Amazon/Flipkart KYC Update Phishing — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 29, 2026

Severity: HIGH | View Full Scam Details

Beware the 2026 Amazon/Flipkart KYC Update Phishing Scam in India

A new phishing scam targeting Indian online shoppers on WhatsApp is tricking users into sharing sensitive KYC details by pretending to be from Amazon or Flipkart.

What Is the Amazon/Flipkart KYC Update Phishing?

This scam involves fraudsters sending fake WhatsApp messages claiming to be from popular e-commerce platforms Amazon or Flipkart. The messages falsely state that users must urgently update their KYC (Know Your Customer) information to avoid account suspension or to continue using exclusive services. The alleged updates often target users who shop frequently or have a history of orders, aiming to exploit their trust in the brand.

In India, where digital financial services are closely linked to Aadhaar and bank accounts, sharing KYC data over WhatsApp can lead to devastating misuse. The scam has become increasingly widespread in 2026, with the Indian government’s cybercrime agencies such as CERT-In and the Indian Cyber Crime Coordination Centre (I4C) reporting a rise in similar phishing cases. Though both RBI and CERT-In have not issued a scam-specific alert for this Amazon/Flipkart phishing, they reinforce that sharing sensitive data on unofficial channels compromises personal security.

This scam particularly exploits the popularity of WhatsApp as a communication medium and the growing e-commerce user base in India, which exceeds hundreds of millions. The fraudsters’ goal is to collect Aadhaar, PAN, bank details, and UPI PINs under the guise of authentication, potentially leading to identity theft and financial loss.

How This Scam Works — Step by Step

1. Initial WhatsApp Message: The victim receives a WhatsApp message from an unknown number or a slightly altered official-looking business profile. The message claims to be from Amazon or Flipkart, stating that the user’s account requires immediate KYC verification to continue shopping or access exclusive deals.

2. Urgent Call to Action: The message contains a link to a phishing website or asks the user to reply with personal information such as Aadhaar number, PAN, bank account details, or UPI ID for verification purposes.

3. Fake Verification Process: If the victim clicks the link, they are taken to a site designed to look exactly like the official Amazon or Flipkart KYC page. They are asked to enter sensitive details including OTP (One-Time Password) sent to their mobile device.

4. Stealing OTP and Data: When the victim shares the OTP thinking it confirms their identity on the platform, the fraudsters capture it immediately. This OTP can be misused for unauthorized UPI transactions or SIM swap-related frauds.

5. Money Transfer or Identity Theft: Using the collected data and OTP, scammers initiate unauthorized payments from the victim’s bank account through UPI or may misuse Aadhaar-linked services, draining their funds without immediate detection.

6. Victim Realizes Too Late: Many victims notice their bank accounts emptied or fraudulent orders placed days after the scam, creating distress and complicated recovery processes.

Real Warning Signs to Watch For

• Unsolicited WhatsApp messages claiming urgent KYC updates for Amazon or Flipkart. Legitimate companies rarely use WhatsApp for sensitive KYC requests.
• Messages demanding Aadhaar, PAN, or bank details directly over chat, instead of directing users to the official website or app.
• Suspicious links with URLs slightly different from the official domain (e.g., flipped characters or added words).
• Pressure to share OTP immediately or within seconds — legitimate platforms never ask you to share OTP outside their own app.
• Poor grammar, spelling mistakes, or awkward phrasing in messages allegedly from a big brand.
• Asking to download third-party apps or provide remote access to your phone.
• Requests to reply with sensitive details instead of using official portal methods.

What Happens to Victims

Victims of this scam can face severe financial losses, sometimes running into thousands or lakhs of rupees. Since many Indian users link UPI to their bank accounts, the misuse of OTP or SIM swap scams enables fraudsters to instantly transfer money. Recovering these funds is often difficult without quick reporting.

Beyond money, victims suffer emotional stress from identity theft — for instance, fraudulent loans or credit applications taken out in their name using stolen Aadhaar and PAN details. The aftermath involves tedious documentation, freezing bank accounts, and contacting multiple institutions including the UIDAI and banks.

Victims often have to rely on the 1930 national cybercrime helpline or state cyber cells to file complaints. The delay in reporting can lead to longer recovery times or irreversible damage.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) emphasizes safeguarding personal banking credentials and advises never to share OTPs or PINs with anyone, as noted in their customer protection guidelines. RBI regularly reminds users that UPI transactions must be done only through official apps and services.

CERT-In advises Internet users to be vigilant against phishing attempts on messaging apps, especially those requesting passwords, OTPs, or Aadhaar details outside secure portals. The government’s 1930 cybercrime helpline is available nationwide for reporting such frauds.

The Indian Cyber Crime Coordination Centre (I4C) encourages users to report cyber incidents immediately and be cautious of any unsolicited messages requesting sensitive information, reinforcing safe online shopping habits.

How to Protect Yourself

1. Never share Aadhaar, PAN, bank details, or OTPs over WhatsApp or any messaging app.
2. Use only official Amazon or Flipkart apps or websites for any KYC or account updates.
3. Verify messages by contacting customer care directly through official numbers or emails.
4. Check URLs carefully – avoid clicking on shortened or unfamiliar links sent via WhatsApp.
5. Enable two-factor authentication (2FA) on your accounts where possible, especially UPI apps.
6. Be skeptical of any urgent requests demanding immediate action or personal details.
7. Regularly monitor your bank statements and UPI transaction history for unauthorized activity.

What to Do If You've Been Targeted

• Immediately block and report the suspicious WhatsApp number to prevent further contact.
• Inform your bank and request to block or freeze transactions from your accounts temporarily.
• Change all relevant passwords and PINs on your banking and shopping apps.
• File a complaint with the nearest cybercrime police station or report online at cybercrime.gov.in.
• Call the 1930 national cybercrime helpline to report the incident and seek guidance.
• Consider requesting a SIM block or replacement from your telecom operator if you suspect SIM swap.
• Report Aadhaar misuse to UIDAI’s grievance redressal if personal ID details were shared.

Frequently Asked Questions

Q: Can Amazon or Flipkart ask for my Aadhaar or bank details on WhatsApp?
A: Officially, neither Amazon nor Flipkart requests sensitive KYC details via WhatsApp. Such requests usually indicate phishing attempts, and you should verify such messages directly on their apps or websites.

Q: What should I do if I accidentally shared my OTP or Aadhaar details in such a scam?
A: Immediately contact your bank to block transactions, change your UPI PIN, and file a complaint with cybercrime authorities. Quick action is crucial to limiting financial loss.

Q: How can I verify if a message about KYC update is genuine?
A: Avoid clicking on links in unsolicited messages and verify through the official app or customer service. Genuine companies usually provide KYC updates through their authenticated systems, not chat apps.

Stay safe by always double-checking suspicious messages or calls about your personal or banking details. When in doubt, visit BharatSecure.app to verify and understand scam alerts, and report fraud by calling the 1930 cybercrime helpline without delay.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.