Cybersecurity specialists in India have warned that online fraud is surging during the festive season as shoppers flock to digital payments and discount offers.
SecurEyes, a Bangalore-based cybersecurity consulting, product and training firm, said criminals are exploiting higher transaction volumes and lowered vigilance among consumers.
The company highlighted recent fraud data from Karnataka and described common online scams that target users of eCommerce platforms, messaging apps and digital wallets.
In 2025, reported cyber fraud losses in Karnataka exceeded ₹2,000 crores, according to the firm. It said the figure illustrates the growing financial impact of online crime during peak shopping periods.
"Vigilance is our strongest shield," said Uma Pendyala, Head Business Operations, SecurEyes. "By committing to simple security habits, we can ensure the festive season remains a time of joy, not a time of financial loss."
Pendyala said fraudsters use the atmosphere of celebration and urgency around deals and deliveries. She said this environment makes people more likely to overlook basic security checks.
Themed scams
The company said many scams now mimic the look and feel of genuine festive campaigns. Fraudsters copy brand colours and logos and use countdown-style "only for today" offers.
These tactics aim to make users click quickly. They reduce the time people spend checking links, domains and sender identities.
One major tactic involves phishing links and fake vouchers. Messages arrive via SMS, WhatsApp or email with subject lines around "New Year Mega Offers" or "Christmas Gift Card Wins".
The messages often appear harmless at first glance. They may use familiar brand names and polished imagery.
However, the included links can redirect users to fake websites. These pages collect personal data, card numbers, internet banking credentials or UPI PINs.
Once the data is entered, attackers can attempt unauthorised transactions. They may also store the information for later use or sale.
Fake shopping sites
SecurEyes said another pattern involves fraudulent shopping portals. Criminals register domains that closely resemble well-known retailers and marketplaces.
The fake sites often carry large discounts on high-value items such as smartphones, electronics and jewellery. Pricing is set at levels that are rarely sustainable for authorised sellers.
Small spelling errors in the website address are common. These can be easy to miss on mobile screens.
Victims who pay on such sites may receive no product at all. In some cases they receive low-quality or counterfeit goods that differ from what was displayed.
Payment information entered on these portals can also be harvested. This can lead to further unauthorised charges beyond the initial purchase.
Impersonation and QR fraud
Impersonation scams remain a regular feature of the festive fraud landscape, according to SecurEyes. Attackers pose as bank staff, delivery agents or customer support representatives.
They contact consumers through calls or messages and claim there is an issue with an account, card or parcel. The message often demands immediate action.
The goal is to pressure the recipient into sharing sensitive details. These include one-time passwords, card PINs or UPI PINs.
Once shared, such information allows direct access to funds. It also undermines protections that banks design around two-stage verification.
QR code fraud is another method highlighted by the firm. Messages describe cashback, prizes or surprise gifts that appear on scanning a QR code.
In many of these cases, the QR code prepares a payment from the victim rather than to the victim. The person who scans then authorises a debit from their account.
SecurEyes pointed out that scanning a QR code through a payment app initiates a transfer from the scanner to the recipient. It does not receive money automatically.
Lowered vigilance
The company said many successful attacks share a common factor. Victims relax the digital safety practices they normally follow.
Festive shopping, travel planning and gift purchases add time pressure. This pressure can cause people to overlook steps such as checking URLs, confirming with official customer care lines or ignoring unsolicited links.
Emotional states such as excitement or anxiety about missing a deal can also affect judgement. This can make social engineering attempts more effective.
Pendyala said cybersecurity is not limited to technical systems. She said it relies heavily on individual behaviour, daily habits and awareness.
Practical safeguards
SecurEyes outlined several basic checks that consumers can adopt during the festive period and beyond.
It advised users to assess any discount that appears extreme. Deep cuts such as 90% off on expensive new devices are described as likely indicators of fraud.
The firm recommended that customers open retailer apps or type web addresses manually. It said users should avoid clicking on deal links that arrive from unknown numbers or short-code senders.
It also advised people to confirm that any site handling payments uses "https" and displays a padlock symbol in the browser. Spelling mistakes or extra characters in domain names should act as warning signs.
The company repeated that no legitimate bank, retailer or delivery company asks for OTPs, card PINs or UPI PINs over calls or messages. Any such request should be treated as suspicious.
SecurEyes said multi-factor or two-factor authentication across banking, shopping and social media accounts adds another barrier against fraud. One example is a one-time password or app-based prompt in addition to a regular login.
The firm expects cybercriminals to continue adjusting their methods as more Indians use digital payments for everyday purchases. It said awareness and regular checks will remain central to limiting financial losses during future festive seasons.
