21 Jun 2026 · 7 min read
Every new privacy law creates a new genre of scam — fraudsters who exploit users' fresh uncertainty about their rights. GDPR did this in Europe in 2018; CCPA did it in California in 2020. India is now entering the same window with the DPDP Act 2023 and the DPDP Rules 2025. Scammers know that most Indian users have heard 'DPDP' but don't yet know what a real DPDP communication looks like. That gap is the attack surface.
**Scam 1 — Grievance Officer phishing.** Under Section 8(10) of the DPDP Act every Data Fiduciary must publish a Grievance Officer's name and email. Scammers harvest these names from real privacy policies and then send fake escalation emails: 'I am the Grievance Officer for [Big Brand]. We received your complaint and need to verify your identity. Please click here to confirm your PAN, address and bank details.' The names are real; the emails are not. **How to spot it:** legitimate Grievance Officers do not ask for PAN, Aadhaar, bank or card details over email. Section 8(7) of the DPDP Act requires data minimisation — they already have what they need from your account. Any request that demands fresh KYC is a phishing attempt.
**Scam 2 — fake 'review your consent' SMS.** 'As per DPDP Act 2023, please re-confirm your consent for [Bank Name]. Reply YES or click here.' Banks do not work this way. The DPDP Act does not require existing customers to 're-consent' over SMS. **How to spot it:** real consent renewal happens inside the bank's app or net-banking portal, not via SMS link. Any DPDP-themed SMS with a shortlink is almost certainly a SIM-swap precursor or a credential-harvest page.
**Scam 3 — 'claim your DPDP refund / compensation'.** A new variant: emails or WhatsApp messages telling users they're entitled to a 'DPDP compensation payout' for past data misuse, with a form to claim it. There is no such scheme. The DPDP Act creates penalties payable to the state, not compensation payable to individuals. The Data Protection Board collects penalties from non-compliant Data Fiduciaries; it does not disburse cash to citizens.
**Scam 4 — fake withdraw-consent landing pages.** Search 'withdraw consent [Brand Name]' on Google and you'll find — alongside the real brand pages — a growing number of lookalike pages that demand a one-time payment 'to process your DPDP withdrawal request'. The DPDP Act prohibits charging for the exercise of rights. Section 6(4) and the Rules make withdrawal free and as easy as the original consent. **How to spot it:** if a 'withdrawal' page asks for any payment, it is fraudulent.
**Scam 5 — impersonation of the Data Protection Board.** Voice calls, SMS, or emails claiming to be from 'DPB' or 'Ministry of Electronics and IT' telling you that you've violated the DPDP Act and must pay a fine. The Board does not collect fines from Data Principals (other than the ₹10,000 frivolous-complaint penalty, which is adjudicated, never demanded over phone). Real Board communication is by Gazette notification and formal letter, not by phone calls demanding UPI transfers.
**What real DPDP communication looks like.** A legitimate Section 5 notice arrives in-product or by email tied to your existing account, names a real Grievance Officer at a brand domain (not gmail / outlook), references specific purposes and data categories, and gives you a working unsubscribe / withdrawal link without payment. A legitimate breach notification names the breach, the data categories affected, the date of detection, the steps taken, and contact details — and is sent within 72 hours of the brand becoming aware. A legitimate rights-request response arrives within the SLA the brand has published.
**Three rules that defeat almost every DPDP-era scam.** (1) Real DPDP communication never demands a payment to exercise a right. (2) Real DPDP communication never asks for fresh Aadhaar, PAN, OTP or bank credentials. (3) Real DPDP communication arrives from a brand-controlled email domain — not gmail, not an SMS shortlink, not a WhatsApp forward. Internalise those three and the entire genre collapses.
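As an added example (not part of the original post), here is a small Python screen that applies the three rules above to an incoming message and reports which rules it breaks; the brand domain `example-bank.in`, the sender addresses and the message bodies are all constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Heuristic triage for DPDP-themed messages, built on the three rules above.
# Assumption: the brand's real domain is known (here the constructed "example-bank.in").
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
SHORTLINKS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
ADDR_RE = re.compile(r"@([\w.-]+)")
# Rule 1: a demand for payment to exercise a right.  Rule 2: fresh KYC or credentials.
PAYMENT_RE = re.compile(r"\b(pay|payment|fee|upi)\b|₹\s*\d", re.I)
KYC_RE = re.compile(r"\b(aadhaar|pan|otp|cvv|card number|net ?banking password|account number)\b", re.I)

def in_brand_domain(host, brand_domain):
    """True only for the brand's own domain or a subdomain of it, never a lookalike."""
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)

def screen(message, brand_domain):
    """Return the sorted list of rule numbers (1-3) the message breaks; [] means it passes."""
    body = message["body"]
    broken = set()
    if PAYMENT_RE.search(body):
        broken.add(1)
    if KYC_RE.search(body):
        broken.add(2)
    m = ADDR_RE.search(message["from"])
    sender = m.group(1).lower() if m else ""
    if sender in FREEMAIL or not in_brand_domain(sender, brand_domain):
        broken.add(3)  # free-mail sender or a domain the brand does not control
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTLINKS or not in_brand_domain(host, brand_domain):
            broken.add(3)  # shortlink or off-brand link in the body
    return sorted(broken)

# Constructed samples: one legitimate notice and two of the scam patterns described above.
BRAND = "example-bank.in"
LEGIT = {"from": "Grievance Officer <grievance@example-bank.in>",
         "body": "Our privacy notice has been updated. Review or withdraw consent at "
                 "https://privacy.example-bank.in/consent - withdrawal is free."}
GRIEVANCE_PHISH = {"from": "Grievance Officer <grievance.officer.examplebank@gmail.com>",
                   "body": "We received your complaint. Confirm your PAN and account number at "
                           "https://bit.ly/dpdp-verify within 24 hours."}
WITHDRAW_FEE = {"from": "DPDP Desk <dpdp@example-bank-privacy.in>",
                "body": "Pay ₹499 via UPI to process your DPDP consent withdrawal: "
                        "https://example-bank-privacy.in/withdraw"}
```

The screen is a triage aid, not a verdict: a message that breaks no rule still deserves the in-app check the post recommends.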
**If you've been targeted.** Report it to the brand (most have a security@ or grievance officer email), to CERT-In via the National Cyber Crime Reporting Portal at cybercrime.gov.in, and — once the Data Protection Board's complaint portal is live — file a complaint there as well. The pattern matters more than any one case: enforcement priorities follow complaint volume. The faster Indian users recognise and report these scams, the faster they get shut down.
Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.