Aadhaar-Enabled Payment System (AePS) Biometric Withdrawal Fraud — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 29, 2026

Severity: CRITICAL | View Full Scam Details

Beware of Aadhaar-Enabled Payment System (AePS) Biometric Withdrawal Fraud in India 2026

This rising scam involves fraudsters stealing money by tricking people into sharing OTPs and biometric details to withdraw cash through AePS.

What Is the Aadhaar-Enabled Payment System (AePS) Biometric Withdrawal Fraud?

The Aadhaar-Enabled Payment System (AePS) is a government-backed service allowing individuals to carry out banking transactions through their Aadhaar number and fingerprint authentication, even in rural areas without smartphones or internet access. While AePS has boosted financial inclusion in India, fraudsters are exploiting its biometric withdrawal feature to illegally siphon off money from victims' bank accounts.

This scam primarily targets Aadhaar-linked bank account holders, especially elderly or less tech-savvy users who receive suspicious WhatsApp messages or calls impersonating bank officials or government agents. According to public complaints forwarded to cybercrime units and advisories from CERT-In and I4C, this fraud has become increasingly widespread across Indian states such as Maharashtra, Uttar Pradesh, and Tamil Nadu in 2026, with victims reporting losses of thousands to lakhs of rupees.

The Reserve Bank of India (RBI) has warned about growing cases where fraudsters use phishing tactics combined with biometric information theft to bypass two-factor authentication in AePS transactions. CERT-In has also issued alerts encouraging users to treat unsolicited messages or calls seeking OTPs or biometric data as suspicious.

How This Scam Works — Step by Step

Here is a typical sequence in which this AePS biometric withdrawal scam unfolds:

1. Initial Contact via WhatsApp or Call: The victim receives a WhatsApp message or phone call claiming to be from their bank, UIDAI, or government agency, saying that their Aadhaar-linked account has some problem or they are eligible for a government scheme.

2. Phishing for Details: The caller asks the victim to share their Aadhaar number and sends a link to a fake website mimicking official portals to "verify identity." Sometimes they request a selfie or printout of Aadhaar details.

3. Request for OTP and Biometric Authentication: The fraudster says that for security, they need to authenticate the victim by making a small withdrawal using AePS and asks for the one-time password (OTP) sent to the victim’s phone and to place their finger on a biometric device (or simulate it via video).

4. Biometric Data Capture: In some variants, scammers trick victims into installing fake apps or directing them to fraudulent biometric collection portals (usually disguised as bank apps).

5. Unauthorized AePS Withdrawal: Using the captured Aadhaar number, biometric data, and OTP, the scammers initiate an AePS withdrawal from the victim’s bank account at a cooperative bank or micro ATM, transferring money to their own accounts.

6. Victim Realises Late: Usually, the victim notices their bank balance has dropped only after the transaction, with no legitimate withdrawal made by them.

Real Warning Signs to Watch For

• Unexpected WhatsApp messages or calls asking for Aadhaar, OTP, or fingerprint authentication.
• URLs sent via message that look official but start with suspicious domains (e.g., not uidai.gov.in or your bank’s official site).
• Requests to install unknown apps for "biometric verification" or to scan your fingerprint remotely.
• Pressure to share OTPs immediately or claiming the OTP is a "security code" to confirm identity.
• Claims of government benefits or urgent issues requiring Aadhaar authentication.
• Callers refusing to give a valid employee ID or bank branch details when asked.

What Happens to Victims

Victims often suffer heavy financial losses, with amounts ranging from a few thousand rupees to lakhs. In many cases, the nature of AePS transactions via biometric verification complicates recovery. Unlike UPI transactions, where complaints can trigger reversals, AePS withdrawals once processed are harder to reverse due to biometric authentication, as reported by RBI grievance cells.

Beyond money loss, victims endure emotional distress and mistrust in digital banking, impacting rural and elderly users disproportionately. Since Aadhaar is linked with multiple services, misuse also risks exposing personal identity data beyond just financial theft. Victims can face delays in filing complaints due to a lack of awareness about cybercrime processes in their area.

What RBI and CERT-In Say

The RBI regularly reminds customers that OTPs and biometric data should never be shared with anyone, even if the caller claims to be from the bank. In their FAQs, RBI clarifies that bank officials will never ask for your OTP, Aadhaar PIN, or biometric data over the phone or WhatsApp.

CERT-In has issued advisories advising users to report suspicious messages promptly via the national cybercrime portal (cybercrime.gov.in) or call the 1930 cybercrime helpline. The Indian government’s I4C initiative continues raising awareness about phishing and AePS fraud risks, emphasizing that biometric authentication should only happen at trusted devices physically operated by the user.

RBI helpline and CERT-In recommend immediately blocking compromised Aadhaar-linked bank accounts once fraud is suspected and alerting the bank branch for timely remedial action.

How to Protect Yourself

1. Never share OTPs or biometric data over the phone, WhatsApp, or email.
2. Access Aadhaar or bank services only through official apps or government websites.
3. Do not install apps sent via unsolicited WhatsApp messages; verify app sources on Google Play Store or official portals.
4. Always verify the caller’s identity by independently contacting your bank branch using official numbers.
5. Avoid clicking on links from unknown sources claiming to fix Aadhaar or bank account problems.
6. Register for SMS alerts through your bank for every transaction and monitor your bank account frequently.
7. If asked for biometric verification, only provide it at authorized bank outlets or verified micro ATMs in your presence.

What to Do If You've Been Targeted

• Immediately block your bank account through your branch or bank’s official app.
• Report the incident to your bank’s fraud department and request a transaction reversal.
• File a cybercrime complaint at cybercrime.gov.in or call the national 1930 cybercrime helpline.
• Inform UIDAI through their official helpline or website if Aadhaar data misuse is involved.
• Change passwords and PINs linked to your bank account, UPI, and Aadhaar services.
• Inform your mobile network provider about possible SIM swap risk and request enhanced security measures.
• Keep a record of all communications and transaction IDs for police or cybercrime investigators.

Frequently Asked Questions

Q: Can AePS biometric withdrawal transactions be reversed if fraud occurs?
A: Unlike UPI, AePS transactions authenticated biometrically are generally final and tougher to reverse due to their design. However, victims should immediately report to their bank and file cybercrime complaints to seek assistance.

Q: How can fraudsters get my biometric data for AePS withdrawal?
A: Fraudsters try to trick people into scanning fingerprints through fake apps or phishing pages posed as bank portals, or ask victims to simulate fingerprint verification on calls.

Q: What official number can I call to report AePS biometric withdrawal scams?
A: You can report such fraud to the National Cyber Crime Helpline at 1930 and also register complaints at cybercrime.gov.in for faster investigation.

Stay alert and verify any suspicious message or call by visiting BharatSecure.app. If you suspect fraud, immediately report it to the 1930 helpline.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.