India's cyber fraud losses crossed ₹11,000 crore in FY2024 according to the Ministry of Home Affairs, with bank account fraud and UPI scams dominating the numbers. The targets are not only people unfamiliar with technology — educated, urban, digitally active users fall victim to social engineering attacks every day. Most of these frauds follow predictable patterns. Understanding how each scam works, what the red flags are, and what to do the moment you suspect something has gone wrong is the most practical defence available.

Key Takeaways

  • Phishing, vishing, UPI collect scams, and SIM swap are the four most prevalent fraud vectors in India.
  • No bank, RBI, or government body will ever ask for your OTP, PIN, or full card number on a call or message.
  • UPI collect requests require your PIN to send money out — approving one to "receive" money is the fraud mechanism.
  • Report fraud immediately to your bank, the cyber helpline 1930, and cybercrime.gov.in.
  • RBI's Zero Liability policy protects customers who report fraud promptly — delay costs you the protection.

Phishing: Fake Websites and Emails That Steal Credentials

Phishing involves fraudsters creating near-identical copies of bank websites or sending emails that appear to come from your bank, asking you to log in or update your details. The cloned site captures your username, password, and OTP in real time.

Red flags:

  • The URL contains extra characters or a misspelled domain (e.g., hdfcbannk.com instead of hdfcbank.com).
  • The email comes from a Gmail or Yahoo address, not the bank's official domain.
  • Urgent language: "Your account will be suspended in 24 hours."
  • Requests for full card number, CVV, and OTP on the same page — legitimate bank sites never ask for all three together.

Safe habit: Always type your bank's URL directly into the browser or use a bookmark. Never click links in emails or SMS messages, even if they appear to come from your bank.

Vishing: The Fake Bank Call

Vishing (voice phishing) involves someone calling you, impersonating a bank representative, NPCI officer, RBI employee, insurance company, or even a "KYC officer." Common scripts:

  • "Your account will be deactivated unless you complete KYC on this call — please share your OTP."
  • "A fraudulent transaction was flagged. To reverse it, confirm your PIN."
  • "You have won a prize — to credit ₹50,000, share your account details."

The truth: Your bank already has your KYC details. No bank or RBI official will call to ask for your PIN, OTP, CVV, or net banking password. These are never needed on a call for any legitimate bank operation. Hang up immediately; call your bank's official number to verify.

Fraudsters spoof caller IDs to make calls appear to come from official bank numbers. Do not trust caller ID alone.

UPI Collect Scams and Fake Payment Links

The UPI collect scam exploits a feature designed for merchant payments. A fraudster sends you a "collect money" request — which requires you to enter your UPI PIN to authorise it. Victims who believe they are "accepting a payment" instead send money to the fraudster.

Variations:

  • OLX/Quikr fraud: A "buyer" sends a collect request claiming it is for "payment verification." You approve it and the money leaves your account.
  • Fake cashback/refund links: A QR code or link asks you to "scan to receive ₹500 cashback." Scanning and authorising with your PIN sends money out.

The golden rule: receiving money on UPI requires zero PIN entry. If any step asks for your PIN while you expect to receive funds, stop immediately — you are about to send money.

Understanding how UPI actually works makes it easy to spot this manipulation.

SIM Swap Fraud: The Most Technically Sophisticated Attack

In a SIM swap attack, the fraudster has already gathered enough of your personal information (from phishing, data breaches, or social media) to impersonate you at a mobile operator's store or via a fake SIM swap request. They port your mobile number to a SIM they control.

Once they have your number:

  1. All OTPs for net banking, UPI, and credit card transactions now arrive on their SIM.
  2. They log into your net banking using previously obtained credentials and use the OTP to authorise fund transfers.
  3. You notice only when your phone loses network (often at night) — by which time the funds are gone.

Warning signs: Your phone shows "No Service" or "Emergency Calls Only" unexpectedly, especially at unusual hours. Call your operator immediately; do not wait until morning.

Prevention: Set a SIM lock at your carrier. Enable email-based OTP as a secondary factor where available. Avoid sharing your full date of birth, mother's maiden name, and address on public social profiles.

Safe Net Banking Habits: A Practical Checklist

Habits that meaningfully reduce your exposure:

  • Use the official app, not a browser, for banking — apps have certificate pinning that prevents man-in-the-middle attacks. If you use a browser, always verify the HTTPS padlock and the exact URL.
  • Never do banking on public Wi-Fi. Cafes, airports, and hotels run networks that can be intercepted. Use mobile data or a trusted VPN.
  • Enable transaction alerts for every debit via SMS and email — set the threshold to ₹1 so nothing slips through.
  • Set daily transfer limits lower than the maximum in your net banking settings. A ₹50,000 daily limit means even a successful login by a fraudster caps the damage.
  • Do not save net banking passwords in browsers on shared or work computers.
  • Fake banking apps appear in unofficial app stores and even occasionally on Play Store. Download apps only from the link on your bank's official website.

What to Do Immediately After a Fraud

Speed is the most important factor in limiting losses and triggering RBI's zero-liability protection.

  1. Call your bank's 24×7 helpline immediately and report the fraud. Ask them to freeze your account and block all pending transactions. Get a written reference number.
  2. Call the National Cyber Crime Helpline: 1930. This connects to a live operator who can flag the fraudulent account and potentially freeze the funds before the fraudster withdraws.
  3. File a complaint at cybercrime.gov.in (National Cyber Crime Reporting Portal) — this creates an official record and triggers law enforcement.
  4. File a police FIR at your local station or online (many states accept cyber FIRs online). The bank will require this for insurance and liability proceedings.
  5. Under RBI's circular on customer liability: if you report fraud within 3 working days of the fraudulent transaction and the loss was due to bank negligence or a third-party breach (not your own sharing of credentials), your liability is zero. Delay erodes this protection.

Keep records of every communication — call recordings if possible, screenshots of fraudulent messages, and bank statements showing the debit. These are essential for the dispute process.

Frequently Asked Questions

Will the bank refund money lost to online fraud?

It depends on how and when you report. RBI's circular on limiting customer liability (2017) requires zero liability if the fraud resulted from bank negligence and you reported within 3 working days. If it resulted from your own sharing of credentials, liability is yours. Banks investigate each case; a police FIR and prompt reporting significantly improve recovery chances.

Is it safe to save card details on shopping websites?

RBI's card-on-file tokenisation mandate (effective 2022) means major merchants no longer store actual card numbers — only encrypted tokens issued by card networks. Tokenised cards are reasonably safe on large, compliant merchants. Avoid saving card details on unknown or small websites that may not comply with the mandate.

What is the cyber helpline number in India?

1930 is the National Cyber Crime Helpline, operational 24×7. For written complaints, use cybercrime.gov.in. Both are run by the Ministry of Home Affairs. Report as soon as possible — the helpline can freeze beneficiary accounts in real time during business hours.

Can two-factor authentication (2FA) be bypassed?

OTP-based 2FA can be bypassed through SIM swap or real-time phishing (where the fraudster enters your OTP on the genuine site before it expires). Authenticator app-based 2FA (like Google Authenticator) is significantly more resistant because it does not transit through the phone network. Banks currently use SMS OTPs; app-based TOTP is not yet standard in India for banking.

My friend received a suspicious UPI collect request — what should they do?

Decline the request immediately and do not enter the UPI PIN. Report the fraudulent UPI ID to the bank's app (most have a "report fraud" option on the collect request notification) and to NPCI via the BHIM app's fraud reporting section. This flags the ID and can lead to its suspension.

Related Reading

Explore more in Finance →