RBI's New Digital Payment Rules — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: MEDIUM
Beware in 2026: RBI’s New Digital Payment Rules Scam Targeting OTPs Across India
Scammers are exploiting RBI’s updated digital payment regulations to steal your OTPs and drain your bank accounts via WhatsApp and social media.
What Is the RBI's New Digital Payment Rules Scam?
In 2026, the Reserve Bank of India (RBI) introduced stricter authentication rules to make digital payments — through UPI, debit/credit cards, and other platforms — safer and more secure. While these measures are meant to protect users, cybercriminals have started using fake messages claiming to represent RBI, banks, or payment apps, warning users about urgent “verification” steps required to comply with these new rules.
This scam primarily targets everyday Indian users who rely heavily on digital payments for groceries, bill payments, mobile recharges, and more. Scammers use platforms like WhatsApp, Facebook, and Instagram to spread misinformation, often impersonating financial institutions. The scam is widespread, with reported incidents rising across metropolitan cities and smaller towns alike, highlighting the need for greater awareness.
Indian security agencies such as CERT-In and the Indian Cyber Crime Coordination Centre (I4C) have issued advisories cautioning users not to share OTPs, Aadhaar numbers, or banking passwords. RBI has also reiterated that it never asks for OTPs or passwords over calls or messages. Despite this, confusion around the new rules has left users vulnerable. Fraud incidents of this type are rated medium risk and are holding steady at about 5 out of 10 on the risk severity scale.
How This Scam Works — Step by Step
1. The Initial Message: The victim receives a WhatsApp or SMS message supposedly from RBI, their bank, or a popular payment app such as Google Pay or PhonePe. The message mentions new RBI digital payment rules requiring urgent account verification.
2. Creating Urgency: The message warns that if the victim does not “update” or “verify” their details immediately, their digital payments or cards will be blocked or limited, causing panic.
3. Request for Sensitive Info: The scammer asks the victim to share One-Time Passwords (OTPs), Aadhaar numbers, or other confidential details, often via a reply message or a fraudulent app link.
4. Fake Call Back: Sometimes, the victim receives a follow-up phone call from someone claiming to be from the bank’s fraud department, increasing pressure to cooperate.
5. OTP Capture: When the victim shares the OTP (often sent by their bank during a legitimate transaction), the scammer uses it to authorise fraudulent UPI transfers or card payments immediately.
6. Fund Transfer: The transferred money quickly moves to mule accounts or is cashed out. Victims realize only later that their bank accounts have been drained.
7. Aftermath: Scammers may also misuse Aadhaar data for other types of identity fraud, worsening the victim’s situation.
Real Warning Signs to Watch For
- Messages or calls claiming to be from RBI but sent via WhatsApp or unofficial SMS numbers.
- Requests to share OTPs, PINs, Aadhaar, or bank details urgently.
- Threats that your account or digital payments will be blocked or restricted if you don’t act immediately.
- Grammatical mistakes, typos, or poor formatting in supposed official messages.
- Links directing you to unofficial websites or apps asking for personal info.
- Calls pressuring you to share information or complete “verification” steps quickly.
- Lack of official contact details or vague sender information.
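The warning signs above can be combined into a simple triage check for incoming messages. This is an added example, not part of the original advisory or any BharatSecure tool. The sign patterns, the scoring weights, the OFFICIAL_HOSTS allowlist and the examplebank.example host are assumptions, and the sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts the reader treats as official. rbi.org.in and
# cybercrime.gov.in are real; examplebank.example is a constructed placeholder.
OFFICIAL_HOSTS = {"rbi.org.in", "cybercrime.gov.in", "examplebank.example"}

# Assumed patterns for three of the warning signs listed above.
SIGNS = {
    "claims_authority": re.compile(r"\b(rbi|reserve bank|bank|google pay|phonepe)\b", re.I),
    "asks_secret": re.compile(r"\b(otp|pin|aadhaar|password|cvv)\b", re.I),
    "urgency": re.compile(r"\b(urgent(ly)?|immediately|blocked|restricted|suspended)\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def is_official(host):
    """True only for an official host or a subdomain of one (suffix match on a dot)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def triage(message):
    """Return (score, reasons) for one message; higher scores are more suspicious."""
    reasons = [name for name, rx in SIGNS.items() if rx.search(message)]
    for url in URL_RE.findall(message):
        try:
            host = urlparse(url).hostname or ""
        except ValueError:  # malformed URL: treat the host as unknown
            host = ""
        if not is_official(host):
            reasons.append("unofficial_link:" + host)
    score = len(reasons)
    # An authority claim combined with a request for a secret is the core of
    # this scam, so that pair is weighted above either sign alone.
    if "claims_authority" in reasons and "asks_secret" in reasons:
        score += 2
    return score, reasons

# Constructed sample messages (not real captures).
SAMPLES = [
    "RBI ALERT: As per new rules your UPI will be blocked. Share OTP immediately "
    "at http://rbi.org.in.verify-kyc.example/update",
    "Your OTP for a transaction of Rs 450 is 123456. Do not share it with anyone.",
    "RBI circulars are published at https://www.rbi.org.in/ for reference.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text))
```

The first sample shows why the host check matches on a full-label suffix: a hostname that merely begins with rbi.org.in is still flagged as unofficial.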
What Happens to Victims
Victims often suffer significant financial loss as scammers siphon money through UPI or card transactions using the stolen OTPs. Immediate reversal of UPI payments is usually not possible once authenticated by OTP, leaving victims out of pocket. The unauthorized use of Aadhaar details can cause long-term identity theft issues, making it difficult to access government services or posing risks of fraudulent loans and SIM swaps.
Besides financial damage, victims experience stress, helplessness, and anxiety trying to resolve their cases through banks, Cyber Crime Cells, and consumer forums. Many face challenges in blocking further damage promptly because these scams operate within minutes, exploiting delays in detection.
What RBI and CERT-In Say
The RBI has issued multiple advisories clarifying that it never requests OTPs, passwords, or Aadhaar details via phone calls, SMS, or WhatsApp. It urges users to contact their banks directly if they receive suspicious communication. RBI’s official helpline number — 1800 22 8800 — is available to verify any payment-related messages.
CERT-In, India’s national cybersecurity agency, recommends vigilance against OTP fraud and advises users to immediately report incidents to the 1930 cybercrime helpline. The Indian Cyber Crime Coordination Centre (I4C) also works closely with law enforcement to track such scams and has advised ongoing public awareness campaigns.
How to Protect Yourself
- Never share your OTPs, PINs, Aadhaar, or bank details with anyone, even if they claim to be from RBI or your bank.
- Ignore any unsolicited messages or calls pushing urgent verification for “RBI rules.”
- Always verify official messages by visiting your bank’s official website or calling the customer care number directly.
- Do not click on links in messages from unknown or suspicious sources.
- Use UPI PIN and mobile banking apps only on your personal device with strong screen locks.
- Enable two-factor authentication (2FA) on your banking and payment apps for extra security.
- Register for mobile banking alerts from your bank to track transactions instantly, and report unauthorized ones immediately.
What to Do If You've Been Targeted
- Block the sender and do not engage further.
- Immediately call your bank’s customer care to freeze your digital payment accounts and block further transactions.
- Change all relevant passwords and PINs associated with your bank accounts and payment apps.
- Report the incident to the National Cyber Crime Reporting Portal (cybercrime.gov.in).
- Call the 1930 cybercrime helpline for guidance on lodging an FIR and follow up with your local police.
- Inform UIDAI if your Aadhaar data has been compromised.
- Monitor your bank accounts and credit reports regularly for suspicious activities.
Frequently Asked Questions
Q: Can RBI really block my digital payments if I don’t share OTP or Aadhaar?
A: No. RBI does not block accounts or payments without due process and never asks for OTP or Aadhaar over calls or messages.
Q: What should I do if I accidentally shared my OTP?
A: Immediately contact your bank to block your account or card. Report the fraud to cybercrime.gov.in and call the 1930 helpline.
Q: How can I verify if a message about RBI’s new rules is genuine?
A: Check RBI’s official website or call their helpline (1800 22 8800). Do not trust unsolicited messages or links from unknown sources.
Stay alert and protect your money. If you receive suspicious messages or calls claiming to be from RBI about digital payment rules, verify them first at BharatSecure.app — your trusted partner against scams.