However, instead of linking to official government verification websites, these QR codes direct users to counterfeit URLs designed to mimic legitimate verification pages," CloudSEK says.
The example above shows how and where personal and financial details shared via fake online forms could end up.
The question, therefore, is how and why fake online forms work.
Several psychological and technical factors make fake online forms highly effective. These include:
• Urgency and fear: Users are often tricked into acting quickly due to fear of losing access to an account or missing out on a reward.
• Trust in brand appearance: A familiar logo and layout create a false sense of security.
• Lack of technical awareness: Many users, especially the elderly or digitally untrained, do not verify URLs or SSL certificates.
• Mobile vulnerabilities: On smartphones, it is harder to verify URLs or identify suspicious design elements, increasing the risk.
Fake online forms are distributed through various channels, such as:
• Email: Classic phishing messages with embedded form links or HTML forms.
• SMS and WhatsApp: Messages pretending to be from banks or delivery services.
• Social media ads: Fraudulent job applications or survey forms offering cash rewards.
• Search engine ads: Paid ads leading to cloned websites with fake forms.
• Fake apps: Android APKs that simulate government portals or service providers.
The CloudSEK investigation shared above shows the extreme consequences of falling for fake online forms.
For a common user, the aftermath of submitting data to a fake form can be devastating. The victim may suffer:
• Financial loss: Fraudsters use banking information and OTPs to drain funds.
• Identity theft: Aadhaar, PAN, and other personal data can be misused to open fraudulent accounts or commit crimes.
• Loss of privacy: Sensitive information can be posted online or sold on the dark web.
• Targeted attacks: Stolen data can be used to create more convincing scams in the future.
This brings us to the most important question about how users can protect themselves from becoming a victim of fake online forms.
Here are a few suggestions...
1. Verify the source
Always double-check the source of a message or form. Never click on links received from unknown senders. If you receive a form link claiming to be from your bank, go directly to the official website or call customer support.
2. Inspect the URL
Look closely at the website address. Watch for misspellings, extra characters, or incorrect domains (e.g., .net instead of .com). Legitimate government and bank websites generally use secure (HTTPS) connections and known domain names. For example, the State Bank of India (SBI), the country's largest lender, uses .sbi, a generic top-level domain (gTLD), for online banking. The Reserve Bank of India (RBI), the banking regulator, has asked all banks in the country to use an exclusive domain, bank.in, to curb phishing attacks and online impersonation.
3. Avoid sharing sensitive data via links
Legitimate companies and financial institutions, including banks, rarely ask for personal data or credentials through email, SMS, or online forms. Be suspicious of any form requesting Aadhaar numbers, OTPs, or passwords.
4. Use multi-factor authentication (MFA)
Enable MFA on all accounts, especially financial ones. Even if your password is compromised, an additional authentication mechanism can prevent misuse of your account.
5. Educate yourself and others
Awareness is key. Stay updated about the latest scams and share information with friends and family, especially those less tech-savvy.
6. Use security tools
Install good antivirus and anti-phishing browser extensions. They can warn you if you land on a malicious site.
7. Report suspicious forms
Report fake websites and forms to CERT-In, your bank, or the platform where you found the link (e.g., Google, Facebook). Quick reporting helps in taking down fraudulent pages.
The use of fake online forms to steal personal data is a rapidly growing menace in the digital world. With cybercriminals deploying increasingly convincing techniques that mimic trusted brands and institutions, even the most cautious users can fall victim. However, awareness, vigilance and the right digital hygiene practices can provide a strong defence against such scams.
For every form you fill out online, ask yourself: Is this request genuine?
A few seconds of verification can save you from months of financial distress, identity theft and emotional trauma.
Remember, in the digital age, your data is your identity—guard it with utmost care.
Stay Alert, Stay Safe!