Phishing Scam Uses Fake PNB MetLife Payment Gateway for UPI Fraud Targeting Policyholders
Published
Key Takeaways
- Deceptive Tactics: Mobile-optimized phishing sites impersonate PNB MetLife to steal policyholder data and facilitate fraudulent transactions.
- Data Exfiltration: The malicious pages use Telegram bots to silently exfiltrate sensitive user information, including names, policy numbers, and mobile numbers, in real time.
- UPI Fraud: Victims are coerced into making payments via fraudulent UPI QR codes or deep links to legitimate payment apps, bypassing standard gateway verifications.
A highly targeted PNB MetLife phishing scam has been identified, leveraging fake payment gateways to deceive customers into transferring funds and surrendering sensitive personal data. Security researchers have uncovered multiple fraudulent web pages designed to mimic the official PNB MetLife premium payment interface.
The activity appears focused on Indian users, exploiting UPI-based payment flows and domestic insurance branding.
These sites are optimized for mobile devices to exploit the urgency and trust associated with insurance renewals. The primary objective is UPI payment fraud and may be distributed via SMS phishing (smishing), email, social media platforms, or messaging apps.
Fake UPI Payment Gateway
The architecture of this fake payment gateway reveals a calculated effort to bypass traditional security controls, according to a Malware Analysis, Phishing, and Email Scams report released today. Unlike legitimate portals, these phishing sites do not perform any backend validation of the entered policy details.
Instead, JavaScript generates a UPI payment URI as a QR code, and the victim completes the transaction in a legitimate UPI app. In some cases, users are also redirected via deep links to apps like PhonePe or Paytm.
The use of UPI QR codes and deep links to PhonePe and Paytm further indicates an India-specific fraud operation.
Escalation to Financial Credential Harvesting
Advanced variants of this campaign escalate beyond simple payment fraud to full-scale credential harvesting. These templates simulate legitimate policy services, offering options like "Update Amount" or "Refund." Once engaged, users are prompted to provide critical banking and credit card details for "verification.”
User inputs are captured and exfiltrated directly to attacker-controlled Telegram bots via the Telegram API, including:
- Name, policy number, mobile number for basic form
- Banking and card details for the advanced form
To mitigate these risks, cybersecurity awareness is paramount. Users are strongly advised to verify the authenticity of URLs, avoid clicking links in unsolicited SMS messages, and make premium payments only through the official PNB MetLife application or website.
A recent report focuses on what online scams look like in 2026 and how to stop them. A December report warned about fake IKEA, Zalando, Dr. Martens, and Mango online stores.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular