One link, made to look like an ordinary gas bill, has been enough to rattle digital payers in Thane. It shows how a small nudge can turn into a heavy loss in no time. For investors with an eye on fintech or utility-linked payments, it is a clear example of the reputational and security costs that social engineering can impose.
Why this matters for investors and users
The modus operandi was to impersonate a well-known utility to get people to act. That erodes faith in app-based channels. When users can’t be sure what’s real, they don’t engage, and the cost of resolving disputes goes up. That is not the story anyone wants for a smooth digital collection system.
There are two sides to the risk: the consumer who is out of pocket, and the brand or platform that has to deal with the mess made in its name. Both may force firmer rules on how companies communicate with their customers.
How the fraud worked, according to police
Thane police say a retired 60-year-old from Kalyan received a message on May 30 from someone calling himself ‘Divesh Joshi’. It carried an APK file titled ‘Mahanagar Gas bill update http://Online.apk’.
Once the file was on his phone, he was asked to pay Rs 10 with his debit card. When that didn’t go through, he was told to use another one. Before long, OTPs were coming in and unauthorised charges followed, police say.
In all, the victim lost Rs 8.68 lakh across six transactions from his two accounts. Further digging turned up 21 other victims, with combined losses of Rs 22.74 lakh.
Total exposure and alleged method
Taken together, the losses come to Rs 31.43 lakh, according to the Khadakpada police. They suspect the APK carried malicious code that siphoned off sensitive information and intercepted OTPs as soon as it was installed, especially since it did not come from an official store.
Police action and legal footing
Police have registered a case under section 318 (4) of the Bharatiya Nyaya Sanhita for cheating, along with the relevant sections of the IT Act. They are now pursuing the suspects and the technology used to carry out the fraud.
According to the complaint, the sender posed as a gas bill representative and used a small payment request to gain access to the device. It remains to be seen whether this is part of a bigger operation sending out fake messages in bulk.
Signals for platforms and policy
This is a case of a trusted name being put to bad use, and the onus falls on the genuine operators to contain the damage. For any platform dealing with the public, a dent in users’ sense of security can slow new sign-ups, clog support lines and prompt regulators to impose hard limits on unsolicited contact.
Billers and utilities have to harden every point of contact. Making it plain what a genuine message looks like can head off some of the clicks on fraudulent links and preserve credibility.
What to watch for:
– Social engineers use a routine payment request as their opening
– Brand impersonation makes the fallout worse
– Handling fraud is a cost platforms can do without
Some user-side defences the case brings to light
This is a familiar pattern: an APK arrives over a chat app posing as an invoice or a KYC form. Because it did not come from the app store, it can run on your phone and read your SMS OTPs without you knowing it.
A few basics keep you on the right side of things:
– Don’t install an APK sent over WhatsApp or text message
– Check with the provider if you get a bill update
– Never share your OTP
– Keep bank alerts switched on so you can see activity on your accounts
– Keep your phone’s security updates current
What comes next
While the probe continues, the task is to restore some faith in how bills are handled online. Expect a focus on in-app updates and on weeding out unwanted links as firms try to protect their customers’ trust.
For the time being, the situation in Thane is a lesson in itself: a ten-rupee request can lead to a Rs 31.43 lakh headache.











