Expiring Reward Points Text Scam — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 26, 2026

Severity: MEDIUM | View Full Scam Details

Beware the Expiring Reward Points Text Scam in India 2026: Protect Your UPI and Banking Rewards!

Scammers in India are exploiting your reward points with fake expiry text alerts to steal your money and data.

What Is the Expiring Reward Points Text Scam?

The Expiring Reward Points Text Scam is a rising phishing threat in India where fraudsters send SMS or WhatsApp messages that look like official alerts from popular banks, digital wallets, or retail loyalty programs. These messages warn you that your reward points or cashback offers are about to expire soon — creating a false sense of urgency to make you act quickly without verifying the message.

Targets are usually digitally active Indians who frequently use UPI apps, credit/debit cards with reward points, or loyalty schemes like Paytm’s cashback, Amazon Pay points, or retail store memberships. Since most Indians depend on mobile phones and digital payments, scammers find this scam highly effective and have been reported across multiple states.

India’s cyber security authorities like CERT-In and the Indian Cyber Crime Coordination Centre (I4C) have issued general warnings about phishing attempts related to banking and payment frauds, emphasizing vigilance about unsolicited messages claiming urgent reward expiries. RBI has also cautioned against sharing personal credentials or clicking unknown links even if messages appear to be from reputed banks or wallets.

How This Scam Works — Step by Step

1. Initial Text Message: You receive an SMS or WhatsApp message appearing legit, telling you something like, “Your XYZ Bank reward points will expire in 24 hours. Click here to claim them now!”
2. Message Design: The text often includes official-looking logos, bank or wallet names, and uses personalized data such as your name or partial account info, gleaned from social media or data leaks.
3. Urgency and Fear: The message urges immediate action to avoid losing your valuable points—triggering panic or excitement.
4. Fake Link or Phone Number: You click a link or call a displayed number. The website may look identical to your bank’s or loyalty program’s official portal, asking you to “log in” using credentials, OTPs (one-time passwords), or Aadhaar-linked details.
5. Credential Theft: Once you enter the details, scammers capture your login info, OTP, or even UPI PIN.
6. Monetary Loss: Using stolen credentials, they transfer money via UPI apps, drain linked bank accounts, or misuse Aadhaar for identity theft.
7. Cover-up: After stealing, they may send fake transaction alerts to keep victims unaware for days.

Real Warning Signs to Watch For

• Message sender ID is a random number or suspicious name, not your bank’s official name.
• Messages arrive unexpectedly or when you have no active reward points.
• Link URLs that don’t match your bank’s official website—often misspelled or with strange domains like “.xyz” or “.online.”
• The message demands immediate action, threatening loss of rewards within hours.
• Requests for confidential info such as OTP, UPI PIN, Aadhaar number, or passwords.
• Poor grammar, spelling mistakes, or awkward phrasing in the message.
• No official communication from the bank or wallet app itself when you check the reward section directly.

What Happens to Victims

Victims of this scam can lose thousands of rupees as scammers make unauthorized UPI transactions that are hard to reverse once the money is transferred. Many users don’t realize they have been hacked until noticing their bank balance drop suddenly. Emotional stress follows, with victims feeling violated and helpless.

In India, SIM swap fraud is often linked to these scams. Once scammers get your phone number, they can perform SIM swaps to intercept OTPs, making it easier to bypass two-factor authentication during UPI or net banking transactions. Victims may also face misuse of Aadhaar details leading to identity theft or fraudulent loans.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) regularly advises customers never to share OTPs, UPI PINs, passwords, or Aadhaar details. RBI’s official website warns against clicking links from unknown SMS or WhatsApp numbers and urges verification through official apps.

CERT-In emphasizes that phishing attacks often use social engineering to trick users and recommends reporting suspicious messages to their cybercrime helpline.

In case of cyber fraud, you can call the national Indian Cyber Crime Reporting Portal or dial the 1930 cybercrime helpline for immediate assistance.

How to Protect Yourself

1. Never click on links in unsolicited messages: Always verify reward points via your official banking or wallet app.
2. Check the sender’s details: Legitimate bank messages come from official sender IDs, not random phone numbers.
3. Avoid sharing OTPs or UPI PINs: No bank or digital payments company will ever ask for these via SMS or WhatsApp.
4. Use app-based notifications: Enable in-app alerts for rewards and transactions.
5. Keep your phone’s software and security updated: This helps protect against malware that may intercept messages.
6. Regularly check your bank statements and UPI transaction history: Report unfamiliar transactions immediately.
7. Report suspicious messages: Forward scam texts to your bank’s fraud team and BharatSecure.app for verification.

What to Do If You’ve Been Targeted

• Immediately block your UPI and bank accounts: Use your banking app or call your bank’s customer care helpline.
• Report the scam to your bank and wallet provider: They can initiate fraud investigations and sometimes reverse transactions.
• File a complaint on cybercrime.gov.in: The Indian government’s portal tracks digital fraud complaints.
• Call the 1930 cybercrime helpline: Get assistance on next steps with your complaint.
• Inform your mobile operator to check for SIM swap fraud: Request temporary number blocking if needed.
• Change your passwords, UPI PIN, and Aadhaar-linked services: Secure your accounts from further misuse.

Frequently Asked Questions

Q: Can I really lose money just from clicking a reward points expiry link?
Yes. Clicking often leads to fake websites that steal your login or OTP. With that info, scammers can make unauthorized UPI payments draining your bank account.

Q: How can I verify if a reward expiry message is genuine?
Always check your official banking or wallet app directly. Do not trust SMS or WhatsApp messages urging urgent action, especially with links.

Q: What should I do if I accidentally shared my OTP or UPI PIN?
Immediately contact your bank to block your account or UPI. Also file a cybercrime complaint and change all related passwords right away.

Reward points scams like these keep evolving — so stay alert! Always verify suspicious reward expiry messages or offers before clicking anything. If you get a doubtful message, report it or verify it immediately at BharatSecure.app — India’s trusted platform to keep you safe from digital fraud.