Cyber Bureau warns of phishing scams targeting bank and digital wallet users
Phishing SMS attacks have been increasing since March, according to the bureau.
Post Report
Nepal Police’s Cyber Bureau has warned of a surge in SMS phishing scams designed to steal banking credentials and drain funds from digital wallets and bank accounts.
In a press release issued on Friday, the bureau confirmed that attackers are exploiting compromised bulk SMS service accounts to send fake alerts mimicking trusted platforms like Khalti and ConnectIPS.
Bulk SMS systems are commonly used by banks, service providers, and organisations to broadcast alerts, OTPs, and transaction notifications to large user bases.
However, unauthorised access to these platforms, typically via compromised vendor credentials, has allowed attackers to disseminate deceptive messages that appear official.
The fraudulent messages, often sent via shortcodes like ‘AT_Alert’ or ‘THE_Alert,’ mimic official alerts.
Messages flagged by the bureau include: “Your account will be locked in 6 hours. Verify immediately,” and “Your connectIPS linked accounts have been suspended due to security reasons. Please complete the self-verify process https://rb.gy/jlrvw2 to regain access.”
These messages create panic and pressure users to click on links that lead to spoofed login pages. Once users input their credentials, cybercriminals gain access to linked bank or wallet accounts and siphon off the funds.
According to the bureau, phishing SMS attacks have been increasing since March. Victims, often caught off guard by the urgency of the messages, are tricked into entering OTPs or downloading malicious apps that give hackers complete control over their devices.
Superintendent of Police Deepak Raj Awasthi, spokesperson for the bureau, earlier said that attackers have been using cloud services like OneDrive to host malware disguised as loan calculators, trading apps, or security verification tools. These come in formats such as ‘.exe’ for desktops and ‘.apk’ for Android devices.
Once installed, the malware grants hackers remote access through tools like AnyDesk, allowing them to monitor screens, extract saved passwords, and operate accounts in real time. The stolen credentials are often stored on foreign servers and used in coordinated fraud campaigns.
The recurring tactic in all of these SMS phishing messages is that they falsely claim account suspension, pressuring users to click on links and input verification codes.
With electronic fraud on the rise, the Cyber Bureau has urged the public not to click on suspicious links. In cases of doubt or confusion, individuals are advised to contact their bank, digital wallet service provider, or the nearest police station.