How to protect yourself from OAuth App Permission Phishing Attack?

Do not click any links or share personal information Block and report the sender immediately Report at cybercrime.gov.in or call 1930 Inform your bank if financial details were shared

OAuth App Permission Phishing Attack

Verdict: Suspicious | Risk Score: 8/10 | Severity: high

Category: UPI, Job, Phishing

How OAuth App Permission Phishing Attack Works

Overview: This dangerous scam tricks Indians into giving criminal apps unrestricted access to their Google, email, or social media accounts—without asking for your password. Victims believe they're simply logging in, but end up giving scammers direct access to email, Google Drive, or even payment-linked accounts like Paytm or UPI, often leading to major data and financial losses. How It Works: The scam often begins with a message, ad, or link found on questionable e-commerce websites, social media, or emails. It offers a tempting deal, chance to win, or requires 'login' to view some restricted content. Instead of a typical username-[NAME_REDACTED], it shows a 'Sign in with Google' (or Facebook, Microsoft, etc.) dialog. Approving this gives the attacker broad access (via OAuth tokens), often to your emails, documents, and linked financial details—without ever seeing your actual credentials. India Angle: These scams are growing on Indian sites selling electronics, job portals, and promotional quizzes. Major targets are students, job seekers, and people frequently using third-party apps with Google sign-in. Metro and tier-2 city residents who shop online or use job search services are at high risk, with a spurt in cases reported in Bengaluru, Pune, and Gurugram recently. Real Examples: One Bangalore student got a message: "Get Rs 1,000 cashback! Login with Google to claim your reward: [fake app link]." Elsewhere, a job applicant was prompted, "Sign in with Microsoft to download offer letter," through an unauthorised site. Shortly after, key email and bank accounts were compromised. Red Flags: - Popup login screens demanding broad permissions - Unknown apps requesting access to email, Drive, or payment info - Unexpected requests for "third-party access" - Offers requiring social login for prizes or downloads Protective Measures: Use sharing permissions cautiously—never approve unknown apps for your Google, Microsoft, or payment logins. Regularly review third-party app access in your account settings and revoke anything suspicious. Never click unknown pop-up login forms or URLs, and stay wary of prizes/benefits requiring email authorisation. If Victimised: Immediately revoke access for the app in your Google/Microsoft account settings. Change your passwords. Inform your bank if financial accounts may be accessed. Report the matter to 1930 (helpline) and file a case on cybercrime.gov.in. Related Scams: Fake lottery websites, job offer download links, and social media "win a smartphone" messages that ask for OAuth login are all common variants.

Visual Intelligence:

BharatSecure's AI has identified this as a used in scams targeting Indian users.

Who Does OAuth App Permission Phishing Attack Target?

General public across India

Red Flags — How to Identify OAuth App Permission Phishing Attack

Pop-ups asking for Google/social logins on unknown sites
Requests for broad email, drive, or payment access
Login prompts outside usual app or website
Offers tied to social logins or authorisations

What To Do If You Encounter OAuth App Permission Phishing Attack

Do not click any links or share personal information
Block and report the sender immediately
Report at cybercrime.gov.in or call 1930
Inform your bank if financial details were shared

How to Report OAuth App Permission Phishing Attack in India

Call 1930 — National Cyber Crime Helpline (24x7)
File a complaint at cybercrime.gov.in
Contact your bank immediately if money was lost
Call RBI helpline: 14440 for banking fraud

Frequently Asked Questions

What is OAuth App Permission Phishing Attack?: Overview: This dangerous scam tricks Indians into giving criminal apps unrestricted access to their Google, email, or social media accounts—without asking for your password. Victims believe they're simply logging in, but end up giving scammers direct access to email, Google Drive, or even payment-linked accounts like Paytm or UPI, often leading to major data and financial losses. How It Works: The scam often begins with a message, ad, or link found on questionable e-commerce websites, social me
How does OAuth App Permission Phishing Attack work?: Overview: This dangerous scam tricks Indians into giving criminal apps unrestricted access to their Google, email, or social media accounts—without asking for your password. Victims believe they're simply logging in, but end up giving scammers direct access to email, Google Drive, or even payment-linked accounts like Paytm or UPI, often leading to major data and financial losses. How It Works: Th
How to protect yourself from OAuth App Permission Phishing Attack?: Do not click any links or share personal information Block and report the sender immediately Report at cybercrime.gov.in or call 1930 Inform your bank if financial details were shared
How to report OAuth App Permission Phishing Attack in India?: Report to cybercrime.gov.in or call 1930 (National Cyber Crime Helpline). You can also contact your local police station's cyber cell.

Verify Any Suspicious Message

Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.