Spoofed SMS Sender ID Scam — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 27, 2026

Severity: HIGH | View Full Scam Details

Spoofed SMS Sender ID Scam in India 2026: How Crooks Imitate Your Bank to Steal Your Money

The Spoofed SMS Sender ID Scam is a rising threat in India, where fraudsters mimic official bank SMS sender IDs to trick you into giving away sensitive details or clicking dangerous links.

What Is the Spoofed SMS Sender ID Scam?

This scam involves cybercriminals sending fake SMS messages that appear to come directly from your bank or a trusted financial institution. In India, banks and RBI-regulated entities often use short codes or alphanumeric sender IDs—like "HDFCBK," "SBIINB," or "PAYTM"—to send transaction alerts, OTPs (One Time Passwords), or Aadhaar linking confirmations. Fraudsters exploit special software or online services to "spoof" or imitate these sender IDs, fooling victims into believing the messages are genuine.

The scam mainly targets everyday Indian internet users who rely on SMS alerts for their UPI payments, bank transactions, or Aadhaar-related updates. With the growing popularity of digital payments, especially through UPI apps like Google Pay, PhonePe, and BHIM, scammers have found lucrative opportunities to deceive users. According to CERT-In reports, such SMS spoofing incidents have seen a significant rise in 2025 and continue into 2026, prompting warnings from RBI and the government’s Indian Cyber Crime Coordination Centre (I4C).

How This Scam Works — Step by Step

1. Spoofed SMS Sent: You receive an SMS that looks like it’s from your bank’s official sender ID—e.g., “SBIINB” or “ICICIBK”. The message might say your UPI payment failed, your Aadhaar linking is pending, or that suspicious activity has been detected in your bank account.

2. Creating Urgency and Fear: The message includes urgent language like “Action Required Immediately” or “Your account will be blocked,” prompting you to act quickly without verifying.

3. Link or Phone Number Included: The SMS contains a clickable link or a phone number, often disguised as something official like “https://sbi.in/verify” or “Customer Care 1800XXX1234,” but it leads to phishing websites or connects to scam callers.

4. Victim Enters Details or Shares OTP: On clicking the link or responding to the message, you may be asked to enter sensitive information like your full bank details, UPI PIN, Aadhaar number, or One-Time Password (OTP).

5. Money Gets Stolen: Using these details, scammers either initiate fraudulent UPI transactions or siphon money directly from your linked bank account. In some cases, they use your details for identity theft or SIM swap scams.

Real Warning Signs to Watch For

• Sender ID looks exactly like your bank’s but the message tone or grammar seems off or unusual.
• Unexpected messages asking for sensitive data like UPI PIN, OTP, Aadhaar number, or passwords.
• Links that don’t match official bank URLs or contain strange spellings or excess characters.
• Urgent or threatening language pressuring you to act quickly (e.g., “account will be blocked,” “payment failed”).
• Requests to download apps or software through SMS links.
• The SMS arrives at odd times — late at night or very early morning.
• Mismatched details in the message versus official bank communication style.

What Happens to Victims

Victims often suffer financial loss as money gets transferred out of their bank accounts through fraudulent UPI payments—often untraceable and irreversible. The scam can lead to misuse of Aadhaar information, allowing identity theft or illegal SIM swaps that give scammers full control over phone-based transactions. Emotionally, victims experience stress, anxiety, and frustration dealing with frozen accounts or slow reversals.

Recovery is complicated in India due to limited recourse options for remote digital banking frauds, despite RBI guidelines mandating timely resolution. While some UPI transaction disputes get partially reimbursed, many victims still face delays and losses.

What RBI and CERT-In Say

The Reserve Bank of India has repeatedly warned users to never share OTPs or PINs and to verify SMS sender details carefully. In its cybersecurity directives, RBI emphasizes that authentic messages will never ask for confidential information via SMS or calls.

CERT-In, the Indian government's Computer Emergency Response Team, advises the public to report suspicious SMS immediately and never click on unknown links. The Indian Cyber Crime Coordination Centre (I4C) also promotes awareness campaigns targeting UPI and banking-related frauds.

For assistance, the Indian government has a dedicated cybercrime complaint portal at cybercrime.gov.in and a 24x7 helpline: 1930, which helps victims report such scams urgently. RBI also operates a helpline number 1800-112-565 to assist with banking-related frauds.

How to Protect Yourself

1. Verify Sender IDs: Always double-check if the sender ID matches the official one your bank uses. If unsure, call your bank’s official customer care.
2. Never Share OTP or PIN: Banks and official agencies will never ask for your OTP or PIN via SMS or phone call.
3. Avoid Clicking SMS Links: Instead, open your bank or payment app directly rather than using message links.
4. Install Security Updates: Keep your phone and payment apps updated to protect against hacking attempts.
5. Use App-based Notifications: Switch to app notifications where possible, as they are more secure than SMS.
6. Register for DND (Do Not Disturb): This reduces the chance of receiving marketing or spoofed SMS.
7. Report Suspicious SMS: Forward suspicious messages to your bank or report them to 1930 or cybercrime.gov.in immediately.

What to Do If You've Been Targeted

1. Immediately Block Your Bank Cards and Accounts: Contact your bank’s helpline or visit the nearest branch.
2. Change UPI PIN and Online Banking Passwords: Do this before scammers can misuse your credentials further.
3. Report the Scam to Cyber Crime Cell: File a complaint at cybercrime.gov.in or call 1930 to register your case.
4. Inform Your Mobile Operator: Prevent SIM swap by informing your telecom provider; request additional security locks.
5. Notify RBI and CERT-In Helplines: Inform the RBI helpline (1800-112-565) and CERT-In about the incident to aid wider preventive actions.
6. Monitor Bank Statements: Keep a close eye on your bank account and UPI transaction history for unusual activities.

Frequently Asked Questions

Q1: Can I trust SMS sender IDs like 'HDFCBK' or 'SBIINB'?
No. While these can be legitimate, scammers can easily spoof these IDs using technology. Always verify unexpected messages by contacting your bank directly.

Q2: What should I do if I accidentally clicked on a spoofed SMS link?
Immediately disconnect your phone from the internet, do not enter any information, and contact your bank to block transactions. Also, report the incident to cybercrime authorities via 1930 or cybercrime.gov.in.

Q3: Are UPI transactions reversible if done through a spoofed SMS scam?
Reversals depend on the nature of the transaction and the bank’s investigation. RBI mandates timely resolution for genuine fraud complaints, but quick reporting improves your chances of recovery.

Always stay alert to the subtle tricks of spoofed SMS scams. When in doubt, do not engage—confirm every message before you act. To keep yourself safe from digital fraud targeting your bank and UPI, verify suspicious messages at BharatSecure.app today. Your safety is our priority!