KYC (Know Your Customer) scams involve fraudulent activities where scammers impersonate banks, crypto exchanges, payment platforms, or regulatory authorities to verify user identity. Their objective is to harvest sensitive personal data, including Aadhaar numbers, PAN cards, selfies, and OTPs, often through phishing websites mimicking legitimate KYC portals or malicious Android apps disguised as KYC verification tools. This stolen information is then exploited for financial fraud, identity theft, and unauthorized account access.
Anatomy of the Scam:
Scammers reach out via email, SMS, or messaging apps, claiming incomplete KYC status. Victims are tricked into clicking a link or downloading an app, leading to phishing sites or malware installation. Fake input fields harvest sensitive user data, which is then transmitted to scammers. The stolen data is used for fraudulent activities or account hijacking. Users are left vulnerable to financial loss and identity theft.

Threat Infrastructure:
The infrastructure supporting KYC scams is crafted to mimic legitimacy while serving malicious purposes. Key components include:
- Phishing domains: Attackers register domains that closely resemble those of banks or financial institutions, often using typosquatting or homoglyph tactics.
- Hosting: These domains are typically hosted on low-cost or compromised servers, with frequent changes to evade detection (fast-flux DNS).
- Fake Android apps: Malicious apps are either built from scratch or created by repackaging legitimate apps with added malicious code.
- Command and control (C2) communication: HTTP POST requests are used for communication, while Telegram bots often handle data exfiltration in mobile-based scams, bypassing traditional security measures.
Attack Vectors:
Vector | Description |
Email phishing | Spoofed emails claiming KYC suspension |
SMS smishing | Fake KYC update messages with shortened URLs |
WhatsApp/Telegram | Messages from “official” looking profiles with fake links |
Social Media | KYC notices posted in crypto/finance groups |
Malvertising | Fake KYC ads shown in search results via Google Ads or SEO poisoning |
Usage of Phishing Websites:
Phishing websites in KYC scams typically feature:
- Cloned branding and logos of legitimate financial institutions
- Simple HTML pages with input fields requesting sensitive information, such as:
  - Personal details (name, Aadhaar number, PAN)
  - File uploads (ID proofs, selfies)
- A backend PHP script that:
  - Logs submitted data into a text file or emails it to the attacker
  - Uses simple code to evade detection by basic antivirus or firewall systems, making it harder to flag as malicious.
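The traits listed above can be turned into a simple page-triage check. The following scanner is an added example, not code from the original post: it parses a saved HTML page with the Python standard library and flags a form that collects Aadhaar/PAN/OTP values together, file uploads for ID proofs or selfies, a bank or regulator name on a page whose hostname does not belong to that brand, and a form that posts to a bare server-side script. The brand-to-domain map, the token lists and both sample pages are constructed; the phishing hostname is a refanged value from the post's own IOC list.

```python
"""Heuristic scanner for KYC-phishing landing pages (added example, not the post's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field-name tokens that no third-party page should collect together (constructed list).
SENSITIVE_FIELDS = {"aadhaar", "aadhar", "pan", "otp", "cvv", "pin", "password", "upi"}
ID_UPLOAD_HINTS = {"selfie", "id", "proof", "aadhaar", "pan", "photo"}
# Constructed brand-to-owner map; a production list would come from a curated feed.
BRANDS = {"hdfc": "hdfcbank.com", "sbi": "onlinesbi.sbi", "rbi": "rbi.org.in"}


def tokens(text):
    """Lowercase alphanumeric tokens, so 'pan' does not match inside 'company'."""
    return set(re.split(r"[^a-z0-9]+", text.lower())) - {""}


def owned_by(host, owner):
    """True when host is the owner domain or one of its subdomains."""
    return host == owner or host.endswith("." + owner)


class FormCollector(HTMLParser):
    """Collect form actions, input name/type pairs and visible text from one page."""

    def __init__(self):
        super().__init__()
        self.actions, self.inputs, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input":
            self.inputs.append(((a.get("name") or "").lower(), (a.get("type") or "text").lower()))

    def handle_data(self, data):
        self.text.append(data)


def score_page(html, page_url):
    """Return (score, findings); each finding is one phishing trait, so score counts traits."""
    p = FormCollector()
    p.feed(html)
    host = (urlparse(page_url).hostname or "").lower()
    findings = []

    asked = {f for name, _ in p.inputs for f in SENSITIVE_FIELDS if f in tokens(name)}
    if len(asked) >= 2:
        findings.append(f"form collects {sorted(asked)} on one page")

    uploads = [n for n, t in p.inputs if t == "file" and tokens(n) & ID_UPLOAD_HINTS]
    if uploads:
        findings.append(f"file upload of identity documents: {uploads}")

    words = tokens(" ".join(p.text))
    for brand, owner in BRANDS.items():
        if brand in words and not owned_by(host, owner):
            findings.append(f"page names '{brand}' but is hosted on {host}")

    for action in p.actions:
        act_host = (urlparse(action).hostname or "").lower()
        if act_host and act_host != host:
            findings.append(f"form posts to a different host: {act_host}")
        elif not act_host and action.lower().endswith(".php"):
            findings.append(f"form posts to a bare server-side script: {action}")
    return len(findings), findings


# Constructed sample pages for the demonstration.
SAMPLE_PHISH = """<html><body><h1>HDFC Bank - KYC Update Required</h1>
<p>Your KYC has expired. Complete verification to avoid account suspension.</p>
<form action="submit.php" method="post" enctype="multipart/form-data">
<input name="full_name" type="text"><input name="aadhaar_number" type="text">
<input name="pan_number" type="text"><input name="otp" type="text">
<input name="id_proof" type="file"><input name="selfie" type="file">
<input type="submit" value="Verify Now"></form></body></html>"""

SAMPLE_BENIGN = """<html><body><h1>HDFC Bank newsletter</h1>
<form action="https://www.hdfcbank.com/subscribe" method="post">
<input name="email" type="email"><input type="submit"></form></body></html>"""

if __name__ == "__main__":
    for url, page in (("https://hdfc-verifykyc.com/kyc", SAMPLE_PHISH),
                      ("https://www.hdfcbank.com/news", SAMPLE_BENIGN)):
        score, why = score_page(page, url)
        print(url, "->", score, why)
```

Token matching on input names rather than substring matching keeps false positives down on legitimate forms, and the brand check is the one that catches typosquats such as hdfc-verifykyc[.]com, because the page names the bank while the host is not owned by it.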
KYC Scam Victims – Age Group Classification
Age Group | Victim Percentage |
< 18 years | 2–3% |
18–25 years (Youth/Students) | 18–22% |
26–35 years (Young professionals) | 25–30% |
36–50 years (Mid-age adults) | 20–25% |
51–65 years (Older adults) | 12–15% |
65+ years (Senior citizens) | 5–8% |

APK Behavior:
Android malware in KYC scams disguises itself as legitimate KYC apps, requesting excessive permissions such as:
APK Capabilities
Feature | Purpose |
RECEIVE_SMS | Steal OTP |
READ_CONTACTS | Social engineering expansion |
INTERNET | C2 communication |
SYSTEM_ALERT_WINDOW | Fake overlays for UPI apps |
BROADCAST_RECEIVER | Start on boot |
Once installed, the malware:
- Intercepts SMS messages to capture OTPs
- Reads contacts for further targeting
- Uses overlay attacks to mimic banking interfaces
The malware communicates with command-and-control servers via HTTP requests or Telegram bot APIs. To maintain persistence, it may register as a boot receiver, allowing it to survive device reboots. Additionally, it employs anti-emulation techniques to evade detection in sandbox environments.
Indicators of Compromise:
KYC scams generate technical artifacts that can be used as Indicators of Compromise (IOCs), including:
- Suspicious URLs (e.g., kyc-update-info[.]com), such as:
  - https://hdfc-verifykyc[.]com
  - https://kyc-update-rbi[.]org
  - https://rbi-kycverify[.]in/update
- Anonymously registered domains with recent WHOIS records
- IP addresses associated with command-and-control (C2) servers
- SHA256 hashes of malicious APK files
- Telegram bot usernames used for data exfiltration
IOC EXAMPLES
Type | IOC |
Domain | kyc-verify-app[.]info |
APK Hash | SHA256: b8f4c0d2e0e49df7… |
IP Address | 45.76.123.90 (C2) |
Telegram Bot | @kyc_notify_bot |
Email used | kyc-support [@] outlook [.] com |
By monitoring these IOCs through a Security Information and Event Management (SIEM) system, defenders can proactively identify and block these threats before they cause damage.
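Before a SIEM can match indicators like those in the table, the defanged forms (`[.]`, `[@]`, `hxxp`) have to be refanged and normalized, and values that can never match (such as a truncated hash) dropped. The script below is an added example, not code from the original post: it loads the post's IOC table, refangs it, and matches it against constructed log lines with boundary checks so that a lookalike such as `notkyc-verify-app.info` does not fire. The key=value log format and the addresses from documentation ranges are assumptions made for the sample.

```python
"""Refang defanged IOCs and match them against log lines (added example, not the post's code)."""
import ipaddress
import re

# IOC table from the post; the SHA256 is truncated there and cannot match anything.
IOCS = [
    ("domain", "kyc-verify-app[.]info"),
    ("domain", "hdfc-verifykyc[.]com"),
    ("ip", "45.76.123.90"),
    ("telegram_bot", "@kyc_notify_bot"),
    ("email", "kyc-support [@] outlook [.] com"),
    ("sha256", "b8f4c0d2e0e49df7…"),
]

# Constructed log lines (proxy, DNS and mail gateway events) in an assumed key=value style.
LOGS = [
    "2024-05-01T10:12:03Z proxy src=10.0.0.15 dst=45.76.123.90 method=POST "
    "url=http://kyc-verify-app.info/submit.php status=200",
    "2024-05-01T10:12:04Z dns client=10.0.0.15 query=api.telegram.org type=A",
    "2024-05-01T10:12:05Z proxy src=10.0.0.15 dst=203.0.113.7 method=GET "
    "url=https://t.me/kyc_notify_bot status=200",
    "2024-05-01T10:13:00Z mail from=kyc-support@outlook.com to=user@example.com "
    'subject="Your KYC Has Expired"',
    "2024-05-01T10:14:00Z proxy src=10.0.0.22 dst=198.51.100.9 method=GET "
    "url=https://notkyc-verify-app.info/ status=200",
]


def refang(value):
    """Undo common defanging: '[.]' or '(.)' -> '.', '[@]' -> '@', hxxp -> http."""
    v = value.strip().lower()
    v = re.sub(r"\s*[\[(]\s*\.\s*[\])]\s*", ".", v)
    v = re.sub(r"\s*\[\s*@\s*\]\s*", "@", v)
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v)
    return v


def load_iocs(raw):
    """Refang and validate IOCs, indexed by type; drop values that can never match."""
    index = {}
    for kind, value in raw:
        v = refang(value)
        if kind == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", v):
            continue  # truncated or placeholder hash
        if kind == "ip":
            ipaddress.ip_address(v)  # raises ValueError on a malformed address
        index.setdefault(kind, set()).add(v)
    return index


def match_line(line, index):
    """Return the (kind, ioc) pairs found in one log line, with boundary checks."""
    low = line.lower()
    hits = []
    for d in sorted(index.get("domain", ())):
        # a subdomain prefix (preceded by '.') is allowed, an embedded lookalike is not
        if re.search(r"(?<![a-z0-9-])" + re.escape(d) + r"(?![a-z0-9-])", low):
            hits.append(("domain", d))
    for ip in sorted(index.get("ip", ())):
        if re.search(r"(?<![0-9.])" + re.escape(ip) + r"(?![0-9.])", low):
            hits.append(("ip", ip))
    for addr in sorted(index.get("email", ())):
        if addr in low:
            hits.append(("email", addr))
    for bot in sorted(index.get("telegram_bot", ())):
        handle = re.escape(bot.lstrip("@"))
        if re.search(r"(?:@|t\.me/)" + handle + r"(?![a-z0-9_])", low):
            hits.append(("telegram_bot", bot))
    return hits


def scan_logs(lines, index):
    """Return [(line_number, hits)] for every line that matched at least one IOC."""
    results = []
    for n, line in enumerate(lines):
        hits = match_line(line, index)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan_logs(LOGS, load_iocs(IOCS)):
        print(f"line {n}: {hits}")
```

The same normalization should be applied to incoming feeds before they are loaded into a SIEM watchlist; a defanged value that is loaded verbatim silently matches nothing.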
Spyware Behavior Simulation (Android Demo):
Note: No real malware is used; this demonstration is for educational purposes only, for the safety of readers.
Figure: Fake app interface
Figure: Intercepts SMS
Figure: Mimics background mic recording
Usage of MITRE ATT&CK Mapping:
The MITRE ATT&CK framework can be used to categorize and understand the tactics used in KYC scams, including:
- T1204 (User Execution)
- T1111 (Two-Factor Authentication Interception)
- T1059 (Command and Scripting Interpreter)
- T1071.001 (Application Layer Protocol: Web Protocols)
By mapping these techniques, security teams can gain insights into attacker behavior and develop more effective defenses.
MITRE ATT&CK MAPPING
Technique ID | Description |
T1059 | Command and Scripting Interpreter (for JavaScript on phishing page) |
T1204 | User Execution – malicious APK installation |
T1071.001 | Application Layer Protocol: Web Protocols |
T1083 | File and Directory Discovery |
T1111 | Two-Factor Authentication Interception |
YARA Rules for Detection:
YARA rules can detect malicious patterns in files or programs associated with KYC scams, such as:
- Phishing HTML forms requesting sensitive information (Aadhaar or PAN numbers)
- APKs with suspicious permission requests and strings (e.g., SmsMessage.createFromPdu)
These rules enable antivirus engines and sandbox tools to identify suspicious applications or websites, even if the malware is new or a variant. YARA rules can be applied across:
- File systems
- Email attachments
- Web gateways
to enhance early detection and improve security posture.
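To show how the permission set from the APK Capabilities table and the strings named above (SmsMessage.createFromPdu) combine into one rule, the following is an added example, not code or a rule from the original post. It expresses the rule in Python with the same shape as a YARA rule (`strings:` lists and a `condition:` of "2 of ($perm*) and 1 of ($sms*)") and evaluates it against a constructed APK-shaped zip. Two simplifications are assumptions for the sake of an offline demonstration: the manifest is kept as plain text, whereas a real APK carries a binary AndroidManifest.xml that needs decoding (for example with androguard), and classes.dex is a stand-in byte blob; YARA itself would be run over the unpacked files.

```python
"""YARA-style 'KYC SMS stealer' rule logic on a constructed APK (added example, not the post's code)."""
import hashlib
import io
import re
import zipfile

# $perm* strings: permissions the APK Capabilities table flags as risky
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
# $sms* strings: SMS interception API and broadcast action
SMS_STRINGS = [b"SmsMessage.createFromPdu", b"android.provider.Telephony.SMS_RECEIVED"]
# $c2* strings: exfiltration via the Telegram bot API (reported, not part of the condition)
C2_STRINGS = [b"api.telegram.org/bot"]


def build_sample_apk(manifest_xml, dex_strings):
    """Build an in-memory zip shaped like an APK (constructed test input, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest_xml)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(dex_strings))
    return buf.getvalue()


def scan_apk(apk_bytes):
    """Evaluate the rule; return the file hash, matched strings and the verdict."""
    sha256 = hashlib.sha256(apk_bytes).hexdigest()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = z.read("AndroidManifest.xml").decode("utf-8", "ignore")
        dex = z.read("classes.dex")
    perms = set(re.findall(r"android\.permission\.[A-Z_]+", manifest)) & RISKY_PERMISSIONS
    sms = [s.decode() for s in SMS_STRINGS if s in dex]
    c2 = [s.decode() for s in C2_STRINGS if s in dex]
    # condition: 2 of ($perm*) and 1 of ($sms*)
    matched = len(perms) >= 2 and len(sms) >= 1
    return {"sha256": sha256, "permissions": sorted(perms), "sms_strings": sms,
            "c2_strings": c2, "rule_kyc_sms_stealer": matched}


# Constructed inputs: a suspect "KYC verification" app and a benign notes app.
SUSPECT_MANIFEST = """<manifest package="com.example.kycverify">
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""
SUSPECT_DEX = [b"Landroid/telephony/SmsMessage;", b"SmsMessage.createFromPdu",
               b"android.provider.Telephony.SMS_RECEIVED", b"https://api.telegram.org/bot"]

BENIGN_MANIFEST = """<manifest package="com.example.notes">
<uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
BENIGN_DEX = [b"Landroid/widget/TextView;", b"https://api.example.com/notes"]

SUSPECT_APK = build_sample_apk(SUSPECT_MANIFEST, SUSPECT_DEX)
BENIGN_APK = build_sample_apk(BENIGN_MANIFEST, BENIGN_DEX)

if __name__ == "__main__":
    for name, apk in (("suspect", SUSPECT_APK), ("benign", BENIGN_APK)):
        print(name, scan_apk(apk))
```

Requiring both a risky permission set and an SMS-handling string keeps a legitimate SMS app (which has the permission but no overlay or boot receiver) and a library that merely references the API from tripping the rule on their own; the SHA256 computed alongside the verdict is what would be published as the APK Hash IOC.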
Phishing Email Analysis:
KYC scam emails often:
- Impersonate customer care or security departments
- Use urgent subjects like “Your KYC Has Expired”
- Have sender addresses similar to official domains
- Contain phishing links disguised as “Verify Now” buttons
Email headers may reveal suspicious details like:
- Return-Path and Reply-To addresses (often free email providers)
- Fake message IDs
Email security tools like Secure Email Gateways (SEGs) and DMARC records can help detect and block these threats when properly configured.
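The header checks listed above can be scripted for triage. The following is an added example, not code from the original post: using the standard library's email package it flags Return-Path/Reply-To domains that differ from the From domain or sit on free providers, a Message-ID that does not belong to the sender's domain, an urgent KYC subject, non-passing SPF/DKIM/DMARC results in Authentication-Results, and "Verify Now" links that point off-brand. Both messages are constructed (the phishing link host is a refanged value from the post's IOC list), and the free-provider list and urgency words are assumptions.

```python
"""Header and body checks for a suspected KYC phishing email (added example, not the post's code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FREE_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "protonmail.com"}
URGENT_WORDS = ("expired", "suspend", "blocked", "24 hours", "immediately", "final notice")


def domain_of(header_value):
    """Domain part of the first address in a header, lowercased ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def belongs_to(domain, owner):
    """True when domain is the owner domain or one of its subdomains."""
    return bool(domain) and (domain == owner or domain.endswith("." + owner))


def analyze_email(raw):
    """Return a list of findings; an empty list means no header/body red flags."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))

    for hdr in ("Return-Path", "Reply-To"):
        d = domain_of(msg.get(hdr))
        if d and d != from_dom:
            findings.append(f"{hdr} domain {d} differs from From domain {from_dom}")
        if d in FREE_PROVIDERS:
            findings.append(f"{hdr} uses free provider {d}")

    mid = msg.get("Message-ID", "")
    mid_dom = mid.strip("<> ").rsplit("@", 1)[1].lower() if "@" in mid else ""
    if not belongs_to(mid_dom, from_dom):
        findings.append(f"Message-ID domain '{mid_dom}' does not belong to {from_dom}")

    subject = msg.get("Subject", "")
    if "kyc" in subject.lower() and any(w in subject.lower() for w in URGENT_WORDS):
        findings.append(f"urgent KYC subject: {subject!r}")

    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b" + check + r"=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{check}={m.group(1)}")

    body = msg.get_payload(decode=True) or b""
    for href in re.findall(r'href="([^"]+)"', body.decode("utf-8", "ignore")):
        link_dom = (urlparse(href).hostname or "").lower()
        if not belongs_to(link_dom, from_dom):
            findings.append(f"link to off-brand domain {link_dom}")
    return findings


# Constructed messages for the demonstration.
PHISH_EMAIL = """\
Return-Path: <kyc-support@outlook.com>
Message-ID: <8814221@localhost>
From: "HDFC Bank KYC Team" <kyc.alerts@hdfcbank.com>
Reply-To: kyc-support@outlook.com
To: customer@example.com
Subject: Your KYC Has Expired - Verify Now
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail header.from=hdfcbank.com
Content-Type: text/html

<html><body><p>Your KYC has expired. <a href="http://kyc-update-rbi.org/update">Verify Now</a></p></body></html>
"""

LEGIT_EMAIL = """\
Return-Path: <statements@hdfcbank.com>
Message-ID: <20240501.77@mail.hdfcbank.com>
From: "HDFC Bank" <statements@hdfcbank.com>
To: customer@example.com
Subject: Your May account statement
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=hdfcbank.com
Content-Type: text/html

<html><body><p><a href="https://www.hdfcbank.com/statements">View statement</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, analyze_email(raw))
```

The Authentication-Results check is where a correctly configured DMARC policy pays off: a spoofed From domain that publishes p=reject is rejected at the gateway before any of the other heuristics are needed, which is why the text above stresses proper configuration.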
Preventive measures for KYC Scams:
- Never share OTPs, CVV, PIN, or account details with anyone.
- Avoid clicking on unknown links or uploading KYC documents on suspicious websites/apps.
- Verify sender identity by contacting official customer care numbers.
- Update KYC only via official bank apps or by visiting the branch.
- Install trusted antivirus and anti-fraud apps to block phishing links.
- Report fraud calls/SMS to 1930 or log complaints at cybercrime.gov.in.
QUICK HEAL ANTIFRAUD.AI PROTECTION FOR KYC SCAMS:
Feature / Technology | How It Helps Against KYC Scams |
AI-Based Threat Detection | Uses machine learning models to detect suspicious links, apps, or behavior mimicking KYC processes. |
SMS & Call Protection | Flags and blocks phishing SMS or calls requesting KYC re-verification. |
Real-time App Monitoring | Monitors apps for hidden permissions (camera, mic, SMS, etc.) common in KYC scam apps. |
Fake App Detection | Detects cloned or fake versions of banking/KYC apps designed for phishing. |
Website Reputation Scanning | Alerts users about malicious URLs disguised as official KYC update pages. |
Social Engineering Detection | Analyzes patterns in communication that mimic support staff asking for KYC documents. |
Cloud Threat Intelligence | Regularly updates threat databases with newly reported KYC scams and fraud domains. |
User Alerts & Warnings | Sends alerts before users click malicious links or install suspicious apps. |
Permission Analyzer | Checks if apps are requesting excessive permissions that could be used for KYC data theft. |
Behavioral Analysis | Flags abnormal user behavior patterns typically triggered during social engineering KYC scams. |
Conclusion:
Be cautious of KYC scams that impersonate banks, mobile operators, or financial service providers. Scammers create a sense of urgency to trick individuals into sharing sensitive information. To stay safe, never share OTPs or personal documents, and verify communications from legitimate sources. Legitimate institutions never request KYC details via calls, SMS, or WhatsApp.