Cyber bureau warns internet users of rising cases of phishing
Scammers send alerts to create a false sense of urgency, prompting users to click the link and enter their one-time password (OTP).
Aarati Ray
Fraudsters are increasingly using fake online loan repayment offers, bogus stock market training programmes, software alerts and deceptive banking alerts to lure victims, the Cyber Bureau said on Thursday.
The methods vary, but the goal is the same—to hijack devices, steal banking credentials, and drain funds, according to the Nepal Police bureau.
Superintendent of Police Deepak Raj Awasthi, the bureau spokesperson, said cases have been rising since March. Several complaints were filed officially. Others came through messages and comments on the Cyber Bureau’s social media pages.
One major form of attack involves messages prompting users to install malicious software. These phishing links are disguised as helpful tools, such as apps for loan management or trading, but carry attached files such as ‘.exe’ for desktops or ‘.apk’ for mobile phones.
These files, when installed, give hackers complete access to the device. The Cyber Bureau has traced many of these phishing links to platforms like OneDrive, Microsoft’s cloud service.
“The links are mostly coming through OneDrive and WhatsApp. Even OneDrive seems unable to identify and block these threats,” said Awasthi.
Once the software is installed, cybercriminals use remote control tools like ‘AnyDesk’ to take over devices. This allows them to monitor screens, extract passwords saved in browser cookies, and even track user activity in real time.
According to Awasthi, these hackers have backend servers where stolen data, such as passwords and particularly banking information, is stored. Later, the information is used to either directly access bank accounts or send further phishing messages to other users.
Another scam targets users of mobile banking wallets such as eSewa. Victims receive alarming SMS alerts sent through official-looking shortcodes like ‘The Alert’ or ‘AT Alert.’ These messages typically say, “Suspicious activities have been detected in your account, and you must click the link below to verify your account, otherwise it will be temporarily suspended.”
This creates a false sense of urgency, prompting users to follow the link and enter their OTP (one-time password). Once the OTP is submitted, the scammers immediately gain access to the victim’s digital wallet and clean out the funds.
What makes this tactic alarming is the misuse of alert codes typically reserved for law enforcement, ambulance, or emergency health services. “So the question of how scammers are using these emergency alert facilities is now part of our investigation,” Awasthi said. These messages appear credible, making it harder for users to identify them as fraud.
A third category of phishing scam preys on economically vulnerable individuals or those interested in the stock market. Fraudsters send offers claiming to provide online stock training or help with loan repayment. These messages usually come from unfamiliar numbers or social media accounts that appear legitimate at first glance.
“People in financial difficulty or with a genuine interest in trading tend to fall for these. Please be cautious, always check the credibility of the source,” Awasthi said.
The Cyber Bureau is dealing with a growing volume of such cases. In the current fiscal year, the bureau has already received 13,426 cybercrime complaints, including 217 related to scams involving eSewa, Khalti, and bank accounts. Last fiscal year, 19,730 cases were filed under various types of cybercrime.
Each software installation or malware case requires a detailed reverse-engineering process to trace where the stolen data is being sent. “We try to decipher what is written under the malware and track the destination server,” said Awasthi. “This process is time-consuming and has to be done manually because of limited advanced technical tools and expertise, making the investigation difficult.”
Despite the challenges, the Cyber Bureau is coordinating with digital wallet services and telecom providers to investigate and contain the spread of phishing links. However, the bureau emphasises that prevention starts with the public.
There are clear warning signs users should not ignore. Any message asking to install software, especially with file types like ‘.exe’ or ‘.apk’, should be treated as suspicious.
SMS alerts claiming suspicious activity and urging immediate account verification, including those from shortcodes like ‘The Alert’ or ‘AT Alert,’ are red flags.
Clicking those links or sharing OTPs knocks everything down, Awasthi said. “Original Windows or software companies do not send such messages. Banking wallets never ask for OTPs this way.”
The Cyber Bureau advises users to think before clicking, verify before trusting, and never share an OTP or install unknown software.
“Being cautious online is no longer optional,” added Awasthi. “Please reach out to the official website of the cyber bureau for complaints or further assistance.”
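The warning signs listed in the article, expressed as a message-triage check. This is an added example, not part of the original report or any Cyber Bureau tool; the keyword patterns, reason strings and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse, unquote

# Indicators taken from the article's warning signs; patterns are illustrative.
INSTALLER_EXTS = (".exe", ".apk")
ALERT_SENDERS = {"the alert", "at alert"}
URGENCY = re.compile(r"suspicious activit|temporarily suspended|verify your account", re.I)
OTP_REQUEST = re.compile(
    r"\b(enter|share|send|submit|provide)\b[^.]{0,40}\b(otp|one[- ]time password)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def links_to_installer(url):
    """True if any path or query component of the URL ends in .exe or .apk."""
    parsed = urlparse(url)
    # Decode first so 'tool%2Eapk' and '?f=setup.exe' are caught too.
    decoded = unquote(parsed.path + "?" + parsed.query).lower()
    return any(part.endswith(INSTALLER_EXTS) for part in re.split(r"[/?&=#]", decoded))

def triage(sender, body):
    """Return the warning signs a message matches; an empty list means none."""
    urls = [u.rstrip(".,);") for u in URL_RE.findall(body)]
    reasons = []
    if any(links_to_installer(u) for u in urls):
        reasons.append("link to .exe/.apk installer")
    if urls and URGENCY.search(body):
        reasons.append("urgent account-verification link")
    if urls and sender.strip().lower() in ALERT_SENDERS:
        reasons.append("alert-style sender label with link")
    if urls and OTP_REQUEST.search(body):
        reasons.append("link with request for OTP")
    return reasons

# Constructed sample messages (not real traffic); domains use reserved names.
SAMPLES = [
    ("AT Alert", "Suspicious activities have been detected in your account, and you "
                 "must click the link below to verify your account, otherwise it will "
                 "be temporarily suspended. http://wallet-verify.example/login"),
    ("+000-0000000", "Free stock training app: https://files.example/get?f=TradePro%2Eapk"),
    ("Wallet", "Enter your OTP at http://confirm.example/otp to keep your wallet active."),
    ("MyBank", "Your OTP is 123456. Do not share it with anyone."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", triage(sender, body) or "no warning signs matched")
```

Cloud share links, such as the OneDrive links the bureau mentions, usually do not expose the file extension, so the installer check only catches direct file URLs. The last sample shows that an ordinary OTP delivery message with no link is not flagged.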