PayPal UK Scam Call Attempting to Steal 2FA Code — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated Jun 10, 2026

Severity: High | View Full Scam Details

Beware in 2026: PayPal UK Scam Call Attempting to Steal Your 2FA Code Hits India

A new wave of phishing calls claiming to be from PayPal UK is targeting Indians, attempting to steal two-factor authentication (2FA) codes and drain digital wallets.

What Is the PayPal UK Scam Call Attempting to Steal 2FA Code?

This scam involves fraudsters pretending to be representatives from PayPal UK who contact victims—often Indian users active on social media or online marketplaces—claiming there is a problem with their PayPal account. Their goal is to trick victims into sharing 2FA codes sent via SMS or authenticator apps, which then enables the scammer to bypass security and access the victim’s PayPal or linked bank accounts.

While PayPal India has strict security protocols, scammers exploit the trust associated with the PayPal brand and the common use of 2FA, which many users believe makes their account fully secure. This scam is increasingly reported in India, especially across cities with high digital payment adoption. According to public complaints received by CERT-In and the Indian Cyber Crime Coordination Centre (I4C), victims have lost amounts running into tens of thousands of INR within minutes of such calls.

The Reserve Bank of India (RBI) and CERT-In have issued repeated advisories urging users to never share OTPs or 2FA codes with anyone and to verify all digital payment-related alerts through official channels only.

How This Scam Works — Step by Step

1. Targeting the Victim: Scammers monitor social media platforms such as Facebook, WhatsApp groups, and online financial forums where users discuss payment or account issues. They identify potential targets who mention PayPal or other online payment problems.

2. The Initial Contact: Using private or masked numbers, the scammer calls the victim, often posing as a PayPal UK customer service agent. The caller may use a voice-changing app or pre-recorded messages to sound official.

3. Creating Urgency: The caller informs the victim of suspicious transactions, account suspension, or a security breach, urging immediate action to avoid losing funds.

4. Requesting 2FA Code: The caller asks the victim to share a one-time password (OTP) or 2FA code supposedly sent by PayPal to verify their identity.

5. Exploiting the Code: Once the scammer obtains the 2FA code, they quickly access the victim’s PayPal account or linked accounts, transferring money to fraudulent accounts or using stored payment methods.

6. Financial Loss: Victims only realize the fraud after unauthorized transactions appear. The scammer often disappears, making the money difficult to retrieve.

Real Warning Signs to Watch For

• Unexpected Calls from Private or Unknown Numbers claiming to be PayPal or other financial institutions.
• Requests to Share OTP or 2FA Codes, especially codes sent via SMS or authenticator apps.
• High-Pressure Tactics Urging Immediate Action, like threats of account suspension or fund loss.
• Caller Refusing to Let You Hang Up or Asking You to Download Apps or Share Screen Access.
• Official PayPal Emails or SMS Are Not Verified Independently through official websites or apps.
• Demanding Confidential Information Beyond Standard KYC, such as passwords or Aadhaar numbers.
• Calls that Do Not Come from PayPal’s Recognized Customer Care Numbers (verify via PayPal’s official site).

What Happens to Victims

Victims in India can suffer both financial and psychological impacts. The scam often leads to unauthorized withdrawals from Indian bank accounts linked via UPI or PayPal wallets, impacting savings. Recovery is difficult because digital payment systems like UPI transactions are usually instant and irreversible.

Additionally, victims may face stress and anxiety, fearing identity theft or misuse of Aadhaar and other sensitive data. In some cases, SIM swap attacks facilitated by such fraud enable scammers to intercept OTPs for multiple accounts, compounding the damage.

The loss of trust in online payments can also discourage affected individuals from using digital services, setting back digital inclusion goals in India.

What RBI and CERT-In Say

RBI’s guidelines explicitly warn users never to share OTPs, passwords, or 2FA codes with anyone. The central bank stresses that no genuine agent or official will ever ask for such confidential details over calls or messages. RBI’s Financial Fraud Monitoring cell provides help via helpline numbers for reporting suspicious calls.

CERT-In regularly alerts Indian internet users about phishing techniques, including fraudulent calls related to financial platforms. The Ministry of Home Affairs’ I4C initiative encourages victims to report cybercrime incidents at cybercrime.gov.in or by calling the dedicated 1930 helpline.

Both regulatory bodies emphasize verifying all transactions independently and using official apps or websites for account management, rather than disclosing confidential details on calls.

How to Protect Yourself

1. Never Share OTPs or 2FA Codes Over Calls or Messages, even if the caller claims to be from PayPal or your bank.
2. Verify Caller Identity Independently by contacting PayPal or your bank through official customer care numbers or websites.
3. Don't Engage with Private or Unknown Numbers Asking for Sensitive Data.
4. Use Official PayPal Apps and Websites Only to check alerts or resolve account issues.
5. Enable Transaction Alerts for UPI and Bank Accounts to detect unauthorized transfers quickly.
6. Register Your Mobile Number with Do Not Disturb (DND) Services to reduce scam calls.
7. Report Suspicious Calls Immediately to the 1930 Cybercrime Helpline and file complaints on cybercrime.gov.in.

What to Do If You've Been Targeted

• Block the Caller and Avoid Further Communication.
• Change Your Account Passwords and Enable Strong 2FA Methods.
• Immediately Inform Your Bank and PayPal Support Teams about unauthorized access.
• File a Cybercrime Complaint at cybercrime.gov.in with details of the incident.
• Call the 1930 Cybercrime Helpline to lodge a formal report and seek guidance.
• Monitor Your Bank and Payment Accounts closely for any suspicious transactions.
• Consider a SIM Swap Check with Your Telecom Provider to ensure your mobile number is secure.

Being prompt in these steps can limit financial loss and help authorities track scam patterns.

Frequently Asked Questions

Q: Can scammers really steal money just by getting my 2FA code?
A: Yes, 2FA codes are often the last security barrier for digital accounts. If fraudsters get your 2FA code, they can bypass verification and access your PayPal or bank accounts to transfer money.

Q: I got a call from a number that looked like PayPal UK, but no money was taken. Should I still worry?
A: Absolutely. Such calls are attempts to steal information. Even if you didn't lose money this time, your details may still be at risk. Always report the call and stay vigilant.

Q: How can I tell if a call claiming to be from PayPal is real?
A: Genuine PayPal representatives never ask for your passwords, OTPs, or 2FA codes on calls. Always hang up and independently verify by contacting PayPal through official channels.

Check any suspicious messages, calls, or emails at BharatSecure.app to confirm legitimacy and protect your digital payments. Report any fraud attempts immediately to the 1930 cybercrime helpline.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.