Fake Vendor Addition WhatsApp Scam — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: HIGH
Beware in 2026: The Fake Vendor Addition WhatsApp Scam Targeting Indian Businesses
Scammers are increasingly exploiting WhatsApp and UPI to trick Indian companies into unauthorized vendor payments.
What Is the Fake Vendor Addition WhatsApp Scam?
The Fake Vendor Addition WhatsApp Scam is a growing threat in India’s digital business landscape, especially among small and medium-sized enterprises (SMEs). In this scam, fraudsters use WhatsApp to impersonate company executives or trusted officials to trick finance or procurement team members into adding fake vendors into the company’s payment systems. Once added, these vendors’ bank accounts—controlled by scammers—receive unauthorized payments, often routed via UPI.
This scam primarily targets employees who handle vendor management, payments, or procurement. Because many Indian businesses rely on WhatsApp for quick communication, scammers exploit this familiarity and perceived trust to bypass formal verification processes.
According to reports from agencies like CERT-In and advisories from the Indian Cyber Crime Coordination Centre (I4C), this scam’s prevalence has surged in 2025-26. The Reserve Bank of India (RBI) has also warned businesses to strengthen their internal controls against fraudulent vendor entries leading to theft through UPI and other online transfer methods.
How This Scam Works — Step by Step
1. Initial Access and Research: Scammers gain access to employees’ phone contacts using social engineering or by infiltrating company WhatsApp groups. They aim for finance or procurement staff.
2. Impersonation Message: The scammer sends a WhatsApp message claiming to be a senior official like the CISO or CFO, urging the victim to add a new urgent vendor due to operational needs.
3. Vendor Details Provided: The fraudster provides fake vendor details including a bank account or UPI ID (like us**@bank) for payments, urging immediate action.
4. Pressure and Urgency: To prevent the victim from verifying details through normal channels, the scammers create urgency, sometimes threatening operational delays or penalties.
5. Vendor Added & Payment Initiated: The victim processes payment through UPI or bank transfer to the fake vendor. Because UPI transactions are often irreversible, money is lost instantly.
6. Scammer Disappears: After funds transfer, scammers become unreachable. The company realizes the vendor is fake when invoices or deliveries never arrive.
Real Warning Signs to Watch For
- Unsolicited WhatsApp messages from unknown or newly added contacts posing as company seniors.
- Requests to add or pay a new vendor without prior official email confirmation or internal approvals.
- Pressure to complete vendor addition or payment urgently, bypassing normal workflows.
- Vendor bank account or UPI details sent only via WhatsApp with no supporting documents.
- Lack of proper vendor records in the company’s ERP or accounting software.
- Use of unofficial phone numbers or personal WhatsApp accounts rather than company communication channels.
- New "vendors" whose names do not match any known suppliers or market checks.
What Happens to Victims
Victims of this scam often face significant financial loss because UPI payments, once made, cannot be reversed easily, unlike certain other banking transactions under RBI’s mandate. In Indian SMEs, where margins are tight, losing tens or hundreds of thousands of INR can jeopardize business operations.
Beyond the financial harm, employees targeted may experience stress and feel personal accountability for security breaches. The scam also exposes companies to internal trust issues, reputational damage, and even legal scrutiny if vendor payments are linked to compliance lapses.
Worse, many victims find their Aadhaar or bank-linked phone numbers spoofed or SIM-swapped later by fraudsters, amplifying risks connected to identity theft or further financial crime.
What RBI and CERT-In Say
The Reserve Bank of India emphasizes vigilance and strong internal controls to prevent frauds linked to digital payments, including UPI-based scams. RBI has released circulars advising companies to implement multi-factor authentication and verification protocols before adding new vendors and processing payments.
CERT-In and I4C promote awareness about social engineering tactics and recommend organisations train staff to spot suspicious communications, especially on informal platforms like WhatsApp. The National Cyber Crime Reporting Portal (cybercrime.gov.in) encourages victims to lodge complaints promptly, and the 1930 helpline offers immediate assistance on cyber fraud cases.
How to Protect Yourself
- Verify Through Official Channels: Always cross-check vendor addition requests via company email or internal communication tools, not just WhatsApp.
- Use Multi-Factor Verification: Implement multi-level approvals for adding new vendors and initiating payments.
- Employ Payment Limits: Set transaction thresholds on UPI and banking apps; flag payments above a certain INR limit for additional scrutiny.
- Educate Employees: Conduct regular training sessions on common fraud patterns, especially targeted social engineering and WhatsApp-related scams.
- Maintain Vendor Records: Keep a validated and updated vendor master list accessible to authorized personnel only.
- Monitor WhatsApp Usage: Discourage using personal WhatsApp numbers for official vendor communication; use verified business communication platforms.
- Use UPI Secure Features: Enable features like UPI mandate approvals and notification alerts for all transactions on linked bank accounts.
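Several of these controls (official-channel verification, multi-level approval, payment limits and a validated vendor master list) can be enforced as a gate in the payment workflow instead of relying on individual judgment. The sketch below is an added example, not BharatSecure's code or any payment product's API; the field names, channel labels, the INR 50,000 threshold and the two-approver rule are assumptions for illustration, and the sample records are constructed.

```python
from dataclasses import dataclass, field

# Assumed policy values; take the real ones from your own finance policy.
REVIEW_THRESHOLD_INR = 50_000
MIN_APPROVERS = 2
OFFICIAL_CHANNELS = {"company_email", "erp_workflow"}

@dataclass
class PaymentRequest:
    vendor_id: str
    payee_account: str      # bank account or UPI ID supplied with the request
    amount_inr: int
    requested_by: str
    request_channel: str    # where the instruction first arrived
    confirmed_via: set = field(default_factory=set)  # independent confirmations
    approvers: set = field(default_factory=set)

def evaluate(req, vendor_master):
    """Return (decision, reasons); decision is 'release', 'review' or 'block'."""
    block, review = [], []
    vendor = vendor_master.get(req.vendor_id)
    if vendor is None:
        block.append("vendor not in validated master list")
    elif vendor["payee_account"] != req.payee_account:
        block.append("payee account differs from vendor master record")
    # The instruction must have been seen on at least one official channel.
    if not (({req.request_channel} | req.confirmed_via) & OFFICIAL_CHANNELS):
        block.append("instruction seen only on unofficial channels")
    # The requester cannot count as one of their own approvers.
    if len(req.approvers - {req.requested_by}) < MIN_APPROVERS:
        block.append(f"needs {MIN_APPROVERS} approvers other than the requester")
    if req.amount_inr > REVIEW_THRESHOLD_INR:
        review.append("amount above review threshold")
    if block:
        return "block", block + review
    return ("review", review) if review else ("release", [])

# Constructed sample data: one vendor on file, one WhatsApp-only request,
# and one request that followed the full workflow.
VENDOR_MASTER = {"V-1001": {"name": "Example Supplies Pvt Ltd",
                            "payee_account": "ACCT-0001"}}
WHATSAPP_ONLY = PaymentRequest("V-9999", "ACCT-9999", 180_000, "asha", "whatsapp")
VERIFIED = PaymentRequest("V-1001", "ACCT-0001", 20_000, "asha", "erp_workflow",
                          confirmed_via={"company_email"},
                          approvers={"ravi", "meera"})

if __name__ == "__main__":
    for name, req in (("whatsapp_only", WHATSAPP_ONLY), ("verified", VERIFIED)):
        print(name, evaluate(req, VENDOR_MASTER))
```
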
What to Do If You've Been Targeted
If you suspect a fake vendor addition scam:
- Immediately notify your company’s finance and IT security teams.
- Report the incident to your bank and request a temporary freeze or watch on the accounts involved.
- File a complaint online at the National Cyber Crime Reporting Portal (cybercrime.gov.in).
- Call the 1930 cybercrime helpline for guidance and assistance.
- Change passwords for work accounts and WhatsApp, and enable two-factor authentication.
- Inform RBI via their customer helpline if you suspect UPI fraud linked to your bank account.
- Preserve all chat screenshots and transaction records for investigations.
Frequently Asked Questions
Q: Can UPI payments be reversed if I paid a fake vendor?
A: Generally, UPI payments are final and non-reversible unless the beneficiary voluntarily refunds. Immediate reporting to the bank and cyber authorities improves chances of recovery, but prevention is critical.
Q: How do scammers get access to internal company WhatsApp groups?
A: Through social engineering, leaking of phone numbers, or by impersonating company staff to join groups. Unauthorized access is common if group admins are not vigilant about participant approvals.
Q: Can using WhatsApp for professional communication increase fraud risk?
A: Yes. WhatsApp lacks formal audit trails and multi-layered controls found in enterprise tools, making it easier for scammers to impersonate or pressure employees.
Stay alert and verify any suspicious WhatsApp messages requesting vendor or payment updates at BharatSecure.app. If you suspect fraud, report immediately at the 1930 helpline.
Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.