- A new wave of phishing scams uses fake e-challan SMS messages to steal credit card details directly through fake payment portals.
- The scam has shifted from using malicious apps to simple browser-based pages, making it easier to target any smartphone user.
- The same criminal infrastructure is used to host multiple phishing sites, impersonating not just RTO services but also banks and delivery companies.

A dangerous new scam is hitting Indian vehicle owners right in their wallets. Fake traffic fine notices are being used to steal payment card information directly.
The scam uses cleverly designed text messages and fake websites. This underscores the inherent risk of traditional SMS, a fundamentally insecure channel that lacks the encryption and verification features of modern secure messaging platforms. The campaign has moved away from complex malware, making it a threat to anyone with a phone.
How the E-Challan Phishing Trap Works
A new RTO scam targeting vehicle owners is gaining momentum in India. Unlike earlier campaigns, in which the fraudsters relied on slipping Android malware onto the victim’s phone, this new phishing campaign uses something as basic as your internet browser.
It starts with a threatening text message. You get an SMS saying you have an overdue traffic violation fine. The message warns of legal action or license suspension if you don’t pay immediately.
A link is included, made to look like a real government website. Clicking it takes you to a very convincing fake portal. It uses official logos from the Transport Ministry and NIC.
You are asked to enter your vehicle or license number. The site then shows a fake challan with a small fine, like ₹590 (approximately 6.50 USD). The fake challan carries an expiration date to create a false sense of urgency that pushes the potential victim to act quickly.
Upon clicking “Pay Now,” it redirects you to a payment page. It only asks for credit or debit card details. Scammers block options like UPI to hide the transaction trail.
The page harvests your card number, CVV, and name. The system sends this data directly to scammers. This stolen financial information is the primary commodity for fraudsters, who often bulk-sell it on dark web marketplaces—a problem highlighted by the recent discovery of 1,800 UK bank cards for sale. No real payment is processed; only theft occurs.
A Shared Playbook for Multiple Scams
Researchers found this isn’t an isolated operation. The same servers host dozens of fake e-challan websites. They found over 36 phishing domains on just one server.
This shared criminal infrastructure runs other scams, too. The servers also host fake pages for banks like HSBC. They even mimic delivery companies like DTDC.
These sites all use the same payment-stealing trick. This shows a large, organized fraud network. They are targeting Indians across multiple trusted services. Reputable media outlets like Hindustan Times have reported a similar fake e-challan scam.
The use of Indian phone numbers and bank references adds credibility. It makes victims believe the message is legit and trustworthy.
How to Ensure You’re Safe from Fake Challans
Before you make a payment or take any other action, verify the challan on the official Parivahan website. Do not use links from text messages. Government agencies will not send APK files or demand immediate payment. This caution extends beyond scams in today’s digital India; even your search history can carry unforeseen risks, as recent legal developments have shown.
Never enter card details on a site reached via an SMS link. Legitimate payment gateways offer multiple secure options. Contact your local RTO if you are unsure about a notice.
Report suspicious messages to the cybercrime helpline immediately. Quick reporting can help authorities disrupt these fraud networks. Stay alert, especially on weekends when scams often increase.
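The link check behind the advice above can be automated for SMS triage. The following is an added example, not code from the researchers or from this article; it assumes the official portal is served under parivahan.gov.in (the article names only "the official Parivahan website"), and every sample message and lookalike host in it is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the official portal is served under parivahan.gov.in; the
# article names only "the official Parivahan website", not a hostname.
OFFICIAL = ("parivahan.gov.in",)
URGENCY = re.compile(r"\b(challan|fine|overdue|legal action|suspen\w+)\b", re.I)
# A link with a scheme or www prefix, or a bare host with an optional path.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def host_of(link):
    """Hostname the browser would actually connect to, lowercased."""
    link = link.rstrip(".,;)")
    if "://" not in link:
        link = "http://" + link
    # urlsplit drops any "user@" prefix, so text before "@" cannot pose as the host.
    return (urlsplit(link).hostname or "").rstrip(".").lower()

def is_official(host):
    """Exact match or a true subdomain; a substring or bare suffix test is not enough."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def triage_sms(text):
    """Return (verdict, unofficial_hosts) for one SMS body."""
    hosts = [host_of(m) for m in URL_RE.findall(text)]
    if not hosts:
        return "no-link", []
    bad = [h for h in hosts if not is_official(h)]
    if bad and URGENCY.search(text):
        return "suspicious", bad
    return ("unverified-link" if bad else "official-link"), bad

# Constructed sample messages; all lookalike hosts are invented for illustration.
SAMPLES = [
    "Your vehicle has an overdue challan of Rs 590. Pay now to avoid legal "
    "action: https://echallan-parivahan.gov.in.pay-fine.example/x",
    "Traffic fine pending, licence suspension in 24h. "
    "http://parivahan.gov.in@rto-pay.test/challan",
    "Pay your e-challan fine at fakeparivahan.gov.in/pay",
    "Challan details are available at https://echallan.parivahan.gov.in/index",
    "Your OTP is 482913",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms))
```

An "official-link" verdict only means the hostname parses as the assumed official domain; the article's guidance to type the address yourself rather than follow an SMS link still applies.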