A new wave of cyber fraud is rapidly spreading across India, targeting mobile users through fake LPG payment and KYC update messages. Indian Bank has issued an urgent advisory warning customers about these scams, which are designed to steal banking credentials and drain accounts.
The campaign is highly coordinated and leverages public concern around LPG cylinder availability. Cybercriminals are distributing fraudulent messages via SMS, WhatsApp, and social media platforms, impersonating trusted gas providers such as Indane, Bharat Gas, and HP Gas.
These messages typically create urgency, warning users that their LPG connection will be suspended unless they immediately complete a KYC update or make a pending payment. Phrases like “Limited stock available” or “Immediate action required” are strategically used to trigger panic and push users into quick decisions.
The scam follows a classic social engineering model. Victims receive a message containing a malicious link. Once clicked, the link redirects them to a fake website that closely resembles an official LPG provider portal.
Users are then prompted to enter sensitive details such as banking credentials, debit or credit card information, UPI PINs, and OTPs. This information is instantly captured by attackers, allowing them to access bank accounts and initiate unauthorized transactions.
In more advanced variants, attackers send malicious APK files through WhatsApp. When installed, these applications silently gain control over the victim’s device, exposing saved passwords, banking apps, and personal data.
Some fraudsters go a step further by impersonating bank officials through WhatsApp calls, guiding users to click links or share confidential information under the pretext of urgent account verification.
Authorities, including cybercrime units, have reported a growing number of complaints related to these scams. Victims are being targeted at scale, with attackers also using fake advertisements and social media campaigns to lure users into fraudulent payment portals.
Security experts classify this as an event-driven phishing attack, where real-world concerns—in this case LPG availability—are exploited to increase success rates. A similar alert has also been issued in Jammu & Kashmir, indicating that the campaign is expanding geographically and targeting mobile-first users across regions.
To counter this threat, Indian Bank and cybersecurity authorities have issued clear safety guidelines:
Do not click on links received via SMS, WhatsApp, or social media
Never share OTPs, UPI PINs, Aadhaar details, or banking credentials
Always verify LPG-related information through official apps or helplines
Avoid installing APK files from unknown sources
Report suspicious messages to the cybercrime helpline 1930
It is important to remember that no legitimate LPG provider or bank will request sensitive information through unsolicited links or messages.
This incident highlights how cybercriminals are evolving their tactics—combining phishing, malware, and impersonation to exploit everyday services.
For users, the key defense is awareness. Always verify before taking action, especially when urgency is involved. When in doubt, contact your LPG provider or bank directly using official channels.