EvilProxy Reverse-Proxy MFA Bypass Scam — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: CRITICAL
EvilProxy Reverse-Proxy MFA Bypass Scam in India 2026: A Critical UPI Phishing Threat
The EvilProxy reverse-proxy scam is a serious new fraud targeting Indian users' UPI payments by stealthily bypassing OTP and multi-factor authentication protections.
What Is the EvilProxy Reverse-Proxy MFA Bypass Scam?
The EvilProxy scam is a sophisticated phishing fraud where callers or messages impersonate trusted entities like banks, payment apps, or government services to steal UPI credentials and bypass multi-factor authentication (MFA) protections such as OTPs (One Time Passwords). It is a growing threat in India as UPI-based payments become more widespread, and users increasingly rely on OTPs and app-based MFA to secure transactions.
According to public complaints reported across India, fraudsters use a technique called “reverse proxy” to intercept and relay users’ login credentials and OTPs in real time. This lets them bypass the user’s second factor of authentication while tricking the victim into approving fraudulent transactions. Government agencies like CERT-In and the Indian Cyber Crime Coordination Centre (I4C) have flagged this scam due to its rapidly rising incidence, especially targeting Indians who rely heavily on WhatsApp and SMS for transaction alerts and verification.
While exact nationwide numbers are not publicly disclosed, multiple reports involving amounts ranging from a few thousand to lakhs of INR have surfaced, affecting users from metro cities to smaller towns. The scam exploits gaps in user awareness and the weaknesses inherent in SMS-based and app-based OTP verification for UPI payments.
How This Scam Works — Step by Step
1. Initial Contact & Setup: The victim receives a WhatsApp message, SMS, or call, often claiming to be from their bank or a government helpline. The message might urge urgent verification of UPI/ATM activities or Aadhaar linking, directing the user to a fake login page that looks identical to the genuine app or bank portal.
2. Phishing Login Credentials: When the victim tries to log in, their user ID and password (or UPI PIN) are captured by the attacker’s reverse-proxy server, which sits between the victim and the real service. This setup allows attackers to relay information back and forth seamlessly.
3. OTP Capture and Relay: When the real service sends an OTP (via SMS or app notification), the attacker immediately forwards this OTP prompt to the victim under a false pretext (e.g., “Please enter the OTP to verify your account”). The victim unwittingly shares this OTP with the fraudster.
4. MFA Bypass & Transaction Approval: Using the captured OTP, the attacker completes the UPI transaction on their device in real time. The victim sees transaction-confirmation messages on their phone but often assumes these are legitimate or triggered by themselves.
5. Loss of Funds: Once the transaction succeeds, the attacker transfers money out to fraudulent accounts beyond easy reversal. Because of the real-time nature of the scam and MFA bypass, traditional safeguards and delayed banking procedures like UPI reversals often fail.
Real Warning Signs to Watch For
- Unexpected messages or calls demanding immediate verification of banking or UPI credentials.
- URLs or apps asking for sensitive data outside official banking or payment app channels.
- Receiving OTP requests without initiating any transaction or login attempt.
- Surprise transaction alerts on WhatsApp or SMS for payments you did not authorize.
- Repeated requests for OTPs, passwords, or PINs in urgent or threatening language.
- Mismatched or misspelled URLs in the links sent via SMS or WhatsApp.
- Requests to share screenshots or photos of your banking app or UPI screens.
What Happens to Victims
Victims of this scam often suffer significant financial loss as amounts transferred via UPI are instantly credited to fraudster accounts and are tough to reverse. Many victims report losing money ranging from INR 5,000 to lakhs, which severely impacts household budgets.
Emotionally, the trauma is intense — victims feel violated, helpless, and anxious due to the ease with which their personal financial security was breached. SIM swap incidents linked to this scam can worsen problems by cutting victims off from important OTPs or bank calls. Misuse of Aadhaar details and personal data as part of the scam also raises concerns about long-term identity theft for many Indians.
What RBI and CERT-In Say
The Reserve Bank of India (RBI) has repeatedly stressed vigilance against phishing scams that target UPI and OTP authentication. It advises users never to share OTPs, PINs, or passwords, no matter who asks. RBI’s framework places liability on banks if they fail to implement secure customer authentication.
CERT-In and I4C have issued cybersecurity guidelines urging users to verify URLs, avoid clicking on suspicious links, and report phishing attempts immediately. India's national cybercrime helpline, 1930, is a resource for victims to report scams and receive assistance. While no public advisory mentions EvilProxy by name, the general cautions against MFA bypass and phishing attacks apply strongly here.
How to Protect Yourself
- Only use official bank or UPI app channels; never log in through random SMS or WhatsApp links.
- Do not share OTPs or PINs with anyone — legitimate entities never ask for this over calls or messages.
- Where possible, use app-based or biometric MFA instead of SMS OTP for added security.
- Watch for any suspicious transaction alerts and immediately confirm your transaction history via your bank’s app.
- Update your phone’s OS and apps regularly to patch security vulnerabilities.
- Register your phone number with the Do Not Disturb (DND) service and avoid answering unknown calls demanding sensitive info.
- Use RBI-approved two-factor authentication methods and keep your device’s SIM and Aadhaar details secure.
What to Do If You've Been Targeted
- Immediately block your UPI PIN via your bank’s app or customer care and notify your bank.
- Change all related passwords and enable multi-factor authentication for every financial app.
- Contact the 1930 cybercrime helpline to report the scam and get guidance on filing an FIR.
- Lodge a complaint on the cybercrime.gov.in portal with full details of the incident.
- Inform your telecom provider about any suspected SIM swap and request number blocking if needed.
- Monitor your bank statements closely for any further unauthorized transactions.
- If money has been lost, approach your bank to file a petition under RBI grievance redressal guidelines.
Frequently Asked Questions
What makes the EvilProxy scam different from regular phishing?
Unlike typical phishing where attackers just steal credentials, EvilProxy uses a reverse-proxy setup that relays OTPs in real time to bypass multi-factor authentication, making it far more effective and harder to detect.
Can UPI transactions be reversed if done via this scam?
In most cases, no. Because UPI transactions happen instantly once authorized with an OTP, reversing them is difficult. Early reporting to the bank and cyber authorities improves chances but is not guaranteed.
Is WhatsApp a secure platform against these scams?
WhatsApp itself has end-to-end encryption, but scammers exploit user trust on this platform to send fake links or impersonate contacts. Always verify links and never share sensitive information via WhatsApp messages.
If you receive suspicious messages or calls about your UPI or bank account, verify their authenticity immediately at BharatSecure.app. To report fraud, call India’s cybercrime helpline at 1930 without delay.
Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.