Cracked in under a minute: (nearly) every other password — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 22, 2026

Severity: CRITICAL | View Full Scam Details

Cracked in Under a Minute: Nearly Every Other Password Scam in India 2026 — A Critical Phishing Alert

Millions of Indians are at risk as cybercriminals target reused passwords to hack personal accounts in under a minute, causing severe financial and privacy damage.

What Is the Cracked in Under a Minute: Nearly Every Other Password Scam?

This scam exploits one of the most common online security mistakes among Indian internet users—password reuse. Cybercriminals send phishing messages, often via WhatsApp or social media, pretending to be trusted contacts or official organizations. Once victims click on malicious links and enter their login details, scammers harvest these credentials. Because many Indians reuse passwords for multiple apps—ranging from UPI-enabled payment wallets to Aadhaar-linked services—hackers quickly gain access to numerous accounts.

The scale of this scam in India is alarming. According to CERT-In (Indian Computer Emergency Response Team) reports, phishing attacks targeting mobile users increased by nearly 40% in 2025, with many resulting in immediate account takeovers. The Indian government’s I4C (Integrated Cyber Crime Prevention Centre) has issued advisories warning citizens to avoid clicking suspicious links, particularly those related to banking or government IPLC messages. RBI has also urged users to create unique, strong passwords for UPI apps and avoid sharing OTPs or passwords with anyone.

Given India’s huge population relying on digital payments and mobile apps, this form of phishing—where attackers “crack” accounts in under a minute—is a significant threat to everyday users.

How This Scam Works — Step by Step

1. Initial Contact via WhatsApp or Social Media: The victim receives a seemingly genuine message from a known contact or a fake official account. Example: “Your Aadhaar verification is pending. Click here to update.”

2. Link to a Fake Phishing Website: The message contains a link redirecting to a fraudulent site mimicking official government, banking, or UPI app login pages.

3. Credential Theft: When the victim inputs their login details—often passwords or OTPs—the scammers instantly capture them.

4. Password Reuse Exploited: Using these stolen credentials, attackers try to access other services where the victim reuses the same password.

5. Account Takeover and Money Theft: Criminals quickly log in to UPI apps, bank accounts, or wallets linked to Aadhaar and initiate unauthorized money transfers, often exploiting India's instant payment systems to drain funds immediately.

6. Covering Tracks: Some fraudsters then conduct SIM swaps, taking control of the victim’s phone number to intercept future OTPs or communication, making recovery difficult.

Real Warning Signs to Watch For

• Unexpected Messages Urging Immediate Action: Messages pressuring you to click links “immediately” to avoid account suspension or to complete verification.
• Links with Misspelled or Strange URLs: Websites not matching official government/UIP/bank domain names (e.g., www.rbl-bank.insteadofrblbank.com).
• Requests for Passwords or OTPs: Legitimate organizations like RBI or UPI apps never ask you to share passwords or OTPs via WhatsApp or SMS.
• Poor Language or Grammar: Many phishing messages contain spelling errors or awkward phrasing.
• Promises of Prizes or Cashback for Quick Verification: Scammers lure victims by offering unrealistic rewards.
• Repeated Messages from Unknown Contacts: Receiving the same message multiple times from unfamiliar numbers.
• Simultaneous Login Alerts from Different Devices: Sudden alerts about logins on devices or locations you don’t recognize.

What Happens to Victims

Victims often suffer immediate financial loss as hackers exploit the speed of India’s UPI system and immediate fund transfers. ₹10,000 or ₹50,000 can disappear before the victim notices. Because many apps are linked to Aadhaar and bank accounts, the damage extends beyond money: personal data leaks increase the risk of identity theft, fake loans taken in the victim's name, or fraudulent SIM swaps that block access to services.

Emotionally, victims experience stress and helplessness, especially when their trusted contacts unknowingly become part of the scam by forwarding phishing messages. UPI reversals are difficult once money leaves the account, and victims often report frustration with slow complaint redressal, despite RBI directives for timely resolution.

What RBI and CERT-In Say

RBI has issued multiple warnings about phishing attacks targeting digital banking services, emphasizing never sharing PINs or OTPs. They advise users to immediately report unauthorized transactions via the RBI helpline or through banking grievance redressal systems. CERT-In regularly updates alerts on phishing and malware; they recommend verifying URLs before entering any credentials and blocking suspicious numbers.

The Indian government’s 1930 cybercrime helpline is a primary contact point for victims of online fraud, including phishing. I4C also promotes awareness campaigns explaining how scammers operate on social media and messaging apps, urging users to report suspicious links and messages.

How to Protect Yourself

1. Never reuse passwords across multiple platforms, especially your UPI apps, banking, and Aadhaar-linked accounts.
2. Enable two-factor authentication (2FA) wherever available—but remember, don’t share OTPs or verification codes.
3. Verify any unexpected messages from contacts by calling them or checking official websites; avoid clicking links in unexpected WhatsApp or SMS messages.
4. Keep your mobile SIM secure: Report immediately if you lose access or suspect a SIM swap.
5. Use password managers to create and store strong, unique passwords.
6. Update apps and phone software regularly to patch security vulnerabilities.
7. Educate family and friends to not forward suspicious messages and understand phishing tactics.

What to Do If You've Been Targeted

1. Immediately change passwords on all accounts, prioritizing UPI, banking, and email services.
2. Contact your bank and UPI provider to block or freeze accounts to prevent further transactions.
3. Report the incident to local cybercrime police through cybercrime.gov.in.
4. Call the 1930 Indian cybercrime helpline to log your complaint and get guidance.
5. Inform your mobile operator to check for SIM swap and secure your number.
6. Monitor your Aadhaar and credit reports for any suspicious activity.
7. Keep documentation of the scam messages, transactions, and complaints filed for reference.

Frequently Asked Questions

Q: Can I recover money lost through this scam if I report quickly?
A: Recovery depends on how fast you report the fraud. RBI guidelines encourage banks to reverse unauthorized UPI payments in many cases, but timely action is critical.

Q: How can scammers crack passwords so fast?
A: Attackers use automated tools with databases of leaked passwords and leverage password reuse across multiple accounts. Once one password leaks, they access many apps instantly.

Q: Is WhatsApp safe if scammers use it to send phishing links?
A: WhatsApp itself is secure but scammers exploit trust by impersonating your contacts. Always verify unexpected links and never share OTPs or passwords there.

If you receive suspicious messages or links asking for your passwords or personal info, don’t wait—verify with BharatSecure.app to protect yourself and your money from the Cracked in Under a Minute scam and similar cyber threats. Stay alert, stay safe!