CAPTCHA-Gated QR Phishing Campaign
Verdict: Suspicious | Risk Score: 7/10 | Severity: high
Category: KYC, Phishing, UPI
How CAPTCHA-Gated QR Phishing Campaign Works
Overview: In this modern scam, cybercriminals exploit the trust Indians have in QR codes and familiar security features like CAPTCHAs. Victims receive messages, often via email or app notifications, with QR codes that appear related to parking bills, online rewards, or utility payments. Scanning the QR leads to a fake website, usually starting with a phony CAPTCHA step, and ultimately harvests login credentials or banking details. These scams have doubled in India, as criminals outsmart email security filters by embedding QR code images.

How It Works: The scam starts with an email, SMS, or app alert. The pitch might be a "parking bill payment" or a "pending e-wallet reward." The included QR code, when scanned, launches a site that mimics government portals or trusted services. Before revealing the supposed content, it asks the user to solve a CAPTCHA and then enter personal or financial data, often disguised as the only way to "claim your money" or "clear a penalty." These pages skip browser safety checks using deep links or obscure URLs.

India Angle: These phishing campaigns target both urban professionals and digitally active homemakers, mostly in cities where QR-based services are common. Scammers use Hindi, English, and sometimes local languages, distributing campaigns widely within metros and tier-1 cities. Big spikes occur during peak online shopping or local festival days.

Real Examples:
- "Dear User, claim your cashback now! Scan the QR below and verify you are not a robot to continue."
- "Your car is parked illegally. Pay your fine by scanning the attached QR and completing CAPTCHA verification."

Red Flags:
- QR codes in unsolicited emails, especially for bill payments or rewards
- Initial CAPTCHA on a mobile site before form or payment prompts
- Weird links or URLs displayed after scanning (e.g., random characters, unfamiliar domains)
- Domains misspelling popular Indian portals (e.g. paytmm.in, sarkaribill.xyz)

Protective Measures:
- Do not scan QR codes from untrusted messages or emails.
- Scrutinize URLs after scanning; avoid completing any forms if the address[ADDRESS_REDACTED].
- Stick to official apps for all bill/recharge payments.
- Warn friends or family if you notice this scam variant.

If Victimised:
- Change passwords for any accounts entered after scanning.
- Call 1930 or visit cybercrime.gov.in to report the phishing attempt.
- Alert your bank if you entered payment details.
- Enable two-factor authentication immediately.

Related Scams:
- Parking penalty phishing via SMS
- Fake KYC link scams mimicking e-wallet rewards
- Browser push notification scams for credential harvesting
How This Scam Works — Detailed Explanation
In India, a concerning trend has emerged where cybercriminals leverage the trust placed in QR codes and CAPTCHAs to lure unsuspecting victims into KYC-related scams. These scams often begin with messages received via WhatsApp or email, impersonating official communication from banks or utility companies. By tapping into popular digital payment methods like UPI (Unified Payments Interface), scammers exploit everyone from tech-savvy users to the less digitally literate. The messages typically include a QR code suggesting that it is necessary for payment or for claiming rewards, driving urgency among potential victims.
Once the QR code is scanned, the victim is redirected to a fraudulent website where a fake CAPTCHA appears, supposedly to verify their identity and security. This tactic creates a false sense of security, making victims less cautious. At this stage, the URL often looks suspicious, with odd spellings or unfamiliar domains. Scammers employ common psychological traps (fear of missing out on rewards, or urgency to settle bills), which further compel victims to bypass their regular caution when entering sensitive information.
As the victim progresses through the fake site, they are prompted to share sensitive information such as their bank account numbers, passwords, or Aadhaar details. For example, a user may be led to believe they are paying for a parking bill and end up submitting their UPI PIN or net banking credentials. Many victims report losing substantial amounts; registered cases account for a total of ₹150 crore lost to these QR phishing scams in the past year alone. Victims often find their accounts emptied or unauthorized transactions made using their details, leading to further financial difficulties.
The impact of CAPTCHA-Gated QR phishing campaigns in India cannot be overstated. The Ministry of Home Affairs has recorded a significant surge in cybercrime, with banks also reporting a staggering rise in fraudulent transactions. CERT-In, India's cybersecurity agency, has issued advisories stressing the need for vigilance against such phishing attacks. Scammers continuously adapt their methods, making it crucial for consumers to remain aware and informed. In many instances, victims find it challenging to retrieve their lost funds, primarily due to the lack of immediate reporting and action. The aftermath of these scams often entails lengthy reporting and verification processes at both the bank and law enforcement, leaving many feeling powerless.
To differentiate between real communications and scams, one must look out for specific signs. Genuine messages from banks will never ask for sensitive information through unsolicited emails or messages. Look closely at the URL after scanning a QR code; legitimate sites will have official domains, not misspelled versions. Official institutions have strict protocols that do not include CAPTCHA requests during sensitive operations. Staying educated about these clear distinctions can empower consumers, enabling them to guard against these sophisticated scams.
Visual Intelligence:
BharatSecure's AI has identified this as a used in scams targeting Indian users.
Who Does CAPTCHA-Gated QR Phishing Campaign Target?
General public across India
Red Flags — How to Identify CAPTCHA-Gated QR Phishing Campaign
- QR codes via unsolicited emails or messages
- CAPTCHA prompt appears before payment or login
- Unusual or misspelled URL after scanning
- Request for banking or login information on non-official sites
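The "unusual or misspelled URL" red flag can be checked mechanically once the QR payload has been decoded. The following is an added example, not part of the original advisory: `check_qr_url` and the two-entry `OFFICIAL_DOMAINS` allowlist are illustrative assumptions, and the sample URLs are constructed around the misspelled domains quoted above.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allowlist. A real deployment lists the official
# domains of the services its own users pay through.
OFFICIAL_DOMAINS = ("cybercrime.gov.in", "paytm.com")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_qr_url(url):
    """Classify a URL decoded from a QR code.

    Returns (verdict, official_domain) where verdict is "official",
    "lookalike" or "unfamiliar".
    """
    url = url.strip()
    if "://" not in url:
        url = "//" + url  # let urlsplit see a bare "host/path" payload
    host = (urlsplit(url).hostname or "").lower().rstrip(".")

    # Exact official domain, or a subdomain of one.
    for domain in OFFICIAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return ("official", domain)

    # Any host label that contains, or is a near-miss spelling of, an
    # official brand name while the host itself is not official.
    for domain in OFFICIAL_DOMAINS:
        brand = domain.split(".")[0]
        limit = max(1, len(brand) // 5)
        for label in host.split("."):
            if brand in label or edit_distance(label, brand) <= limit:
                return ("lookalike", domain)

    return ("unfamiliar", None)


# Constructed samples: the two misspelled domains are the page's own examples.
SAMPLES = ["https://paytmm.in/claim", "http://sarkaribill.xyz/pay",
           "https://www.paytm.com/", "paytm.com.rewards-claim.example/captcha"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_qr_url(s))
```

A "lookalike" verdict is the stronger signal; "unfamiliar" only means the host is not on the allowlist and still needs the manual checks listed above.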
What To Do If You Encounter CAPTCHA-Gated QR Phishing Campaign
- Report any suspicious QR code encountered by calling the cybercrime helpline at 1930 or visiting cybercrime.gov.in.
- Verify the authenticity of any message prompting you to scan a QR code by contacting your bank directly using their official helpline numbers.
- Never share personal or banking information on a website that prompts for CAPTCHA validation unless you have verified the site.
- Monitor your bank account statements regularly for any unauthorized transactions.
- Educate friends and family about these scams to raise awareness and reduce the risk of victimization.
- Keep your banking apps and software updated to ensure maximum security against potential phishing attacks.
How to Report CAPTCHA-Gated QR Phishing Campaign in India
- Call 1930 — National Cyber Crime Helpline (24x7)
- File a complaint at cybercrime.gov.in
- Contact your bank immediately if money was lost
- Call RBI helpline: 14440 for banking fraud
Frequently Asked Questions
- What to do if I shared my OTP in a KYC scam?
  Immediately contact your bank's customer service; for SBI, call 1800-11-1109 and for HDFC, dial 1800-202-6161. Report the incident to the cybercrime helpline at 1930.
- How do I identify this CAPTCHA-Gated QR phishing scam?
  Watch for messages that require you to scan a QR code unexpectedly, especially those that prompt for sensitive information in a non-official domain.
- How do I report this type of scam in India?
  You can report scams by calling 1930 or by visiting cybercrime.gov.in. Additionally, it's advisable to inform your bank about any suspicious activity.
- Can I recover money after falling victim to this scam?
  Recovery may be possible by reporting to your bank immediately and documenting the transaction. Contact your bank's customer service and follow their guidelines for fraud claims.