Earlier this week, we were all surprised to receive a know-your-customer (KYC) update message in the name of Bank of Maharashtra (BoM) from a media friend, Sumeet (name changed), on one of our WhatsApp groups. There were two posts from Sumeet. One was about completing re-KYC through an attached portable document format (PDF) file, and the second was the attachment. After reading the message and checking the name of the attached file, I realised it was a scam and immediately deleted both messages for all, as one of the admins. I also alerted everyone not to respond or open the attached file from any message sent by Sumeet for KYC or re-KYC.

After some time, another friend met Sumeet. After discussing the issue, he called me. He told me Sumeet received the message on his WhatsApp in the name of Bank of Maharashtra (on WhatsApp, you can use any name for the account). Since he had opened his daughter's account in BoM a few days earlier, he thought it was a genuine message and opened the attached file. The file was not a PDF but an Android package kit (APK) file that is used to install apps on Android devices. The moment Sumeet opened this file, he lost access to his WhatsApp account. From his hacked account, the cybercriminals created several groups and also tried to take over groups where he was an admin. They sent a similar message for re-KYC with the APK attachment to several of his contacts. I told Sumeet to follow certain steps (check the box at the end) to recover his WhatsApp account and keep his account secure.
In the ever-evolving world of cybercrime, fraudsters are adopting increasingly sophisticated methods to deceive users and compromise their data. One alarming trend gaining traction across India and other parts of the world involves false bank KYC alerts sent via WhatsApp. These fraudulent messages often carry seemingly legitimate PDF attachments, which, in reality, are embedded with malware or links designed to hijack WhatsApp accounts and compromise sensitive information. For some attachments, cybercriminals are not even pretending to send PDFs and are directly sending APK files.
This deceptive tactic is part of a wider strategy by cybercriminals to prey on people’s trust in financial institutions and the widespread use of WhatsApp for both personal and professional communication.
Anatomy of the Scam
The scam typically begins with a WhatsApp message that appears to originate from a bank or its customer care representative. The message warns the user that their KYC is either incomplete or expired and that failure to update it will lead to account suspension or restrictions. It may also include a short deadline to provoke immediate action.
Here is the message originally received and then shared by Sumeet. It says, "URGENTLY REQUIRED:- Your Bank of Maharashtra ReKYC pending for Bank of Maharashtra CustId XXXX.Complete ReKYC Last 13.may2025.to avoid A/c blocking. Open PDF file. Immediately Thank you!"
In this case, the cybercriminals simply shared the APK file in the name of the Bank of Maharashtra. In most other cases, the attachment is usually named something like 'KYC_Update_Form.pdf' or 'Bank_Notice.pdf', which, of course, is not a genuine document. In some cases, it is a cleverly disguised APK file that contains links to phishing sites that install spyware or steal one-time passcodes (OTPs).
When unsuspecting users open the file or click the link, they inadvertently give the fraudsters access to their phone’s data, including WhatsApp. With OTPs intercepted or devices compromised, criminals can then clone or take over the user's WhatsApp account, sending out further scam messages from the hijacked number to expand their reach.
In March 2025, a 38-year-old chartered accountant (CA) from Pune received a WhatsApp message claiming to be from the 'ICICI Bank KYC team'. The message stated that unless he updated his KYC details by the end of the day, his account would be temporarily disabled.
Attached was a PDF file titled 'KYC_Update_ICICI.pdf'. On opening the file, the CA was directed to a webpage that looked identical to the bank’s official website. He entered his customer ID and phone number, following the instructions to receive an OTP.
Minutes later, he was logged out of his WhatsApp account, and his friends and clients started receiving messages from his number requesting urgent UPI payments. The fraudsters siphoned off around Rs72,000 from multiple victims before he alerted all his contacts and reactivated his WhatsApp account.
According to cybersecurity analysts, these fraudulent PDFs, .doc files (MS Word files), .zip or .rar (compressed files), and executable (.exe) files are sometimes booby-trapped with malicious scripts or serve as containers for APK files masquerading as documents. Though less common, attackers sometimes embed malicious code in images (JPEG, PNG) and audio files to exploit system vulnerabilities.
Once the user clicks on them, the malware can:
• Harvest contacts, messages, and media files
• Intercept SMS messages, including OTPs
• Install hidden apps for remote control
• Disable security features
• Hijack social media and messaging apps, including WhatsApp
Remember, malware can steal banking credentials, credit card information, and payment details, leading to unauthorised transactions. Cybercriminals can also access your personal information, such as ID proofs, phone numbers, and addresses, to commit fraud in your name.
As WhatsApp accounts are linked to mobile numbers and verified via SMS OTP, once the OTP is intercepted or a device is cloned, access can be gained remotely. From there, fraudsters can enable two-step verification on the compromised WhatsApp account, locking the legitimate user out completely.
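The mismatch described above, where an attachment is named like a document but is really an installable package, can be checked from the file's content rather than its name. The following is an added example, not part of the original article; the function names and sample bytes are constructed for illustration, with 'KYC_Update_Form.pdf' taken from the file names mentioned earlier.

```python
import io
import zipfile

# File name extension -> content type it should have.
EXPECTED = {"pdf": "pdf", "zip": "zip", "docx": "zip", "apk": "apk", "exe": "exe"}

def sniff_type(data: bytes) -> str:
    """Classify an attachment by its content, ignoring the file name."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):                      # Windows executable header
        return "exe"
    if data.startswith(b"PK\x03\x04"):              # ZIP container (APK, .zip, .docx)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        # An Android package carries its manifest at the archive root.
        return "apk" if "AndroidManifest.xml" in names else "zip"
    return "unknown"

def check_attachment(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    reasons = []
    if actual in ("apk", "exe"):
        reasons.append(f"content is installable or executable ({actual})")
    if claimed in EXPECTED and EXPECTED[claimed] != actual:
        reasons.append(f"name claims .{claimed} but content is {actual}")
    return {"claimed": claimed, "actual": actual,
            "suspicious": bool(reasons), "reasons": reasons}

def make_sample_apk() -> bytes:
    """Constructed sample: a ZIP with APK-style entries and dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"dummy manifest")
        zf.writestr("classes.dex", b"dummy code")
    return buf.getvalue()

if __name__ == "__main__":
    fake_pdf = make_sample_apk()                    # APK bytes under a .pdf name
    real_pdf = b"%PDF-1.7\n% constructed sample\n"  # constructed PDF header
    print(check_attachment("KYC_Update_Form.pdf", fake_pdf))
    print(check_attachment("statement.pdf", real_pdf))
```

A file that passes this check is not thereby safe; the check only catches the name-versus-content mismatch used in this scam.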
Not Just Banks: Other Baits Used
While bank KYC alerts are the most common bait, fraudsters are using similar tactics for:
• SIM card re-verification: Messages claiming that SIM services will be blocked unless re-verified.
• Income tax alerts: Fake notices about unverified PAN/Aadhaar details or refunds.
• Loan approval messages: Offering instant personal loans with malicious attachments.
• Insurance policy updates: Claiming urgent action is required to keep policies active.
Each of these schemes involves an element of urgency, fear, or reward—psychological triggers designed to lower your defences.
Rise in Social Engineering Scams
According to the Indian Computer Emergency Response Team (CERT-In), there has been a 17% increase in mobile-targeted phishing scams in the first quarter of 2025, compared to the same period last year. A significant portion of these is delivered through platforms like WhatsApp and Telegram, where traditional spam filters and cyber defences are often less effective.
The reason is that bank customers increasingly tend to trust messages received on WhatsApp more than they would on email. The problem is that fraudsters have realised this and are tailoring their scams accordingly.
Not surprisingly, WhatsApp has become fertile ground for these scams because of its wide user base, its lack of proper verification, and the instant credibility that familiar logos and business templates lend to a message.
1. Wide user base: With over 400 million users in India alone, the platform offers massive reach.
2. Lack of verification: Anyone can register a WhatsApp Business account and name it 'HDFC Support' or 'SBI Helpdesk'.
3. Instant credibility: The use of familiar logos, business templates, and polite language creates a false sense of authenticity.
Now we come to the most crucial question as to how we can protect our WhatsApp account from fraudsters and prevent hacking attempts.
Here are a Few Suggestions...
• Never open unknown attachments on WhatsApp, especially if they claim to be PDF, .doc, .zip, .rar, or .exe files linked to financial matters.
• Verify with the bank directly using official contact numbers or through the bank’s website or app.
• WhatsApp offers a two-step verification feature requiring a second PIN code (besides the 6-digit SMS code) to log in. Go to Settings > Account > Two-step verification > Turn on or Set up a PIN. However, remember to set a PIN that is easy to remember because if you forget it, you will have to wait for seven days before WhatsApp allows you to reset the PIN.
• Avoid downloading APK files or enabling permissions from unofficial sources.
• Enable Google Play Protect on Android devices to scan for harmful apps. You can also enable the 'App blocker' feature. Go to Settings > Security & Privacy > Auto blocker. Enable it.
• Enable two-step verification on WhatsApp, which adds an extra layer of protection beyond OTPs.
• Conduct a privacy check on WhatsApp. Go to Settings > Privacy > Privacy Checkup and select the option that you need to strengthen the privacy and security of your WhatsApp account.
• If you are an admin of a WhatsApp group and have received a similar message, then go to group info (touch three vertical dots on the right-hand top corner), open Group link and reset the group invite link. This will protect your group from being flooded by ‘unnecessary’ new members.
• Regularly check your WhatsApp Web sessions to ensure no unauthorised devices are connected. Go to Settings > Linked Devices to view and log out of sessions that you do not recognise or have not started.
• Report and block numbers that send suspicious messages.
• Educate others, especially the elderly, about such tactics.
Also, it is a good practice to turn off the auto download of any file (images, videos, or document files like a PDF) on your device. On WhatsApp, go to Settings (click on three vertical dots) > Storage and data > Media auto-download. Here, uncheck or disable downloading photos, audio, videos, and documents when using mobile data, Wi-Fi, or roaming.
Turning off media auto-download has two advantages. One, you will consume less data; two, your device will not be clogged by unnecessary messages (for example, n number of good morning and good night images or video clips!).
Cybersecurity experts also recommend installing trusted mobile security apps that can detect malware in real time and warn users about suspicious downloads or phishing links.
In response to growing fraud reports, the Reserve Bank of India (RBI) has repeatedly urged users not to respond to KYC update messages sent via unofficial channels. Meanwhile, WhatsApp says it is working closely with local authorities to detect and block accounts involved in phishing and fraud.
However, this is not enough. WhatsApp needs to implement more stringent verification mechanisms for business accounts. Even telecom operators must play a bigger role in detecting and curbing SMS and WhatsApp-based fraud.
The rise in fraudulent KYC messages on WhatsApp is a reminder that even trusted apps can be weaponised by cybercriminals. With financial losses mounting and personal data at risk, public awareness is the first line of defence. Users must adopt a cautious approach when receiving unsolicited messages, especially those involving personal finance, and take proactive steps to secure their digital lives.
Stay Alert, Stay Safe!
A few months ago, Airtel deducted Rs.25 from my Airtel Wallet saying they have created a digital debit card against my Wallet. Note that I don't have an Airtel Payment Bank Account and the Wallet came as part of their Thankless App. We are forced to install the app as Airtel nowadays don't send missed call notifications on SMS. Rather they send a link to their app.
Now below is another SMS I received from Airtel. Another way to loot people. When will this stop?
A maintenance charge of Rs.20 incl. GST will be applied on your Airtel Money Wallet as you have not used it for the last 3 months. If you do not wish to have this charge applied, simply use your wallet for any transaction before 19-May-25 Please do refer https://i.airtel.in/AIRBNK/walletTnCs or call 1800-23400 for details.