Online safety & scams · Beginner · 9 min read

How to spot phishing and account-takeover scams

Most hacked accounts start with a single trick: phishing. Learn how to recognise fake login pages, OTP scams, and 'your account is suspended' messages so you never hand over your password or code in the first place.

Strong passwords and two-factor authentication are powerful, but both can be defeated by one mistake: voluntarily handing your login or one-time code to a scammer who tricked you. This is called phishing, and it is how the majority of account takeovers begin.

Phishing works by creating fear or excitement and rushing you to act — 'your account will be deleted', 'you won a prize', 'confirm your eSewa now'. In that panic, people type their password into a fake page or read out an OTP they should never share.

This guide teaches you to slow down and spot the signs, so attackers never get the chance — protecting your Facebook, Gmail, bank and wallet accounts at the source.

What phishing is and why it works

Phishing is when a scammer pretends to be a trusted organisation — Facebook, Google, your bank, eSewa, Khalti, a courier, the police — to trick you into giving up your password, OTP, card details or money.

It works because it exploits emotion, not technology. A message that makes you scared (an account will be closed), greedy (you won money), or curious ('see who viewed your profile') pushes you to click and act before you think. Recognising that emotional pressure is your first line of defence.

Common phishing tactics in Nepal

Phishing reaches you by SMS, email, Messenger, Viber, WhatsApp, phone calls and even fake ads. Watch for these patterns:

  • Fake login pages: a link that opens a page looking exactly like Facebook or Gmail and asks you to 'log in again'.
  • OTP theft calls: someone claiming to be from your bank, eSewa or Khalti asks you to read out the OTP or code you just received.
  • 'Account suspended / verify now' messages with an urgent link and a deadline.
  • Prize, lottery, lucky-draw, or 'cash reward' messages asking for details or a small 'fee'.
  • Fake job, loan or remittance offers asking for an advance payment or your login.
  • Messenger messages from a hacked friend's account asking you to 'vote', click a link, or send money.

The golden rule: never share your OTP, PIN or password

No legitimate organisation will ever ask for your password, OTP, MPIN, CVV or card PIN — not your bank, not eSewa, not Khalti, not Facebook, not the police, not 'IT support'. Anyone who asks is a scammer, full stop.

An OTP is a one-time key to your money or account. Scammers often call right after triggering a login or transaction, then pressure you to read the code 'to cancel' or 'to verify'. The moment you read it out, they are in. Treat every OTP as a secret you tell no one.

If you think you fell for it: act fast

Mistakes happen. If you entered your password or OTP somewhere suspicious, move quickly to limit the damage:

  • Change the password on that account immediately, and anywhere you reused it.
  • Turn on two-factor authentication if it was not already on.
  • Sign out all other devices/sessions from the account's security settings.
  • If money or a wallet/bank account is involved, contact your bank, eSewa or Khalti at once to freeze or report the transaction.
  • If a card was exposed, block the card through your bank's app or helpline.
  • Warn anyone who might be targeted next (friends, family) and report the scam.

Where to report scams and fraud in Nepal

Reporting helps protect others and may help your case. For online fraud and cybercrime, you can contact the Nepal Police Cyber Bureau, which handles cybercrime complaints. For financial fraud, report immediately to your bank's official helpline and to the wallet provider (eSewa, Khalti) through their official app or support channels.

Always find official contact details from the organisation's genuine website or the back of your bank card — never from the suspicious message itself, which may list a fake helpline number designed to keep you talking to the scammer.

Key takeaways

  • Phishing causes most account takeovers — it tricks you into giving your login or OTP, defeating even strong security.
  • Scams create fear or excitement to rush you; slowing down is your best defence.
  • Never log in through a link in a message — open the official app or type the address yourself.
  • Never share your password, OTP, MPIN, CVV or PIN with anyone, for any reason — no real organisation asks.
  • Check the exact web address: real sites are facebook.com, google.com, esewa.com.np, khalti.com.
  • If you slip up, change passwords, enable 2FA, sign out other devices, and contact your bank/wallet immediately.

How to Spot Phishing and Account-Takeover Scams Before You Get Hacked — FAQ

How can I tell a fake login page from the real one?

Check the web address bar carefully for look-alike spellings (extra letters, numbers replacing letters, wrong endings like .net instead of .com.np). When in doubt, do not log in via the link — close it and open the official app or type the address yourself.
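The address check described in this answer, and in the key takeaways above, can be made mechanical. The Python script below is an added example written for this guide; it is not code from the site or from any of the services named. It assumes a tiny stand-in for the Public Suffix List (only the endings the samples need) and uses constructed sample links, not real scam addresses. It extracts the part of the address that actually identifies the site owner, compares it with the four genuine domains the guide lists, and flags names that merely resemble them: the real name hidden in a subdomain, the right name with the wrong ending, digits standing in for letters, or one letter added, changed or dropped.

```python
"""Check whether a link's web address really belongs to one of the genuine
sites named in the guide, or merely looks like one. Added example, not the
site's own code."""
from urllib.parse import urlsplit

# Genuine domains listed in the guide's key takeaways.
GENUINE_DOMAINS = ("facebook.com", "google.com", "esewa.com.np", "khalti.com")

# Assumption: a tiny stand-in for the Public Suffix List, covering only the
# endings this demo needs ("com.np" must be tried before "np").
PUBLIC_SUFFIXES = {"com", "net", "org", "np", "com.np"}

# Digit-for-letter swaps used in look-alike names (0 for o, 1 for l, ...).
DIGIT_SWAPS = str.maketrans("013458", "oleasb")


def hostname_of(link: str) -> str:
    """Lower-cased hostname of a link; a bare 'site.com' is accepted too."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """The labels that identify the site owner: 'login.esewa.com.np' -> 'esewa.com.np'.
    Everything to the left is a subdomain the page owner can set freely, which is
    why 'facebook.com.verify-login.net' belongs to verify-login.net, not Facebook."""
    labels = host.split(".")
    for n in (2, 1):  # longest public suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(link: str) -> str:
    """Return 'genuine', 'look-alike' or 'unknown' for a link."""
    host = hostname_of(link)
    domain = registrable_domain(host)
    if domain in GENUINE_DOMAINS:
        return "genuine"
    site = domain.split(".")[0]  # the owner's name without its ending
    for genuine in GENUINE_DOMAINS:
        real_site = genuine.split(".")[0]
        # The real name buried in a subdomain: facebook.com.verify-login.net
        if f".{genuine}." in f".{host}.":
            return "look-alike"
        # Right name, wrong ending (esewa.net) or name embedded in another
        # (khalti-support.com)
        if real_site in site:
            return "look-alike"
        # Digit swaps (faceb00k) or one letter added/changed/dropped (gooogle)
        if site.translate(DIGIT_SWAPS) == real_site or edit_distance(site, real_site) == 1:
            return "look-alike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, not real scam addresses.
    for link in ("https://www.facebook.com/login", "https://esewa.com.np/",
                 "http://facebook.com.verify-login.net/", "https://faceb00k.com/",
                 "https://esewa.net/", "https://khalti-support.com/",
                 "https://example.org/"):
        print(f"{classify_link(link):10s} {link}")
```

A result of "unknown" only means the address is neither on the short genuine list nor an obvious imitation of it; the guide's rule still applies, so open the official app or type the address yourself rather than trusting the link.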

A caller says they're from my bank and need the OTP to 'verify' me. Is that real?

No. Banks, eSewa and Khalti never ask you to share an OTP, PIN or password by phone, SMS or chat. Anyone who asks is a scammer trying to get into your account. Hang up and call the bank using the number on your card or its official website.

I clicked a phishing link but did not enter anything. Am I hacked?

Usually clicking alone is low-risk if you did not type your login or download anything, but stay cautious. To be safe, do not enter any details on the page, close it, and run a security scan if you downloaded a file. If unsure, change the relevant password anyway.

Where do I report cybercrime or online fraud in Nepal?

Report online fraud and cybercrime to the Nepal Police Cyber Bureau, and report financial fraud immediately to your bank's official helpline and your wallet provider (eSewa or Khalti) via their official app. Get contact details from genuine official sources, not from the scam message.

Why do scam messages often come from my friends?

Because their account was hacked, and the scammer uses it to message everyone on their friend list — trusted names get more clicks. If a friend sends an unusual link or money request, verify with them through another channel before acting.
