OTP Phishing with Fake KYC on OLX — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 29, 2026

Severity: HIGH | View Full Scam Details

OTP Phishing with Fake KYC on OLX Scam in India 2026: How Fraudsters Steal Your UPI Money via WhatsApp

Cybercriminals are increasingly targeting OLX users with a sophisticated scam that tricks sellers and buyers into sharing OTPs and personal KYC details over WhatsApp, leading to theft from UPI accounts and bank fraud.

What Is the OTP Phishing with Fake KYC on OLX?

This scam exploits the trust many Indians place in OLX, a popular online marketplace, where people buy and sell used goods. Fraudsters posing as buyers or sellers on OLX initiate contact via WhatsApp and request users to complete a fake "KYC" process, supposedly required to finalize the transaction. The scam hinges on stealing one-time passwords (OTPs) sent by banks or payment apps, especially those linked with UPI (Unified Payments Interface), India’s widely used instant payment system.

Victims are often unaware that sharing an OTP or personal details like Aadhaar numbers, PAN cards, or scanned ID proofs through WhatsApp exposes them to account takeover or unauthorized transactions. This method is becoming more prevalent across India, as reported in several public complaints to cybercrime cells and warnings issued by CERT-In (Indian Computer Emergency Response Team).

In 2026, this scam maintains a high risk score of 7/10 due to the scale of financial losses involved and the increasing sophistication of callers impersonating OLX users. RBI and I4C have continuously urged the public to never share OTPs or confidential KYC info on any messaging platform, citing rising cases of fraud linked with UPI and fake KYC verifications.

How This Scam Works — Step by Step

1. Initial Contact on OLX or WhatsApp
   Fraudsters contact a genuine OLX user via the app or send a WhatsApp message claiming to be interested buyers or sellers. They may also send a link or image claiming it is for "transaction verification" or a "payment confirmation document."

2. Request for Fake KYC Verification
   The scammer falsely claims that OLX now requires mandatory KYC to complete the deal, often citing RBI or government guidelines to appear credible. They ask the victim to share Aadhaar numbers, PAN cards, or bank-related documents through WhatsApp.

3. Triggering OTP Requests
   Next, the fraudster requests the victim to do "verification" by entering an OTP sent via SMS or UPI payment app. They may persuade the victim that this OTP confirms their identity and is safe to share.

4. Victim Shares OTP
   Once the victim shares the OTP, the caller uses it immediately to authorize fraudulent UPI transactions or SIM swap requests linked to the victim’s mobile number.

5. Unauthorized Transactions Happen Instantly
   Using the OTP, scammers initiate fund transfers via UPI apps like Google Pay or PhonePe, draining the victim’s linked bank account. Victims usually learn about the theft only after noticing unauthorized bank debits or SMS alerts.

6. Fake Transaction Confirmation
   Sometimes, fraudsters send fake transaction receipts or confirmation messages to reassure the victim, delaying suspicion.

Real Warning Signs to Watch For

• Unexpected requests on WhatsApp asking for confidential KYC documents or bank details
• Messages pressuring you to share OTP immediately or claim your OLX transaction will be canceled otherwise
• Claims that "new RBI rules" or "government mandates" require extra verification via WhatsApp
• Links or documents sent over WhatsApp asking for sensitive data or OTPs
• Offers to handle all payment or verification steps remotely without physical meetings
• Poor grammar or suspicious WhatsApp numbers that don’t match official OLX customer service
• Requests to install unknown apps or scan QR codes to complete KYC

What Happens to Victims

Once the fraudster obtains your OTP and KYC details, your bank account linked to UPI becomes vulnerable to immediate unauthorized transactions. Victims in India often lose sums ranging from a few thousand to lakhs of rupees, with limited chances for reversal if the OTP was willingly shared.

Besides financial loss, victims face emotional stress and time-consuming bank and police procedures. Aadhaar misuse can lead to further identity theft risks, while SIM swapping often results in losing control over mobile numbers, affecting access to other services like email, social media, and e-wallets.

Due to UPI’s instant settlement feature, victim recovery is challenging, despite RBI’s and banks’ efforts to build secure dispute resolution systems. This adds urgency to preventing such scams from occurring in the first place.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) has explicitly warned users never to share OTPs or CVV numbers with anyone, including those claiming to be from banks or e-commerce platforms. The RBI’s cybersecurity guidelines emphasize secure use of UPI apps and discourage sharing sensitive data over WhatsApp or SMS.

CERT-In regularly issues advisories about phishing attacks via social media and messaging platforms, urging Indians to verify any suspicious requests and report incidents promptly. The Ministry of Home Affairs’ I4C (Indian Cyber Crime Coordination Centre) coordinates nationwide efforts to curb digital fraud and operates the 1930 cybercrime helpline number for immediate assistance.

Users can also call the RBI helpline at 14567 for bank fraud complaints and visit cybercrime.gov.in to file online complaints related to phishing or payment fraud.

How to Protect Yourself

1. Never share OTPs or passwords on WhatsApp, email, or calls, even if the request seems urgent.
2. Verify any “KYC verification” request directly with official OLX support channels — never through WhatsApp or unknown contacts.
3. Avoid clicking on suspicious links or downloading documents from unknown senders claiming to represent OLX or banks.
4. Install UPI apps only from official app stores and use biometric or PIN lock for payment authentication.
5. Register your mobile number with the telecom operator’s Do Not Disturb (DND) service to reduce spam calls and messages.
6. Keep your Aadhaar and PAN card details private, and only share them on verified platforms through secure channels.
7. Regularly check your bank account and UPI transaction history for any unauthorized activity and report immediately.

What to Do If You've Been Targeted

• Immediately block the scammer’s number on WhatsApp and other messaging apps.
• Contact your bank’s customer care to block your UPI ID and debit/credit cards linked with the account.
• Lodge a complaint with your local cybercrime police station and file a report at cybercrime.gov.in.
• Call the 1930 cybercrime helpline for assistance in reporting and guidance.
• Inform your telecom provider if you suspect SIM swap or unauthorized usage.
• Change passwords for your email and banking apps immediately.
• Keep all chat transcripts and transaction details as evidence for authorities.

Frequently Asked Questions

Q: Can I get my money back if I shared an OTP by mistake on WhatsApp?
A: Recovery depends on your bank’s policy and how quickly you report the fraud. RBI guidelines encourage banks to assist victims, but early reporting and evidence help improve chances of reversal.

Q: Why do scammers ask for fake KYC documents instead of just stealing OTPs?
A: Fake KYC helps fraudsters bypass additional security checks, gain access to Aadhaar or PAN-based fraud, and even apply for loans or credit cards in your name.

Q: Is OLX responsible for frauds happening through fake WhatsApp messages?
A: OLX provides a platform but does not contact users via WhatsApp for KYC or payments. Users should only trust official communication channels. OLX advises reporting suspicious messages to their helpdesk immediately.

If you receive suspicious messages or calls, always verify first on BharatSecure.app and report fraud quickly at the 1930 helpline.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.