I had recently written this post on stock market scams that everyone should be aware of. It was about how fraud advisors get you to take positions in illiquid option contracts and intentionally create a loss, moving money from your account to theirs. Some of these advisors push investors to buy scammy penny stocks and run the price up, leaving investors trapped with low value, illiquid stocks that cannot be exited (“Pump and dump”).
We have seen a significant drop in these cases after we implemented a bunch of measures to prevent these scams on Kite — blocking illiquid option contracts, reporting any scammy trade to the exchanges, and alerting customers using Nudge about a stock being a risky penny stock on the buy order window.
We have now come across a new type of scam.
The Phishing Scam
Fraudsters set up phishing (fake) websites that mimic the look and feel of the login pages of the trading platforms offered by large stock brokers. These websites are then sent out to unsuspecting investors via SMSes, e-mails, and social media with contact data stolen from various sources.
Unsuspecting investors then happen to click on these links which lead to fake websites that mimic the login pages of the trading platforms they are used to, where they enter their login credentials (username, password, PIN, and other bits of information). This is captured by the fraudsters, which they then use to login to the investor’s trading account to execute buy/sell transactions on illiquid scammy penny stocks, generating a loss on the compromised account and a profit in theirs (counter-party to the scam orders). They can potentially also trade on illiquid option contracts or just buy scammy penny stocks to be sold later.
If you don’t have any cash balance in your account, they sell your existing holdings to fund these fraud trades. Check these trades on one of our client’s accounts (shared with the client’s consent) that we spotted recently. The customer got tricked into sharing his login credentials at around 9 AM, and by 10 AM the fraudsters logged into the trading account, sold stock holdings worth around Rs 70,000 and created a loss of over Rs 60,000 within a few minutes.
What can you do about it?
- When using a web browser, only enter your login credentials on “kite.zerodha.com”. Look at the browser’s address bar and ensure that the URL begins with kite.zerodha.com with the padlock icon next to it. Even when you login to our partner applications, you will be redirected to our website to login.
- If you receive an email, SMS, or call asking to login to any website that is not kite.zerodha.com, DO NOT click on the link or login. Email us on [email protected] reporting any such messages or calls and we will take necessary action against such websites.
- If you spot any trades that were not executed by you in your account, report it to us immediately. We will file a police complaint against the counterparty of the trade and have any exchange payouts blocked immediately or get the trades reversed.
- Enable 2-Factor TOTP on Kite instead of the PIN. Read this to learn how to do it. This involves installing a TOTP app on your mobile phone (eg: Google Authenticator), and connecting your Kite account to it. After that, on every login, after you enter your Kite password, you will be asked to enter a 6 digit code generated by the TOTP app. This code changes every minute and cannot be obtained by fraudsters.
What are we doing about it?
- We have blocked new purchases in all illiquid penny stocks and illiquid option contracts which can potentially be used by fraudsters to create a loss in your account and profit in theirs. If you still wish to trade these stocks, you can do so after setting up TOTP for your account.
- Exchanges already block intraday trading and allow only delivery based trades in many stocks (T2T category). We have extended this list to all stocks which are illiquid and where fake intraday trades can be executed.
- We will start sending alerts and mandate an email or SMS OTP to be entered any time you log into Kite from a new device or location.
Once again, always check the browser’s address bar to make sure that you are entering your login credentials only on kite.zerodha.com and set up 2-Factor TOTP authentication on your account. Do share this post with your friends and family to prevent them from getting duped by fraudsters.