Aadhaar-PAN Update Phishing Scam — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 25, 2026

Severity: HIGH | View Full Scam Details

Beware the Aadhaar-PAN Update Phishing Scam in India 2026: Protect Your Identity and Money

In 2026, the Aadhaar-PAN Update Phishing Scam poses a high-risk cyber threat in India, duping taxpayers into sharing sensitive OTPs and personal data via WhatsApp and SMS.

What Is the Aadhaar-PAN Update Phishing Scam?

This scam targets millions of Indian citizens holding both Aadhaar and PAN cards, especially taxpayers and those who have linked these documents for banking, taxation, or government services. With government initiatives making Aadhaar-PAN linking mandatory for financial transactions and tax filings, scammers exploit this process to trick people into handing over confidential information.

Fraudsters pose as officials from government bodies like the Income Tax Department or financial institutions, sending messages or WhatsApp texts that appear authentic. These messages claim there is an urgent issue with your Aadhaar-PAN linkage that needs immediate attention to avoid penalties or legal consequences. Because the messages mimic official government language, many unsuspecting recipients fall victim to them.

The scam has grown in prevalence, especially during the tax season each year. CERT-In (the Indian Computer Emergency Response Team) and the Indian Government’s Integrated Cyber Crime Coordination Centre (I4C) have issued warnings about these phishing campaigns. RBI guidelines also emphasize safeguarding OTPs and personal banking data, given the rise in such fraud attempts.

How This Scam Works — Step by Step

1. Initial Contact: You receive a WhatsApp message, SMS, or email allegedly from the Income Tax Department, UIDAI, or your bank. The message states that your Aadhaar-PAN linkage is either incomplete or at risk, demanding urgent action.

2. Fake Link or Contact: The message includes a link or contact number to resolve the “issue.” The link may resemble a genuine government portal but is actually a phishing website designed to steal your data.

3. Information Request: Once you click the link or chat with the scammer, you are asked to enter confidential data such as your Aadhaar number, PAN number, date of birth, and mobile number.

4. OTP Verification: Next, you receive a One-Time Password (OTP) on your registered mobile number, claiming it is needed to verify your identity or complete the Aadhaar-PAN update.

5. Sharing OTP: The scammer instructs you to share this OTP. If you comply, they can use it to authenticate fraudulent financial transactions, link your Aadhaar or PAN to unauthorized bank accounts, or access UPI payments.

6. Financial Loss: Using the stolen data and OTP, scammers withdraw money directly via UPI, make unauthorized tax refund claims, or commit identity theft — leaving victims with financial and legal complications.

Real Warning Signs to Watch For

• The message demands immediate action or threatens penalties if you don’t respond quickly.
• Messages come from unknown or unofficial phone numbers rather than verified government handles.
• Links provided have misspellings, strange URLs, or non-government domain names.
• Legitimate bodies never ask for OTPs or passwords over WhatsApp, SMS, or email.
• The communication is unusually informal or uses incorrect Hindi/English grammar.
• You receive multiple repeat messages pressuring urgent updates during tax season.
• The message directs you to a website that asks for details you’ve never been asked to provide offline.

What Happens to Victims

Victims of this scam suffer not only direct monetary loss but also long-term consequences. Once scammers have your Aadhaar and PAN details with OTPs, they can misuse your identity for fraudulent UPI transactions, causing immediate debits from linked bank accounts. Reversals via UPI can take days to process — by which time the damage is done.

Additionally, scammers may perform SIM swaps by tricking mobile carriers, allowing complete control over your phone number. This leads to interception of bank OTPs and two-factor authentication messages, increasing financial exposure. Victims often face a stressful ordeal trying to freeze accounts, restore credit, and clear their name with tax authorities.

The emotional impact is severe, especially for senior citizens and those unfamiliar with cyber threats. Anxiety around losing hard-earned money, fear of legal penalties, and the hassle of reporting the crime take a huge toll.

What RBI and CERT-In Say

The Reserve Bank of India warns taxpayers never to share OTPs or personal identification details with anyone, even if they claim to be government officials. RBI’s 24x7 helpline for banking frauds can be contacted at 1800-11-6655 for immediate assistance.

CERT-In regularly issues advisories to beware of phishing campaigns especially during tax filing seasons. The Indian Cyber Crime Coordination Centre (I4C) recommends not clicking on unsolicited links and using official government portals only.

Victims can report cybercrime 24/7 via the National Cybercrime Reporting Portal at cybercrime.gov.in or by calling the 1930 cybercrime helpline established by the Ministry of Home Affairs.

How to Protect Yourself

1. Never share OTPs or passwords with anyone, no matter how official they sound.
2. Always verify messages by visiting official government websites directly (UIDAI, Income Tax India) rather than clicking on links.
3. Look out for the “.gov.in” domain and avoid clicking on suspicious or unknown URLs.
4. Use WhatsApp’s official business verification badges as a cue to authenticate government contacts.
5. Regularly check your Aadhaar-PAN linkage status directly on government portals.
6. Inform your bank immediately if you receive any suspicious request related to Aadhaar-PAN updates.
7. Enable multi-factor authentication on your banking apps and UPI to prevent fraud.

What to Do If You’ve Been Targeted

• Do not share any further details or OTPs.
• Immediately block and delete the suspicious contact or message on WhatsApp or SMS.
• Contact your bank’s helpline and request to freeze or monitor your accounts for unusual transactions.
• Report the incident to the RBI helpline at 1800-11-6655 and to CERT-In via cybercrime.gov.in.
• File a police complaint with your local cybercrime unit.
• If money has been lost, ask your bank about UPI transaction reversals under RBI guidelines.
• Keep records of all communication and messages for the investigation.

Frequently Asked Questions

Q: Is the government really sending messages about Aadhaar-PAN linkage via WhatsApp?
A: No, government agencies do not send official Aadhaar or PAN update notices through WhatsApp or SMS asking for OTPs. Official communication happens primarily via registered emails or government portals.

Q: Can sharing an OTP really lead to money loss?
A: Yes, OTPs authenticate transactions or changes in your bank or tax records. Fraudsters use them to authorize payments, link accounts, or steal identities.

Q: How can I check if my Aadhaar and PAN are correctly linked?
A: You can verify your Aadhaar-PAN linking status by logging into the Income Tax India e-filing website or UIDAI official portal using your credentials.

Protect yourself and loved ones from this high-risk scam by staying alert and skeptical of unsolicited Aadhaar or PAN update requests. Always verify suspicious messages before acting. When in doubt, visit BharatSecure.app to verify suspicious links and messages — your trusted partner in online fraud awareness and protection.