Phishing (Data Acquisition for Fraud) — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 28, 2026

Severity: HIGH | View Full Scam Details

Beware in 2026: Phishing (Data Acquisition for Fraud) Targeting India’s Digital Users

Phishing scams trying to steal your personal data through fake messages and websites are rising sharply in India, putting your bank accounts and mobile identity at serious risk.

What Is the Phishing (Data Acquisition for Fraud)?

Phishing (Data Acquisition for Fraud) is a cybercrime method where fraudsters pose as trusted entities—like banks, government services, or payment apps—to trick you into sharing sensitive personal information. In India, this scam has become alarmingly common on platforms everyone uses daily—WhatsApp messages, UPI payment applications, mobile banking apps, and Aadhaar-related portals.

According to complaints reported to police and alerts from regulatory bodies like the Reserve Bank of India (RBI) and the Indian Computer Emergency Response Team (CERT-In), fraudsters increasingly target vulnerable users by sending false SMS, emails, or WhatsApp messages. These often contain links to fake websites that look identical to official pages, requesting data such as your UPI PIN, Aadhaar number, One-Time Passwords (OTP), and passwords.

The scam’s reach is pan-India, affecting urban and rural users alike, especially as digital payments and Aadhaar-based services are deeply integrated into everyday life. The Indian government’s I4C (Indian Cyber Crime Coordination Centre) continues to monitor these incidents, highlighting the growing sophistication of these phishing attempts.

How This Scam Works — Step by Step

1. The Initial Contact: The victim receives a message or email claiming to be from a bank, payment app, government agency, or mobile operator. It often warns of suspicious transactions, service suspension, or a prize reward. For example, a WhatsApp message might state: “Your Aadhaar has been temporarily blocked. Click here to verify.”

2. Clicking the Link: The message includes a link or attachment that takes the victim to a fake website resembling the official app or government portal.

3. Entering Sensitive Data: The fake website prompts the victim to enter personal details—Aadhaar number, UPI PIN, OTP received on their phone, bank passwords, or mobile SIM details.

4. Data Capture: As soon as the victim submits these details, the scammers get instant access to them.

5. Unauthorized Transactions: Using stolen credentials, the fraudsters may initiate bank transfers via UPI. They can also impersonate the victim by simulating a SIM swap, convincing telecom operators to transfer the victim’s mobile number to a new SIM under their control.

6. Money and Identity Theft: With control over the phone number and UPI apps, scammers drain bank accounts, open fraudulent loans, or misuse Aadhaar for other crimes.

Real Warning Signs to Watch For

• Messages claiming urgent action needed, often threatening account suspension or legal action.
• Unsolicited SMS or WhatsApp messages containing links or attachments from unknown numbers.
• URLs that look similar but have misspellings or unusual domains (e.g., ".in" replaced by ".co" or extra characters).
• Requests for OTP, UPI PIN, Aadhaar details, or passwords—officials never ask for these via messages or calls.
• Poor spelling and grammar in messages supposedly from banks or government bodies.
• Unexpected text asking to download apps or update KYC outside official app stores.
• Calls or messages pressuring you to act quickly without time to verify the source.

What Happens to Victims

Victims of this phishing scam can face severe financial losses, as UPI transactions are often instant and irreversible once completed. Unlike some bank transactions, UPI payments don’t have a straightforward reversal mechanism if done fraudulently, leaving victims to pursue lengthy complaints.

Emotionally, victims feel violated and vulnerable. With Aadhaar details stolen, the risk of identity theft increases, leading to issues like fraudulent loans or mobile connections opened in the victim’s name. SIM swap attacks cause disruption—victims suddenly lose access to their mobile number, blocking their ability to receive OTPs or make calls, complicating recovery efforts.

This cascading effect can severely disrupt the victim’s daily life and trust in digital services.

What RBI and CERT-In Say

The Reserve Bank of India has issued multiple warnings advising users never to share UPI PINs, passwords, or OTPs with anyone. RBI’s cybersecurity framework mandates banks to educate customers about phishing risks and urges reporting scams immediately on official helplines.

CERT-In emphasizes awareness to identify phishing messages and avoid clicking suspicious links. They recommend keeping operating systems and apps updated to guard against malicious attacks.

For reporting cybercrimes related to phishing and identity theft, the Government of India provides a dedicated cybercrime helpline: 1930. Complaints can also be lodged on the official portal cybercrime.gov.in, where victims can follow step-by-step support.

How to Protect Yourself

1. Never share OTPs, UPI PINs, or passwords with anyone—no bank or government agency will ask for these over phone or message.
2. Verify the sender’s phone number or email address carefully—official institutions usually communicate from verified channels.
3. Use official apps and websites only—avoid clicking unknown links that come via SMS or WhatsApp messages.
4. Install app updates promptly—they often contain security patches to protect against phishing exploits.
5. Enable two-factor authentication (2FA) on all digital payment and banking apps for an extra layer of security.
6. Be cautious of urgent or threatening messages—take time to call the official helpline numbers yourself before responding.
7. Monitor your bank and mobile account regularly for any unauthorized transactions or SIM changes.

What to Do If You've Been Targeted

• Immediately contact your bank’s customer support to freeze your account or UPI ID to prevent further unauthorized transactions.
• Report the incident to the cybercrime.gov.in portal and local police station.
• Dial the 1930 cybercrime helpline for assistance tailored to phishing and identity theft cases.
• Inform your mobile operator about any suspicious SIM swap or unauthorised SIM activity to block the number.
• Change passwords and PINs for your banking, Aadhaar-linked services, and email accounts immediately.
• Document all suspicious messages and communication for investigation purposes.
• Monitor your credit reports and Aadhaar usage for signs of further misuse.

Frequently Asked Questions

Q: Can phishing scams steal money only through UPI or also from bank accounts directly?
A: While UPI is a common target due to ease of instant transfers, phishing data can lead to unauthorized access across bank accounts, credit cards, and mobile wallets if the fraudsters obtain sufficient login details.

Q: How is SIM swap involved in this scam?
A: After stealing personal details, fraudsters may convince telecom operators to transfer your mobile number to a new SIM. This lets them intercept OTPs and calls, thus controlling your digital identity and enabling transactions.

Q: What official steps does RBI recommend against phishing attempts?
A: RBI urges users never to disclose OTP, passwords, or PINs, to use only official apps, and to report frauds immediately to bank helplines or via the cybercrime portal.

Always verify suspicious messages before sharing any details and report frauds promptly.

For any suspicious messages or calls asking for your personal information, visit BharatSecure.app to verify their legitimacy and report at the 1930 cybercrime helpline.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.