Phone Cloned, OTPs Forwarded: How Delhi Techie Lost ₹1.3 Lakh from Two Credit Cards in Cyber Scam

New Delhi: In a concerning case of cyber fraud, Nishant, an engineer from Delhi-NCR working at an MNC in Noida, lost ₹1.3 lakh after falling victim to a sophisticated hacking scam on Wednesday. The ordeal began when Nishant applied for a PNB credit card online, only to receive a call the next day from someone posing as a PNB representative, asking him to complete a video KYC (Know Your Customer) process.

The caller, who was actually a hacker, sent Nishant a link via SMS under the pretense of conducting the video KYC. When Nishant ed on the link, his phone was instantly compromised, unknowingly sharing his screen with the hacker. The situation worsened when the hacker sent an APK file that was automatically downloaded via WhatsApp, giving the hacker full control over Nishant’s device.

Realizing something was amiss, Nishant quickly disconnected the call. However, the damage had already been done. The hacker gained access to OTPs from Nishant's accounts with HSBC and IndusInd Bank, which were automatically forwarded to another number. The hacker then used these OTPs to log into various financial apps, including IndusInd Bank and Paytm, and siphoned off over ₹1.3 lakh through small transactions to platforms like Paytm, Razorpay, Lazypay, MobiKwik, and Freecharge.

"I immediately reported the fraudulent activity to the banks and got my cards blocked,” Nishant recounted. “The hacker had all my information, including that I had applied for a PNB card, and even knew my parents' names. This convinced me he was a genuine employee. But as soon as he asked for video KYC on Google Meet, I suspected something was wrong. Unfortunately, by the time I realized it was a scam, it was too late.”

In a panic, Nishant and his wife spent hours trying to report the fraud by calling the government's cyber crime helpline at 1930, but they were unable to connect as all representatives were busy. The online portal, cybercrime.gov.in, also failed to load initially. Desperate, Nishant went to the cyber police station in Dwarka, Sector 17, where he was able to file a complaint after a long wait. However, the police advised him to keep trying to report the issue on the helpline. It wasn't until 1 AM that their call to 1930 finally connected.

Expert Advice on Preventing Cyber Fraud

In response to this alarming incident, Republic spoke with Nishikant Ojha, a cyber security expert, to gather advice on how individuals can protect themselves from such scams and what steps to take if they become victims.

“These types of attacks are categorized under financial fraud, where hackers use APK files—application files for Android devices. These files are often sent via SMS or WhatsApp and are encrypted to avoid detection. Once the APK file is downloaded, it compromises the device, giving hackers control over the operating system and access to personal data, including financial credentials,” Ojha explained.

Ojha emphasized the need for vigilance when receiving unsolicited messages or links, especially those claiming urgency or offering incentives. “The APK fraud scheme often starts with messages that seem harmless but are actually loaded with malware. Once the link is ed, the malware is installed, and hackers can mirror your phone, intercept OTPs, and even make transactions without your direct authorization.”

Precautions to Take:

• Enable Two-Factor Authentication: Always use two-factor authentication (2FA) for banking apps and other sensitive accounts.
• Install Ad Blockers: These can prevent pop-ups that may carry malicious links.
• Use Anti-Virus Software: Ensure that your phone has robust anti-virus protection to detect and block potential threats.
• Be Cautious with Links: Never on links from unknown sources, especially those received via SMS or social media.
• Monitor OTPs: If you receive an OTP without initiating a transaction, be immediately alert and report it to your bank.

Steps to Take After Being Scammed:

• Switch Off Your Phone: This can help break the hacker’s access to your device.
• Uninstall Suspicious Apps: Check for and remove any apps that you did not install.
• Report to Law Enforcement: File a complaint with the cybercrime cell and provide all relevant details.
• Contact Customer Support: Immediately notify your bank and request them to block any further transactions.

Ojha also stressed the need for banks to adopt more secure transaction methods and AI-based algorithms to detect and prevent fraudulent activities. “Banks often place the responsibility on the customer, arguing that they installed the malicious software. However, with advancements in hacking techniques, banks need to recognize that traditional OTP-based security is no longer foolproof. They should take proactive measures to safeguard customer funds and ensure that transactions are thoroughly vetted.”

Do Victims Get Refunded? Who Is Liable?

"In some cases, banks may refund stolen money if they are proven to be at fault, but quick action is crucial. Reporting the fraud within half an hour of the incident significantly increases the chances of recovering the funds, as banks can freeze the transactions for further investigation," the cyber security expert, Nishikant Ojha said.