Malware-Infested Links for OTP Theft — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: HIGH
Beware in 2026: Malware-Infested Links for OTP Theft Targeting Indians
Cybercriminals in India are increasingly using malware-infested links sent via WhatsApp and SMS to steal your OTPs and hijack your bank accounts.
What Is the Malware-Infested Links for OTP Theft Scam?
This scam involves cybercriminals sending you a message—often on WhatsApp or SMS—that contains a harmful link loaded with malware. The purpose? To secretly install malicious software on your smartphone or computer the moment you click. This malware is designed to intercept one-time passwords (OTPs), which banks and payment services like UPI rely on to authenticate transactions. Once the scammers capture your OTPs, they gain unauthorized access to your bank account, causing financial loss.
In India, this scam often exploits popular themes such as fake Aadhaar update notices from UIDAI or fabricated alerts supposedly from your bank or NPCI. According to CERT-In (Indian Computer Emergency Response Team), these tactics have surged with the growing digital payments ecosystem, making unsuspecting users prime targets. The 1930 Cybercrime Helpline has reported a spike in complaints linked to this method, reflecting its high severity and wide reach across both metropolitan and rural areas.
Experts at RBI and I4C (Indian Cyber Crime Coordination Centre) have issued warnings highlighting the urgent need for vigilance. Given the increasing reliance on mobile banking and digital wallets, this scam poses a significant threat to everyday Indians managing their finances online.
How This Scam Works — Step by Step
- Initial Contact via WhatsApp or SMS: You receive an unsolicited message that looks official, claiming to be from your bank, UIDAI, or a government service. It might warn you about a suspicious transaction, an Aadhaar update, or a new offer.
- Sense of Urgency: The message stresses urgency, with lines such as “Your account will be blocked if you don’t act now” or “Verify your Aadhaar immediately to avoid penalties”, to make you act quickly without thinking.
- Clicking the Malicious Link: You click the seemingly benign link, which opens a website mimicking official portals or apps.
- Malware Installation: The website prompts you to download a file or app “for verification” or asks for device permissions. Once you comply, malware stealthily installs in the background.
- OTP Interception: When you next initiate a banking transaction or receive OTPs from UPI or your bank, the malware intercepts the message and forwards the OTP to the fraudsters.
- Unauthorized Transactions: Using the stolen OTP, scammers complete fraudulent transactions, transferring money directly from your bank account or wallet, often irrevocably.
- Victim Notices Loss Too Late: Victims usually realize only after the money is gone, by which time scammers have already moved the funds out, often using mule accounts.
Real Warning Signs to Watch For
- Messages with poor grammar or spelling errors claiming to be from official sources like UIDAI or banks.
- Unsolicited links asking you to “update your Aadhaar” or “verify account” immediately.
- Pressure to act quickly with threats (“Your account will be suspended!”).
- Link URLs that don’t match official websites (misspelled or strange domain names).
- Prompts to download apps or files from unknown sources.
- Requests for device permissions like access to SMS, contacts, or calls.
- OTP messages received even when you did not initiate any transaction.
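The domain-mismatch, app-download and urgency signs listed above can be checked mechanically before anyone opens a link. The Python triage below is an added example, not BharatSecure's code; the allowlist, the urgency phrases and all function names are assumptions, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: a small illustrative allowlist; build the real one from official sources.
OFFICIAL_DOMAINS = {"uidai.gov.in", "npci.org.in", "rbi.org.in", "cybercrime.gov.in"}
BRANDS = {d.split(".")[0] for d in OFFICIAL_DOMAINS}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(r"\b(immediately|act now|blocked|suspended|penalt(?:y|ies))\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to catch misspelled official names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_official(host):
    """True only for an allowlisted domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def imitates_brand(host):
    """True if a host label contains, or nearly spells, an official name."""
    for token in re.split(r"[.\-]", host):
        for brand in BRANDS:
            # Fuzzy matching only for longer names; short ones must match exactly.
            limit = 2 if len(brand) >= 5 else 0
            if edit_distance(token, brand) <= limit:
                return True
    return False

def triage(message):
    """Return the warning signs found in one SMS or WhatsApp message."""
    findings = []
    for raw in URL_RE.findall(message):
        parts = urlsplit(raw.rstrip(".,;)"))
        host = parts.hostname or ""
        if is_official(host):
            continue
        kind = "lookalike-domain" if imitates_brand(host) else "unofficial-link"
        findings.append(f"{kind}:{host}")
        if parts.path.lower().endswith(".apk"):
            findings.append("apk-download")
    if URGENCY_RE.search(message):
        findings.append("urgency")
    return findings

# Constructed sample message; .example is a reserved TLD.
SAMPLE = ("Your Aadhaar will be suspended. Verify immediately: "
          "http://uidai-gov.in.example/update.apk")
print(triage(SAMPLE))
```

The check matches on the end of the hostname, so an official name placed at the start of an unrelated domain is still flagged. Links without an `http://` or `https://` prefix are not extracted by this sketch.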
What Happens to Victims
Victims often suffer immediate financial loss, with money siphoned off through UPI apps, net banking, or mobile wallets. Due to the speed of these scams, reversing the transactions is extremely difficult under RBI's current UPI guidelines. Many end up losing lakhs of rupees before they can freeze their accounts.
Emotionally, victims face stress, anxiety, and loss of trust in digital payments. Misuse of Aadhaar or SIM swap fraud can extend the damage, making identity theft a real concern. The victim may also have to go through lengthy disputes with banks and cyber cells, which can be frustrating and time-consuming.
What RBI and CERT-In Say
RBI has issued security guidelines reminding users never to share OTPs or PINs with anyone and to be wary of suspicious messages. CERT-In emphasizes avoiding clicking on unknown links and downloading apps only from trusted sources like Google Play Store or Apple App Store.
The Indian government’s 1930 Cybercrime Helpline is available for immediate assistance, providing victims with digital literacy and support. The I4C has launched awareness campaigns warning users about malware-laden links and the importance of two-factor authentication.
In official advisories, both RBI and CERT-In urge vigilance around messages claiming to be from UIDAI or banks and advise users to verify such communications directly through official portals instead of clicking on links.
How to Protect Yourself
- Ignore Unsolicited Messages: Do not click on any links received via WhatsApp or SMS unless you are absolutely sure of their origin.
- Verify Directly: Visit official bank or UIDAI websites independently to verify any alerts or offers.
- Never Share OTPs or PINs: Remember, banks and government bodies will never ask for your OTP or PIN over messages or calls.
- Avoid Downloading Apps from Unknown Sources: Only install apps from verified app stores and check app permissions carefully.
- Enable Two-Factor Authentication (2FA): Use additional authentication methods wherever possible.
- Regularly Update Your Phone: Software updates often patch security vulnerabilities that malware exploits.
- Install and Maintain Antivirus Software: Use trusted security apps to detect suspicious activity.
What to Do If You've Been Targeted
- Immediately Block Your Bank Accounts: Contact your bank’s customer care helpline and request a freeze on the accounts affected by the losses.
- Change Passwords and PINs: Update your internet banking and UPI passwords without delay.
- Report to Cybercrime Authorities: Lodge a complaint online at cybercrime.gov.in or call the 1930 cybercrime helpline for personalized guidance.
- Inform Your Mobile Provider: If you suspect SIM swap fraud, contact your telecom operator right away.
- Alert RBI and CERT-In: Report the scam to RBI’s Banking Ombudsman and notify CERT-In to help prevent future incidents.
- Monitor Your Financial Statements: Keep a close watch on bank and wallet transactions for suspicious activity.
- Seek Legal Help if Necessary: If large sums are lost, consider consulting a lawyer familiar with cybercrime.
Frequently Asked Questions
Q: Can malware installed via these scam links steal data beyond OTPs?
A: Yes, malware can capture your contacts, messages, passwords, and more, potentially leading to broader identity theft and fraud beyond OTP theft.
Q: How quickly can I lose money if I click a malware-infested link?
A: Scammers act within minutes of stealing OTPs, so financial loss can happen almost instantly after you click and unknowingly approve transactions.
Q: Will my bank refund the lost money in these scams?
A: Refunds depend on circumstances—if you shared OTPs or passwords, banks may refuse. Prompt reporting improves chances of recovery, but many victims lose money permanently due to RBI’s zero-liability rules when negligence is suspected.
Malware-infested links for OTP theft are a growing menace for Indian internet users. Always be suspicious of urgent messages, never share OTPs, and carefully verify any communication claiming to be official. If you receive suspicious SMS or WhatsApp messages, don’t click any links—verify on BharatSecure.app to check if it’s a scam before taking any action. Stay safe, stay secure!