PAN Phishing SMS & Email Scam — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 28, 2026

Severity: CRITICAL | View Full Scam Details

Beware of PAN Phishing SMS & Email Scam in India 2026: Protect Your Financial Identity

Every day, thousands of Indians receive fake SMS and emails pretending to be official messages about their PAN details, aiming to steal sensitive personal and financial data.

What Is the PAN Phishing SMS & Email Scam?

The PAN Phishing scam is a critical cyber threat targeting Indian residents by exploiting the importance of the Permanent Account Number (PAN), a document vital for tax filing, bank transactions, and online KYC processes like UPI payments and mobile wallet verification. Scammers impersonate government agencies such as the Income Tax Department or banks and send fraudulent SMS or email messages warning recipients about problems with their PAN or financial accounts.

These fake messages claim urgent action is required to avoid penalties, account suspension, or tax notices, pushing users to click on malicious links. Such phishing links lead to counterfeit websites that closely mimic official portals but are designed to capture your PAN number, Aadhaar details, bank account info, and even OTPs. The scam has become increasingly common across India, with reports received by CERT-In and the Ministry of Home Affairs’ I4C (Indian Cyber Crime Coordination Centre) citing a sharp rise in complaints related to PAN-linked phishing attempts.

How This Scam Works — Step by Step

1. Initial Contact: You receive a SMS or email appearing to be from the Income Tax Department, a bank, or an official government link. The message says there is an urgent issue with your PAN—such as a mismatch in records or failed verification—and urges you to take immediate action.

2. Fake Link Provided: The message contains a hyperlinked URL that looks legitimate—often using domain names similar to official government or financial websites.

3. Phishing Website: Clicking the link opens a fraudulent site that asks you to enter sensitive information: your PAN number, Aadhaar number, date of birth, bank details, or even login credentials for your UPI app or netbanking.

4. Verification Steps: To seem authentic, the site may request OTPs sent to your mobile phone or ask for your debit/credit card details “for verification purposes.”

5. Data Capture and Exploitation: Once this information is submitted, scammers gain access to your identity and bank accounts. They may use this data to conduct unauthorized financial transactions, apply for loans, or commit further identity fraud.

6. Aftermath: Victims notice unusual transactions, money drained via UPI or netbanking, and may face difficulties in reversing payments as UPI transactions are often instant and final.

Real Warning Signs to Watch For

• Messages urging immediate action with threats of penalty or account suspension.
• URLs that look similar but are not official govt or bank domains (e.g., misspellings or unusual extensions).
• Requests for sensitive details like PAN, Aadhaar, bank info, or OTPs via links instead of official portals.
• Emails or SMS that come from generic or suspicious sender IDs, not verified government or bank contacts.
• Poor grammar, spelling mistakes, or unprofessional formatting in the message.
• Unsolicited messages about PAN issues when you have not recently updated or changed details.
• Requests to download apps or software linked to PAN updates without verifying authenticity.

What Happens to Victims

Victims can suffer significant financial losses as scammers use stolen PAN and Aadhaar data to access bank accounts or commit financial fraud. Unauthorized UPI transactions or loan applications with fake KYC hurt victims' credit scores and cause money damage. Additionally, victims often face emotional distress and a lengthy process recovering their stolen funds and clearing their financial reputation. The use of stolen Aadhaar or PAN for identity theft also exposes victims to further scams and long-term legal complications.

Delays in reporting and resolving such incidents due to lack of awareness or fear worsen the impact. The final result can be blocked bank accounts, disrupted access to credit services, and ongoing harassment from scammers or debt collectors.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) has repeatedly warned users to remain vigilant against phishing attempts that seek sensitive financial data through SMS, emails, or phone calls. RBI advisories urge users never to share OTPs, debit/credit card details, or PINs with anyone.

CERT-In (Indian Computer Emergency Response Team) stresses not clicking on suspicious links, verifying sender details carefully, and reporting cyber incidents immediately. The Indian Cyber Crime Coordination Centre (I4C) recommends registering complaints at cybercrime.gov.in and reminds citizens of the dedicated 1930 cybercrime helpline for reporting fraud.

These agencies consistently advise users to use official portals or phone numbers and avoid responding to unsolicited requests for personal or financial information.

How to Protect Yourself

1. Never click on URLs in SMS or emails asking to confirm or update PAN or Aadhaar details—always visit official government or bank websites manually.
2. Verify the sender’s contact by contacting your bank or the Income Tax Department directly.
3. Do not share OTPs or passwords with anyone, even if they claim to be bank officials or government agents.
4. Use two-factor authentication (2FA) everywhere, especially for UPI apps and netbanking.
5. Regularly check your bank and UPI transaction history for unauthorized payments.
6. Register your mobile number with DND (Do Not Disturb) services to reduce spam SMS.
7. Update your mobile’s antivirus and security software regularly to block phishing attempts.

What to Do If You've Been Targeted

• Immediately block your bank cards and UPI apps if you suspect compromised data.
• Change login passwords for internet banking, UPI, and related financial services.
• File a police complaint at the nearest cybercrime cell or use online complaint portals like cybercrime.gov.in.
• Call the 1930 cybercrime helpline to report the incident and get assistance.
• Inform your bank or financial institution to watch for suspicious activity and freeze transactions if possible.
• Monitor your PAN and Aadhaar details for unauthorized updates or misuse.
• Keep records of all communication and transactions related to the fraud for investigation.

Frequently Asked Questions

Q: How can I check if an SMS about my PAN is genuine?
A: Genuine government or bank messages come from official sender IDs and will never ask for OTPs or passwords. Always verify the sender and avoid clicking links—visit official websites manually.

Q: Can I recover money lost due to PAN phishing scams?
A: Recovery depends on how quickly you report the fraud to your bank and police. RBI guidelines allow for complaint-based reversals, but prevention and early reporting are key.

Q: What if I unknowingly shared my PAN and Aadhaar details?
A: Immediately inform your bank and file a police complaint. You can also request Aadhaar lock/unlock via UIDAI and closely monitor your accounts for suspicious activity.

For any suspicious SMS or email, verify the message on BharatSecure.app and report fraud promptly at the 1930 helpline.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.