CERT-In Recovery Service Impersonation Scam

Verdict: Suspicious | Risk Score: 8/10 | Severity: high

Category: UPI, WhatsApp

How CERT-In Recovery Service Impersonation Scam Works

Overview:

Scammers exploit real ransomware cases in India by pretending to be 'CERT-In approved' recovery agents. They reach out after an incident—typically when a ransomware attack becomes public or the victim has posted about it online. Playing on the victim's urgency and panic, these fraudsters offer recovery or decryption services in exchange for hefty upfront payments that can reach up to ₹50,000. These services are fake: there is no decryption, and victims often lose both their data and their money.

How It Works:

  1. Scammers monitor forums, social media groups, and public breach notifications for fresh ransomware victims.
  2. They contact the victim via WhatsApp, email, or phone, introducing themselves as a 'CERT-In-certified recovery technician' or similar.
  3. The fraudster offers a quick solution—decryption software or recovery—in exchange for payment via UPI, bank transfer, or cryptocurrency.
  4. The scammer may ask for remote desktop access to the victim's system, sometimes actually installing more malware.
  5. After payment, the 'technician' disappears, leaving the files inaccessible and the victim at a double loss.

India Angle:

These criminals often use Indian phone numbers and WhatsApp profiles, sometimes spoofing caller IDs to mimic government helplines. They may show fake ID cards with CERT-In logos, use Hindi or vernacular messages, and refer to current Indian security advisories for credibility.

Real Examples:

  • WhatsApp: "Namaste, this is Rajesh from CERT-In cyber response. We noticed your company's attack. Send UPI advance for decryption—₹7,000 to [UPI_REDACTED]."
  • Call: "Hello sir, we can restore your files within hours. Our services are licensed by CERTIN. Please download this remote tool to proceed."

Red Flags:

  1. Requests for upfront payment before resolving the issue
  2. No written contract or verifiable government email address
  3. Demanding remote access or installing unknown apps
  4. Lack of official receipt or GST invoice
  5. Profiles with limited digital presence or stolen profile images

Protective Measures:

  • Always check with CERT-In's official website if you are contacted by someone claiming to represent them.
  • Never pay in advance or via UPI/crypto to so-called technicians.
  • Avoid granting remote access to unknown individuals.
  • Seek help from credible, known cybersecurity firms; focus on restoring from backups.

If Victimised:

  • Stop all financial transactions and alert your bank immediately.
  • Report scam contacts to CERT-In, cybercrime.gov.in, and call 1930 for help.
  • Scan your computer for malware before further use.

Related Scams:

  • Fake tech-support pop-ups impersonating Microsoft or Apple
  • Remote access scams offering fixes for imaginary viruses
  • Ransomware decryption 'key sellers' on Telegram

How This Scam Works — Detailed Explanation

In India, scammers have become increasingly sophisticated in targeting individuals who have experienced ransomware attacks. They monitor news articles, social media platforms such as Facebook and WhatsApp, and victim forums where people discuss their cyber issues. Once a ransomware incident becomes public, these scammers act swiftly, approaching victims with promises of a quick recovery. They may contact potential victims through phone calls, emails, or direct messages on social media, and they often claim to represent CERT-In or other legitimate recovery services, leveraging trust in governmental organisations to lend legitimacy to their fraudulent activities.

The psychological tactics used by these scammers are highly effective. They prey on the victims' feelings of urgency, panic, and fear of losing valuable data such as family photos, business information, or sensitive personal documents. By presenting themselves as 'CERT-In approved' agents, they create an illusion of credibility. They further exploit this situation by assuring victims of instant ransomware removal for a fee, often ranging from ₹10,000 to ₹50,000. This manipulation plays on the victims’ desperation to recover their data quickly, causing them to overlook the red flags of these fraudulent approaches.

Once a victim engages with these impostors, the deception escalates. Initially, the scammer might request remote access to the victim's computer or mobile device under the pretext of establishing a connection to begin the recovery process. This is where the real danger lies, as they can potentially access sensitive information such as banking details, passwords, and even Aadhaar numbers. As the victim cooperates, they are often directed to transfer payments through UPI or digital wallets before any so-called recovery work begins. After receiving the payment, these scammers typically go silent, leaving the victim without assistance, having lost both their funds and the data they desperately wanted to recover.

The impact of the CERT-In Recovery Service Impersonation Scam is staggering. Reports indicate that individuals lost over ₹20 crore in 2022 due to various impersonation scams, with ransomware recovery scams contributing significantly to this figure. Many victims find themselves navigating a complex recovery process afterwards, feeling a mix of shame and anger—not only for losing their money but also for the breach of trust. The Ministry of Home Affairs (MHA), in conjunction with the Reserve Bank of India (RBI) and CERT-In, has repeatedly alerted the public about these scams, warning that there are no official services offering guaranteed recovery from ransomware attacks unless in conjunction with law enforcement agencies.

To protect yourself from falling victim to this scam, it’s essential to be able to differentiate between legitimate communication and fraudulent approaches. Official representatives will never ask for immediate payments or request remote access without going through verified channels. CERT-In and other legitimate organizations provide information through their official web portals or authorized communication platforms, where they clearly lay out processes for reporting and addressing cyber incidents. If you receive an unsolicited message claiming to help you recover lost data—especially following a ransomware attack—verify its legitimacy by contacting official helplines or checking their websites, rather than responding impulsively to the offered help.

Visual Intelligence:

BharatSecure's AI has identified this as a used in scams targeting Indian users.

Who Does CERT-In Recovery Service Impersonation Scam Target?

General public across India

Red Flags — How to Identify CERT-In Recovery Service Impersonation Scam

  • Promises of instant ransomware removal for a fee
  • Contacts arrive soon after a ransomware attack becomes public
  • Requests remote desktop or mobile access
  • Asks for payment via UPI, wallet or crypto before starting
  • No official emails or proper GST billing
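As an added illustration (not part of the original page and not BharatSecure's own detection logic), the following Python script turns the red flags listed above into a simple weighted rule set and scores incoming messages against it. The rule names, weights and verdict thresholds are assumptions chosen for this example; the sample messages are constructed, the first two paraphrasing the quoted scam examples earlier on this page. A single indicator (such as the name CERT-In on its own) scores low; it is the combination of impersonation, upfront payment, an untraceable payment channel and a remote-access request that pushes a message into the high band.

```python
import re

# Indicator rules derived from the red flags on this page.
# Weights are assumptions chosen for this example only.
RULES = [
    # (rule name, compiled pattern, weight)
    ("impersonation",   re.compile(r"\bcert[- ]?in\b", re.I), 3),
    ("upfront_payment", re.compile(r"\b(advance|upfront|before (we )?(start|proceed))\b", re.I), 2),
    ("payment_channel", re.compile(r"\b(upi|crypto\w*|wallet|bank transfer)\b", re.I), 2),
    ("remote_access",   re.compile(r"\bremote (tool|access|desktop)\b", re.I), 3),
    ("urgency",         re.compile(r"\b(within hours|immediately|urgent|today)\b", re.I), 1),
]

# Verdict bands (assumed thresholds for this example).
HIGH_THRESHOLD = 6
MEDIUM_THRESHOLD = 3

# Constructed sample messages; none is taken from a real case.
SAMPLES = [
    # Paraphrase of the WhatsApp example quoted on this page (UPI ID is a placeholder).
    "Namaste, this is Rajesh from CERT-In cyber response. We noticed your "
    "company's attack. Send UPI advance for decryption - Rs 7,000 to example@upi.",
    # Paraphrase of the phone-call example quoted on this page.
    "Hello sir, we can restore your files within hours. Our services are "
    "licensed by CERTIN. Please download this remote tool to proceed.",
    # Generic remote-access pitch with no impersonation or payment request.
    "Please install this remote access tool immediately so I can check your laptop.",
    # Benign internal message: no indicators.
    "Hi, the weekly backup restore completed and the file server is back online.",
]


def score_message(text: str) -> dict:
    """Return the matched rule names, the summed weight and a verdict band."""
    hits = [name for name, pattern, _ in RULES if pattern.search(text)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    if score >= HIGH_THRESHOLD:
        verdict = "high"
    elif score >= MEDIUM_THRESHOLD:
        verdict = "medium"
    else:
        verdict = "low"
    return {"score": score, "hits": hits, "verdict": verdict}


def triage(messages: list) -> list:
    """Score a batch of messages, preserving input order."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLES, triage(SAMPLES)):
        print(f"[{result['verdict']:6}] score={result['score']} "
              f"hits={result['hits']}")
        print("    " + msg[:70] + ("..." if len(msg) > 70 else ""))
```

The scorer is deliberately transparent: each verdict can be explained by the list of rule names it returns, which is what a help-desk or bank fraud team needs when deciding whether to warn a customer. Real systems would add sender-reputation signals (the "limited digital presence" red flag) and account for messages written in Hindi or other Indian languages, which this keyword-only example does not handle.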

What To Do If You Encounter CERT-In Recovery Service Impersonation Scam

  1. Report any suspicious communication to the cybercrime helpline at 1930 or visit cybercrime.gov.in.
  2. Verify the identity of any recovery agent claiming to be from CERT-In before engaging in any recovery process.
  3. Do not share sensitive information or provide remote access to your devices during the recovery process.
  4. Contact your bank immediately if you have made any payments to suspected fraudsters using UPI or other payment methods.
  5. Collect all available evidence of the scam, including screenshots and communication records, for reporting.
  6. Stay informed about ongoing scams by following updates from CERT-In and your bank regarding cybersecurity threats.

How to Report CERT-In Recovery Service Impersonation Scam in India

  • Call 1930 — National Cyber Crime Helpline (24x7)
  • File a complaint at cybercrime.gov.in
  • Contact your bank immediately if money was lost
  • Call RBI helpline: 14440 for banking fraud

Frequently Asked Questions

What should I do if I've shared my account details with scammers?
Immediately contact your bank's fraud department (SBI: 1800-11-1109, HDFC: 1800-202-6161) to lock your account and report the fraud.
How can I identify if the recovery service is legitimate?
Check if the recovery service has a verified website, official emails from recognized domains, and avoid those asking for immediate payment or remote access.
How do I report this type of scam in India?
Report the incident through the cybercrime helpline 1930 or at cybercrime.gov.in, and inform your bank about any unauthorized transactions.
What steps can I take to recover funds lost in this scam?
Gather all transaction evidence and report it immediately to your bank; they may be able to reverse UPI transactions if reported quickly.

Verify Any Suspicious Message

Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.