Executive Summary
Festive season is a business making opportunity for both good and bad. During the 2024 Diwali celebration, CloudSEK’s Threat Research team has observed a rise in online scams and phishing attacks targeting Indian consumers. Scammers are exploiting the festive season’s surge in online shopping and the public’s enthusiasm for discounts to trick users into revealing personal information and making payments on fake platforms. These scams include fake e-commerce sites, fraudulent job offers, firecracker sales scams, and pages impersonating well-known brands. Such scams pose significant financial and data privacy risks to unsuspecting users.
This report tries to classify and raise awareness about the type of scams in the market during festivities.
Trending online scams amidst Diwali celebration
CloudSEK's Threat Research team has been actively monitoring online scams that are on the rise during the festive season and has noted down the top trending scams targeting Indian citizens during Diwali.
E-commerce Scams
During Diwali, e-commerce scams become increasingly common as scammers take advantage of the high volume of online shopping and the festive season's attractive discounts. These scams often involve fake websites or social media ads impersonating well-known e-commerce brands and promoting “too-good-to-be-true” deals on popular items, like electronics, home appliances, and festival essentials.
Modus Operandi:
- Fake Discounts and Deals: Scammers create fraudulent websites or ads offering products at deep discounts, sometimes more than 50% off. These sites look similar to reputable brands, luring users into believing they’re making purchases from trusted sources.
- Phishing for Personal Information: When users add items to their cart, these fake sites prompt them to enter sensitive information, including phone numbers, addresses, and sometimes even payment details. Some may request users to "sign up" or "register," collecting even more personal data.
- Payment Traps: Users are often directed to payment pages where they’re asked to transfer money directly via bank account details, UPI, or QR codes, which is unusual for genuine e-commerce sites that typically offer secure payment gateways.
- Non-Delivery of Goods: After payment, the scammers vanish, leaving users without the purchased items. There’s no customer service or refund option, making it impossible for victims to recover their money.
Victims not only lose money but also risk exposing their personal information, which can be misused for further scams, identity theft, or unauthorized access to financial accounts.
Job Scams
In addition to e-commerce scams, job scams are increasingly targeting individuals during the festive season. Scammers exploit job seekers’ desire for stability by impersonating trusted entities like government service centers, using deception to gather personal data.
Modus Operandi:
- Impersonation of CSC: Scammers create fake websites mimicking the official Common Service Center (CSC) website, a well-known provider of government and employment services.
- Fake Job Listings: These fraudulent sites advertise various job opportunities, enticing users with promises of stable employment, especially targeting individuals actively seeking jobs.
- Phishing for Personal Data: Users are prompted to register for jobs by submitting personal information, including full names, phone numbers, addresses, and sometimes financial details, under the guise of “job registration” or “profile verification.”
- Data Misuse: The information gathered is often used for identity theft or sold on the dark web. Scammers may also launch additional scams targeting these individuals, who are now known to be job seekers.
- Further Fraud Attempts: Collected information allows scammers to target victims with subsequent schemes, potentially leading to financial fraud, unauthorized transactions, or identity-related crimes.
Firecracker Scams
During the Diwali season, scammers have launched multiple fake websites advertising discounted firecrackers, capitalizing on the festive demand. These websites claim to offer over 50% off on firecrackers as part of a Diwali sale, luring users with seemingly attractive deals.
Modus Operandi:
- Fake Discounts: Fraudulent sites advertise massive discounts on firecrackers, drawing attention through promotions and social media ads to create a sense of urgency.
- Payment Traps: Once users add items to their cart, they are directed to a payment page where bank account details or QR codes are displayed, often requiring direct bank transfers, which genuine e-commerce sites typically avoid.
- Immediate Disappearance: After payment is made, the scammers disappear, leaving no customer service or refund options.
Victims of these scams lose money with no chance of receiving their purchases. Additionally, they risk exposing personal information, potentially leading to further scams, identity theft, or unauthorized financial transactions.
Fake Firecracker scam pages advertising diwali offer on crackers
Payment details on a fake firecracker scam websites asking user to send money through QR or direct bank deposits
AD to Brag scams
We have also seen recently registered fake websites impersonating major Indian e-commerce companies. One such deceptive site, called "AD to Brag," claims to allow users to "brag" about products they've purchased during the Diwali sale by sharing with friends. By mimicking the legitimate brand, this scam leverages a social sharing concept to entice users into providing sensitive information.
Modus Operandi:
- Impersonation of E-commerce Brand: The fake site replicates the branding and appearance of a well-known company, making it appear legitimate.
- Fake Social Feature: The site encourages users to share purchases by entering friends’ phone numbers, choosing products, and creating personalized messages or posters.
- Phishing for Contact Information: By asking users to input phone numbers of friends and family, the site collects a wide range of contact details under the guise of a fun sharing feature.
Victims risk exposing both their own and their friends' personal contact information. This data can be misused for further scams, including phishing attacks and privacy invasions, as scammers may leverage these numbers to conduct targeted campaigns or sell them to other malicious actors.
We have also noticed fake pages impersonating popular mobile brand in India, collecting phone numbers and IMEI numbers, poses significant risks:
- Device Tracking & Surveillance: IMEI and phone numbers allow scammers to monitor users’ locations and activity.
- SIM Swap Attacks: With both details, attackers could attempt SIM swaps, gaining unauthorized access to accounts linked to the phone number, like banking apps.
- Phishing & Device Cloning: Scammers can target users with personalized phishing, potentially clone devices, or sell data on the dark web for further fraudulent activities.
Table: Recently Registered Fake Site impersonating a major mobile brand
In addition to the Diwali-related scams highlighted above, several other scams are actively targeting users across various platforms. These scams are not specific to the festival season but continue to trend due to their widespread impact. They include:
- Fake Donation or Charity Scams: Scammers set up fake websites or social media posts claiming donations will go to the needy, preying on individuals' desire to help.
- Lottery Scams: Users are prompted to pay a fee to claim a “prize” from a fake lottery.
- Gift Card Scams: Fraudulent pages offer gift cards, collecting both personal and financial data under the guise of claiming rewards.
- Investment Scams: Victims are lured into fraudulent investment opportunities, often involving fake stock or cryptocurrency schemes.
- Digital Arrest Scams: Scammers impersonate law enforcement officers, contacting victims with threats of arrest or legal action. They pressure victims into providing personal data and often demand immediate payment to "settle" the issue, leading to potential financial fraud and identity theft.
- Delivery and Courier Scams: Scammers impersonate courier services like FedEx, notifying victims of “delivery issues” and requesting sensitive data to resolve them. Victims are often asked to pay additional fees, resulting in financial loss along with compromised personal information.
- Loan Scams: Users are promised quick loans in exchange for an upfront fee, with no actual loan provided.
- Credit Card Scams: Scammers impersonate bank representatives, offering credit card services or support. They frequently circulate malicious apps (APKs) that, once installed, steal credit card details, leading to unauthorized transactions and financial loss.
- Telecom Scams: Users receive calls from scammers posing as telecom providers, claiming suspicious activity on their SIM cards to obtain personal data.
These scams collectively contribute to a high risk environment for users, underscoring the need for heightened vigilance.
Impact
- Financial Losses: Victims lose money by making payments on fake platforms, with no chance of receiving purchased items.
- Data Privacy Breaches: Scammers collect personal information, including phone numbers, addresses, and IMEI numbers, which may be misused or sold.
- Phishing and Identity Theft: Harvested data increases the risk of targeted phishing, and potential identity theft.
- Device Security Risks: Collected IMEI numbers enable device tracking and possible cloning, further compromising users' security.
Recommendation
- Verify Authenticity of Websites: Always use official websites or apps of well-known brands. Avoid clicking on links from unknown sources, as these can lead to fake sites. Look for red flags like unusual URLs, poor-quality content, or requests for unnecessary personal details.
- Avoid Direct Bank Transfers: Only pay through secure payment options provided by trusted platforms. Be cautious if a site asks you to transfer money directly to a bank account or through a QR code, as these are not typical for reliable e-commerce sites.
- Limit Personal Information Sharing: Only share essential information on verified websites. Avoid giving out excessive details like phone numbers, addresses, or ID numbers on sites that seem suspicious.
- Enable Security Features: Protect your accounts by using strong passwords and enabling two-factor authentication (2FA) to prevent unauthorized access.
- Report Suspicious Sites: If you come across a site that looks fake, report it to relevant authorities or the platform itself. This helps prevent others from falling victim to the same scam.
- Educate Your Close Ones: Share these safety tips with family and friends to help them avoid falling for online scams. Explain how to spot red flags, verify websites, and protect their personal information, so everyone can enjoy a safer shopping experience during the festive season.
References