Indian vehicle owners are facing a fresh and increasingly sophisticated cyber threat, as security researchers have uncovered a large-scale phishing campaign impersonating official Regional Transport Office (RTO) e-Challan services.
The scam, which relies entirely on browser-based deception rather than malware, has already been linked to more than 36 fake domains designed to steal banking and card details from unsuspecting users.
The findings come from Cyble Research and Intelligence Labs (CRIL), whose investigation mirrors recent warnings flagged by mainstream media, including the Hindustan Times. Researchers say the campaign is active, well-organised and deliberately designed to exploit trust in government services.
A Shift From Malware to Browser-Based Fraud
Unlike earlier scams that depended on malicious Android applications, this operation marks a strategic shift towards browser-based phishing. According to CRIL, this change dramatically lowers the technical barrier for attackers while expanding the pool of potential victims.
“This campaign demonstrates a pivot from the previously observed Android malware use to browser-based fraud, which significantly lowers the technical barriers and expands the pool of potential victims,” said Daksh Nakra, Senior Manager of Research and Intelligence at Cyble.
By using fake websites that closely resemble genuine government portals, attackers are able to trap users without requiring them to install any suspicious apps, making the fraud harder for many people to detect.
How the Fake e-Challan Scam Works
The attack typically begins with an SMS message claiming that the recipient has an unpaid traffic fine. These messages are crafted to create panic, often warning of licence suspension, court summons or legal action if payment is not made immediately.
The SMS contains a shortened link that appears to redirect users to an official e-Challan website. In reality, the link leads to a professionally cloned portal designed to look like legitimate government infrastructure.
Once on the site, victims are asked to enter basic details such as a vehicle number. Regardless of what information is provided, the portal generates a convincing-looking violation record.
Psychological Tricks Built Into the Scam
CRIL’s analysis found that the portals use several psychological tactics to pressure victims:
The fine amount is kept modest, typically around Rs 590, making it easier for people to pay without second thought
Expiry dates are set close to the current date, increasing urgency
No backend verification takes place; violation records are entirely fabricated
Government branding, including references to the Ministry of Road Transport and Highways and NIC-style insignia, is replicated to boost credibility
Payment Pages Designed to Steal Card Data
One of the clearest red flags lies in the payment process. The fake portals deliberately restrict payment options to credit and debit cards only, avoiding UPI and net banking, which are more traceable.
Victims are asked to enter full card details, including card number, CVV and expiry date. The site falsely claims that payments are being processed through Indian banks. Researchers noted that the portals accept repeated submissions, silently sending every set of card details to servers controlled by the attackers.
Local Infrastructure Used to Build Trust
To further increase legitimacy, the campaign uses highly localised infrastructure. The phishing SMS messages originate from Indian mobile numbers registered with Reliance Jio Infocomm Limited. In some cases, these numbers are linked to State Bank of India accounts.
“The use of Indian mobile numbers registered with popular telecom operators and linked to State Bank of India accounts shows how attackers deliberately exploit trust in familiar institutions to increase success rates,” Nakra said.
This local setup makes the messages appear far more authentic than scams sent through international gateways.
A Wider Fraud Network Beyond Traffic Fines
CRIL’s infrastructure analysis suggests the operation is not limited to fake e-Challan portals. The same backend systems are being used to target multiple sectors.
Researchers identified phishing domains impersonating banking services, including HSBC-themed payment lures, logistics firms such as DTDC and Delhivery, and government transport services like Parivahan.
The reuse of user interfaces, payment-harvesting logic and domain-generation techniques points to a professional phishing network rather than isolated scams.
The campaign also employs several anti-detection techniques. Content on some phishing pages was originally written in Spanish and later translated via browser prompts, suggesting template reuse across geographies. Domains are frequently rotated to evade takedowns and blocklists. While browser warnings from tools such as Microsoft Defender do appear, the urgency created by the messages often leads users to ignore them.
At the time of publication, many of the identified phishing domains were still active, underlining the ongoing nature of the threat.
What Vehicle Owners Should Do
Cybersecurity experts urge the public to remain cautious:
- Never click on links in unsolicited SMS messages claiming traffic violations
- Verify fines only through official portals such as parivahan.gov.in
- Check website URLs carefully for spelling errors or unusual domain extensions
- Be wary of payment pages that accept only credit or debit cards
- Report suspicious messages to cybercrime authorities immediately
CRIL has published detailed technical indicators, detection guidance and threat mappings in its full blog post, along with indicators of compromise that have been shared publicly to help security teams block the campaign.
For everyday users, the key takeaway is simple: a moment’s verification can prevent significant financial loss. As digital services grow, so too does the need for vigilance.
