The most common stock market frauds

July 19, 2022
Trading @ Zerodha


With the rise in cybersecurity incidents, it’s extremely important that you are aware of the risks and possible ways in which accounts can be compromised.

Firstly, any measure from our side is helpful only if the customer doesn’t willingly share account access with others by giving in to the lure of quick and easy money. As we have shared many times, fraudulent actors can create artificial losses in the customer account using penny stocks or illiquid options; read more here. The first, most basic step everyone should take is to enable 2FA on email and social media accounts, set up biometric authorisation on the mobile and, most importantly, ensure that login credentials aren’t shared with anyone else.

Zerodha login

  1. All Zerodha accounts have a two-factor authentication (2FA) login. To log in, you need to enter your client ID and password and then authenticate the login with a 6-digit PIN. Users can also enable biometric authentication with either Fingerprint or Face ID on the Kite mobile app.
  2. As an added layer of security, we introduced a time-based one-time password, or TOTP, in 2020. TOTP is a temporary OTP that expires every 30 seconds. Users can enable TOTP as their secondary factor (2FA) to replace the 6-digit PIN.
  3. We have email login alerts whenever there is a login from a different IP or address.
  4. We don’t have relationship managers who call our customers for any reason, which makes it tough for anyone to pretend to be calling from Zerodha. Nor do we call users for anything or ask for any account-specific information.

For more about how we ensure the security of Zerodha accounts, see Security practices at Zerodha.
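How a 30-second TOTP of the kind described in point 2 is computed and checked on the server, as an added example that is not Zerodha's code. It follows the public RFC 6238 algorithm with HMAC-SHA1; the `TotpVerifier` class, its one-step drift window and the replay rule are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the 30-second validity the post describes
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second step that contains unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Hypothetical server-side check: drift window plus replay rejection."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps   # tolerate small clock differences
        self.last_counter = -1           # highest time step already accepted

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.drift_steps, now + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue                 # negative step, or a code already used
            expected = totp(self.secret, counter * STEP_SECONDS)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    verifier = TotpVerifier(demo_secret)
    code = totp(demo_secret, 59)
    print("code at t=59:", code)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 61))
    print("accepted 60 s later:", TotpVerifier(demo_secret).verify(code, 119))
```

The replay rule matters for the fraud pattern in this post: a code read out to a caller or typed into a fake login page is useless once the genuine login has consumed it, and useless in any case after the drift window has passed.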

TOTP for trading in penny stocks and illiquid options 

From our interactions with the exchanges and our own experiences, penny stocks and illiquid options are by far the most used routes to move money. Here are the checks we have in place to prevent such instances: 

  1. We have mandated TOTP when trading in penny stocks and illiquid options that we monitor based on open interest (OI), active market depth, and trading volumes where there could be potential trades to create artificial losses to move money. Exchange regulations require that all brokers make 2FA mandatory starting 30th September.
  2. For users who opened their account after 2019, an OTP and TPIN from CDSL (eDIS) are required to sell stocks. If you opened an account before 2019, here’s how to convert the account.
  3. We are working on a new risk management tool that will disallow users from placing orders in illiquid option contracts at a much higher price than the theoretical price for buy orders, and vice versa for sell orders. We will share the details soon. 
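A sketch of how the checks in points 1 and 3 could fit together in one pre-trade gate, as an added example that is not Zerodha's tool. The thresholds, the names `OptionContract` and `check_order`, and the use of Black-Scholes as the theoretical price are all assumptions; the post names the signals and the rule but not the model or the cut-offs.

```python
import math
from dataclasses import dataclass

# Assumed cut-offs, chosen only to make the example concrete.
MIN_OPEN_INTEREST = 500    # contracts
MIN_DAY_VOLUME = 100       # contracts traded today
MIN_DEPTH_LEVELS = 3       # price levels with resting orders
PRICE_TOLERANCE = 0.50     # allowed deviation from the theoretical price
TICK = 0.05                # keeps the band open when the theoretical price is near 0


def norm_cdf(x: float) -> float:
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def theoretical_price(kind: str, spot: float, strike: float,
                      years: float, rate: float, vol: float) -> float:
    """Black-Scholes value of a European call ("CE") or put ("PE")."""
    if years <= 0 or vol <= 0:   # at expiry only intrinsic value remains
        return max(spot - strike, 0.0) if kind == "CE" else max(strike - spot, 0.0)
    d1 = (math.log(spot / strike) + (rate + 0.5 * vol * vol) * years) / (vol * math.sqrt(years))
    d2 = d1 - vol * math.sqrt(years)
    pv_strike = strike * math.exp(-rate * years)
    if kind == "CE":
        return spot * norm_cdf(d1) - pv_strike * norm_cdf(d2)
    return pv_strike * norm_cdf(-d2) - spot * norm_cdf(-d1)


@dataclass
class OptionContract:
    kind: str            # "CE" or "PE"
    spot: float
    strike: float
    years: float         # time to expiry in years
    rate: float
    vol: float           # annualised volatility
    open_interest: int
    day_volume: int
    depth_levels: int

    def is_illiquid(self) -> bool:
        # Any one weak signal is enough to put the contract under watch.
        return (self.open_interest < MIN_OPEN_INTEREST
                or self.day_volume < MIN_DAY_VOLUME
                or self.depth_levels < MIN_DEPTH_LEVELS)


def check_order(c: OptionContract, side: str, limit_price: float,
                totp_verified: bool) -> str:
    """Return the decision for one limit order on an option contract."""
    if not c.is_illiquid():
        return "ACCEPT"
    theo = theoretical_price(c.kind, c.spot, c.strike, c.years, c.rate, c.vol)
    # Buying far above, or selling far below, fair value is how a loss is
    # manufactured in one account and a matching gain in another.
    if side == "BUY" and limit_price > theo * (1 + PRICE_TOLERANCE) + TICK:
        return "REJECT_BUY_ABOVE_THEORETICAL"
    if side == "SELL" and limit_price < max(theo * (1 - PRICE_TOLERANCE) - TICK, 0.0):
        return "REJECT_SELL_BELOW_THEORETICAL"
    if not totp_verified:
        return "TOTP_REQUIRED"   # step-up authentication for watched contracts
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed sample contract: thin open interest, volume and depth.
    thin = OptionContract("CE", 100.0, 100.0, 1.0, 0.05, 0.20, 40, 5, 1)
    print("theoretical:", round(theoretical_price("CE", 100, 100, 1, 0.05, 0.2), 4))
    for side, price, totp_ok in [("BUY", 40.0, True), ("SELL", 2.0, True),
                                 ("BUY", 11.0, False), ("BUY", 11.0, True)]:
        print(side, price, totp_ok, "->", check_order(thin, side, price, totp_ok))
```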

How are accounts typically compromised? 

  1. By far, the most common way that trading accounts are compromised is when users share their login details with others. We’ve seen instances, not just with us but across brokers, where users share their login details with people pretending to be advisors, promising extraordinary returns in a short span of time. Once the user has shared the login details, these fraudsters create artificial losses through illiquid options and penny stocks to move money out of the accounts.
  2. Phishing attempts are quite common too. Fake websites that resemble the login pages of brokers are created to capture the login details of users. We’ve long warned against such risks.
  3. Using email service providers with poor security, like Rediffmail. Such email providers tend to have weak spam filters, allow weak passwords, and don’t have checks to block suspicious logins, making them vulnerable to hacks. We are stopping all Rediffmail accounts: 80% of all cases we’ve observed where people have lost money are users with Rediffmail accounts.

A few common sense security best practices

  1. Never ever share your Zerodha account details with anyone. 
  2. Don’t fall for sales pitches by fraudulent actors promising super high returns in a short span of time by offering to manage your account. 
  3. We never call users asking for any account-specific information. If you get such calls, please ignore them and report them here.
  4. Ensure that you have TOTP enabled on your Zerodha account as well as your email. 
  5. Stop using email service providers with poor security. 

But like we mentioned in the beginning, all these measures will be moot if users are not careful in ensuring the security of their accounts.

Team Zerodha

India's largest retail brokerage

106 comments

  1. Sameer Mehta says:

    My family members and I have accounts with Zerodha. Is there a way to interlink all accounts under one login access or something? However, tax liabilities would remain at the individual level. It's just that I would find it easier to access / switch accounts for trading investments.

    • Hemanth says:

      Yes. When you log in to Console, under Holdings, there is an option called Family.

    • Shubham says:

      Hey Sameer, regulations do not allow one account to place orders on behalf of another, even if the other account belongs to a family member. However, you can link family accounts on Console to view their portfolio. You can learn more on this here.

      • Pranay says:

        Hi! I am a Zerodha account holder and a long-term investor. What system does Zerodha have in place to ensure that a DIS slip is not misused to illegally transfer shares from a demat account? A rogue employee at a brokerage firm can easily get access to a DIS slip showing in-person delivery and forge the signature of the account holder for his personal gain.

  2. Rushin says:

    A lot of people like me trust zerodha and trust is based on proactive communication like this.

  3. Harshiv Gajjar says:

    I believe that a trusted devices feature should be added to increase security. I have stopped using any cracked apps on my Android mobile phone and Windows PC to avoid any unwanted viruses entering. I also got an iPhone for my parents specifically for using banking and stock apps. So a trusted devices feature might be helpful for avoiding such fraudulent activities.

  4. Atul Kumar Pandey says:

    Thanks for enlightening us on this most crucial topic. In the last few days I have seen many investors and traders reporting that their account was compromised. Please, guys, never share any financial detail online, and keep your social data hidden, as most attacks are coming from social engineering.

  5. Srinivasa Sriram says:

    Sir,
    The password and 2FA PIN should auto-expire every 30/45 days and should also expire if the account is not logged in to for 30 days. This is a must, as most of us do not care to change the password/PIN very often.

  6. Suhas.R.Sonawane says:

    Thanks for penny stock awareness.

  7. rajendra mudliar says:

    Sir,
    I usually don’t share my login details with anyone. I have never done it till now from the time I opened an account with Zerodha (maybe from 2016). Is my account safe from fraudsters? Even fund transfers I do through net banking. I don’t use the mobile for transferring funds etc. What other precautions should I take? I suppose your new time-based OTPs will be effective. How do I register for this new added security feature? Please advise.

  8. Shivnath Dalvi says:

    👌

  9. Ashok says:

    How to freeze the account immediately if such unwanted activity is found?

    • Shubham says:

      Hey Ashok, you can reach out on our helpline number 080 4718 1888. We have a dedicated team to handle such queries. You can also activate Kill Switch from Console; this will deactivate the segments and can be activated only after 12 hours. More here.

      • Mohanavadivelu says:

        I personally experienced your service line's non-availability. Do you take care of the availability of these phone lines? At least check it tomorrow.

      • Vikas R says:

        While the individual segment-wise Kill Switch is good, why not have a temporary freeze on all activities in one click?
        i.e. one single kill switch easily visible on the account management page and not hidden under segments etc.

        Also, please add a call feature directly embedded in the Kite mobile app which connects to your fraud reporting line directly.
        Publishing contact numbers on the web calls for additional possible frauds.

      • Bikramjit says:

        Why is Zerodha not setting up a hotline, like credit card companies, to block the account immediately?

  10. BS Dhillon says:

    Good piece of information. I recommend that Zerodha send an SMS to the client immediately on execution of an order, as is being done by some other security house.

  11. Preyas Patel says:

    How to enable TOTP? Is it available in the web version or just for the app?

  12. URJA SHAH says:

    Accepted your reasoning and the care we as clients have to take. But!!!! Can you set up a dedicated helpline for reporting the hacking of an account? In spite of taking care, if our account is compromised, there should be an immediate way to stop trading and freeze the account. This is of utmost importance.

    • Shubham says:

      Hey Urja, you can reach out to us at 080 4718 1888 or 080 4718 1999. We have a dedicated team to handle such queries.

  13. micheal says:

    Sounds good, thanks!

  14. ananda raki says:

    The precautions advised above are an eye-opener for us to keep vigil in safeguarding our accounts from any fraudulent people. Thank you. We will strictly adhere to them to keep our accounts safe.

  15. Amit Kale says:

    Excellent write-up and clarification especially when today Zee Business is running demat fraud program where 2 of the victims had Zerodha demat account. I had asked for the clarification on security practices followed at Zerodha and they have come up with this great great info that should allay a lot of fears about using Zerodha as a broker. Thanks Zerodha..

  16. Laxman jadhav says:

    Please, Zerodha, send me an emergency contact number. There should be a number for both the exchange and Zerodha, please. I watched the Zee Business show on the 3 demat robberies. Please, an emergency contact helpline number is essential.

    • Shubham says:

      Hey Laxman, you can reach out to us at 080 4718 1888 or 080 4718 1999. We have a dedicated team to handle such queries.

  17. Kedar D says:

    We want
    1. Quick customer call support
    2. If a user account is accessed from a new device and a transaction happens, it is a red flag; you have to respond fast and inform the user
    3. Develop a “temporary block demat account” feature
    4. Other red flags: account password changed multiple times in the day, or a long-time investor suddenly starting to do F&O
    If anything above happens, the Zerodha team has to take action fast.
    5. Secure your system; a hacker might hack while the user is changing the password by tapping “forgot password”

    Thank you zerodha you are the best

    • Smita Bellur says:

      I too agree, we need these security features.
      Pls consider as top priority, the temporary block where fraudster cannot go on making transactions even when the account owner is trying to place a complaint.

      Also, customer service response has not been agile enough during these episodes brought out by Zee biz. Pls ensure customer support training to handle such emergency type situations where quick action is key.

  18. Kewal says:

    We have mandated TOTP when trading in penny stocks and illiquid options that we monitor based on open interest (OI), active market depth and trading volumes where there could be potential trades to create artificial losses to move money. Exchange regulations require that all brokers make 2FA mandatory starting 31st September.

    In the above para the date is mentioned as 31st Sep. Can you recheck the date?

  19. Amrut says:

    These are some good safety measures; however, I am not sure it will ever be enough. I think adding a temporary block feature or similar in settings can help retailers in panic situations. Something to think about.

  20. Harsha says:

    So many telegram channel groups blatantly ask for account details to manage accounts for trade purpose

  21. Sudha Devi says:

    Please provide an online facility to hold/stop/block on the trading account screen in an emergency, with password and OTP based action, as banks provide. It could also be unblocked through the trading screen. There would be no panic in an emergency, since you are not providing a relationship manager to customers with whom they can resolve it.

    • Rajiv says:

      Sir, my question is: if our account has been compromised or hacked, how can we get control of our account? Is there any procedure to get control of our account back from the hacker? Another thing: if we can't have any control over the account, how can we use the Kill Switch option? One more thing: most people don't know the customer care number; kindly send a separate mail and message regarding the customer care number to all customers. Most customers don't even know that there is a support code in their profile which is required to connect with a customer care executive. My concern is that if somebody does not remember his support code, can he talk to a customer care executive directly on any other number in case he has no control over his account after a hacker attack? How can he find a way to freeze his account? Even a ticket can be raised only through account login. Kindly help out, please.

  22. Ashish Ostwal says:

    After seeing today’s show on Zee business, we are really worried and scared, Help us provide proper security. Few suggestions which might help to improve on our security-
    – Share Emergency contact number immediately with each user, so if we detect the Fraud we can get instant support from your end. Also, Listen to the user instead of proving them wrong (questioning them).
    – Need instant alert on mobile if any sell / Purchase transactions.
    – Provide control to us (user) to lock security – so no one can play with portfolio
    – Maintain the history of logins for each user.
    – If larger transactions are carried out (say more than 1 Lakhs) instant call should be given to the user asking if they have initiated those transactions or not. Don’t wait for user to call you instead you call us.
    – When we log in from a new system, you send an email that we have logged in from a location, but that location is always wrong. When I log in from Pune it shows I have logged in from Kolhapur; when I log in from Nashik it shows I have logged in from Panvel. Revalidate your system for such location emails.

  23. Sudarshan says:

    There must be an immediate Account freezing or hotlisting option like the ones we have in banks or Credit cards.

    • Shubham says:

      Hey Sudarshan, you can reach out to us at 080 4718 1888. We have a dedicated team to handle such queries.

      • A k sahoo says:

        What is the point to have argumentative people at the other end.
        Please have a red coloured freeze, kill facility on the screen

  24. Milind says:

    Noted

  25. Nitish Bodhankar says:

    It was a nice article. Also make an article about advising on YouTube or Telegram about any buy/sell tips, because as per SEBI it's illegal except for SEBI-registered advisers, but still people add an educational purpose disclaimer. So try to give an article about how, and up to which level, it is safe to give calls using that disclaimer.

  26. JEEVAN Salke says:

    Please start a special customer care number and make changes in the system to block and reverse any transaction in the demat account. A fraud management framework should be established with exchanges and the regulator.
    The reset password operation must be safer.

  27. Adinath shelke says:

    Please provide hotline number to block our demat account instantly 🙏

    • Shubham says:

      Hey Adinath, you can reach out to us at 080 4718 1888 or 080 4718 1999. We have a dedicated team to handle such queries.

      • ASHIS ROY says:

        Dear Zerodha Team,

        One request, to direct your so-called “DEDICATED TEAM”: when any Zerodha account holder calls up for immediate stoppage of their own account, please do not waste time asking and discussing useless matters, resulting in wastage of the most crucial and valuable time while the hacker is active in cleaning out the account.
        I hope you understand my point.

      • ankur says:

        Ideally, hotline numbers and a temporary account block button should be in the app itself so that in case of any emergency we can block our account ourselves.

  28. Sanjeev Gk says:

    Apart from the email alert for the login, please implement an SMS alert for the registered mobile number.

  29. Nagori says:

    Thanks for your pro-active actions. Will appreciate if you can guide your clients the process to be followed once the account is compromised or hacked.

  30. N K Srivastava says:

    Will be grateful if someone could enunciate the modus operandi as to how the money gets siphoned off by placing orders in illiquid option contracts at a much higher price than the theoretical price for buy orders, and vice versa for sell orders.
    Regards

  31. bhavin says:

    Hi, thanks for the good post and clarity. What if our phone is hacked and someone can access the screen of the mobile? In such a case, if someone’s money is lost, can that be recovered? I mean, the fraud guys are getting smarter and smarter. Do we have any kind of process in place to report a fraud and act against it at the earliest?

  32. Zaheer says:

    TOTP is 1 good way to secure login.
    SMS alerts would be good to implement if Zerodha works on it.

  33. Kailash jain says:

    Keep in practice
    Check your holdings daily
    Make it a habit

  34. Pradeep Kumar says:

    I have a query. The 2-level security of OTP or TOTP is done by MOBILE. What if the mobile number itself gets compromised? What action has Zerodha taken in this regard, say to check mobile number changes? Secondly, are there any mechanisms or automatic security features wherein the account gets temporarily locked if the password is changed many times in a short span of time OR if a wrong OTP/password is repeatedly entered, say, after 3 wrong attempts, and after that the account is REVIVED only through the proper channel, as per your rules? I would appreciate it if a response is given to this, which could help all. Thank you.

  35. Geeta says:

    How to update email id

  36. V K Upadhyaya says:

    Thanks for providing this information.

  37. Sanjeev Gk says:

    Implement the reverse (backward) PIN facility, which sends an emergency signal to auto block/freeze the account, like in an ATM.

  38. gokhale d k says:

    The hotline numbers should always be kept on the Zerodha screen.

  39. Subha says:

    Having a personalised ( customer’s choice)login id which is not his client id should also help ?

  40. Sanjeev says:

    Dear Zerodha
    It’s not fair… It’s too late… Sending security measures after the bomb blast doesn’t make any sense.
    The way the frauds were explained today on a business channel, they clearly seem to be true incidents, and they are true in fact. Why was the account not deactivated immediately, while your team was busy proving the customer's fault? There is so much to say, but please make your systems strong and don’t blame only the customer… Hope you understand.

  41. SK says:

    Hello,

    Since there is integration between zerodha and 3rd party app like quicko, is it possible that customer details fetched by quicko during tax filing are misused by someone for hacking? Has zerodha verified data security on such integrated apps?

    • Quicko says:

      Hi,

      Quicko uses industry-standard best practices to ensure your data is safe with us. We are a registered entity with respective tax authorities. We are also an ISO-certified business which means we have access control, well-defined policies around people & processes, and encrypt data in transit & at rest. Above all, you are the owner of your data and we do not share it with anyone without your consent.

      You can check out our security policy for more details https://help.quicko.com/support/solutions/articles/84000350356-privacy-and-security-

  42. Atul says:

    It’s just an excuse after the Zee Business report, when the fraud happened on 8th June and this advisory started today. Totally an excuse, even an irresponsible thing, and now trying to justify. It’s not only OTP fraud but also broking house failure fraud, in that they were not able to block the account after confirming fraud was going on.

  43. Hitesh says:

    When someone generates a new password, 2 separate OTPs should be sent by SMS and email, and the new password should be generated only after both OTPs are verified.

  44. Subodh says:

    Nitin,
    This write-up is not enough to rebuild the trust. You have to own the mistake on your part and explain to the Zerodha community what exactly went wrong.

  45. Vivek says:

    Just want to suggest
    1 power freeze button on login to freeze account for one day two days .
    2 email and phone otp both required for resetting of password not either . same type security used in hdfcbank.
    3 tollfree block by sms from registered mobile

  46. Akhil says:

    Hi team,
    You have mentioned that Rediffmail was responsible for 80% of hacks; how about the remaining 20%?
    How were the reset passwords meant for other email providers leaked to fraudsters?

  47. sm says:

    Got a recorded call from Zerodha that Rediffmail account users' Zerodha accounts will be blocked from tomorrow unless they change the account. Is this true? What should be done? Kindly guide.

  48. Ranjan says:

    My email is rediffmail.com. I haven’t experienced any such thing, but I got a pre-recorded call from Zerodha saying to change my email.
    Dear sir, my ITR etc. are linked to the same email. What to do now?

  49. Neelam Chhabra says:

    Sir,

    Can we open two Accounts with zerodha with 1 PAN.

    • Shubham says:

      Hey Neelam, you can only open one individual account per PAN. However, there’s no restriction on opening a non-individual account with the same PAN. We’ve explained this here.

  50. P K Mohanty says:

    My suggestion is to enable both 6 digit password and fingerprint to login

  51. Pankaj says:

    Two quick suggestions to make it better:
    1. On reset of password, don’t force a reset of the PIN or disable TOTP if it was enabled earlier. The user might have forgotten the password but TOTP is still generated, so a hacking attempt could be avoided. But as per current practice it is replaced with a new PIN, which is a mockery of two-step, since both password and PIN are reset at once.

    2. Like the option you have given in segments under Console to deactivate my account, which can’t be enabled for 12 hours, give me an option to specify in hours how long my whole account is disabled in case of a password reset. So it is defined by me on the basis of my risk tolerance; it protects my account, obviously with some inconvenience, but the duration is set by me.

  52. Vasanth says:

    Is it possible for Zerodha to send SMS alerts to its clients to let them know about transactions taking place in their account in real time, to prevent such frauds?

  53. Bacchu . Kolkata says:

    I think one needs a secret PIN (xxy34) only for when buying illiquid penny stocks or options. The secret PIN shouldn't show on the dashboard profile. Only the account user will use it. The hacker won’t know the secret PIN.

  54. Kkyogi says:

    There should be a hotline to report any ongoing fraud or suspicious activities in our accounts. Moreover, at the time of reporting, there should be immediate action starting with temporarily blocking our account.

    • Shubham says:

      Hey, you can reach out to us at 080 4718 1888. We have a dedicated team to handle such queries. You can also use the Kill switch to prevent further trades if you suspect someone else is using your account. Here’s how.

  55. J Hanumanthu says:

    Thanks for the advice
    Please tell me what is your emergency contact number to seek urgent help

    • Shubham says:

      Hey Hanumanthu, you can reach out to us at 080 4718 1888. We have a dedicated team to handle such queries. You can also use the Kill switch to prevent further trades if you suspect someone else is using your account. Here’s how.

  56. Zorro says:

    I opened the Zerodha account a long time back, around 2015-2016. At that time I had submitted the POA details physically. Now, looking at online frauds, I am thinking of revoking that POA and enabling TPIN from CDSL. Could you please give your advice on the same?

  57. Dindayal Agrawal says:

    I never share my account details with anyone; even so, my account was logged in to from other places many times, although no transaction has been done. So it is assumed that the Zerodha account is not safe. Should I close it?

    • Shubham says:

      Hey Dindayal, we send an email and mobile notification on the Kite app if you log in from a new city or IP address. Since the location is determined using your IP address, it may be different from your physical location even for a genuine login. Explained here.

  58. Victim says:

    Your number 1 priority is to safeguard your customers and help them when they are in need. You have failed miserably in both of these. Compensate the affected customers immediately, as you have failed to control the Rediffmail-related issue. You should have acted rather than just sending the ridiculous notifications. Kite is not everything; be more efficient in taking timely action by blocking such accounts immediately.

  59. Victim says:

    Also explain how you have supported the affected customers with Rediffmail accounts. Instead of blaming ur own customers, you should support them and collaborate with the police to get to the root of it, so that the modus operandi is understood and you protect ur customers. Act on it rather than blaming ur customers, who are ur bread and butter.

  60. Krishna says:

    Hey there,
    I don’t know what to say, but whenever I log back in to Kite after restarting the system, it says Important: Login from new location, though my location remains the same. : ( Confused about what will happen if I opt for TOTP; will it ask for it every time?

    • Shubham says:

      Hey Krishna, the location is determined using your IP address and may be different from your physical location even for a genuine login. Explained here. Regarding TOTP, yes, you will have to provide TOTP each time you login.

  61. Nitin says:

    Just watching show “Operation Demat Daka : Zee Business Special Investigation to protect your Demat Account From Fraud” on zee news and i’m SHOCKED. the customer who lost 36L and got 11L loss in his account was of zerodha.

    He said he spent 40 minutes on Zerodha customer care, and after struggling with your customer care for 40 mins, he got the response from you that he should go to the police station and get you an email from the police that his account is hacked.

    Also, he mentioned that he reset his password multiple times during the day and the hacker was able to reset the password again and again.

    And another person on the show spent 15 mins with your customer care and, rather than acting promptly, you were chilling all the time.

    I’m SHOCKED to learn of their experience with your customer care and the impulsive treatment you’ve given.

    And you come up with this article!!!!!!! To prove your genuineness??????

  62. Pradip Gupte says:

    Watch programme #dematdaka
    Of Zee business. Without sharing login credentials and password, clients of Zerodha lost lakhs of funds. Some clients are IT professional, they took every care
    Please explain

  63. Arun says:

    I am sure u too wud have seen both episodes of demat daka, i looked at twitter for ur replies, being a small investor i am concerned to safety of my hard earned money being ur client. Request u to please answer flg :

    1. Why is it that ur clients have to struggle to reach u in emergency??? People said they cudnt get thru for 15-20 mts…

    2. Why don’t u sensitize ur customer support team, that if a client fears hacking n insists block, PLS BLOCK RIGHT THERE N THEN FOR SAFETY??? Pls extend best help to ur clients in need , how can u wait till the poor guy is ruined???

    3. U guys r so media savvy n technology savvy n active on social media, can’t u sense panic in tweets??? U have got such negative publicity, and u guys r not even coming to address ur clients??? If u were at our position, what will u do? Have i done anything wrong by patronizing u over all others??? Then why not respond n answer….

    i repeat, i trusted to start with u guys, trusted u more than all others…
    i am a small investor n have my hard earned money in my holdings…
    What answers do u have to make me feel confident, reassured n to feel secure???

    • Victim says:

      Because these guys are running the cartel for impacting the rediffmail users. If not they should check their system and resolve this issue immediately and compensate the customers. This is happening from long back and ridiculous Zerodha is just busy protecting their ass.

      • Arun says:

        I don’t know if u read it in news or not, a CA from my society had his bank account compromised, he informed the bank n bank did not act immediately, resulting in guy losing all except few hundred & delhi HC ordered bank to pay all with applicable FD interest n all costs. Issue is litigation, who has time n energy besides money for our lazy judiciary…. When this CA’s lawyer addressed our RWA he mentioned courts expect you to be vigilant n u must inform in specified time n beyond that the defaulting institution wud have no escape n he referred to n no. of cases with awards… cr cards, banks, cheque books…

  64. Arun says:

    For all my trades i get not a single sms, my friend trades with kotak n he showed me that he get sms right after the trade, for each n every trade buy as also sell, why can’t u do this? Otherwise, how will i come to know if something is traded without my will???

    • Victim says:

      This ridiculous Zerodha just believes in Kite notification which is a shit. Customers impacted by the Rediffmail issue are innocent and Zerodha wants Cyber police to help their customers. This is a clear sign that Zerodha is on the verge of huge collapse. It's a shame that instead of making their system secure, they are busy blaming their own customers. Just ridiculous

    • Shubham says:

      Hey Arun, you’ll get an SMS from the exchange at the end of the day with all your trades. If you’re not receiving the SMS, please create a ticket, we’ll have this checked.

      You can turn on the Kite order notifications for alerts on trade execution. Here’s how.

  65. Rai says:

    Hi,
    I would like to know if bank password and account details will be asked for in case of starting a new SIP in Smallcase.
