Phishing with Deepfake Verification Calls — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 29, 2026

Severity: HIGH | View Full Scam Details

Beware in 2026: Phishing with Deepfake Verification Calls Targeting UPI and WhatsApp Users in India

Phishing scams using deepfake technology via verification calls pose a serious threat to Indian users’ UPI transactions, WhatsApp communications, and KYC data security.

What Is the Phishing with Deepfake Verification Calls?

Phishing with deepfake verification calls is a new and alarming scam tactic emerging across India in 2026. Fraudsters use advanced artificial intelligence tools to create highly realistic fake voices—deepfakes—that imitate bank officials or trusted authority figures. Unlike traditional phishing where scammers send fake messages or emails, this scam involves actual phone calls, making it harder for victims to distinguish real calls from fake ones.

The scam mainly targets UPI users, WhatsApp groups discussing banking topics, and those who have shared KYC or personal data online, whether knowingly or unknowingly. Scammers often gather details from social media posts, WhatsApp discussions, and compromised data bought from the dark web. According to cases reported to cybercrime cells and CERT-In (Computer Emergency Response Team - India), this technique is gaining traction in major metro cities as well as smaller towns with increasing internet penetration.

Official advisories from the Reserve Bank of India (RBI) and CERT-In have repeatedly warned customers to be cautious about unsolicited verification calls asking for OTPs, UPI PINs, or Aadhaar details. However, the use of synthetic voice mimicking recognized officials is a more recent development that makes this scam particularly dangerous and difficult to detect.

How This Scam Works — Step by Step

1. Data Collection: Scammers collect information about potential victims by monitoring public discussions on WhatsApp groups, financial forums, or social media posts where users talk about bank issues, UPI transactions, or personal KYC experiences.

2. Deepfake Call Initiation: The victim receives a call from a number that appears as their bank or government authority on caller ID, with a highly realistic synthetic voice posing as an official representative.

3. Urgent Verification Request: The scammer tells the victim there has been suspicious activity on their account, or their Aadhaar-linked services/UPI payments are at risk. They urge the victim to verify their identity immediately to “secure” the account.

4. Tricking into Sharing OTP/UPI PIN: Under the pretense of verification, the scammer asks the victim to read out or enter a One-Time Password (OTP) or UPI PIN received on their phone. In some cases, victims are asked to approve a fake UPI payment in their banking app.

5. Unauthorized Transactions: With the collected OTPs, UPI PINs, or other verification data, the fraudsters promptly initiate unauthorized fund transfers or SIM swaps, leading to immediate loss of money from victims’ accounts.

6. Covering Tracks: The scammer may disguise follow-up calls or messages as official communications to mislead victims further, sometimes requesting additional personal information or multi-factor authentication codes to bypass security.

Real Warning Signs to Watch For

• Calls claiming urgent account verification but asking for OTPs or UPI PINs over the phone
• A voice that sounds very official but asks for personal financial details not usually requested during legitimate calls
• Caller ID showing your bank or government helpline, which can be spoofed or faked
• High-pressure tactics with threats of immediate account suspension or legal action
• Requests to approve transactions remotely or share SMS OTPs even though you have not initiated any activity
• Receiving unsolicited calls timed shortly after suspicious messages or emails
• The caller tries to keep you on the line for an unnaturally long time, pressing you to act quickly without checking details

What Happens to Victims

Victims of these deepfake phishing calls often face severe financial losses as scammers drain money using the victim's UPI ID or linked bank account. Given that UPI transaction reversals are difficult once funds are transferred, many victims find it impossible to recover lost INR amounts quickly. Furthermore, misuse of Aadhaar-linked data can lead to further identity fraud, making it harder to restore trust with financial and government institutions.

Emotionally, victims report anxiety and trauma from losing money and privacy breaches, especially since the scam involves direct voice contact and false trust. In some cases, SIM swapping leads to loss of access to mobile banking apps and OTPs, amplifying the damage. Reports indicate the distress can affect vulnerable sections such as senior citizens and small business owners relying extensively on WhatsApp for transactions.

What RBI and CERT-In Say

The Reserve Bank of India has issued guidance advising customers never to share passwords, PINs, OTPs, or any banking credentials, even if the caller claims to be an official. RBI’s general framework for digital payment safety emphasizes verifying the source before responding to calls.

CERT-In recommends that citizens be alert to impersonation calls and immediately report suspicious calls to local cybercrime cells or the 1930 cybercrime helpline. The Indian government’s I4C (Indian Cyber Crime Coordination Centre) promotes the use of cybercrime.gov.in portal for lodging complaints about phishing and related frauds.

These bodies emphasize that legitimate bank officials or government departments never ask for sensitive credentials over calls and that users should be wary of calls demanding urgent actions.

How to Protect Yourself

1. Never share OTPs, UPI PINs, or passwords during any phone call, no matter how official the voice sounds.
2. Always verify the caller by calling your bank’s official number or through your banking app before acting.
3. Avoid discussing financial data or bank-related issues on public WhatsApp groups or forums if possible.
4. Enable two-factor authentication (2FA) on all banking and communication apps.
5. Regularly check your UPI transaction history and bank statements for unauthorized activity.
6. Keep your mobile number linked to Aadhaar safe and report immediate blocking if you lose your phone or suspect SIM swap.
7. Update your mobile phone and app security patches to protect against malware that may be used for spying.

What to Do If You've Been Targeted

1. Immediately block your UPI app or banking app access using official channels. Contact your bank through their verified helpline.
2. Inform your mobile service provider urgently if you suspect SIM swap or compromise to freeze your phone number.
3. File a complaint on the cybercrime portal at cybercrime.gov.in, providing all call and transaction details.
4. Call the national cybercrime helpline 1930 for immediate support and advice.
5. Report the incident to your bank and request a fraud investigation and possible transaction reversal under RBI guidelines.
6. Change all relevant passwords, Aadhaar-linked mobile number OTPs, and related credentials immediately after the incident.

Frequently Asked Questions

Q: Can deepfake calls be traced by authorities?
A: Tracing deepfake caller sources can be difficult as scammers often use spoofed numbers or VOIP services hosted outside India. However, law enforcement agencies equipped with CERT-In and I4C support work to identify call origins using call records and digital forensics.

Q: Is it safe to share personal details with bank officials during calls?
A: Legitimate bank officials never ask for your OTP, UPI PIN, ATM PIN, password, or Aadhaar OTP over phone calls. Sharing such information is unsafe and usually a sign of scam attempts.

Q: How quickly should I act if I receive a suspicious verification call?
A: Instead of rushing, immediately hang up the call and verify independently by contacting your bank’s official customer care number. Quick but calm responses help avoid falling into the scam trap.

If you receive any suspicious calls or messages asking for personal verification, always verify first at BharatSecure.app or report fraud at the 1930 cybercrime helpline.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.