Aadhaar-linked Mobile Hijack and OTP Fraud — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 28, 2026

Severity: CRITICAL | View Full Scam Details

Aadhaar-Linked Mobile Hijack and OTP Fraud in India 2026: How to Stay Safe

A new wave of Aadhaar-linked mobile hijack and OTP frauds is threatening millions of Indians by exploiting UPI and KYC processes, causing severe financial and identity risks.

What Is the Aadhaar-linked Mobile Hijack and OTP Fraud?

The Aadhaar-linked mobile hijack and OTP fraud is a critical cybercrime targeting Indian citizens whose mobile numbers are linked to their Aadhaar and bank accounts. These frauds primarily focus on stealing personal identification details and intercepting one-time passwords (OTPs) necessary for authorising UPI payments, bank transactions, and KYC updates.

Typically, fraudsters pretend to be bank officials or government agents, leveraging the trust people place in entities like the Reserve Bank of India (RBI) and UIDAI (Unique Identification Authority of India). This scam exploits the common practice of linking Aadhaar numbers to mobile phones for services such as digital KYC and UPI transactions, which are prevalent in India’s growing digital economy.

According to public complaints and advisories from Indian cybersecurity agencies like CERT-In and the Inter-Departmental Cybercrime Coordination Centre (I4C), such scams have become increasingly reported across urban and semi-urban India, especially via WhatsApp, Facebook, and other social media platforms. The RBI has cautioned users about verifying any KYC or account-related messages and avoiding unsolicited requests for Aadhaar, OTPs, or mobile verification.

How This Scam Works — Step by Step

1. Initial Contact: Scammers scan social media to identify potential victims. They then contact targets via phone calls or WhatsApp messages, posing as customer service representatives from banks or government agencies like UIDAI or RBI.

2. Social Engineering: Under the pretext of a mandatory "RBI-mandated KYC update" or “security verification”, the caller asks for personal details such as Aadhaar numbers, registered phone numbers, or bank account information. They may also say that failure to comply could lead to account suspension.

3. Mobile Hijack Attempt: Using the information gathered, fraudsters try a SIM swap or convince mobile operators (illegally or through phone forwarding manipulation) to link the victim’s phone number to a new SIM. This allows them to receive all OTPs sent to that number.

4. OTP Interception and UPI Transactions: Once the hijacked number receives OTPs, the scammer initiates fraudulent UPI transactions or bank transfers by confirming payments using intercepted OTPs.

5. Phishing Follow-up: To cover their tracks, they may send fake transaction notifications or request additional OTPs for “verification,” further draining the victim’s bank account.

6. Money Laundering: The stolen funds are quickly moved to other accounts, making reversal difficult. Victims usually realise only after multiple withdrawals or failed transaction attempts.

Real Warning Signs to Watch For

• Unsolicited calls or messages claiming to be from RBI, UIDAI, or your bank requesting Aadhaar or OTP details.
• Pressure to share OTPs immediately under the pretext of urgent KYC or account security.
• Asking for Aadhaar number or details through WhatsApp or SMS rather than official bank portals.
• Notifications of mobile SIM change or call forwarding that you did not initiate.
• Unexpected transaction alerts on UPI or banking apps without your consent.
• Caller insists on secrecy (“Don’t share this with anyone”) as part of their “security process.”
• Use of generic greetings like “Dear Customer” instead of your name during calls or messages.

What Happens to Victims

Victims of this fraud typically suffer direct financial loss through unauthorized UPI transactions or fund withdrawals. Because UPI payments are instant and generally irreversible, recovering money is challenging once the fraud occurs. Additionally, the misuse of Aadhaar linked with mobile numbers can lead to identity theft, making victims vulnerable to loan fraud or opening unauthorized accounts.

Emotionally, victims report stress, helplessness, and anxiety as persistent attempts to recover funds through banks or police often drag on without resolution. In some cases, victims have faced difficulties with mobile network providers due to repeated SIM swap requests triggered by fraudsters.

What RBI and CERT-In Say

The Reserve Bank of India has issued multiple advisories cautioning users against sharing OTPs over phone, WhatsApp or SMS and advises verification of caller identity by directly contacting banks' official helplines. RBI’s guidelines also stress that banks will never ask for OTPs or full Aadhaar details during calls.

CERT-In recommends users update mobile phone software regularly, enable mobile network security features like SIM lock, and immediately report suspicious calls or SMS. The 1930 cybercrime helpline, supported by various government agencies including I4C, offers a dedicated channel for victims to report digital fraud.

How to Protect Yourself

1. Never share OTPs or Aadhaar details over phone or WhatsApp even if the caller claims to be from RBI or your bank.
2. Verify caller identity independently by calling your bank’s official helpline before following any instructions.
3. Avoid clicking on suspicious links in SMS or WhatsApp messages asking for KYC or Aadhaar updates.
4. Set up mobile network PINs or SIM locks with your telecom provider to prevent SIM swaps.
5. Regularly check your bank and UPI accounts for unauthorized transactions.
6. Use the official UIDAI website or app for any Aadhaar update or verification—not links shared by unknown sources.
7. Register mobile number with the Do Not Disturb (DND) service to limit scam calls and messages.

What to Do If You’ve Been Targeted

1. Immediately call your bank’s customer service and request to block or freeze UPI and bank transactions.
2. Contact your mobile network provider to report and prevent SIM swap fraud.
3. File a complaint with your local police, specifying Aadhaar and mobile hijack details.
4. Report the scam to cybercrime.gov.in, the official portal for cybercrime complaints in India.
5. Call the 1930 cybercrime helpline for guidance and emergency assistance.
6. Keep all proof of communication (message screenshots, call logs) ready for investigation.
7. Change passwords and PINs associated with banking and UPI apps immediately.

Frequently Asked Questions

Q: Can my Aadhaar number be used to steal money from my bank account?
A: Aadhaar by itself is an identity proof. However, combined with your mobile number and intercepted OTPs through SIM hijack, fraudsters can authorise UPI or banking transactions. Always protect your Aadhaar-linked phone number and OTPs.

Q: Will my bank or UIDAI ever call me to ask for OTPs or passwords?
A: No. Banks and UIDAI never request OTPs, passwords, or full Aadhaar numbers over phone or WhatsApp. Any such request is likely a scam.

Q: How quickly can money stolen via UPI be recovered?
A: UPI transactions are mostly irreversible. Recovery depends on the bank’s fraud investigation and police action, which can take weeks or months. Report immediately to improve chances.

Stay alert and protect yourself. If you receive suspicious calls or messages about Aadhaar or bank details, verify them at BharatSecure.app and report fraud immediately by calling 1930.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.