Remote Access Scam (RBI/NPCI Impersonation) — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 27, 2026

Severity: HIGH | View Full Scam Details

Beware the Remote Access Scam (RBI/NPCI Impersonation) in India 2026: Protect Your UPI and Mobile Banking

Scammers impersonating RBI or NPCI officials are duping thousands of Indians by taking remote control of their phones to steal money—here’s how to stay safe.

What Is the Remote Access Scam (RBI/NPCI Impersonation)?

The Remote Access Scam, also known as RBI/NPCI impersonation fraud, has emerged as a serious cybercrime threat across India in 2026. Fraudsters pose as representatives from the Reserve Bank of India (RBI) or the National Payments Corporation of India (NPCI)—the organization behind UPI payments—to trick you into giving them control of your smartphone. Their targets are everyday Indians using mobile banking apps and UPI platforms, which have become a primary way to transact in both urban and rural areas.

This scam has spread rapidly because it exploits two powerful factors: the trust Indians place in RBI and NPCI, and the urgent language fraudsters use to create panic. The Indian Computer Emergency Response Team (CERT-In) and India’s Integrated Fraud Management System (I4C) have issued alerts reminding users to remain vigilant. RBI has repeatedly warned users never to share One-Time Passwords (OTPs) or install unknown apps on demand from callers. However, despite advisories, the scam continues to cause severe financial damage, especially to those not familiar with digital banking risks.

How This Scam Works — Step by Step

1. The Phone Call or Message: You receive a call or SMS claiming to be from RBI/NPCI, stating that suspicious activity has been detected on your bank account, UPI, or Aadhaar-linked services. The caller insists there’s a problem needing immediate action to “protect” your funds or process a “refund.”

2. Creating Urgency: The fraudster pressures you, often mentioning a fake transaction or government refund, to keep you from thinking or verifying independently.

3. Request to Install an App: To “verify” your identity or transactions, the caller asks you to download a remote access app like TeamViewer, AnyDesk, or similar on your phone.

4. Granting Remote Control: Once installed, you are asked to give the scammer access permissions. This allows them to see your screen, operate your device, read messages, and initiate transactions.

5. Stealing Money: With control over your banking or UPI app, the fraudsters initiate money transfers using your saved beneficiaries or even request UPI PINs under false pretenses.

6. Covering Their Tracks: After siphoning funds—sometimes thousands or lakhs of INR—the fraudsters disconnect. You may notice unauthorized debits or find apps you don’t recognize on your phone.

Real Warning Signs to Watch For

• Caller claims to be from RBI or NPCI but refuses to provide an official ID or direct callback number.
• Urgent demand to install remote access apps or share OTPs.
• Use of fear tactics like “your account will be blocked” or “you’ll lose government benefits.”
• Asking you to share personal data, bank details, or UPI PIN.
• Caller insisting the issue is only resolved by acting immediately.
• Calls coming from mobile numbers, not official toll-free or landline numbers.
• Poor language or scripted, unnatural conversation that presses for quick action.

What Happens to Victims

Victims often lose significant sums via fraudulent UPI or bank transactions. Because UPI payments are instant and irreversible once confirmed, recovering stolen money is difficult. Many victims also suffer Aadhaar-related fraud if their device gives scammers access to linked services, causing identity theft or social engineering attacks on family members. Emotional distress is high—feelings of betrayal, fear of further loss, and mistrust of digital payments creep in.

In some cases, scammers use victims’ SIM cards (via SIM swaps enabled by accessing their phones) to intercept OTPs for more fraud. The financial losses combined with the complexity of India’s cybercrime reporting channels leave victims feeling helpless.

What RBI and CERT-In Say

RBI advises users:

• Never share OTPs, CVV, or PIN on calls or messages.
• Don’t install remote access apps based on unsolicited calls.
• Always verify caller identities using official helpline numbers.

CERT-In urges vigilance against any unsolicited calls asking for passwords or app installs. They recommend timely reporting on cybercrime.gov.in and using the 1930 national cybercrime helpline. The I4C platform coordinates with banks and law enforcement to crack down on such scams.

For official help, RBI’s customer grievance helpline is 1800-22-1911 and the Cyber Crime Helpline is 1930.

How to Protect Yourself

1. Never trust calls claiming to be from RBI or NPCI asking for sensitive info or app downloads.
2. Do not install any app or permit screen sharing without verifying independently.
3. Always cross-check by calling your bank’s official helpline.
4. Avoid sharing OTP, PIN, or passwords with anyone—not even self-proclaimed officials.
5. Regularly review bank and UPI transaction alerts for unauthorized payments.
6. Set UPI transaction limits in your app where possible for extra safety.
7. Keep your phone’s operating system and apps updated for security patches.

What to Do If You’ve Been Targeted

• Immediately call your bank and inform them about the unauthorized transactions to try to block further withdrawals.
• Freeze your UPI payments through your banking app or UPI provider.
• Contact the 1930 Cyber Crime Helpline to report, providing all details of the scam.
• File a complaint on the National Cyber Crime Reporting Portal at cybercrime.gov.in.
• Change passwords, PINs, and UPI credentials immediately.
• Consider blocking your SIM temporarily with your telecom provider if SIM cloning is suspected.
• Inform family or close contacts to be cautious if your phone or Aadhaar-linked accounts are compromised.

Frequently Asked Questions

Q: Can RBI or NPCI officials ever call me to ask for my bank details or OTP?
A: No. Neither RBI nor NPCI asks for your OTP, PIN, passwords, or requests you to install apps over the phone. Official communication is usually via SMS alerts or emails—not unsolicited calls demanding urgent action.

Q: What if I already installed the remote access app?
A: Disconnect internet immediately and uninstall the app. Contact your bank to freeze your accounts, report the incident on cybercrime.gov.in, and consider factory resetting your phone after backing up vital data.

Q: How can I recover money lost through UPI scams?
A: While UPI transactions are mostly irreversible, reporting to your bank quickly may help freeze suspicious payments. File police and cybercrime complaints to initiate investigations. RBI’s grievance cell can provide assistance but prevention is best.

Scammers are getting smarter every day trying to steal your hard-earned money under the guise of RBI or NPCI. Always verify calls, never share OTPs or PINs, and never allow remote access to your phone. If you receive a suspicious message or call, immediately verify on BharatSecure.app—India’s trusted digital fraud awareness platform—before acting. Stay alert, stay secure!