Poisoned Password Manager CLI, Fake Teams Help Desks, and More — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: HIGH

Poisoned Password Managers & Fake Help Desks: A 2024 Phishing Scam Hitting India Hard

This phishing scam uses fake password manager updates and bogus tech support to steal your money and data.

What Is the Poisoned Password Manager CLI, Fake Teams Help Desks, and More?

This is a sophisticated phishing attack targeting Indian internet users who are tech-savvy or work in IT-related fields. It combines several techniques to trick victims into downloading malicious software (malware), giving up sensitive information, or granting remote access to their computers. The scam often begins with a user being tricked into downloading what they believe is a legitimate command-line interface (CLI) update for a popular password manager. This "update" is actually malware designed to steal passwords, banking details, and other valuable information.

Another common element involves fake tech support, often impersonating Microsoft Teams help desks or internal IT departments. Victims might receive unsolicited messages or calls claiming there's a problem with their account or device, urging them to download software or provide remote access "to fix the issue." These fake help desks are often linked to the poisoned password manager tactic, with the initial malware opening the door to further intrusion. This scam is particularly dangerous because it targets trust in recognized brands and established tech tools, making it harder to spot than typical phishing attempts. While specific figures are hard to pinpoint, reports indicate an increase in these types of attacks targeting Indian professionals, with potential losses ranging from small amounts to lakhs of rupees.

How This Scam Works — Step by Step

Here's how fraudsters typically execute this scam:

  1. Initial Contact: The victim receives an email, SMS (text message), or even a WhatsApp message. This message may impersonate the password manager provider, Microsoft, or an internal company IT support. The message will create a sense of urgency, suggesting a critical update is needed or a security vulnerability has been detected.
  2. Malicious Download or Link: The message includes a link to download a "CLI update" for their password manager or directs them to a fake website. Clicking this link leads to a download of malware disguised as a legitimate software update or program. In some cases, the file is sent directly as a WhatsApp attachment.
  3. Installation & Infection: The victim, believing the download is legitimate, installs the file. This installs malware onto their computer, often working silently in the background.
  4. Fake Tech Support Contact: Soon after, the victim receives a call or message from someone claiming to be from Microsoft Teams support, the company's IT department, or even the password manager's official support. They claim to have detected an issue on the victim's device.
  5. Remote Access and Data Theft: The "support" person guides the victim to download a remote access tool like AnyDesk or TeamViewer (often, this is another avenue for installing malware). They then convince the victim to grant them access to their computer "to fix the problem." This is where the fraudsters steal passwords, banking details, OTPs, and other sensitive information or use the remote access to initiate fraudulent transactions.
  6. Financial Loss: With access to banking credentials, OTPs, or UPI PINs, the fraudsters transfer money out of the victim's accounts, make fraudulent purchases, or apply for unauthorized loans in the victim's name. They may also misuse harvested data for identity theft.

Real Warning Signs to Watch For

What Happens to Victims

The consequences of falling victim to this scam can be severe. Victims can suffer significant financial losses through fraudulent bank transfers or unauthorized purchases. They can also have their personal data—including Aadhaar details, PAN card information, and banking passwords—stolen and misused for identity theft, opening fake accounts, or even taking out loans in their name. This can lead to a damaged credit score or even a SIM swap scam where the fraudster takes over your mobile number and gains access to OTPs. Emotionally, victims can experience feelings of shame, anger, and anxiety. The recovery process can be time-consuming and stressful, involving reporting the crime to authorities and dealing with banks and other financial institutions to reverse fraudulent transactions.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) frequently advises the public to be cautious about unsolicited communications and to never share sensitive information like UPI PINs, OTPs, or banking passwords with anyone. CERT-In (the Indian Computer Emergency Response Team) issues advisories about emerging cyber threats and provides guidelines for protecting personal information online. These advisories generally emphasize the importance of verifying the authenticity of any communications requesting sensitive information and of being wary of suspicious links and downloads. Users are advised to regularly update their software and operating systems and to install and maintain reputable antivirus software.

How to Protect Yourself

  1. Verify the Sender: Always independently verify the sender of any message asking you to download software or provide personal information. Use official contact details listed on the company's website. Don't rely on contact information provided in the suspicious message.
  2. Download Software From Official Sources Only: Only download software and updates from the official website of the software provider. Never trust links provided in unsolicited messages or emails.
  3. Enable Two-Factor Authentication (2FA): Use 2FA on all your important accounts, including your email, banking, and social media accounts. This adds an extra layer of security, making it harder for scammers to access your information.
  4. Use a Strong Password Manager: A reputable password manager can generate strong, unique passwords for each of your accounts and store them securely. This reduces the risk of your passwords being compromised in a data breach. However, install it and its updates directly from the provider's official website, never from a link sent to you in a message.
  5. Be Suspicious of Remote Access Requests: Never grant remote access to your computer to anyone unless you initiated the support request and you are absolutely certain of their identity.
  6. Keep Your Software Up to Date: Regularly update your operating system, web browser, and antivirus software. Security updates often include patches for vulnerabilities that scammers can exploit.
  7. Use a Reputable Antivirus Program: A good antivirus program can detect and remove malware from your computer, preventing it from stealing your data and causing damage.

What to Do If You've Been Targeted

If you suspect you've been targeted by this scam, take the following steps immediately:

  1. Disconnect: Disconnect your computer from the internet to prevent further damage or data theft.
  2. Change Passwords: Change all your important passwords immediately, including your email, banking, and social media accounts. Do this from a different device that you know is clean, since the malware on the affected computer may still be recording what you type. Use strong, unique passwords for each account.
  3. Contact Your Bank: Contact your bank immediately to report the fraudulent activity and freeze your accounts. Ask them to reverse any unauthorized transactions.
  4. Report to Cybercrime Helpline: Call the national cybercrime helpline at 1930 to report the incident.
  5. File a Complaint: File a complaint with the cybercrime cell at cybercrime.gov.in. Provide as much detail as possible about the scam, including the sender's contact information, the date and time of the incident, and the amount of money lost.
  6. Scan Your Computer: Run a full scan of your computer with a reputable antivirus program to remove any malware.
  7. Monitor Your Credit Report: Monitor your credit report for any unauthorized activity, such as new accounts opened in your name.

Frequently Asked Questions

Q: How can I tell if a software update is fake? A: Always download software updates directly from the official website of the software provider. Never trust links provided in unsolicited messages or emails. Double-check the website address and look for the padlock icon in the address bar, indicating a secure connection. Note that the padlock only means the connection is encrypted, not that the site is genuine; a scam site can have one too, so read the domain name itself carefully. If in doubt, contact the company's official support channels for confirmation.
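The "download from official sources only" advice in How to Protect Yourself (steps 1 and 2) and in the answer above can be turned into two concrete checks a user or an IT help desk can run before installing any "CLI update" that arrived by message: does the link really point at the vendor's domain, and does the downloaded file's SHA-256 match the checksum the vendor publishes on its official site? The following Python is an added example written for this article, not BharatSecure's or any password manager vendor's own tooling; the domain allowlist, the sample URLs and the "published" checksum are constructed placeholders to be replaced with the real values from the vendor's site.

```python
"""Added example: pre-install checks for a "password manager CLI update".

Illustrative code for this article, not the vendor's or BharatSecure's own
tooling. OFFICIAL_DOWNLOAD_HOSTS, the sample URLs and the "published"
checksum are constructed placeholders (assumptions).
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed placeholder: the official download hosts of the tools you use.
OFFICIAL_DOWNLOAD_HOSTS = frozenset({"vendor.example", "pm-cli.example"})


def is_official_download_url(url: str) -> bool:
    """True only if the link uses HTTPS and its host is an allowlisted
    official domain or a subdomain of one.

    Parsing with urlsplit defeats the usual lookalike tricks:
      https://vendor.example.evil-site.in/  -> host is vendor.example.evil-site.in
      https://vendor.example@evil-site.in/  -> host is evil-site.in ("vendor.example"
                                               is user info, not the host)
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_DOWNLOAD_HOSTS)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download_bytes(data: bytes, expected_sha256: str) -> bool:
    """Compare the file's SHA-256 with the checksum the vendor publishes.
    compare_digest avoids leaking where the comparison stopped."""
    expected = expected_sha256.strip().lower().encode()
    return hmac.compare_digest(sha256_hex(data).encode(), expected)


def verify_download_file(path: str, expected_sha256: str) -> bool:
    """Same check for a file on disk, hashed in chunks so large installers fit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    expected = expected_sha256.strip().lower().encode()
    return hmac.compare_digest(h.hexdigest().encode(), expected)


def triage_update(url: str, data: bytes, expected_sha256: str) -> list:
    """Return the reasons NOT to install; an empty list means both checks passed."""
    reasons = []
    if not is_official_download_url(url):
        reasons.append("link does not point at an official download host")
    if not verify_download_bytes(data, expected_sha256):
        reasons.append("SHA-256 does not match the vendor-published checksum")
    return reasons


if __name__ == "__main__":
    # Constructed sample: pretend the vendor published this checksum for the
    # genuine update (it is simply the SHA-256 of the bytes b"abc").
    PUBLISHED = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    genuine, tampered = b"abc", b"abd"
    cases = [
        ("https://downloads.vendor.example/cli/update.zip", genuine),
        ("https://vendor.example.evil-site.in/cli/update.zip", genuine),
        ("https://vendor.example@evil-site.in/cli/update.zip", genuine),
        ("http://vendor.example/cli/update.zip", genuine),
        ("https://downloads.vendor.example/cli/update.zip", tampered),
    ]
    for link, blob in cases:
        verdict = triage_update(link, blob, PUBLISHED) or ["OK to proceed"]
        print(f"{link}\n  -> {'; '.join(verdict)}")
```

Either check failing is reason enough to stop: a link that parses to a host outside the allowlist is the "fake website" of step 2 in How This Scam Works, and a checksum mismatch means the file is not what the vendor shipped, whatever the link looked like. The checksum must come from the vendor's own site, not from the message that delivered the download.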

Q: What should I do if someone calls claiming to be from Microsoft or my company's IT department? A: Be very cautious. Ask for their name, employee ID, and contact information, and then independently verify their identity by calling the company's official support number. Never provide them with remote access to your computer or
