Punjab Police bust cyber phishing racket, 132 arrested — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 18, 2026

Severity: HIGH | View Full Scam Details

Punjab Police Bust Cyber Phishing Racket in 2026: High-Risk Scam Hits India Hard

Cyber phishing scams continue to evolve in India, with a recent bust by Punjab Police exposing a major phishing racket that led to the arrest of 132 accused individuals.

What Is the Punjab Police Bust Cyber Phishing Racket, 132 Arrested?

In early 2026, Punjab Police uncovered a large-scale cyber phishing operation targeting thousands of unsuspecting victims across India. This racket involved coordinated efforts to steal sensitive personal and financial information by impersonating banks, government officials, and popular payment platforms such as UPI and mobile wallets.

Phishing, a cybercrime where fraudsters trick users into sharing confidential data like OTPs, Aadhaar details, or banking credentials, has been a growing threat in India. This particular case was notable for its scale and sophistication, where criminals used fake websites, WhatsApp messages, and phone calls to dupe victims, primarily targeting middle-class and senior citizens who frequently transact online. The case garnered attention from national agencies like CERT-In and the Indian Cybercrime Coordination Centre (I4C), which have been issuing regular advisories on phishing threats in India.

How This Scam Works — Step by Step

Understanding exactly how these fraudsters operate can help you avoid becoming a victim:

1. Initial Contact: Victims receive a WhatsApp message, SMS, or call claiming to be from their bank, the Reserve Bank of India (RBI), or a government agency such as UIDAI (Aadhaar authority). The message often warns of suspicious transactions, lockouts, or new government policies requiring immediate action.
2. Fake Website or Link: The message directs the victim to a fraudulent website resembling the official bank or UPI platform. These sites are designed to capture login details such as user IDs, passwords, and PINs.
3. Request for OTP and Personal Info: Victims are asked to enter OTPs sent via SMS, share Aadhaar numbers, or provide UPI PINs "for verification."
4. SIM Swap or Account Takeover: In some cases, attackers execute a SIM swap by using the stolen identity to get a new SIM from mobile operators, enabling them to intercept OTPs and calls.
5. Funds Transfer: Using the stolen UPI PIN or internet banking credentials, fraudsters initiate unauthorized transactions, emptying bank accounts or wallets instantly.
6. Cover Tracks: Victims often realize the fraud only after noticing missing funds or receiving alerts from their bank.

Real Warning Signs to Watch For

• Unsolicited messages or calls pressuring you to act quickly.
• URLs and links that look suspicious or slightly different from official banking websites.
• Requests for OTPs, UPI PINs, Aadhaar, or bank passwords in any form.
• Messages claiming to be from RBI or government agencies but sent from private mobile numbers.
• Spelling errors or awkward phrasing in official-looking texts.
• Calls threatening to block your bank account if immediate action isn’t taken.
• Receiving SMS or WhatsApp messages asking to download apps from unofficial sources.

What Happens to Victims

Victims of phishing scams face both financial loss and emotional distress. Many lose money instantly through UPI transactions or net banking frauds, draining savings meant for daily expenses or emergencies. Recovery is often difficult; while UPI transactions are immediate, reversing fraudulent transfers is complicated unless reported quickly. Victims with SIM swap attacks can also lose control over their mobile numbers, affecting all Aadhaar-linked services including salary accounts, credit cards, and government benefits.

The emotional toll includes fear of identity theft, stress due to loss of hard-earned money, and mistrust in digital payments — this particularly affects vulnerable groups like senior citizens unfamiliar with cybersecurity risks.

What RBI and CERT-In Say

The Reserve Bank of India has repeatedly warned users against sharing OTPs, PINs, or passwords over calls or messages. RBI’s customer helpline and grievance redressal channels emphasize that banks never ask for sensitive details over phone calls. CERT-In, the national cybersecurity agency, issues frequent alerts on phishing campaigns and urges users to verify links and use official apps or websites exclusively. The Indian Cybercrime Coordination Centre (I4C) also facilitates reporting of such cybercrime and shares regular updates to keep the public aware.

For any cyber fraud, individuals can contact the RBI helpline or call the national cybercrime helpline 1930. CERT-In and I4C recommend immediate reporting to the cybercrime portal at cybercrime.gov.in for government intervention.

How to Protect Yourself

1. Never share OTPs, UPI PINs, or passwords with anyone, even if they claim to be bank officials.
2. Verify all messages and calls by contacting your bank or official agencies via known customer service numbers.
3. Access banking or payment apps only through official app stores and avoid clicking on suspicious links.
4. Regularly update your mobile operating system and bank app to patch security vulnerabilities.
5. Enable two-factor authentication (2FA) on all your financial and email accounts.
6. Do not download apps or attachments from unknown sources or via WhatsApp messages.
7. Monitor your bank and UPI transactions frequently and immediately report any unauthorized transaction to your bank.

What to Do If You've Been Targeted

If you suspect phishing fraud or financial loss:

1. Immediately block your UPI and bank accounts by contacting your bank’s customer care.
2. Inform your mobile operator to block your SIM if you suspect a SIM swap attack.
3. Lodge a complaint on the National Cyber Crime Reporting Portal at cybercrime.gov.in.
4. Call the cybercrime helpline at 1930 for guidance and assistance.
5. Change all your passwords and PINs on banking and email accounts.
6. Keep a record of all communications and transaction details to assist investigation.

Swift action is crucial to minimize financial damage and prevent further misuse of your identity.

Frequently Asked Questions

Q: How quickly do phishing frauds drain money from my account?
A: Typically, these scams act instantly once the fraudster obtains OTPs or UPI PINs, often transferring money within minutes. Immediate reporting increases chances of recovery.

Q: Can I get my money back after falling victim to a phishing scam?
A: Banks may refund fraud amounts if you report quickly and cooperate with investigations. However, due to instant UPI transfers, success depends on how fast you notify your bank and cybersecurity agencies.

Q: How can I verify if a message or call from ‘bank’ or ‘RBI’ is genuine?
A: Never trust caller ID or message sender alone; instead, independently call your bank’s official helpline using numbers from the bank’s website or bank statement. RBI never asks for OTPs or passwords over the phone.

Stay alert and don’t fall prey to phishing scams. Always verify suspicious messages at BharatSecure.app — your trusted partner to keep digital fraud at bay.