india employmentnews

Hackers can empty accounts even without an OTP; how does this scam work?

IEN

Cyber Scam: While OTPs, ATM PINs, or bank details were previously required for fraud, several methods have now emerged where bank accounts can be drained without the victim ever sharing an OTP.

Cyber Fraud: Cyber fraudsters have become increasingly active these days. They are constantly devising new ways to siphon money from people's bank accounts. Methods such as fake links, malicious APK files, remote access malware-based payment systems, and screen-sharing tools are being used to target victims.

Cybercriminals now send fake messages posing as banks or major companies. These messages lure recipients with offers of discounts, cashback, gift vouchers, or prizes. As soon as a person clicks the link provided in the message, malware or a fake app may get installed on their mobile phone. Hackers then gain control over the device, access banking apps, and—in many instances—execute transactions without requiring an OTP.

A woman in Delhi recently faced such an attempt; she had purchased a laptop from an electronics store and, a few days later, received a message stating she had won a voucher for her purchase. The message asked her to enter her bank details and click a link. However, she became suspicious because the company name in the message was incorrect, and she managed to avoid falling victim to the scam.

Cybercriminals are also utilizing dangerous malware such as APK files and Remote Access Trojans (RATs). These files are disguised as legitimate apps and distributed via WhatsApp, Telegram, or fake websites. Often, they are also made available for download through fake Play Store listings.

Once the user installs the APK file and grants the permissions it requests, the malware becomes active in the background. Hackers then gain remote access to the phone and can operate banking apps, digital payment apps, fintech apps, and even crypto apps just like the actual user.

Cybersecurity experts have also warned Android users about a banking malware named 'Albiriox'. This malware infiltrates phones via fake apps and exploits Android's accessibility features. It allows hackers to perform various actions within banking apps without needing login credentials or OTPs.

According to reports, over 400 such fake apps have already been identified. This malware is being made available to cybercriminals on the dark web under a 'Malware-as-a-Service' model.

Experts advise that to avoid online fraud, one should not trust messages or calls from unknown numbers. Links should be verified before clicking, and apps should only be downloaded from the official Play Store.

Additionally, cyber experts recommend avoiding the installation of apps from APK files or unknown sources and keeping the 'Install Unknown Apps' setting disabled on the mobile. Google Play Protect should always remain enabled, and one should never share OTPs, bank details, or KYC-related information with anyone.

Furthermore, screen-sharing or remote access apps should only be used in trusted situations. Use a 'Masked Aadhaar' when sharing copies of your Aadhaar card, and keep your phone and all apps updated regularly.