Stolen RDP/VPN Credentials Targeting Indian IT Firms — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: Critical


Stolen RDP and VPN Credentials Scam Hits Indian IT Firms in 2026: A Critical Cyber Threat

A new wave of cyberattacks involving stolen Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) credentials is targeting Indian IT firms, posing a serious threat to employees and businesses alike.

What Is the Stolen RDP/VPN Credentials Targeting Indian IT Firms?

This scam involves fraudsters, reportedly operating as initial access brokers (IABs), who focus on stealing RDP and VPN login details of employees working in mid- to large-sized Indian IT companies. RDP and VPN credentials are critical because they allow remote access to corporate networks, which is why they are prime targets.

In India, the IT sector is a backbone of the economy, employing millions and handling vast amounts of sensitive data. According to industry insiders and cybercrime reports, these scams have grown significantly in early 2026, with several cases reported across states like Karnataka, Maharashtra, and Telangana. The attackers typically pose as recruiters or HR personnel on professional job portals such as LinkedIn and Indeed, tricking employees into sharing their credentials through fake onboarding or testing procedures.

CERT-In (Indian Computer Emergency Response Team), the government’s nodal agency for cyber incidents, has issued advisories about phishing attacks and credential theft targeting employees of IT firms. The Ministry of Home Affairs’ I4C (Indian Cyber Crime Coordination Centre) has also prioritized addressing these scams due to their disruptive impact. The Reserve Bank of India (RBI) has continuously emphasized safeguarding credentials to protect corporate and customer data linked through financial networks.

How This Scam Works — Step by Step

  1. Initial Contact through Job Portals: Fraudsters, acting as recruiters or HR representatives, send messages on LinkedIn or Indeed to IT employees, offering attractive job opportunities or project participation.

  2. Building Trust with Fake Onboarding: They share documents or links about onboarding or software testing, claiming the employee must verify their RDP/VPN credentials to proceed.

  3. Phishing to Steal Credentials: The victim receives an email or link that looks official but leads to a fraudulent website or installs malware designed to capture RDP/VPN login details.

  4. Unauthorized Access to Corporate Networks: Once credentials are stolen, fraudsters log into company systems remotely using RDP or VPN, often bypassing normal security measures.

  5. Data Theft and Financial Fraud: Access to IT systems may enable them to steal sensitive data, disrupt operations, or even initiate financial frauds such as unauthorized transactions via corporate banking platforms linked through UPI or internet banking.

  6. Covering Tracks and Moving Funds: Attackers may use SIM swapping or Aadhaar-based KYC bypass methods to withdraw or transfer stolen funds quickly.
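Step 4 is the point where a defender can still catch this: the stolen credential is valid, so the password check passes, but the logon usually arrives from a network the user has never used, or at an hour they do not work. The Python script below is an added example of that detection logic, not BharatSecure's code or tooling. The event records, corporate address ranges and business-hours window are constructed assumptions; in a real deployment the same fields come from Windows Security event 4624 (source network address, logon type 10 for RDP sessions) and the VPN concentrator's session log.

```python
"""Flag RDP/VPN logons that used valid credentials but look out of place.

Added example, not BharatSecure's code. The events, address ranges and
business-hours window below are constructed assumptions. Real input would
come from Windows Security event 4624 (source address, logon type 10 =
RemoteInteractive, i.e. RDP) and the VPN concentrator's session log.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed events in chronological order: (timestamp, user, channel, source_ip).
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
# standing in for external networks.
SAMPLE_EVENTS = [
    ("2026-01-12T09:05:00", "priya.s", "rdp", "10.20.5.41"),     # office desktop
    ("2026-01-12T09:07:00", "rahul.m", "rdp", "10.20.5.77"),
    ("2026-01-12T18:30:00", "rahul.m", "vpn", "192.0.2.55"),     # home VPN, evening
    ("2026-01-13T09:02:00", "priya.s", "rdp", "10.20.5.41"),
    ("2026-01-13T22:48:00", "priya.s", "rdp", "203.0.113.9"),    # stolen credential in use
    ("2026-01-14T03:10:00", "rahul.m", "rdp", "198.51.100.23"),  # stolen credential in use
]

CORPORATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumption
BUSINESS_HOURS = range(8, 20)  # 08:00 to 19:59 local time, assumption


def is_corporate(source_ip):
    """True when the source address sits inside a corporate range."""
    addr = ip_address(source_ip)
    return any(addr in net for net in CORPORATE_RANGES)


def score_event(user, channel, source_ip, when, seen_sources):
    """Return the list of rules this one logon trips."""
    reasons = []
    if source_ip not in seen_sources[user]:
        reasons.append("first logon from this source address")
    if channel == "rdp" and not is_corporate(source_ip):
        # Direct RDP from the internet should not happen when RDP is only
        # reachable over the VPN or from the office network.
        reasons.append("rdp from a non-corporate address")
    if when.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons


def flag_suspicious_logons(events, min_reasons=2):
    """Return (user, timestamp, reasons) for logons worth investigating.

    A single rule firing is normal noise (a new home network, a late-night
    deploy). Two or more together is the pattern described in the article:
    a valid credential used from somewhere the user has never been, at a
    time they do not usually work.
    """
    seen_sources = defaultdict(set)
    findings = []
    for ts, user, channel, source_ip in events:
        when = datetime.fromisoformat(ts)
        reasons = score_event(user, channel, source_ip, when, seen_sources)
        seen_sources[user].add(source_ip)
        if len(reasons) >= min_reasons:
            findings.append((user, ts, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in flag_suspicious_logons(SAMPLE_EVENTS):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Run over the constructed events, the two late-night external RDP logons are reported and the evening home-VPN session is not, because a new source address on its own is ordinary. Tuning `min_reasons` and the business-hours window to the team's actual shift pattern is what keeps this usable; the rules themselves are deliberately simple so an analyst can explain every alert.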

Real Warning Signs to Watch For

What Happens to Victims

Victims of this scam face severe financial and emotional consequences. When fraudsters access corporate networks, they can initiate unauthorized transactions using company UPI IDs or banking interfaces linked to employee systems. Since UPI transactions are usually instant and irreversible after confirmation, victims and companies often face difficulties recovering funds.

Furthermore, compromised systems can lead to the theft of personal data, including Aadhaar information, which may then be misused for identity theft, SIM swap fraud, or opening fraudulent bank accounts. The emotional toll includes loss of trust in the employer, anxiety over data breaches, and potential job insecurity.

In addition, victims may struggle with lengthy police and banking processes to regain control of accounts, often needing assistance from cybercrime cells or CERT-In.

What RBI and CERT-In Say

The Reserve Bank of India has regularly cautioned against sharing login credentials. RBI’s Cyber Security Framework mandates strong multi-factor authentication for remote access but recognizes challenges posed by credential theft. CERT-In has issued several alerts focusing on phishing and malware that target user credentials, advising organizations to implement strict access controls and employee awareness programs.

Victims of cyber fraud can call the National Cyber Crime Helpline 1930, managed by the Ministry of Home Affairs under I4C, for immediate support. RBI also provides helpline numbers for reporting banking frauds and suspicious activities.

How to Protect Yourself

  1. Never Share Credentials: Avoid sharing RDP, VPN, or any login credentials over email, chat, or phone, even if the request appears to be from HR or your manager.

  2. Verify Recruiter Identity: Confirm job offers or onboarding requests directly through official company contacts or your supervisor before responding.

  3. Use Company-Approved Software: Only use VPN and remote access tools authorized by your IT department; never download unknown programs.

  4. Enable Multi-Factor Authentication (MFA): Wherever possible, activate MFA to add an extra layer of security.

  5. Check URLs Carefully: Always verify website URLs before entering login details, avoiding links from unsolicited emails or messages.

  6. Report Suspicious Contact Immediately: Notify your company’s IT security team and block suspicious accounts messaging you on LinkedIn or WhatsApp.

  7. Keep Software Updated: Regularly update your computer’s operating system, VPN clients, and security software to protect against malware.
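Item 5 above (check the URL before entering login details) is easy to state and hard to do by eye, because a lookalike host is built to pass a glance. The Python check below is an added example of what an automated version of that check looks like; it is not BharatSecure's code or tooling. The approved host names, the brand token and every sample link are constructed placeholders.

```python
"""Decide whether a login link points at an approved remote-access host.

Added example, not BharatSecure's code. APPROVED_HOSTS, BRAND_TOKEN and the
sample URLs are constructed placeholders; substitute the company's real
VPN/RDP gateway names.
"""
from urllib.parse import urlsplit

APPROVED_HOSTS = {"vpn.examplecorp.com", "remote.examplecorp.com"}  # assumption
BRAND_TOKEN = "examplecorp"  # assumption: the name an attacker would imitate


def check_login_url(url):
    """Return (ok, reason). ok is True only for an https URL whose host is
    exactly one of APPROVED_HOSTS; every other outcome explains why not."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if not host:
        return False, "no host"
    if parts.username is not None:
        # https://vpn.examplecorp.com@203.0.113.9/ shows the approved name
        # but connects to whatever follows the '@'.
        return False, f"userinfo hides the real host ({host})"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised host (possible homoglyph)"
    if host in APPROVED_HOSTS:
        return True, "approved host"
    if BRAND_TOKEN in host:
        # vpn.examplecorp.com.login-portal.net, examplecorp-vpn.com and similar
        return False, "brand name inside an unapproved host"
    return False, "unknown host"


# Constructed sample links of the kind a fake "onboarding" message might carry.
SAMPLE_LINKS = [
    "https://vpn.examplecorp.com/login",
    "https://VPN.ExampleCorp.com./login",
    "http://vpn.examplecorp.com/login",
    "https://vpn.examplecorp.com.login-portal.net/auth",
    "https://examplecorp-vpn.com/",
    "https://vpn.examplecorp.com@203.0.113.9/",
    "https://xn--examplecrp-wnb.com/",
    "https://totally-unrelated.net/",
]


def triage(links):
    """Map each link to its verdict so a help desk can review a whole batch."""
    return {link: check_login_url(link) for link in links}


if __name__ == "__main__":
    for link, (ok, reason) in triage(SAMPLE_LINKS).items():
        print(("OK  " if ok else "STOP"), link, "->", reason)
```

The check is an allowlist, not a blocklist: anything that is not exactly an approved host over HTTPS is refused, and the reason string tells the user which trick the link relies on (a plain HTTP link, a username before the `@`, an internationalised name, or the company name buried inside someone else's domain). That is the order a help desk wants, because the explanation is what teaches the employee to spot the next one unaided.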

What to Do If You've Been Targeted

Frequently Asked Questions

Q: Can scammers hack my system just by knowing my RDP or VPN credentials?
A: Yes, if they have valid credentials and your organization’s systems lack strong multi-factor authentication, fraudsters can remotely access your system and corporate networks, leading to data theft or unauthorized financial actions.

Q: I received a job offer via LinkedIn asking for my VPN login for testing. Is this normal?
A: Legitimate companies never request VPN or RDP credentials through social media or unsolicited communication. Always verify such requests independently through official company channels.

Q: What immediate steps should I take if I realize my credentials might be stolen?
A: Disconnect from corporate networks, inform your IT department, change passwords, and report the incident to cybercrime authorities through the 1930 helpline or cybercrime.gov.in portal.

For any suspicious message or communication, verify its authenticity at BharatSecure.app and report fraud promptly by calling 1930.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.

