When you use ReddyBook for your betting activities during matches, you are used to the fast pace of the information that you act on, like the odds, chats, payments, logins, etc. Scammers take advantage of that quick pace to get to your access.
ReddyBook frauds are usually not created by hacking the app but rather are started by a routine looking text message or an ‘official sounding’ call, or by a link that you are familiar with at first glance.
This document has information about the common pitfalls that Indian users of the ReddyBook app fall into, how those pitfalls work, and what you can do to prevent losing any money or sharing an OTP with an unintended person.
Someone Just Stole Your OTP
OTP theft is by far the longest running scheme and continues to victimize the most amount of people. Usually, the text arrives just after you have attempted to login to, withdraw from, or reset your password on the ReddyBook app, so it appears related to what you are doing.
The scammer triggers the login attempt or the password reset, then quickly gets you in a panicked state via the phone or WhatsApp with messages such as “please send your OTP, so that I can complete the verification process.” The second you send the OTP, the door is wide open.
Here is a simple rule to follow to stay safe – ‘keep your OTP private every time’. If someone requests your OTP, treat it as if they asked for your ATM PIN.The signs that indicate it could be a scam
The signs that indicate it could be a scam
- They will create a sense of urgency for you: “Two minutes left or your account will be blocked.”
- They will say they are from “support” or “verification.”
- They may ask you to give them your OTP “to confirm your identity” even though as the OTP is the way of verifying your identity.
The “KYC Update” Scam
“KYC pending” is the bait on the hook of many betting app scams in India, with the scammers using screenshots, banner warnings, and an agent offering help to “update KYC” for Reddy Book Com.
Instead of going through a real process to KYC, they will instead take you to a payment request, a QR code to scan, or a session of screen sharing. Once you are taking part in screen sharing, they can see what you type, read your SMS notifications and pressure you to give consent for things that you shouldn’t be giving consent for.
Legitimate verification processes will not require you to send money or make a random UPI payment to someone else’s account.
What the scammers are after
Scammers will ask you for a photo of your Aadhaar or PAN, a live selfie, your UPI PIN, your bank’s SMS notification and SIM based OTPs. With this information, they will be able to attempt to take over your accounts across all apps, not just with Reddy Book Club.
Support Call
The script for the Support Call is Perfectly Authentic
Today’s fraud calls sound more like a competent customer service representative than an idiot. Scammers will identify and tell you about the exact problem you’re having with your account: “Your withdrawal is not complete”, “Your betting cricket ID has been locked”, “Your online cricket ID is waiting to be confirmed and won’t be processed until it is confirmed and approved.” Scammers use social media, chat messages that have been leaked, and general guessing based on game day activity to acquire this information about your account.
Once they have your credentials, the scammer will pivot to provide you access to their ‘Help Desk’ or ‘Help Line’ Telegram channels or apps that provide you with a one-time password (OTP) to connect to your account. Their goal is to continue to mislead you into accessing your account while you are distracted.
Break the cycle
- Don’t argue with the scammer. Don’t engage in any negotiations with them. Just hang up.
- Always access your accounts through the app you originally downloaded to your phone; do not use any of the links provided by the scammer to access your accounts.
Fake Links
Fake Links: One Little Letter Means Big Trouble for You
This is where the majority of ReddyBook users are trapped. The spam sites and shortened links will look very similar to the real sites and most of the time you’ll miss the spelling change at first glance.
Scammers will promote these links in Telegram groups, Instagram comments, and even through paid advertisements on cricket-related sites and memes. If you use one of these links, the scammers will promise fast login processing, new sign-up bonuses, and expedited cricket ID verification.
Once you enter your username and password information on these fake pages, either the page takes your information or it will prompt you to download an APK file, which will give the scammer access to and steal your notifications and messages.
A Safer Habit to Protect Your Account from Scammers
Create a bookmark to save the page you originally signed up for. Never trust the links someone you do not know (no matter who they claim to be) sends you as a new link for the Reddy Book Club.
Fake APKs
Fake APKs: How to Steal Your Phone
When someone approaches you asking for an APK download “to make your login easier,” consider this a red flag. Android’s Permissions can be leveraged by an attacker to gain access to an individual’s SMS messages, use the accessibility service and read notifications. Thus, they will be able to intercept One-Time Passwords (OTPs) and alerts about transactions made in your banking account without you ever being aware of it.
Many fake apps imitate a companies logo, colour scheme and/or the login screen exactly. The difference between them and the real thing is the programming behind the scenes which allows the application to forward messages and provide fake payment screens.
If you see a message asking for Accessibility Permissions for a sports betting application, think carefully. Accessibility Permissions are generally used for overlaying screens and to allow the application to approve actions.
There Are No “Admins”
There Are No “Admins” in Your Group Chat
In the cricket community, we are a family; we follow the same people during each IPL season and while the Indian national team tours overseas. This builds a fraternity that scammers take advantage of.
Scammers will create polished profiles and join your group chat. They will give the impression that they are being helpful by saying “I can provide you with your ID for your cricket betting app” or “I can help you recover your account” or “DM me your registered phone number” and then get small wins from you. Ultimately, they will have gained your trust by providing you with a few small wins before they ask you for something sensitive.
Desi style social engineering is a blend of familiarity, urgency and of course enough cricket talk to establish trust.
The two questions that will expose scammers:
- Can the scammer verify your identity without asking for One-Time Passwords (OTPs), UPI PINs, or a screen share?
- Can they verify your identity using the official flows of the application?
If the answer to either of these questions is no, it’s likely that the individual is not legitimate Technical Support.
Cricket Match Night Equals Scam Night
When you are distracted during a cricket match, scammers seize the opportunity to take advantage of you.A last-minute chase, batting collapses, a Super Over, and a nail-biting finish in the IPL will get users in a hurry for logins, deposits, withdrawals, and decisions.
Why do scams spike when there is a last-minute chase in an IPL match?
Because of distraction: While you track cricket bets or check cricket betting online, the perpetrator wants you to try to do two things at once.
SIM Swap Fraud and Number Recycling
The Quiet Risk: SIM Swap Fraud and Number Recycling
Takeovers are not all conducted via links. SIM swaps go after the phone number to capture OTPs at the provider level.
When a SIM suddenly doesn’t work, when calls to your cell phone don’t connect, when you receive a “SIM Not Provisioned” error message on your phone, treat it as an emergency — this can be instantaneously; it has taken just moments for individuals in India to hijack OTP-based logins and reset passwords using this method.
Number recycling is slower, but it’s real. Once the phone number is released to the new user, any old accounts associated with that phone number become vulnerable if those accounts have open sessions or if the account holder uses low-level password-recovery options.
The fraud doesn’t stop with hijacking; a hijacked ReddyBook can be used as a back door into your savings accounts and payment methods, contact lists, and even screenshots saved in your phone’s gallery.
They may use your account to send messages to your friends like, “Bro, can you send me 2k ASAP?” The secondary fraud spreads very fast among cricket followers because of the high level of trust between friends.The goal is not to just “steal balance,” but to “steal identity” and do it again.
A 90-Second Pre-Login Routine
A 90-Second Pre-Login Routine to Reduce Risk
You do not need to have any technical expertise; all you need is a simple routine to repeat every time you log into an account.
| Step 1: | Check the external link or the app source. Use the link from the home screen of your device instead of an external message. When using an external link, use a bookmark that you created to ensure it is safe. |
| Step 2: | Tighten up your phone by adjusting the settings to block notification previews on the lock screen—OTP’s should not flash in public view. Set a screen lock that you will actually use instead of “none.” |
| Step 3: | Keep your passwords unique; this means not reusing passwords on different cricket betting accounts and social networking apps. If your password becomes compromised in one application, it poses an immediate risk in a different application. |
| Step 4: | Establish a hard boundary; there will never be screen sharing, remote support tools, or verification calls. If you have legitimate support, there will never be a need for someone to view your screen. |
What Happens If You Have Already Shared Something
Panic serves no purpose; Action will provide you with the safety you need.
Change your password immediately; use the official app or site—log out of other sessions if that feature is offered on that platform.
If you have made a payment or shared your UPI details, call your bank and check transactions regularly for the next 24-48 hours. If you think you may have been the victim of a SIM swap attack, contact your telecom provider and secure your SIM first.In case a scammer gains access to our account or online cricket id, we recommend documenting every interaction with the scammer or any account they may have created in our name, like screenshots, UPI (Unified Payment Interface) ID, transaction numbers, chat logs, and timestamps. It would also be helpful to file a complaint with either the National Cyber Crime Reporting Portal or your local police station, as having a paper trail will help when you possibly have to dispute your transaction(s).
Safer online betting habits for Online cricket_id and Online betting_id.
If you have an online betting account or an online cricket id, you should treat your online cricket id just like you would your bank account and not a casual login. You should not use your online cricket id on any devices that you share with anyone else. You should also avoid using a cyber cafe to log in or create an online cricket id. Also, avoid using any public wi-fi network when making either a deposit or a withdrawal from the site.
Keep your social media accounts free from anything that shows either transaction numbers, registered numbers, or even parts of your email address. By posting just these small bits of information, you can easily become a targeted victim for scam artists.
If you belong to a ReddyBook club group, make sure that everyone pushes the information to keep your ReddyBook group safe, i.e. pinning the official link to the group, banning any random support agents that may pop up in the group, and warning new members about how OTPs are used as a method for scammers to gain access to your account.
Remember what to do before you log in to ReddyBook again.
When attempting to log into ReddyBook you should not ever send your OTP by phone, whatsapp or any other verification method.
When doing KYC, KYC does not require a personal UPI transfer, as scammers tend to ask for personal transfers or qr codes, as both of these are common scams.
Never take a link that you were sent, instead you should always click on the bookmark of ReddyBook or use the app icon, and that way you will always be able to verify that it is the correct site.
If someone asks you to screen share during a conversation, that is an immediate end to that conversation.
In the moments leading up to, and during the match, you should take 10 seconds more than you normally would when in a rush, as the longer you take to think about your actions, the less likely you are to be scammed.
Final Whistle.
Users of ReddyBook and all other cricket betting apps do not get their accounts stolen only by a highly skilled hacker, most users lose their accounts due to pressure that pushes them to act without thinking.
If you keep your OTPs to yourself, refuse requests to screen share and only log into your betting account through official link, you are reducing the likelihood of being scammed. The next time there is a big match and you take the time to do these three simple steps, you may have a great night watching the game instead of worrying about how to get your money back.