Targeted Government Portal Phishing (APT36)

Verdict: Suspicious | Risk Score: 9/10 | Severity: critical

Category: WhatsApp, Phishing

How Targeted Government Portal Phishing (APT36) Works

Overview

Targeted government portal phishing scams—primarily led by groups like APT36—are a rising threat for Indian government employees and partners. These highly specific attacks aim to breach official networks, steal confidential data, or install malicious software. The scam is dangerous due to its convincing nature, often mimicking internal communications and legitimate request processes, putting sensitive state and citizen information at risk.

How It Works

  1. The attacker researches the organization and employees, sometimes scraping data from public sources.
  2. They craft an authentic-looking email or message, usually appearing to come from a government superior or IT wing.
  3. The message urges the recipient to click a link purportedly related to their work—such as a portal update, compliance notice, or urgent directive.
  4. The link leads to a fake government login page or to the download of a malicious file (like an MSI installer).
  5. On providing credentials or running the file, the attacker either harvests sensitive login details or installs malicious software for deeper access.

India Angle

This scam is tailored for Indian government departments and public sector units. Attacks frequently occur via official email channels, WhatsApp (for urgent calls to action), and sometimes direct SMS. Targeted states include Delhi, Maharashtra, Karnataka, and southern regions where major government IT hubs exist.

Real Examples

  • An email with the subject: "Urgent Portal Update Required for Compliance—Click Here to Proceed."
  • A WhatsApp message: "This is to inform you of a mandatory security update on your Gov portal. Download the update using this link."

Red Flags

  • Unfamiliar or suspicious sender email address.
  • Requests for credentials or to download files outside the official portal.
  • Stressed urgency: "Immediate action required" or "Final warning."
  • Attached files with unusual extensions.
  • Links that do not match legitimate government domains.

Protective Measures

  • Double-check sender details for authenticity.
  • Never download files or click links from unexpected sources.
  • Log in to portals only through direct URLs or official bookmarks.
  • Report any suspicious communication to your IT department and CERT-In.

If Victimised

  • Immediately disconnect the affected system from the network.
  • Notify your department's cybersecurity cell.
  • Report the incident to CERT-In and file a case on cybercrime.gov.in.

Related Scams

  • Internal HR policy update frauds.
  • Fake government grant notifications.
  • Ransomware disguised as official updates.

How This Scam Works — Detailed Explanation

Targeted government portal phishing scams, particularly those executed by groups like APT36, leverage sophisticated methods to identify and approach victims amongst government employees and their partners. They often initiate contact through platforms such as WhatsApp, where phishing attempts are disguised as official messages. Through the use of social engineering tactics, these attackers research their targets meticulously, gathering insights from social media and public databases. Once they identify potential victims—often those involved in sensitive operations—they deploy tailored messages that seem to originate from trusted sources within the government. This methodology makes it easier for them to penetrate the already tight-knit communications of governmental bodies.

The specific tactics employed by these cybercriminals revolve around creating a sense of urgency and authority. For instance, they might send a WhatsApp message claiming to be from a senior government official, asking the target to immediately log into a seemingly official website to update their credentials. These messages often contain psychological triggers, such as emphasizing a critical deadline for 'system updates' or alerting victims about 'suspicious activity.' The subtle manipulation in language, such as the use of urgency and the appeal to authority, plays a significant role in deceiving recipients into believing that the request is both genuine and time-sensitive. Additionally, these messages may contain hints of threats about potential job impacts if immediate action is not taken.

Once a victim engages with the phishing attempt, they may be directed to a counterfeit portal that closely resembles a legitimate government site. Here, they are likely asked to enter sensitive information, such as their Aadhaar number or work email credentials. If the target is not careful, they may follow the link embedded in the WhatsApp message straight to a webpage controlled by the attackers. After entering their details, the victims ultimately hand over their personal and confidential data, which can then be misused to siphon off funds or even compromise larger systems that deal with citizen data. Reports indicate that similar scams have led to considerable financial losses, with victims losing substantial amounts as a result of unauthorized UPI transactions—often in crores, affecting individual savings and government resources alike.

The real-world impact of these scams is significant, with recent estimates suggesting that India's fight against cybercrime is costing the economy approximately ₹2,000 crore annually. Entities like the Ministry of Home Affairs (MHA), the Reserve Bank of India (RBI), and the Computer Emergency Response Team (CERT-In) have issued advisories highlighting the rise of these phishing scams, recognizing that targeted attacks contribute heavily to the growing momentum of cybercrimes in the nation. Reports of incidents where government employees fell victim to these phishing attempts showcase how cybercriminals exploit vulnerabilities in the trust within public systems, aggravating the potential for irreversible damage not just to individuals but to broader state mechanisms as well.

To differentiate between these scams and legitimate government communications, it is crucial for recipients to be vigilant. A real government message may come from verified official channels—however, attackers often mimic these communications so closely that they appear almost identical. Red flags to watch out for include requests to enter credentials on unofficial portals, messages containing minor spelling mistakes or grammatical errors, or links that don’t lead to verified domains. Moreover, always scrutinize the urgency of the request; legitimate government activities usually permit a reasonable time frame for actions and do not press for immediate responses. Recognizing these nuances can significantly aid individuals in staying alert against such insidious threats.

Who Does Targeted Government Portal Phishing (APT36) Target?

General public across India

Red Flags — How to Identify Targeted Government Portal Phishing (APT36)

  • Requests to enter credentials on unofficial portals
  • Emails or links with slight spelling mistakes in official addresses
  • Files sent in formats uncommon for government communications
  • Unusual urgency—pressure to act immediately
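As an added example (not part of the original page or of BharatSecure's own tooling), a small Python triage check that applies this page's red-flag checklist to a message: it flags links whose host is outside an assumed allowlist of official suffixes (gov.in, nic.in), downloads of file types uncommon for government communications, urgency phrases, and requests for credentials or identity data. The allowlist, the phrase and extension lists, and the sample message are constructed assumptions, not data from the page.

```python
import re
from urllib.parse import urlparse

# Assumption: suffixes treated here as official Indian government domains.
# A real deployment would use the department's own verified allowlist.
OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")
# Urgency phrases this page lists as red flags (lower-case for matching).
URGENCY_PHRASES = ("immediate action required", "final warning", "urgent", "mandatory")
# Assumption: download extensions considered uncommon for government mail.
RISKY_EXTENSIONS = (".msi", ".exe", ".scr", ".bat", ".js", ".vbs")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_official_domain(url: str) -> bool:
    """True only if the host ends with an official suffix (a lookalike such as
    india.gov.in.verify-portal.example merely contains it and is rejected)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s[1:] or host.endswith(s) for s in OFFICIAL_SUFFIXES)


def triage_message(text: str) -> dict:
    """Return the red flags found in a message, following this page's checklist."""
    flags = []
    lowered = text.lower()
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if not is_official_domain(url):
            flags.append(f"link outside official domains: {parsed.hostname}")
        path = parsed.path.lower()
        if path.endswith(RISKY_EXTENSIONS):
            flags.append(f"download of risky file type: {path.rsplit('/', 1)[-1]}")
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        flags.append("urgency pressure: " + ", ".join(hits))
    if re.search(r"\b(credentials|password|otp|aadhaar)\b", lowered):
        flags.append("asks for credentials or identity data")
    return {"suspicious": bool(flags), "flags": flags}


# Constructed sample modelled on the WhatsApp lure quoted on this page.
SAMPLE = (
    "This is to inform you of a mandatory security update on your Gov portal. "
    "Immediate action required: download the update using "
    "https://gov-in-portal-update.example/update/PortalUpdate.msi "
    "and re-enter your credentials."
)

if __name__ == "__main__":
    for flag in triage_message(SAMPLE)["flags"]:
        print("-", flag)
```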

What To Do If You Encounter Targeted Government Portal Phishing (APT36)

  1. Report any suspicious communication immediately by calling 1930 or visiting cybercrime.gov.in.
  2. Verify the message sender's identity by contacting your department’s IT or security team.
  3. Do not share sensitive information like Aadhaar or bank credentials without verifying the request.
  4. Change passwords of affected accounts immediately if you've shared any credentials.
  5. Educate colleagues and fellow government employees about recognizing phishing attempts.
  6. Monitor your bank accounts and UPI transactions for any unauthorized activities.

How to Report Targeted Government Portal Phishing (APT36) in India

  • Call 1930 — National Cyber Crime Helpline (24x7)
  • File a complaint at cybercrime.gov.in
  • Contact your bank immediately if money was lost
  • Call RBI helpline: 14440 for banking fraud

Frequently Asked Questions

What to do if I shared my OTP in a WhatsApp scam?
Contact your bank immediately using helplines like SBI at 1800-11-1109 or HDFC at 1800-202-6161. Change your account passwords and inform them about the incident.
How can I identify a targeted government portal phishing scam?
Be cautious of unofficial requests for sensitive information or links that appear suspicious. Legitimate communications do not pressure users into immediate responses.
How can I report this type of scam in India?
You can report phishing scams by calling the cybercrime helpline at 1930 or by visiting cybercrime.gov.in for further reporting processes.
What steps should I take to recover money after this scam?
Contact your bank immediately to report unauthorized transactions. Follow up by filing a complaint with the cybercrime helpline or your local police.

Verify Any Suspicious Message

Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.