Wedding season is almost here and while the printed invitation cards are still a thing, most people use WhatsApp and other social media platforms to invite their friends and family to their wedding and this is exactly what scammers are looking forward to in order to target their victims and steal sensitive information and money from their bank accounts.
Just imagine: What if that invitation you just got on WhatsApp isn’t from your cousin or old college friend, but from a scammer trying to rob you? That’s exactly what’s happening with the latest “Wedding Invite Scam” — a clever cyber trick designed to steal your personal and financial information.
So next time you see a “Hi, please join us in our wedding celebration! Here’s the invite.” message on your WhatsApp, you should know that it could very well be one from scammers.
But, the question is how one should know if a wedding invite is genuinely from a friend or family member and what to do and not to do if any such message appears on WhatsApp or any other social media platform for that matter.
Let’s start with how the scam works:
The setup: delivery and social engineering
The scam usually starts with a message from an unknown number or a spoofed familiar contact. The tone is friendly and urgent: a personal invite, a PDF to download, or a link to “view details.” On WhatsApp the attachment may look like an invite image; in reality the filename often ends with .apk or hides a malicious payload. In the email variant the link points to a convincing fake RSVP page that asks for details. Social engineering is crucial — the content is emotionally persuasive, time-bound, and asks for a simple action (download, open, RSVP).
The malware and installation mechanics
On Android, the most common trap is an APK — an app installer. When you try to open it, the phone may request permission to “install apps from unknown sources.” If you grant that, the malicious app installs. Some frauds use a second stage: the app requests accessibility or notification access. Those permissions are powerful: they let an app read notifications (including OTPs), capture screen content, simulate taps, or perform overlay attacks that trick you into entering credentials into fake windows.
On iPhone the process is harder but not impossible: attackers use phishing links that prompt for Apple ID credentials or trick users into installing configuration profiles that open backdoors.
Important: There’s also a slightly different version of this scam. Instead of a WhatsApp message, you might get an email claiming to be from a popular wedding website or an event planner. It includes a link asking you to “RSVP” or “view details.” Clicking on that link leads you to a fake webpage that asks for personal details — like your name, phone number, and address — which the scammers then harvest for identity theft.
What attackers do once inside
Once installed, malware can:
• Read your SMS and notifications to capture one-time passwords;
• Record keystrokes or take screenshots to harvest passwords and bank details;
• Open banking or UPI apps and initiate transfers using intercepted OTPs or session tokens;
• Export contacts and send the same malicious invite to everyone you know;
• Exfiltrate photos, documents and identity data for later fraud or blackmail;
• Lock the device and demand ransom.How to protect yourself
If you ever receive a wedding invitation from an unknown number, pause before you tap. Check the file type — real invitations are usually images or PDFs, never APKs. Avoid installing anything that asks for special permissions, and never disable your phone’s built-in protection settings for unknown apps.
If you’re unsure, verify with the sender directly through a separate channel. And most importantly, keep your phone protected with reliable security software that can detect and block malicious activity.
Should you fall victim to this scam, immediately disconnect your phone from the internet, uninstall the suspicious app, and inform your bank. In India, you can also report the case at cybercrime.gov.in or call the helpline number 1930 for assistance.
Prevention
• Never install APKs from messages or unknown sites; real invites are images or PDFs.
• Refuse requests to enable “install from unknown sources” or grant accessibility access without verification.
• Verify invites through a separate channel (call or SMS the sender).
• Use an authenticator app instead of SMS for 2FA where possible.
• Keep OS and apps updated and install reputable mobile security software.
• Regularly review app permissions and remove apps you don’t recognize.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
