I am in the process of selling a car and also installing a high security machine-readable number plate that is mandated by my state – Maharashtra. For these reasons I submitted two applications – for transfer of ownership on the Transport Authority website, and second – I booked the number plate change appointment on the authorized contractors website.

It looks like one of them has leaked out my car license plate number and my linked mobile number to a bad actor. I received a WhatsApp message mentioning that my car had been issued an e-challan ( ticket ) for a traffic violation. It was funny to me, since my car has never been driven for over a month plus. I could immediately smell that the SMS was fraudulent for the following reasons ( I hope these help you to detect fraudulent messages too! )

Indicator 1 – A 10 digit private number as sender

Any SMS from the authority would come through a valid authorized SMS ID like TM-PARIVAHAN. This one came from a 10 digit private mobile number that had changed its display image on WhatsApp to a cheaply impersonated Traffic authority logo.

Indicator 2 – APK file attachment

The SMS asked me to install an APK attachment to check the ticket details. Never ever install an APK file provided outside of the Android store – Never ever! Even if someone you worship tells you to do that!

Indicator 3 – Identity change

Trucaller indicated the number belonged to some Bhumika Gandhi. When I sms-ed the person asking if it was Bhumika, the identity on WhatsApp changed to something funny, in no time.

I also checked the identity of the original number whose bank verified name came out to be Suman Kirana Store. It could be possible the store owner is doing an actual fraud, or their identity has been hijacked by an APK file sent to them, and by listening to the OTP to that number, the bad actors have created a WhatsApp business account. But then why would the identity change when I send an SMS? ( good questions for someone to investigate ).

Moral of the story

Our authorities care a damn about privacy and how data is handled on their website. We need to be careful about how we respond to messages on WhatsApp or SMS. Anyone you see there, even with a familiar face or a number is not the same as the person you may know. Always be suspicious. If the person is really genuine they will visit you in person. ( verify their ID even in such cases ).

Never ever install APK or click any links. It is perfectly okay to ignore messages. If you want to be a good citizen, report the message on WhatsApp, Truecaller, and Chakshu ( Telecom ministry ).