Hybrid AI-Aided Onboarding Fraud — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 29, 2026

Severity: CRITICAL | View Full Scam Details

Hybrid AI-Aided Onboarding Fraud in India 2026: A New Digital Threat via WhatsApp and KYC Phishing

Hybrid AI-Aided Onboarding Fraud is emerging as a critical cyber threat in India, targeting users with fake WhatsApp messages and phishing schemes during digital account creation.

What Is the Hybrid AI-Aided Onboarding Fraud?

Hybrid AI-Aided Onboarding Fraud is a sophisticated scam combining artificial intelligence tools with social engineering techniques to deceive victims during their online account setup process. This fraud primarily impacts individuals in India who are onboarding new accounts with banks, fintech companies, or digital payment platforms, often leveraging Aadhaar and UPI-based services.

Scammers posing as genuine bank or fintech representatives first contact potential victims through WhatsApp, India's most widely used messaging app. Using AI-generated scripts and images, these fraudulent messages mimic official company communication styles and logos, increasing their credibility. The goal is to trick users into sharing sensitive personal information or completing KYC (Know Your Customer) formalities on fake portals controlled by fraudsters. According to complaints reported to cybercrime authorities like I4C (Indian Cyber Crime Coordination Centre), this scam is rapidly gaining traction, with many victims across urban and semi-urban India.

Both CERT-In and RBI have highlighted the risks associated with phishing and digital fraud during newer onboarding processes. RBI’s cybersecurity guidelines emphasize vigilance for suspicious onboarding requests, while CERT-In recommends verifying communications through official channels only.

How This Scam Works — Step by Step

1. Initial WhatsApp Contact: The victim receives a WhatsApp message or voice call from a number claiming to represent their bank or a popular fintech app. The message may contain familiar logos, official language, and urgent prompts such as "Complete your account activation in 24 hours" or "Exclusive offer for new users."

2. Phishing Link or Document: The fraudster shares a link to a seemingly legitimate KYC or onboarding portal, often using AI-generated websites that look strikingly real. Sometimes, they send fake PDF forms or documents that ask for personal details.

3. Information Capture: Once the victim fills in details like Aadhaar number, PAN, or bank account info, the scammer captures this data. AI tools help dynamically craft convincing follow-up messages that prompt users to share OTPs (One-Time Passwords) sent by their bank or UPI apps.

4. OTP and UPI Request: The victim is asked to enter OTPs or approve UPI transactions under false pretences such as "for verification" or "to activate offers." These OTPs effectively give the fraudster access to bank accounts or payment apps.

5. Account Takeover and Money Transfer: With the captured OTP and KYC details, fraudsters initiate unauthorized money transfers via UPI or apply for loans and credit using the victim’s identity. Victims discover the fraud only after transactions have been completed, often losing significant INR amounts.

Real Warning Signs to Watch For

• Unexpected WhatsApp messages claiming to be from your bank or fintech app requesting urgent onboarding.
• Messages that create pressure with deadlines or fear of missing out on special offers.
• Requests to share OTPs or verification codes over WhatsApp or phone calls.
• Links directing you to websites that look legitimate but have unusual URLs or ask for sensitive documents.
• Poorly worded messages with grammatical errors or unusual sentence structures.
• Requests for confidential data like Aadhaar number, PAN, or bank account details beyond normal KYC channels.
• Promises of fast loans, cashback, or freebies tied to completing onboarding steps immediately.

What Happens to Victims

Victims of Hybrid AI-Aided Onboarding Fraud face severe financial losses as their bank accounts get drained via UPI payments or fraudulent loan disbursals. Since UPI transactions are largely irreversible, getting money back can be challenging unless quickly reported. Misuse of Aadhaar details can lead to further identity theft, impacting credit history and future loan eligibility. Victims often feel helpless and anxious, facing complicated processes to recover lost funds or block stolen identities. The emotional toll is significant, with many afraid to report the crime due to stigma or lack of awareness about cybercrime reporting mechanisms.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) has issued several warnings against phishing and unauthorized digital onboarding, urging users to verify all communications through official bank channels only. RBI advises never to share OTPs or banking passwords with anyone and stresses vigilance against suspicious calls or messages.

CERT-In emphasizes the role of secure digital onboarding and encourages users to avoid clicking on unknown links or sharing personal details over messaging apps like WhatsApp. The Indian Cyber Crime Coordination Centre’s (I4C) 1930 helpline is the official government platform to report cyber fraud or seek assistance.

How to Protect Yourself

1. Always verify messages purportedly from banks or fintech companies by calling official customer care numbers.
2. Never share OTPs, passwords, or UPI PINs with anyone, even if they claim to be bank representatives.
3. Avoid clicking on links received via WhatsApp or SMS related to onboarding or account verification.
4. Use official bank apps and websites to complete KYC and onboarding; never trust third-party links.
5. Regularly check your UPI transaction history and bank statements for any unauthorized transactions.
6. Enable two-factor authentication (2FA) on your bank and UPI apps for an extra layer of security.
7. Keep your Aadhaar and other sensitive documents confidential and share them only on trusted, secure platforms.

What to Do If You’ve Been Targeted

• Immediately block and report the suspicious WhatsApp number or contact to WhatsApp.
• Contact your bank’s customer service and inform them about the suspected fraud; request to block or freeze your bank account or UPI ID.
• File a complaint with the cybercrime portal at cybercrime.gov.in and call the 1930 helpline for government assistance.
• File an FIR at your local police station, providing all details of the fraudulent messages and transactions.
• Change all related passwords and PINs immediately, especially for your bank and UPI apps.
• Monitor your credit reports and bank statements vigilantly for any unusual activity.

Frequently Asked Questions

Q1: Can scammers take money from my bank only using my Aadhaar number?
Scammers need additional details like OTPs, UPI PINs, or bank account credentials along with Aadhaar to complete transactions. Aadhaar identity information alone isn’t enough to transfer money.

Q2: How can I be sure if a WhatsApp message about KYC is genuine?
Banks and fintech firms do not usually share KYC links or requests via WhatsApp messages unsolicited. Always verify by contacting your bank’s official helpline or visiting their website directly.

Q3: What should I do if I mistakenly shared an OTP with a fraudster?
Immediately inform your bank to block your account and report the incident to cybercrime authorities via the 1930 helpline and cybercrime.gov.in. Quick action might prevent further unauthorized transactions.

Protect yourself by verifying any suspicious digital communication at BharatSecure.app and report suspected fraud to the 1930 cybercrime helpline.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.