Clicking on Happy New Year Link on Whatsapp Could Empty Your Bank Account

The Telangana Cyber Security Bureau (TCDSB) and Hyderabad police are sharing the alerts, while highlighting about fraudsters disguising malware as festive New Year 2026 wishes to steal personal data and drain the bank accounts.

The scam has spread quickly in the recent days, by capitalising on the digital greetings during holiday season.

These messages frequently appear harmless, promising personalised cards, digital gifts, or exclusive rewards, but clicking on the embedded links can result in severe financial losses.

How does this scam operate:
The scammers send messages through various messaging apps such as Whatsapp, Telegram, or even SMS, posed as greetings from the familiar contacts, often because their account has already been compromised.

They use the usual greeting messages such as "Click here for your New Year greeting," "Open your personalised card," or "Claim your New Year Gift."

As the user clicks on a link, it prompts them to download a malicious AFK file (Android app package). The file silently installs a spyware in the users device, that grants hackers a wide access to:

Reading incoming SMS, including the banking one-time passwords (OTPs)

Access to contacts, photos, galleries, and notifications

Take remote control of the phone, including activating of microphone in some cases

Hijack the victim's whatsapp account and automatically forward the scam message to the users entire contact list, which creates a viral chain reaction

Once they get the control of the device, fraudsters can begin unauthorised transactions through UPI, banking apps, or digital wallets.

Some reports suggest that hackers often use tactics of small, repeated transactions to evade immediate detection.

These scams exploit the festive goodwill, and take advantage of the lower user vigilance during the celebrations. The android users in India are especially at risk due to the widespread use of whatsapp and the ease with which APKs can be sideloaded.

How to stay safe from such scams this New Year

Authorities are urging users to stay extra cautious to evade falling victim to such scams:

Do not click on the suspicious links, even if they are from the known contacts. Verify the links separately through a separate text or call, and avoid any such greeting that requires you to install an app or update phone or app.

Stick to safe sharing by sending and receiving texts through simple texts, photos, videos, and stickers from official and trusted sources only.

Secure your accounts by enabling two-step verification on WhatsApp, and install apps exclusively from the Google Play Store or other official platforms.

Be alert to warning signs such as messages labelled “forwarded many times,” urgent claims of gifts or rewards, or requests for sensitive permissions like SMS access. If you suspect a compromise, disconnect from the internet immediately, uninstall any unknown apps, change all passwords, and inform your bank to block transactions.

Victims should contact the national cyber crime helpline at 1930 or file a complaint via cybercrime.gov.in. Prompt reporting during the “golden hour”—the first hour after fraud—significantly improves the chances of recovering lost funds.