Brokered Session Cookie Bank Hijack Scam — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: HIGH
Brokered Session Cookie Bank Hijack Scam in India 2026: How UPI Users on WhatsApp Are at Risk
In 2026, a high-risk banking scam known as the Brokered Session Cookie Bank Hijack Scam is targeting Indian users through WhatsApp and UPI platforms, leading to unauthorized access to bank accounts and financial losses.
What Is the Brokered Session Cookie Bank Hijack Scam?
The Brokered Session Cookie Bank Hijack Scam is a sophisticated cybercrime technique aimed at stealing banking session cookies—small files that allow users to stay logged into online banking sites. These session cookies are exploited by fraudsters to hijack active banking sessions without needing the user’s login credentials again. This scam primarily targets Indian digital banking users engaged heavily with Unified Payments Interface (UPI) apps and web banking services, especially small business owners, freelancers, and everyday consumers who exchange financial information over WhatsApp or social media.
In India, where billions of transactions happen monthly via UPI, this scam poses a significant threat. Attackers typically pose as legitimate tech support or financial advisors, often initiating video calls or chat conversations, exploiting users’ trust. According to advisories from CERT-In (India’s Computer Emergency Response Team), and warnings from RBI on increasing phishing attacks via messaging apps, this scam has seen a spike in reported complaints in urban and semi-urban areas alike, stressing the urgent need for user caution.
How This Scam Works — Step by Step
1. Initial Contact: The fraudster approaches the victim through WhatsApp, social media, or targeted ads, presenting themselves as a tech support agent or financial consultant offering help with UPI or banking setup.
2. Building Trust: They may conduct a video call or chat session to appear credible, using legitimate-sounding URLs and convincing language to reduce suspicion.
3. Phishing Link: Next, they send a link that supposedly provides software updates or bank-related tools. Clicking the link downloads malware disguised as a legitimate app or update.
4. Malware Installation: The malware stealthily records browsing activity and captures session cookies from active online banking sessions. Once harvested, session cookies allow attackers to impersonate the user’s banking session.
5. Session Hijacking: Using stolen session cookies, fraudsters replay the information to access the victim’s bank account online without additional authentication.
6. Unauthorized Transactions: They initiate UPI payments or bank transfers, often in small, multiple installments to avoid immediate detection.
7. Covering Tracks: The fraudsters quickly terminate the hijacked sessions, making detection by the victim harder until the losses appear on bank statements or UPI transaction histories.
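For readers on the bank or payment-app side, the Session Hijacking and Unauthorized Transactions steps above leave a recognisable trace in server logs: one session cookie suddenly arriving from a different client, followed by a run of small debits. The sketch below is an added example, not code from BharatSecure, RBI or CERT-In; the log fields, thresholds and the function name `detect_hijack` are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real bank logs):
# (time, session id, client IP, user agent, action, amount in INR)
SAMPLE_EVENTS = [
    ("2026-01-10T10:00:00", "sess-A", "203.0.113.10", "Chrome/Android", "login", 0),
    ("2026-01-10T10:02:00", "sess-A", "203.0.113.10", "Chrome/Android", "upi_debit", 1500),
    ("2026-01-10T10:05:00", "sess-A", "198.51.100.7", "Firefox/Windows", "upi_debit", 900),
    ("2026-01-10T10:06:00", "sess-A", "198.51.100.7", "Firefox/Windows", "upi_debit", 950),
    ("2026-01-10T10:07:00", "sess-A", "198.51.100.7", "Firefox/Windows", "upi_debit", 990),
    ("2026-01-10T10:01:00", "sess-B", "192.0.2.44", "Safari/iOS", "login", 0),
    ("2026-01-10T10:09:00", "sess-B", "192.0.2.44", "Safari/iOS", "upi_debit", 200),
]

# Assumed thresholds, chosen for illustration only.
SMALL_DEBIT_INR = 1000                  # a debit below this counts as "small"
BURST_COUNT = 3                         # this many small debits ...
BURST_WINDOW = timedelta(minutes=10)    # ... inside this window is a burst


def detect_hijack(events):
    """Return {session_id: [reasons]} for sessions that look replayed."""
    bound = {}                   # session -> (ip, user agent) seen at login
    small = defaultdict(list)    # session -> times of small debits from a foreign client
    alerts = defaultdict(list)
    for ts, sid, ip, ua, action, amount in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "login":
            bound[sid] = (ip, ua)    # bind the cookie to the client that authenticated
            continue
        # A session cookie is a bearer token, so the server has to notice when
        # it arrives from a client other than the one that logged in. A session
        # with no login in the log is also treated as foreign.
        foreign = bound.get(sid) != (ip, ua)
        if foreign and "client_changed" not in alerts[sid]:
            alerts[sid].append("client_changed")
        if foreign and action == "upi_debit" and amount < SMALL_DEBIT_INR:
            recent = [t for t in small[sid] if when - t <= BURST_WINDOW] + [when]
            small[sid] = recent
            if len(recent) >= BURST_COUNT and "small_debit_burst" not in alerts[sid]:
                alerts[sid].append("small_debit_burst")
    return {sid: reasons for sid, reasons in alerts.items() if reasons}


if __name__ == "__main__":
    print(detect_hijack(SAMPLE_EVENTS))
```

Because mobile users change IP addresses legitimately, a `client_changed` signal on its own is better used to trigger re-authentication than to block the account outright.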
Real Warning Signs to Watch For
- Unexpected WhatsApp messages or calls claiming to be bank or tech support.
- Receiving links with unusual URLs that don’t match official bank or payment app domains.
- Requests to install unfamiliar software or browser extensions.
- Urgency or pressure to follow instructions immediately, especially involving banks or UPI apps.
- Notifications from your bank about login attempts or transactions you did not initiate.
- Unusual delays or errors in UPI transaction approvals.
- Multiple small debit alerts from your bank or UPI app which you don’t recognize.
What Happens to Victims
Victims of this scam often face significant financial loss as attackers extract money directly from bank accounts or UPI wallets. Unlike disputed credit card transactions, UPI payments are generally “final” and irreversible unless the payee consents, making recovery difficult in many cases. Emotional distress adds to the burden, with victims struggling to secure their online identity and financial credentials as well as dealing with the shock of losing hard-earned money.
In cases reported to the police and cybercrime cells, victims narrated issues such as unauthorized UPI payment failures, SIM swap fraud, or Aadhaar number misuse coinciding with the hijack. This multipronged attack harms not only the wallets but also long-term digital trust.
What RBI and CERT-In Say
RBI has repeatedly warned users about phishing and malware targeting UPI apps and online banking portals. Its circulars emphasize never sharing OTPs, credentials, or clicking unknown links. CERT-In acknowledges the rise of session hijacking through malware as a growing concern and advises immediate system scans and account freezes if such breaches are suspected.
For reporting cybercrime, the Government of India’s Indian Cyber Crime Coordination Centre (I4C) recommends contacting the national helpline at 1930 and filing complaints at cybercrime.gov.in. Users are also urged to use RBI's banking grievance redressal mechanisms and consult bank helplines promptly on suspicion.
How to Protect Yourself
- Only download apps or software updates from official websites or app stores.
- Do not click on links or attachments received from unknown or unexpected WhatsApp contacts.
- Verify any requests for remote access or installation help by calling your bank through official numbers.
- Regularly update your mobile OS and banking apps to the latest versions.
- Use strong, unique passwords and enable multi-factor authentication where available.
- Log out of bank accounts after every session and close browser tabs.
- Immediately report unauthorized UPI transactions to your bank and block your UPI ID if needed.
What to Do If You’ve Been Targeted
- Immediately contact your bank’s customer support and block all online banking access.
- Freeze or deactivate your UPI ID or mobile number associated with banking.
- Report the incident to the 1930 cybercrime helpline or file a complaint at cybercrime.gov.in.
- Inform your mobile operator for a SIM card block or reissue to prevent misuse.
- Change all banking-related passwords and monitor account statements closely for irregular transactions.
- Consider filing an FIR at your local cybercrime police station along with evidence like chat transcripts or screenshots.
- Run anti-malware scans on your device and avoid using compromised devices for sensitive transactions until cleaned.
Frequently Asked Questions
What is a session cookie, and why is it valuable to scammers?
Session cookies are small files used by web browsers that remember your login status on banking or UPI websites. Fraudsters steal these to hijack your current logged-in banking session without needing your username or password again.
Can UPI transactions be reversed if fraudulent?
UPI transactions are mostly immediate and irreversible once successful. Victims should contact their bank as soon as they detect fraud to try and recover funds, but prevention and prompt reporting are crucial.
How do I know if my device has malware from these phishing links?
Signs include slow device performance, unusual pop-ups, unauthorized app installations, or unfamiliar browser behaviors. Running a trusted antivirus or anti-malware app and seeking professional help can confirm infections.
If you receive suspicious messages or calls claiming to be from your bank or tech support, always verify their authenticity before responding. Visit BharatSecure.app to check for verified scam alerts, and report any fraud immediately at 1930.
Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.