40 lakh & counting: Scammers use NY event deals to dupe revellers
Times of India | 3 January 2026
Kolkata: As the city welcomed the New Year, scammers resorted to a new trick to commit online frauds using fake event tickets, hotel deals and delivery links to steal money and personal data, cyber security experts and police said.
Victims of such fraud schemes lost about Rs 40 lakh over the last month by clicking on .apk files related to the fake deals.
Officials said victims were lured through social media ads, messaging apps and search results that mimicked legitimate brands. The fraud typically began with discounted offers for New Year's concerts, travel packages or last-minute restaurant reservations.
Users were directed to cloned websites or asked to pay through QR codes and instant payment links, or merely respond through a number to show consent, after which the seller became unreachable.
Cybersecurity analysts said another common tactic involved "delivery reschedule" and "courier pending" messages that contained shortened URLs.
When clicked, the links led to phishing pages that asked for card details, UPI PINs or one-time passwords, or prompted users to install malicious apps disguised as tracking tools.
In some cases, the malware enabled remote access to the phone, allowing criminals to initiate transactions. Police officials in multiple cities, including Kolkata, Barasat and Bidhannagar said they received complaints involving fake customer care numbers posted online.
Callers seeking help for refunds, booking changes or payment failures were persuaded to share screen access or install remote support applications. Investigators said this method was used to drain bank accounts within minutes.
Banks and payment platforms issued advisories urging users not to share OTPs, UPI PINs or card CVV numbers, and to verify merchant identities before making payments.
Experts recommended checking website URLs, avoiding deals with immediate payment pressure, and using official apps or verified handles for bookings and support.
Authorities said victims should report incidents to National Cyber Crime Reporting Portal and local police, and immediately contact their bank to block cards or freeze accounts if credentials were compromised.
Cyber teams said they were monitoring scam domains and coordinating takedown requests, but warned that new links and pages were being created rapidly during the holiday period.