Vishing (Phone Scams for OTP/PIN) — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 28, 2026

Severity: CRITICAL | View Full Scam Details

Vishing Phone Scams for OTP/PIN in India 2026: Protect Your Money from Voice Phishing Attacks

Vishing phone scams remain one of the most critical threats to Indian internet users in 2026, where fraudsters try to steal your OTP and PIN by impersonating banks or government officials.

What Is the Vishing (Phone Scams for OTP/PIN)?

Vishing, or voice phishing, is a type of fraud where scammers call victims pretending to be trusted authorities such as bank officials, government representatives, or customer support agents. In India, these callers often claim there is an urgent problem affecting the victim’s bank account, Aadhaar linking, UPI transactions, or mobile wallet. They convince victims to share sensitive personal data like OTP (One-Time Password), debit/credit card PIN, CVV, or bank account details under urgent pretexts.

This scam targets all kinds of users but especially those who actively use mobile banking, UPI, or Aadhaar-linked services — a vast segment given India’s rapid digital adoption. According to complaints received by the Indian Cyber Crime Coordination Centre (I4C), vishing is one of the most frequently reported fraud methods, causing severe financial losses. The Reserve Bank of India (RBI) and CERT-In have repeatedly issued advisories warning users not to share OTPs or PINs over phone calls, emphasizing that official entities never seek such information over voice calls.

How This Scam Works — Step by Step

1. Initial Call or Message: You receive a call, often with a fake caller ID masked to display your bank’s official number or a government helpline.
2. Fake Urgency: The caller claims there is a critical issue with your bank account, UPI transactions, Aadhaar linking, or mobile banking app. They may claim your account is at risk of being blocked or frozen.
3. Request for OTP/PIN: The caller tells you they need to confirm your identity or resolve the problem by verifying a One-Time Password sent via SMS, or they may ask directly for your ATM PIN or CVV.
4. Pressure Tactics: Fraudsters use fear—threatening legal actions or immediate account suspension—to rush you into compliance before you can think clearly or check with your bank.
5. Misuse of Information: Using the details you share, scammers initiate fraudulent UPI transactions, drain bank accounts, or misuse Aadhaar-linked services. Often, victims only notice after money has been transferred or their accounts compromised.

Real Warning Signs to Watch For

• Unexpected calls asking for your OTP, PIN, or CVV.
• Caller ID shows your bank or government helpline but the caller pressures you for urgent action.
• Threats of legal consequences, account blocking, or loss to force quick compliance.
• Requests for your Aadhaar number or OTP related to Aadhaar without your prior action.
• Calls that continue even when you refuse to share details or ask legitimate questions.
• Offers to “help” by guiding you to a website or app link.
• Demands for remote access to your phone or requests to install unknown apps.

What Happens to Victims

Victims of vishing scams frequently suffer not only the loss of money but also emotional stress and anxiety. Money stolen via UPI or online banking is often transferred instantly, making reversal challenging despite RBI’s framework for dispute resolution. Fraudsters may also misuse Aadhaar data to open fraudulent accounts or loans in the victim’s name, leading to further financial and legal troubles. If a SIM swap is involved, attackers gain full control of incoming SMS OTPs, deepening the breach. Many victims feel violated and helpless as these scams exploit their trust in India's digital payment ecosystem.

What RBI and CERT-In Say

The Reserve Bank of India has issued multiple circulars warning customers to never share OTPs, PINs, or CVV numbers over phone calls or SMS, and clarifies that genuine banks or officials never request this information via phone. CERT-In also highlights vishing as a critical vector for cyber fraud, urging citizens to report suspicious calls immediately.

For support, individuals can contact the national cybercrime helpline at 1930, which offers assistance with fraud complaints, and check RBI’s consumer helpline for banking-related queries. These agencies collaborate under the Ministry of Home Affairs’ I4C program to combat fraud and provide user education.

How to Protect Yourself

1. Never share OTP, PIN, or CVV over the phone, even if the caller claims to be from your bank or government.
2. Verify the caller by hanging up and contacting your bank’s official helpline number found on your bank’s website or passbook.
3. Avoid clicking on links or installing apps sent during such calls, especially if unsolicited.
4. Register your mobile number on DND (Do Not Disturb) list to reduce marketing calls but be alert to sophisticated vishing calls.
5. Use app-based notifications from banks or UPI apps for transaction alerts rather than relying on phone calls.
6. Regularly update your mobile OS and banking apps to benefit from security patches.
7. Inform your bank immediately to block your cards or freeze UPI if you suspect any compromise.

What to Do If You've Been Targeted

• Call your bank immediately to block your card, freeze your account, and stop transactions.
• Report the incident to the national cybercrime portal at cybercrime.gov.in providing details of the call and fraud.
• Dial the 1930 cybercrime helpline to get guidance on next steps and how to protect your identity.
• File a First Information Report (FIR) at your local police station or through online cyber complaint portals.
• Request a fraud claim with your bank under RBI’s grievance redressal mechanism.
• Change all related passwords and PINs after securing your financial accounts.

Frequently Asked Questions

Q: Can official banks or government agencies ever ask for OTP or PIN on a call?
No. RBI and government guidelines explicitly state that official bodies never request OTP, ATM PIN, or CVV over phone calls. Any such request is a red flag.

Q: What should I do if I accidentally shared my OTP?
Immediately contact your bank to block transactions, report the fraud, and change your PIN/password. Also, report the incident to the cybercrime helpline.

Q: How can I identify if a call is from a fake number or spoofed caller ID?
Caller ID can be faked. Always be cautious with unsolicited calls, avoid sharing sensitive data, and cross-check by calling the official number from a trusted source.

For every suspicious call or message, verify details at BharatSecure.app and report fraud immediately to the 1930 helpline to protect yourself and others.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.