Fraudsters target Singaporeans using local brands and ‘freebies’ in Rabbit Hole scheme — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 27, 2026

Severity: MEDIUM | View Full Scam Details

Beware in 2026: Rabbit Hole Phishing Scam Using Local Brands and ‘Freebies’ Targeting Singaporeans — What India Should Know

Fraudsters exploiting trusted local brands and ‘freebies’ in the Rabbit Hole phishing scheme now pose risks beyond Singapore, with lessons every Indian internet user must heed.

What Is the Fraudsters Target Singaporeans Using Local Brands and ‘Freebies’ in Rabbit Hole Scheme?

The Rabbit Hole scheme is a phishing scam where cybercriminals impersonate well-known local brands to lure victims—primarily Singaporeans—with bait like free products or exclusive discounts. Using fake social media profiles, especially on Instagram, and messaging apps, fraudsters cleverly exploit the trust consumers place in familiar brand names and the human tendency to grab “free” offers.

While the scam is largely reported in Singapore, its modus operandi is highly relevant to India’s digital ecosystem, given the growing reliance on social media and mobile payments such as UPI. Scammers can easily adapt the Rabbit Hole approach to Indian brands or international brands popular here, targeting unsuspecting users with fake giveaways on platforms like WhatsApp, Facebook, or Instagram. CERT-In (India’s Cyber Emergency Response Team) has issued advisories cautioning users about phishing scams that impersonate brands offering fake freebies, highlighting the importance of vigilance.

Reports indicate that these scams are becoming more frequent and sophisticated, with fraudsters using psychological tactics to create a sense of urgency and trust. Although the risk score for this scam is medium (5/10), the financial and emotional repercussions for victims can be severe, especially when personal details or payment information are stolen.

How This Scam Works — Step by Step

1. Fake Advertisement or Post: The scam starts with a convincing social media post or ad mimicking a popular brand offering freebies — for example, a “free gift” on Instagram or Facebook.

2. Engagement Through Comments or Direct Message (DM): Interested users comment or are prompted to DM the fake brand account to claim their freebies.

3. Personalized Conversation: The scammer initiates a one-on-one chat, pretending to be a brand representative. This builds trust and makes the victim feel special.

4. Urgency and Limited Offers: The scammer pressures the victim by saying the offers are limited-time only or for a select few, creating emotional urgency.

5. Request for Personal Details or Small Payment: To “process” the freebie, the victim is asked for personal details like Aadhaar number, address, or mobile number. Sometimes, they are asked for a small payment via UPI or bank transfer as “shipping charges” or “verification fees.”

6. Data or Money Theft: Once details or payment info is shared, fraudsters steal money via UPI transaction fraud or misuse the Aadhaar data for identity theft or SIM swapping.

7. Disappearance and No Freebies: After transaction or data handover, scammers vanish. The “freebie” never arrives, and victims face unauthorized withdrawals or other frauds.

Real Warning Signs to Watch For

• Unverified Social Media Accounts: Fake brand pages often lack the verified tick or official website links.
• Unsolicited Offers of Free Gifts: Legitimate brands rarely offer freebies via random DMs or posts without official contests.
• Pressure to Act Quickly: Urgent language like “offer valid for 1 hour only” is a red flag.
• Requests for Sensitive Information: No genuine brand asks for Aadhaar number or bank details for a free giveaway.
• Small Payment Requests for Free Products: “Shipping fees” collected via UPI are a common scam tactic.
• Poor Grammar or Odd Language: Fake accounts often use strange phrasing or spelling errors.
• Links to Unknown or Suspicious Websites: Scam messages may include links masquerading as brand sites but lead to phishing pages.

What Happens to Victims

Victims often face financial loss through unauthorized UPI payments, which can be hard to reverse once processed. In India, while there are grievance mechanisms for UPI fraud, many users struggle to get refunds. Additionally, sharing Aadhaar details or mobile numbers can lead to identity theft, SIM swap fraud, and further financial loss.

Emotionally, victims suffer stress and embarrassment, impacting trust in online transactions and social platforms. The ripple effect can affect victims’ credit scores or result in misuse of their identity for other fraudulent activities. This scam underlines how even low-risk cybercrimes can have deep, lasting consequences.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) has repeatedly warned users against falling for phishing scams involving payment apps and urged caution around unsolicited communications asking for money or personal details. RBI also emphasizes the limited liability feature but stresses prompt reporting.

CERT-In advocates digital hygiene, including verifying official brand communications and not sharing critical information online. The Ministry of Home Affairs’ cybercrime helpline (dial 1930) and the official cybercrime portal at cybercrime.gov.in are recommended for reporting such scams quickly.

Although there is no specific advisory yet on the Rabbit Hole scam, CERT-In’s ongoing alerts about phishing and identity theft in social media contexts are highly relevant for this threat.

How to Protect Yourself

1. Verify Official Brand Accounts: Check for verified badges and cross-confirm via official websites.
2. Avoid Sharing Aadhaar or Bank Details in Chats: Never share personal or financial info to claim freebies.
3. Refuse Small Payment Requests for Free Offers: Legitimate brands do not charge for giveaways.
4. Be Skeptical of Urgent Messages: Take time to verify before acting on limited-time offers.
5. Use UPI’s Secure Features: Always double-check payee details and use UPI PIN protections.
6. Report Suspicious Messages Immediately: Use WhatsApp’s “Report” feature or the cybercrime helpline.
7. Keep Your Mobile SIM Safe: Protect against SIM swap by not sharing OTPs or KYC details with anyone.

What to Do If You’ve Been Targeted

• Immediately block the scammer’s social media profile or contact.
• Report the incident to certified cybercrime portals: Visit cybercrime.gov.in and file a complaint.
• Call the cybercrime helpline at 1930 for guidance and urgent support.
• Inform your bank and UPI app provider about unauthorized transactions to seek a refund.
• Freeze or secure your Aadhaar via the official UIDAI website to prevent misuse.
• Change passwords and alert mobile network providers if SIM swap is suspected.
• Keep screenshots and message logs as evidence for investigations.

Frequently Asked Questions

Q: Can I really get my money back if I transfer via UPI in such scams?
A: RBI guidelines allow victims to claim refunds if the scam involves fraud or error, but the process can be time-consuming and requires prompt reporting to banks and cyber authorities.

Q: How can I verify if an Instagram or WhatsApp offer is genuine?
A: Always check for verified badges, compare with the brand’s official website announcements, and avoid clicking unknown links or sharing details in chats.

Q: What if I’ve shared my Aadhaar number with a suspicious account?
A: Immediately visit UIDAI’s official site to lock your Aadhaar biometrics, monitor your bank accounts carefully, and report the breach to cybercrime authorities.

Stay alert and verify any suspicious messages, freebies, or brand offers before you engage. Protect yourself from scams like Rabbit Hole by checking every link and never sharing sensitive details online. For more verified information on cyberfraud threats, always visit BharatSecure.app — your trusted source in digital safety.