As India gears up for New Year celebrations, cybercrime authorities have sounded a high alert over a dangerous new “greeting scam” targeting millions of users on popular messaging platforms. The Telangana Cyber Security Bureau (TGCSB) and Hyderabad police are sharing the warnings, highlighting how fraudsters are disguising malware as festive New Year 2026 wishes to steal personal data and empty bank accounts.
The scam has gained traction rapidly in recent days, exploiting the surge in digital greetings during the holiday season. Messages often appear innocent, promising personalised cards, digital gifts, or exclusive rewards, but clicking the embedded links can lead to devastating financial losses.
How the scam operates
Scammers send messages via WhatsApp, Telegram, or even SMS that mimic greetings from known contacts, often because they’ve already compromised a victim’s account. Common lures include phrases like “Click here for your special New Year greeting,” “Open your personalised card,” or “Claim your New Year surprise gift.”
Once users click the link, it prompts the download of a malicious APK file (Android app package), which installs spyware silently on the device. This malware grants hackers extensive access for:
- Reading incoming SMS, including banking one-time passwords (OTPs)
- Accessing contacts, photos, galleries, and notifications
- Taking remote control of the phone, including the microphone in some cases
- Hijacking the victim’s WhatsApp account to auto-forward the scam to their entire contact list, creating a viral chain reaction
Once in control, fraudsters can initiate unauthorised transactions via UPI, banking apps, or digital wallets. Reports indicate tactics like small, repeated transfers to avoid immediate detection.
TGCSB chief Shikha Goel highlighted the deceptive nature of the scam. “People believe they are opening a greeting card, but in reality, they are handing over the keys to their bank account,” she said.
These scams thrive on festive trust, with lower user vigilance during celebrations. Android users in India are particularly at risk due to widespread WhatsApp usage and the ability to sideload APKs.
How you can stay safe this New Year
Authorities urge immediate caution to avoid falling victim:
- Never click suspicious links. Even if from known contacts, verify separately via call or text. Avoid any greeting requiring an app download or update.
- Stick to safe sharing. Use plain text wishes, direct images, videos, or stickers from official sources.
- Secure your accounts. Enable two-step verification on WhatsApp. Only install apps from the Google Play
Store or official sources. - Messages marked “forwarded many times,” urgent claims of gifts/rewards, or requests for permissions like SMS access.
- Disconnect from the internet immediately, uninstall unknown apps, change passwords, and notify your bank to block transactions.
- Contact the national cybercrime helpline 1930 or file a complaint at cybercrime.gov.in. Quick reporting during the “golden hour” (first hour after fraud) boosts recovery chances.
