OTP fraud is when a scammer already has some of your card, bank, or account details and calls, texts, or messages you with a made-up reason — a delivery to verify, a refund to confirm, a KYC update, a "security check" — to talk you into reading out the one-time password (OTP) that just landed on your phone. The single most important thing to know: an OTP you did not ask for means someone is trying to move money out of your account right now. Do not read it to anyone. Do not type it anywhere. Hang up, and call your bank on the number printed on your card.
How the OTP fraud script actually works
OTP fraud is not a hacking attack. Banks and NPCI, which runs UPI, both say the same thing: fraudsters almost never break into the banking system itself. They get you to hand over the last key yourself. The pattern is always the same shape, only the pretext changes.
Step 1 — the attacker already has a piece of your information. This could be your card number and expiry, from a data leak or a phishing message you clicked earlier, your mobile number, or your name and bank from a previous "wrong number" call. They only need enough to start a transaction, a login, or a card purchase that your bank will then ask you to authorise.
Step 2 — they trigger something on your account. This could be an online purchase using leaked card details, a password reset attempt, registering your bank account on a UPI app on a new device, or a "linking" request on a lending app. This is what makes your phone buzz with a genuine OTP from your genuine bank or payment app.
Step 3 — they call, timed to the OTP. A typical version goes like this: the phone rings seconds after the OTP arrives. The caller claims to be from your bank's fraud team, a courier, or an electricity board processing a refund. They say a payment failed, a delivery needs confirming, or KYC must be updated today or the account will be blocked. They ask you to "just read out the code you just received so I can verify it's really you."
Step 4 — you read the OTP, and the transaction completes. The OTP was never proof of your identity to them. It was the authorisation code for the transaction they triggered in Step 2. The moment you say it or type it, the debit goes through.
Step 5 — the money is gone, usually within seconds, often routed through several accounts before you have even hung up the phone.
card or account details] --> B[Triggers a transaction
or login attempt] B --> C[Calls with a pretext
refund, KYC, bank check] C --> D{Do you read out
the OTP} D -->|Yes| E[Transaction is
authorised by you] E --> F[Money is gone] D -->|No, hang up| G[Never read an OTP
aloud to anyone] G --> I[Call your bank on the
number on your card] style A fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0 style B fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0 style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0 style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0 style E fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0 style F fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0 style G fill:#1e3d2f,stroke:#10B981,color:#e2e8f0 style I fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
The pretext on the phone changes constantly, but it is always built to create urgency and to sound like routine paperwork. Common ones reported by victims include a courier saying a parcel is stuck and needs an OTP to "release" it, a bank caller saying a suspicious transaction needs to be "cancelled" by reading a code, a lending app saying KYC will lapse today, and a refund for an overcharge that needs an OTP to be "credited." None of these are real. No delivery, refund, or KYC process anywhere in India requires you to read out an OTP over a phone call.
The red flags that should make you stop
| What is happening | What it usually means |
|---|---|
| A call arrives within seconds of an OTP SMS | The caller triggered the transaction and is waiting for the code |
| You are told to read the OTP "to verify" or "to cancel" something | Real verification never needs your OTP — the OTP itself already went to the account holder |
| You are asked to enter your UPI PIN to "receive" a refund or payment | UPI PINs authorise money going out, never coming in — this is always fraud |
| The caller creates urgency — "account will be blocked today," "parcel will be returned" | Pressure is designed to stop you from thinking or calling the bank to check |
| The caller already knows your name, partial card number, or address | Confidence built from a data leak, not proof they are your bank |
| You are asked to install a remote-access app like AnyDesk or TeamViewer to "fix" something | No bank or payment app needs to see or control your screen |
If it is happening right now
If you are reading this because your phone just buzzed with an OTP you did not ask for, or someone is on the call with you right now:
- Hang up. Do not stay on the line "to be polite" or to hear them out. A real bank representative will never be upset that you called back on your own.
- Do not read the OTP, PIN, CVV, or expiry date to anyone, no matter what badge, employee ID, or urgency they claim.
- Do not enter your UPI PIN for any reason a caller, message, or QR code gives you for "receiving" money.
- Do not install any remote-access or screen-sharing app they ask for, even if they say it's to "protect" your account.
- Verify independently. Call your bank only on the number printed on the back of your card or on the bank's official website — never a number the caller gives you, and never by calling back the number that just called you.
- If you already typed or spoke the OTP before realising, move straight to the recovery steps below. Every minute matters.
Know your vulnerabilities before attackers do
Run a free VAPT scan — takes 5 minutes, no signup required.
Book Your Free ScanIf you have already shared the OTP or already paid
This is the part where speed decides whether the money can be saved. Do not spend time feeling embarrassed first — do these in order, immediately.
- Call 1930 — the National Cyber Crime Helpline — right now. This is the fastest route to getting the receiving account frozen before the money moves further. It is free and works across India.
- File a complaint at cybercrime.gov.in, the National Cyber Crime Reporting Portal run by the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs. This creates the official record banks and police act on.
- Call your own bank's official helpline (from the number on your card, not from any message) and ask them to freeze the account, block the card, and raise a dispute or chargeback on the transaction.
- Preserve every piece of evidence: screenshots of the messages, the caller's number, the transaction ID or UTR (Unique Transaction Reference) from your bank SMS or app, and the exact time it happened. You will need these for both the police complaint and the bank dispute.
- Change your net banking and UPI app passwords and PINs from a device you trust, in case more than one credential was exposed.
How to protect elderly parents and family
Elderly parents and less tech-familiar family members are disproportionately targeted because OTP scams rely on unfamiliarity with how banking apps actually work, and on respect for anyone who sounds official. A few things genuinely help:
- Tell them plainly, more than once: no bank, courier, or government office will ever call and ask you to read an OTP or enter a UPI PIN to receive money. Repetition matters more than a single conversation.
- Save your own number and the bank's official helpline number in their phone under clear names, so they have somewhere real to call before acting on any "urgent" request.
- Encourage them to hang up on any unexpected call involving money and call you or the bank back — a five-minute delay costs nothing; an immediate OTP costs everything.
- If they use UPI, remind them specifically that entering the UPI PIN is always for sending money, never for receiving it — this single fact defuses most refund and cashback pretexts aimed at older users.
The chart above is illustrative of the categories victims commonly describe when they report OTP fraud, not a precise measured statistic — the exact wording of the pretext changes constantly, but it almost always falls into one of these buckets.
Frequently asked questions
Frequently Asked Questions
Why did I get an OTP if I did not do anything?
Can someone steal my money just by knowing my phone number?
I already read out my OTP. Is my money definitely gone?
Is entering my UPI PIN ever needed to receive money?
What number should I call if my bank contacts me about a "suspicious transaction"?
How do I report OTP fraud in India?
This research is published by Bachao.AI, built by Dhisattva AI Pvt Ltd, to help ordinary users recognise and stop OTP fraud before it costs them money. For broader protection guidance, official complaint channels remain the fastest route to recovery: cybercrime.gov.in, the Reserve Bank of India, and NPCI for anything UPI-specific. If your SIM card is lost, swapped, or you suspect it has been misused, you can also report it at Sanchar Saathi, the Department of Telecommunications' citizen portal. Read more scam-awareness guides on the blog.