Hackers use phishing to swindle crores from potential EV buyers, dealers

On December 6 last year, Twitter user Aniket Mudame posted a picture on Twitter detailing a document he received about opening an Ola dealership. Mudame wrote that he had received an email “for dealership of Ola Electric vehicles”, which demanded ₹25000 from him, presumably to start his own dealership of the Ola Electric scooters.

Mudame, like many others, tagged Ola Electric’s Twitter account to ask whether the letter was real or not. But while these users had the wherewithal to seek advice, thousands have fallen prey to phishing scams designed to take advantage of gullible users looking to jump on the ‘electric vehicle (EV) revolution’.

In these scams, attackers send emails or advertisements to users offering them opportunities to become dealers or buyers of electric vehicles. They use such emails to direct users to fake websites and scam them out of money by asking for registration fees, etc.

Also read: Cybercriminals now mimicking income tax portal to install malware through smishing

On Wednesday, Bengaluru-based security firm CloudSEK said it had noticed a spike in phishing campaigns designed to take advantage of the growing demand for EVs since the second half of 2021. 

According to the company, scammers were using Google ads to misdirect users to phishing sites that collect user data and money. They estimated that such scams had been used to scam ₹4-8 crore from users so far, with each site demanding ₹2-4 lakh for various reasons.

Other than Google ads, the CloudSEK research revealed that scammers are registering fake internet domains that resemble those owned by legitimate EV manufacturers and marketplaces. They are also manipulating search engine optimization (SEO) techniques to appear on generic searches as well as searches for specific EV brands. The money is collected in the guise of reservation or booking fees, security deposits, or to become an EV dealer.

To be sure, EV makers are aware of the problem as well. “The growing demand for EVs has proved a boon for businesses and individuals. However, it has also opened another avenue for scamming or exploiting the masses,” said Sohinder Gill, chief executive officer of Hero Electric. 

A spokesperson from Ather Energy, one of the oldest EV startups in India, agreed. According to the spokesperson, the company first encountered such a scam last year, and has been looking out for such activities “proactively” since. 

“In the past few months, we have encountered a handful of fake websites, such as atherenergydealership.com, atherenergydealer.in, atherelectricdealer.com, which are deceptively similar to our website, with our name and trademarks. Those website(s) also provide a link to apply and make payments. These fraudulent websites made fake vehicle bookings, issued a ‘Letter of Intent’ and asked users to pay an amount of INR 2,999 towards registration, security,” the spokesperson said.

An ex-employee of Ola Electric, who has left the firm now, said the company was well aware of such scams when it first started registrations. The employee, who did not wish to be named, added that while some EV firms have tried to warn users through social media posts, etc., it’s unlikely that they are “trying to spot and foil these scams” actively by forming teams, he noted. Ola Electric didn’t respond to a request for comment on this story.

According to Faisal Kawoosa, founder and chief analyst at market research firm techARC, the problem is rampant and happens with any sector where there is high consumer interest. “When a larger player causes a disruption in the way products are booked, consumers end up thinking that this sector works like this and this allows fraudsters to trick them,” Kawoosa added. 

Google ads are also used by EV firms to generate leads, and the scamsters take advantage of that too. “They even bid high on keywords and take the prime position and if anyone searches their results show on top and users end up clicking on them,” Kawoosa added.

Ather said it had also filed cyber fraud complaints and directed victims to jurisdictional police when it learned about the scams. It has also notified abuse to domain registries and search engines, and to raise awareness among stakeholders, it has issued public notices through social and national print media informing everyone about its official website. “We have also put up a caution notice on our website and have been actively sending emails to our stakeholders and posting disclaimer information on our social media handles,” the spokesperson said.