Your bank account will not be blocked today because of KYC. That SMS or call saying "your account will be blocked in 2 hours, update KYC immediately" is a scam designed to rush you into clicking a link or installing a screen-sharing app. If you got this message: do not click the link, do not call the number in the SMS, and do not install any app. Close the message. If you are worried, open your bank's own app or call the number printed on the back of your debit card. That is the only safe way to check your KYC status.
What is the KYC update scam
KYC means "Know Your Customer" — the paperwork and ID checks banks are legally required to keep current on every account. Real KYC updates happen occasionally, are never urgent within hours, and never require you to install a screen-sharing app. Scammers impersonate this real process because it sounds official and scary at the same time — the two ingredients that make people act before they think.
How the scam actually works
The scam nearly always follows the same script, whether it arrives as an SMS, a WhatsApp message, or a phone call.
Step 1 — The trigger message. You get an SMS or WhatsApp text that looks something like: "Dear customer, your KYC is expired. Your account will be suspended today. Update immediately: [link]" or "Your PAN is not linked, wallet will be blocked in 24 hours." Sometimes it comes as a phone call instead, from someone claiming to be a "bank KYC officer," speaking in a mix of Hindi and English, sounding polite but firm about the deadline.
Step 2 — The fake link or the "helpful" app. The link opens a page that looks like your bank's website or a UPI app's login page. It asks for your account number, debit card number, CVV, expiry date, and the OTP that arrives next. In the phone-call version, the caller instead asks you to install a screen-sharing app — commonly one used for remote tech support — so they can "verify your KYC from their end" or "guide you through the update." Once that app is running, they can see everything on your screen, including your banking app, your balance, and any OTP that appears.
Step 3 — The capture. Whether through the fake page or the screen-sharing app, the scammer now has what they need: your card details, your net banking credentials, or a live view of your phone while you unknowingly approve a transaction. Some versions ask you to enter a "refundable KYC verification fee" of a small amount — this is also just a way to capture your card and OTP.
Step 4 — The drain. Money moves out, often in multiple small transactions to avoid triggering fraud alerts, or one large transaction while you are still on the call being told to "please wait, the process is running."
The red flags
| What the message or caller does | What a real bank does |
|---|---|
| Threatens account block within hours | Sends written notice with weeks of lead time, through registered channels |
| Sends a link to "update KYC" via SMS/WhatsApp | Directs you to log in to the official app or visit a branch — never a random SMS link |
| Asks you to install a screen-sharing app | Never asks for remote access to your phone or laptop |
| Asks for OTP, CVV, or full card number over a call | Never asks for OTP, CVV, PIN, or full card number over any call |
| Uses a shortened or unusual-looking link | Uses the bank's own verified domain |
| Creates panic and rushes you off the phone | Gives you time and offers a callback via the number on your card |
| Asks for a small "verification fee" to complete KYC | KYC updates carried out by the bank are free |
Know your vulnerabilities before attackers do
Run a free VAPT scan — takes 5 minutes, no signup required.
Book Your Free ScanWhat real RBI-regulated KYC actually looks like
The Reserve Bank of India's Master Direction on KYC requires periodic re-verification, but it is a routine, low-pressure process — not a same-day threat. Banks are expected to give customers reasonable notice, usually through statements, emails from the bank's own registered domain, in-branch notices, or their official app — never a single urgent SMS with a countdown. RBI has repeatedly cautioned the public, including through its "Be(a)ware" awareness campaign, that banks do not ask for confidential details like PIN, OTP, or CVV over phone, SMS, or email, and that customers should never share these with anyone claiming to represent the bank (source: RBI public awareness communications, rbi.org.in). If your KYC genuinely needs updating, you can always find out by opening your bank's app directly or walking into a branch — never by clicking a link that arrived unannounced.
or call"] --> B{"What you
do next"} B -->|"Click link or
install screen-share app"| C["Credentials and
OTP captured"] C --> D["Account drained"] B -->|"Open official
bank app only"| E["No details entered
anywhere unverified"] B -->|"Call number on
back of card"| F["Bank confirms
real KYC status"] style A fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0 style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0 style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0 style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0 style E fill:#1e3d2f,stroke:#10B981,color:#e2e8f0 style F fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
If it is happening right now
Stop. Do these things in order.
- Do not click the link. Do not open it "just to see." Close the message.
- Do not install any app the caller asks you to install, no matter how helpful it sounds.
- Do not share any OTP with anyone, even if they claim to be from your bank, RBI, or "cyber cell."
- Hang up if you are on a call and feel rushed. A real bank will not mind if you call back.
- Verify independently. Open your bank's app yourself, or call the number printed on the back of your debit/credit card — never the number the SMS or caller gave you.
- If you already clicked the link but have not entered anything, close the browser tab and do not proceed further. Consider changing your net banking password from a device you trust.
If you have already paid or shared details
Speed is everything here. The first hour after money leaves your account is when recovery is most likely, because banks and NPCI can sometimes freeze funds still sitting in the receiving account before they are withdrawn or moved further.
- Call 1930 — the National Cyber Crime Helpline — right away. This is the fastest route to getting a hold request placed on the receiving account.
- File a complaint at cybercrime.gov.in, the government's National Cyber Crime Reporting Portal, even if you have already called 1930. The online complaint creates a formal record.
- Call your bank immediately — use the number on your card, not any number from the scam message — and ask them to freeze the affected account or card, block further transactions, and open a dispute or chargeback process.
- Preserve every piece of evidence: screenshots of the SMS or chat, the phone number that called you, the transaction ID or UTR number, the exact time of the transaction, and the amount. You will need these for both the police complaint and the bank dispute.
- Change your net banking and UPI PINs from a different, trusted device once you are safe.
How to protect family, especially elderly parents
Elderly parents and less tech-familiar family members are frequent targets because scammers count on politeness and a reluctance to question anyone who sounds official.
- Tell them plainly: no bank will ever ask for an OTP, CVV, or PIN over a phone call, SMS, or email — not once, not ever.
- Save the real bank helpline number in their phone under a clear name like "Bank — Real Number."
- Agree on a family rule: if any message about KYC, blocked accounts, or urgent payments arrives, they call you or another family member before doing anything else.
- Remind them that a real bank never needs remote access to their phone or laptop to fix anything.
This kind of fraud pattern has been documented and warned against by Bachao.AI, a consumer scam-awareness initiative from Dhisattva AI Pvt Ltd, based on RBI's public guidance and I4C's national fraud reporting data.