Beware of the Phishing Scam

I recently wrote this post on stock market scams that everyone should be aware of. It was about how fraudulent advisors get you to take positions in illiquid option contracts and intentionally create a loss, moving money from your account to theirs. Some of these advisors push investors to buy scammy penny stocks and run the price up, leaving investors trapped with low-value, illiquid stocks that cannot be exited (“pump and dump”).

We have seen a significant drop in these cases after we implemented a bunch of measures to prevent these scams on Kite — blocking illiquid option contracts, reporting any scammy trade to the exchanges, and alerting customers using Nudge about a stock being a risky penny stock on the buy order window.

We have now come across a new type of scam.

The Phishing Scam

Fraudsters set up phishing (fake) websites that mimic the look and feel of the login pages of the trading platforms offered by large stock brokers. Links to these websites are then sent out to unsuspecting investors via SMS, e-mail, and social media, using contact data stolen from various sources.

Investors who click on these links land on fake websites that mimic the login pages of the trading platforms they are used to, and enter their login credentials there (username, password, PIN, and other bits of information). The fraudsters capture these credentials and use them to log in to the investor’s trading account and execute buy/sell transactions in illiquid scammy penny stocks, generating a loss in the compromised account and a profit in theirs (as counter-party to the scam orders). They can potentially also trade in illiquid option contracts or just buy scammy penny stocks to be sold later.

If you don’t have any cash balance in your account, they sell your existing holdings to fund these fraudulent trades. Check these trades, which we spotted recently on one of our clients’ accounts (shared with the client’s consent). The customer was tricked into sharing his login credentials at around 9 AM, and by 10 AM the fraudsters had logged in to the trading account, sold stock holdings worth around Rs 70,000, and created a loss of over Rs 60,000 within a few minutes.

What can you do about it?

  • When using a web browser, only enter your login credentials on “kite.zerodha.com”. Look at the browser’s address bar and ensure that the URL begins with kite.zerodha.com with the padlock icon next to it. Even when you log in to our partner applications, you will be redirected to our website to log in.

    Always check your browser’s address bar and ensure that you are on the official login page that begins with “kite.zerodha.com”

  • If you receive an email, SMS, or call asking you to log in to any website that is not kite.zerodha.com, DO NOT click on the link or log in. Email us at [email protected] to report any such messages or calls and we will take the necessary action against such websites.
  • If you spot any trades that were not executed by you in your account, report it to us immediately. We will help you file a police complaint against the counterparty of the trade and have any exchange payouts blocked immediately or get the trades reversed.
  • Enable 2-Factor TOTP on Kite instead of the PIN. Read this to learn how to do it. This involves installing a TOTP app on your mobile phone (e.g. Google Authenticator) and connecting your Kite account to it. After that, on every login, after you enter your Kite password, you will be asked to enter a 6-digit code generated by the TOTP app. This code changes every minute and cannot be obtained by fraudsters.

What are we doing about it?

  • We have blocked new purchases in all illiquid penny stocks and illiquid option contracts which can potentially be used by fraudsters to create a loss in your account and profit in theirs. If you still wish to trade these stocks, you can do so after setting up TOTP for your account.
  • Exchanges already block intraday trading and allow only delivery based trades in many stocks (T2T category). We have extended this list to all stocks which are illiquid and where fake intraday trades can be executed.
  • We will start sending alerts and mandate an email or SMS OTP to be entered any time you log into Kite from a new device or location.

Once again, always check the browser’s address bar to make sure that you are entering your login credentials only on kite.zerodha.com and set up 2-Factor TOTP authentication on your account. Do share this post with your friends and family to prevent them from getting duped by fraudsters.
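
The address-bar check above, automated for links found in an SMS or email, as an added Python example that is not part of the original post: it compares the parsed hostname exactly against kite.zerodha.com instead of testing how the link text begins. The sample messages and the example.net / example.org hosts are constructed.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_HOST = "kite.zerodha.com"   # the only login host named in the post
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_url(url):
    """Return (verdict, reason); verdict is 'official' or 'suspicious'."""
    try:
        parts = urlsplit(url)
        host = parts.hostname            # lower-cased, port and userinfo removed
        userinfo = parts.username
    except ValueError:
        return "suspicious", "URL cannot be parsed"
    if not host:
        return "suspicious", "no hostname"
    host = host.rstrip(".")              # 'kite.zerodha.com.' is the same host
    if host != OFFICIAL_HOST:
        if OFFICIAL_HOST in url.lower():
            # The official name is only a subdomain label or userinfo text.
            return "suspicious", "official name appears in the link, but the host is " + host
        return "suspicious", "host is " + host
    if userinfo is not None:
        return "suspicious", "link embeds a username before the host"
    if parts.scheme != "https":
        return "suspicious", "not HTTPS, so no padlock"
    return "official", "host is exactly " + OFFICIAL_HOST


def scan_message(text):
    """Classify every http(s) link found in a message body."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")   # drop sentence punctuation
        verdict, reason = classify_url(url)
        results.append((url, verdict, reason))
    return results


def flagged_links(text):
    """Links that should not be used for logging in."""
    return [url for url, verdict, _ in scan_message(text) if verdict == "suspicious"]


# Constructed sample messages (not real indicators).
MESSAGES = [
    "Log in here: https://kite.zerodha.com.account-verify.example.net/login",
    "Log in here: https://kite.zerodha.com@secure-login.example.org/",
    "Log in here: http://kite.zerodha.com/statement",
    "Log in here: https://kite.zerodha.com/ as usual.",
]

if __name__ == "__main__":
    for message in MESSAGES:
        for url, verdict, reason in scan_message(message):
            print(verdict.upper().ljust(10), url, "->", reason)
```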

Nithin Kamath

CEO @ Zerodha and partnering startups through Rainmatter to help grow and improve the capital market ecosystem in India. Love playing poker, basketball, and guitar. @Nithin0dha on Twitter.

132 comments

  1. DR RATAN LUTHRA says:

    Hi Nitin thanks for your prompt support..was scary for a while but with Alok and you doing our hand holding…our hard earned savings a bit secure now…looking forward to your support in times to come too..regards..Dr Ratan Luthra

    • MANOJ KUMAR TRIPATHI says:

      All kinds of such fake mails or calls keep coming. We have to stay careful.

    • Deepak behera says:

      Very good information. Thanks for the updation.

    • SAURABH SINHA says:

      Hi, today I purchased (kokuyocmln 523207) script during trading hours, but when I wanted to exit from the script I was not able to do the same. May I know the reason for that?
      Pls send me the group detail of (kokuyocmln 523207) and on what basis Zerodha is saying that this script falls in the illiquid script criteria list of BSE/NSE. And pls don’t send me a refer link to check….
      I read all updates of BSE/NSE on an hourly basis… So still my question is: on what basis is intraday trading in (kokuyocmln 523207) not allowed in Zerodha?

      • Himanshu says:

        Saurabh,

        Same thing happened to me today with Sagar Cement. Please let me know if you are able to see it on the next trading day?

  2. Mani says:

    Much needed – It’s heartening to see Zerodha always looking to do the right thing. Keep piling on the good work!

    • Sanjeev says:

      Zerodha is charging huge commission on every transaction. It is becoming useless for trading intraday on Zerodha. So after 3 May many customers will move to other sites.

    • Sachin says:

      Zerodha charges minimum and is better than other brokers. Zerodha has 3 in 1 account facility. And has no cons. That is the reason it’s still in first place.
      I am happy to be with Zerodha

  3. Mahesh says:

    Guys, this is great. But you need to understand the risks involved in using Google authenticator. If I do a factory reset or lost my mobile or by mistake uninstalled the app, there should be a work around to login to Kite. This is what Google does by giving more than one option in 2FA. As of now, this is not in Kite. Also I enrolled and disable option is not working. Please fix that bug.

    One option is to save the QR code before scanning in app, so if I have to reinstall for any reason, I can scan the saved QR code to get back my access to Kite. Instead, allowing another way, like OTP to registered mobile will be good.

    I have suffered earlier in using this Google app when I did factory reset of my mobile without realising that it all works locally and not in cloud!!!

    • Matti says:

      Hi Mahesh. In such cases, just click on the “Forgot password” or “Forgot 2FA” link on the password or 2FA page and follow the on-screen instructions. Explained here in more detail.

    • Sathwik sk says:

      Use Authy, it has backup feature

    • Meenu nayer says:

      Should I be sure about the Zerodha platform? Sometimes it too behaves like a scam. I am trying to sell my holdings in Mangalam Drugs and Unitech but this platform is not allowing it. How come I can’t sell my own holdings?

      • Matti says:

        Both these stocks are in the T2T category, which means you can only sell them once they are credited to your demat account. This is based on exchange rules for the stocks in question.

  4. Shekar K says:

    thanks a lot Nitin

  5. Sachin Shetty says:

    I also recently got an SMS to log in and they sent a link also. I didn’t move further.

  6. Prateek Gupta says:

    I advise you to come to the media before everybody gets negative about Zerodha; people will start negative publicity and innocent uneducated investors will boycott Zerodha. This has recently happened with the Zoom meeting application. People are avoiding webinars because of Zoom.

  7. Hossain says:

    Is Pi a safer alternative than Kite?

    • Matti says:

      This scam involves scamsters stealing your logon ID and password. The risk is the same for all platforms.

      • Satoshi says:

        Pi is a piece of software unlike web-based applications like Kite.

        Users can only get access of credentials in former case by using TeamViewer, Anydesk.

        • Matti says:

          The issue here is not about someone gaining access to your system, but getting your login credentials, which are the same for all Zerodha platforms.

  8. Mohd Shadab says:

    I purchased the stock of coffee day and BINANI they are not appearing in my holding kindly explain what is the reason

  9. Riddi says:

    Can we have OTP bases login system to make the system more robust?

  10. Anil Samar says:

    How to generate TOTP two-factor password on the Kite mobile app?

  11. Vivek says:

    This is great… I switched to TOTP a few weeks back when you guys educated me about this… (:

  12. Joseph says:

    When we try to open a chart, sometimes they ask to log in again. What is that? Why like that? Is that from Zerodha? Please answer from the company side.

  13. Deepak says:

    Pw + pin + now sms OTP or totp?
    wow, instead of ease of digital world. It’s only getting complicated and insecure. ☹️ All because of fraud from physical to now digital. Hmmm

  14. Gulshan Sethi says:

    Your team is doing a great job, congrats for this.

  15. Mathiyas Raj says:

    Yesterday I faced this issue. Some trades I did not execute. It automatically cancelled my trigger orders and executed some orders; it’s causing loss to me. I filed a complaint with Zerodha. But still no response.

    • Matti says:

      This was your intraday position being squared off. You should square-off your intraday position before 3:20. If you don’t, our team will square it off for you.

      • Mathiyas Raj says:

        I know about that. But some orders, automatic buy and automatic sell, are executed. That was not made by me.

        • Matti says:

          Your pending orders would have been cancelled and exit orders would have been placed. If you’re still not convinced, create a ticket on our Support Portal with exact order details and someone will look into it and get back to you.

  16. Venkatesh says:

    Thank you zerodha for informing us well in time. I have been seeing the same fraud advisors online on various social media websites/apps. They claim massive profits via derivative trades.

  17. Arun Vasantrao Galgali says:

    Well done Mr.Kamat. Good & innovative Zerodha.

  18. Deepak says:

    Food for thought.

    Should it not be legalised that if any complaint on a number and email id the owner should be put behind bars this way the root is uprooted and there won’t be other rotten growth.

  19. Mehfooz says:

    Can this type of phishing fraud be avoided by using a secured DNS server or by using a VPN?

    • Matti says:

      No, this scam involves the scamster stealing your login credentials. We’ve explained how to secure yourself in the above post.

  20. SamD says:

    Hi Nithin and team,
    Thanks for providing better security for our accounts. Similar to Gmail, is it possible to provide “Do not ask again on this device” option for TOTP? Through out the trading day, kite makes me type in the pin multiple times due to timeout. It was okayish when it was a pin from my memory. But it’ll be inconvenient to refer authenticator app again and again for the same during active trading when as a user you just want to glance how your positions are doing or a particular trade trigger has come.

    If kite mobile can remember login and not ask me credentials for 24 hours. That’ll work as well.

    Thanks,

    SamD

  21. Mayur Moolchandra Lashkari says:

    This helps me a lot. Nitin gives time to time updates, always good.

  22. Virendra Gupta says:

    I appreciate but I think Zerodha needs to start sending SMS or notification for executed orders. It will help us to know if any transactions have been done or not.

  23. UMESH says:

    Hi, I have raised a query in the ticket option [Ticket no #20200319774279]- Zerodha Helpdesk and also called the call center regarding my issue. Still I have not received a single call till date. And the revert received in the ticket was not satisfactory. The team has assured me that they will reverse the amount, which was not a mistake from my end. Please check and confirm before taking legal and social media action in this regard.
    Thanks and Regards
    Umesh R
    9535897086

  24. Dinesh kumar verma says:

    I opened a new Dekar account. I credited Rs 5000/ but Kite is failing again and again to do any buying transactions. I have been suffering this problem for the last approx. two weeks but nobody is solving the grievance other than giving a ticket number several times.

  25. Pramodkumar says:

    Sir
    Yesterday I put a sell order (MIS) of stock Ajmera @ 89.50. When I tried to exit the stocks @ 90.10, it failed, but Rs. 3000 was deducted from my account. What actually happened? I have only limited knowledge in trading. Please give me a reply.

    • Kavish says:

      Hi Pramod,
      You have sold approx 500 shares @89.5 and exit means buy 500 @90.1 So 500×.6=3000 loss.
      You are selling on low price and buying on high Difference will be your loss.

  26. Kaustubh says:

    I’m very pleased to see that Zerodha has taken so much effort to make the customers aware about scams and frauds. In today’s times when brokers are only interested in making money… This step by Zerodha is an ideal of humanitarian behaviour. Thanks a ton for the same…. Really you people are doing a great job… God bless you!

  27. mohammed junaid says:

    Last month in my account SNTCL was traded; I don’t know how it happened. How to complain?

  28. Raja says:

    Dear Team,
    The referral URL also should be changed, which discloses the login id of the user, please create one extra field, “Referal Code”, in user master table. Generate unique codes for each user. I know, it involves some development effort, but It will make the referral links to be more safe, as we tend to share them on social media platforms.

  29. Naman says:

    It should not be just about a new device. Every time, on every device, when we log in an OTP should be generated; 3-factor authentication should be there.

  30. Kumar Iyer VS says:

    Thank you Nitin. Already noticed the same. Great service

  31. Pramod says:

    In your article you quoted “Report immediately to us.”

    How to report immediately ? Your telephone support is very very Bad. Even for normal query you guys deducting charges under the head ‘call and trade’ of about Rs. 20 (Now about Rs. 59). Zerodha deducted more than Rs. 1000 from me for just normal queries. I raise ticket many time on support but no answer received.

    Whom should I report this type of Fraud ? Can Mr. CEO Nithin reply.

  32. Saurav says:

    Please enable OTP base selling as like in Upstox it requires OTP to sell shares. It makes your holding safe

  33. Deepak behera says:

    Very good information. Thanks for the updation. So many fraudsters are sending messages and emails. When I tried to call them on the SMS number, it was not a valid number. So we need to avoid this type of communication and be safe.

  34. Vijayakumar says:

    Thanks

  35. SUJIT KUMAR SARKAR says:

    I am very happy for the update about these types of fraudsters. Thanks Zerodha. But I have an objection about the customer service of Zerodha. Please improve.

  36. Pravin patil says:

    Can online OTP system be implemented, OTP will be received on kite app (e.g. SBI secure OTP app)

    • Matti says:

      That is again a TOTP system. Only difference is that the TOTP is in an SBI app instead of using Google Authenticator, Authy, etc.

  37. Suraj rana says:

    Thanks for sharing this important information with us. 👍

  38. Ashwani kumar says:

    Thanks for the information

  39. Mohini says:

    Very nice information thanks lot

  40. Ashok Narkhede says:

    Can any one tell how to offer shares of Delta Corp for buy back.

  41. G Ramamoorthy naidu says:

    I am shocked. On 30/03/2020 I was put to a loss of 62000 thousands rupees. I reported telephonically to you on the same day; no proper response from you. Fraud occurred in my account; my account is hacked. My 62000 rupees (in the form of equity shares) is (swipened off). A lot of transactions were made in my account without my knowledge. A lot of transactions of small shares were made. It is reported over phone to Zerodha … I already reported to NSE and police. Please find the culprit. It is not known how many members are duped like this in Zerodha. Please escalate this to all the higher authority, namely CEO, audit in charge, fraud in charge, managing director. Please help me to recover 62000 thousands immediately. Please treat the matter as most urgent. Thank you, regards. Please provide the email ids of the above people. G Ramamoorthy Naidu

  42. Rishabh jain says:

    Mr Nithin Kamath , can you be on your words , kindly reduce the brokerage to 0.01% as it was highly advertised by you , If Zerodha is earning well , then why you are looting small investors , as they are paying three times of brokerage.

  43. Suryakant Borade says:

    Dear Nitin Sir You Are Absolutely Right,

    E.g.
    You have been advised to take short position of any stock intentionally and the advisors have intentions to buy such stock.
    If you short 100 share of Titan company, the advisor will buy 100 shares of Titan Company to execute their order for lower price in equity cash segment.
    That will be the kind of fraud like fishing just like NET BANKING and those persons were trapped who are beginners to the stock market. Hence Nitin Sir advised to newcomers to the stock market that to take position on your intellect, because of to get experience of stock market.

    Thank you…

  44. Syed Khadeer says:

    I have already lost my 2L above cash with Zerodha sub broker? His name is J Suraj; he is living in Bangalore.
    And I need my statements from account opening date up to till date, and where I bought & sold, and which candidates are robbing my money. Mr. Jithin kamanth, give the reply to me. And you are Zerodha’s customers’ responsible person; ask J Suraj and call me on 9705734052.

    • Matti says:

      Syed, we don’t have sub-brokers. We don’t allow our marketing partners to trade on behalf of clients. If you have shared your login credentials with a third-party, there is hardly anything we can do about it. As for an account statement, you can always find it on Console.

  45. Shishir sharma says:

    Hello Mr Nitin,
    I am in the business of cybersecurity and we deal with these phishing activities very frequently. I would like to tell you how to solve this issue permanently so that in future you will never face this problem again. Reach me @7303626026.

  46. NARAYAN JOSHI says:

    IF I AM AVOIDING ANY SUCH MESSAGES, BY TOTALLY DELAYING SUCH SMS MESSAGES, ARE THERE ANY INCIDENTS OF HACKING OF CLIENT ACCOUNTS..? BECAUSE WE ARE NOT WELL VERSED WITH NEW TOTP SYSTEMS.

  47. C.Sarkar says:

    Good information.

  48. Tony says:

    Yesterday I placed a MIS order and then while placing my stop-loss order, it exited me from the trade thus causing me loss… Kindly clarify. Thanks

  49. KALYAN SUNDAR GIRI says:

    Good job nithin

  50. Suresh says:

    I think sending OTP by the brokers on the registered mobile number may be the solution as is being done by the banks. Pl think over it instead of TOTP.

    • Matti says:

      OTP is a point of failure because the delivery may fail due to many reasons. However, TOTP is always available and hence is a better option.

  51. Ram says:

    Why are you asking for the PIN after swiping the sale button? So I won’t know what the trade price is while entering the PIN. This is a clear scam intentionally done by Zerodha. You are telling someone else. You have already lost the trust.

    • Matti says:

      Ram, this is required by regulation. Since you haven’t submitted a PoA in favour of Zerodha for your demat account, all sell transactions need to be authorised using a PIN.

  52. Manohar says:

    After reading this, I am worried about use of Imstrong, it’s safe to use it as it also needs to use Kite user ID and password.

  53. Manju says:

    Hi Nithin,

    Absolutely appreciate ZERODHA’s initiative in keeping your client’s credentials and investments safe.

    Keep up the great work !!!

  54. RAMANUJ GUPTA says:

    On 7/04/2020, when I picked up my mobile at about 10:30 am, I saw notifications regarding 3 trades executed in my demat account. Then I logged on to the application on my mobile and saw that all the shares in demat had been sold. I called customer care immediately; they told me to generate a ticket. I lodged complaint ticket no 20200407910258 and 20200409749055 on 7 & 9/04/2020 respectively. They closed my complaint, saying that the order was placed from my side. I assure that I had not even logged on to the app on 7/04/2020. The timing of the orders placed: 9:34:34, 9:34:44 and 9:34:51,

    • Matti says:

      Only selling shares that you hold would not be beneficial to anybody. Are you sure you hadn’t placed a GTT order for these stocks?

      • Ramanuj says:

        I have not placed GTT or any type of order to sell the shares. You can also check in your system. Nobody has gained any benefit, but I have suffered a loss. I had bought these shares for the long term; unauthorised trading should not happen from anyone’s account.

  55. Sandip Basumatary says:

    Sir, I have installed your Kite app on my mobile. So is there any fear about it also? Reply please…..

  56. mahalakshmi says:

    Please make necessary steps to open account, client ID- PP9382, I am waiting from 5th apr 2020.

  57. PRABHAKAR V says:

    I suffered in the hands of Zerodha as shares in my Zerodha demat account were sold, and when I disputed the same, as I had not done it, and requested Zerodha to block all settlement obligations, after promising to block the illegal trade Zerodha went back on their promise by promptly honouring the trade not done by me. I never thought Zerodha would let me like this. Disgusting and shattering experience. God save Zerodha account holders. Zerodha demat account is not safe at all. If Zerodha has an iota of shame and self respect they should nullify the wrong trade done on my account and restore my holdings immediately. They have to take all responsibilities as I had disputed the trade at the immediate.. God save

  58. Aalind Rastogi says:

    Dear team, I opened a demat account on 19 April. How much time will it take to get activated? Please respond promptly.

    • Matti says:

      Hey Aalind, you haven’t completed the account opening process yet. I see that you are yet to e-sign your account opening forms. Please head over to signup.zerodha.com and complete this step to open your account.

  59. dilip raval says:

    Now Zerodha has started fraud on its customers. I have not purchased any share in lockdown and Zerodha automatically added Union Bank shares in my account. Please tell me how I can complain to SEBI about this?

  60. Lax says:

    It seems Zerodha has blocked trading in many small value stocks even though some of the companies are doing pretty well due to phishing issue. I am not sure how this will prevent phishing attacks. Somebody can please explain.

  61. Dinesh says:

    Many stocks bought and sold without my knowledge. So scary. Can you please explain what’s happening? Or I will be filing a complaint against Zerodha.

  62. Prabhakar says:

    I have posted my complaint on 21st April. I have also reported this to Zerodha on 18th April and Zerodha did not block the trade at all. Mr. MATTI WHAT’S YOUR COMMENT

  63. Prabhuswami hiremath says:

    FRUSTRATED WITH UNAUTHORIZED TRANSACTION IN ZERODHA DEMAT. ALL MY LIFETIME SAVING OF 8 LAKH LOST. PLZ ZERODHA HELP ME. REVERT MY ALL UNAUTHORIZED TRANSACTION. REQUESTING FREQUENTLY NO RESPONSE FROM YOU. NSE WANTS ZERODHA SHOULD TAKE QUICK ACTION. BUT U R NOT RESPONDING AT ALL

  64. Prabhuswami hiremath says:

    I have my demat account with Zerodha Broking Ltd. An unauthorized transaction took place on 7.05.2020 and all my stocks worth 8 lakhs have been sold and with that amount SECL-SM (NSE) (Salasar Exteriors and Contour Limited) stock purchased. Now the valuation is 3. lakhs. On repeated request Zerodha Broking is not responding to any call. Informed SEBI, NSE and cyber crime for necessary help. The worst side of Zerodha is not initiating any action to safeguard the investors. Even on repeated calls to the customer care center there is no response. I

  65. Prathmesh says:

    Hi, if anyone can answer me.
    In risky stocks also there might be some genuine stocks we can invest in. So how do we identify which are scamy stocks?? I have just started trading and found risky stocks to be attractive but after reading this article, my view has changed.

  66. Deepak shah says:

    I am interested in penny stock

  67. V T VISHWANATH says:

    Please add a nudge to MITTAL LIFE STYLE stock, it is highly operator driven stock and so many investors are stuck. And they don’t know that it will become penny stock after somedays. I am 200% damm sure that it will become penny stock. Please save investors now only not after it became penny stock. After became penny stock there is no point of adding nudge that won’t help any investors.

  68. Pravin Patil says:

    Thanks for update !!

  69. Rahul saini says:

    Buy rejected in penny stock

  70. Thomas says:

    Thanks for introducing TOTP. I never understood the risk before reading this article.
    I will activate immediately.

  71. Ravindra Singh says:

    Want to buy penny stock but can’t, please help me.

  72. Sanjay says:

    I am writing this with great frustration. I trusted Zerodha that at least they would look at what issues customers are facing but found that there is no one to even bother about emails and phone calls. You call them 100 times, you can’t get them. You send an email, you will not have a response.

    I observed in all my trades (purposefully) to see how the system works. I have captured those evidences as well to show if someone asks for it. The system has two sections: price chart and dashboard. Keep a watch on those two in parallel. The prices do not match, or the dashboard that calculates your P&L will be faster during loss, giving incorrect price values, and the price chart will show different values. This is seen when we go for more than 100 qty as it makes a difference. I have never seen this when I trade below qty 10.

    Let Mr Kamat see this comment and let me see if I would be contacted.

    Regards
    Sanjay

  73. ak says:

    Hi,
    I am getting frequent mail of “Important: Login from new location” from “[email protected]” is it valid or fake mail. I am getting this even after changing password.

    • Charu says:

      I did not log in from any other network or device but still I received email from this web address during trading hours… why is it so?

  74. GSR Murthy says:

    yes, Even I have received such mails on 16th & 22nd July regarding “Login to my account from other locations” .. Any update or support from the Zerodha team to understand this and action the same will be appreciated.

  75. Rohit says:

    I placed a GTT order in an illiquid stock. The order was rejected the next day. I enabled TOTP. I will now place a GTT order in the same stock. Does Kite place the order directly tomorrow OR ask for TOTP to place the order?

    • Faisal says:

      Rohit,
      Yes, your order will go through as your account is already secured with TOTP. TOTP is only required to authenticate your account when you log in.

  76. rashid says:

    please explain me brothers,
    every day when I receive the margin statement by email, Rs 59 is deducted. It has been going like that for the past few days; if I get the reason then I can take care,
    thank you all

  77. srk says:

    Is it possible to get a list of these illiquid stocks using API?
