The call comes at 11 in the morning. The voice is calm, professional, almost bored, the way a real bank officer sounds. They use your full name. They mention your bank. They say your KYC has expired and your account will be blocked by end of day if you do not ‘verify’ immediately.
They send you a link. Or an APK file on WhatsApp. Or they ask you to share the OTP you just received ‘to complete verification on our side’.
The next hour decides whether you lose ₹50,000, ₹5 lakh, or your entire savings.
This is the KYC and account-block scam, the single largest impersonation fraud category in India through 2024 and 2025. RBI, the Indian Cyber Crime Coordination Centre, and the Press Information Bureau have all issued repeated public warnings. The script keeps working because the threat (losing access to your bank account today) is more frightening than the small effort of clicking a link.
Here is how it works, how to spot it, and what to do if you already clicked.
How big is this scam in India
The 1930 national cybercrime helpline operated by the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs receives tens of thousands of complaints every month. KYC, account block, and bank customer service impersonations together form the largest bucket.
In responses to Parliament in 2024 and 2025, MHA has highlighted the Citizen Financial Cyber Fraud Reporting and Management System as having saved over ₹3,400 crore across nearly 10 lakh complaints (PIB release).
The Department of Telecom’s Sanchar Saathi portal disabled 16.97 lakh WhatsApp accounts and terminated over 3 crore fraud mobile connections in 2025 alone (Business Standard), a significant share used in KYC and account-block frauds.
Every bank’s customers have been targeted. SBI, HDFC, ICICI, Axis, Kotak, PNB, Canara, regional rural banks, and small finance banks have all been impersonated.
A real Indian case
In August 2024, a 47 year old IT employee in Bengaluru received an SMS: her HDFC Bank net banking would be blocked the next day if KYC was not updated. She clicked, landed on a page that looked almost identical to HDFC’s real login page, and entered her customer ID and password.
A few minutes later, a person claiming to be from HDFC’s KYC team called and said the system needed one OTP to ‘complete verification’. She shared the OTP. Within 20 minutes, ₹2.78 lakh was debited across three transactions to UPI mule accounts and one international card. She froze the account after the fourth alert.
She filed at cybercrime.gov.in, called 1930, and the I4C lien process froze about ₹1.1 lakh in the mule chain. The remaining ₹1.6 lakh has not been recovered.
Similar cases have been reported across Mumbai, Delhi NCR, Hyderabad, Chennai, Kolkata, Pune, Ahmedabad, and dozens of tier 2 cities, covered by The Hindu, Business Today, Times of India, Hindustan Times, and Indian Express. The brand changes (the bank name, sometimes RBI or UIDAI or Income Tax) but the playbook does not.
How the KYC and account block scam works, step by step
Step 1. A call, SMS, or WhatsApp message arrives. Urgent: ‘Your bank account will be blocked today unless KYC is updated.’ Or: ‘Your PAN will be deactivated by midnight.’ Or: ‘Aadhaar suspended due to mismatch.’
Step 2. The sender is a personal 10 digit mobile number or a random WhatsApp business profile, not your bank’s registered branded sender ID (VM-HDFCBK, VK-SBIINB, AD-ICICIB, etc.) on TRAI’s DLT registry.
Step 3. The link goes to a near perfect replica of your bank’s login or KYC page. The URL has one or two characters changed (hdfcbank-kyc.live instead of hdfcbank.com, sbi-verify.in.com instead of sbi.co.in). The page looks identical because the attacker cloned the public HTML.
Step 4. You enter customer ID, password, debit card number, CVV, ATM PIN, or net banking password. The page submits the data to the attacker.
Step 5. The attacker initiates a transaction from their side. Your phone gets an OTP. Either you enter it on the fake page, or a ‘customer care executive’ calls and asks you to read it out ‘to confirm verification’.
Step 6. Money leaves your account through UPI to mule accounts in mid tier banks, payment gateway abuses, or international card transactions, engineered to be hard to reverse.
There is a parallel APK variant. The scammer sends an Android app file on WhatsApp, claims it is the bank’s ‘KYC update tool’, and asks you to install it. The APK requests SMS, accessibility, and overlay permissions. Once installed, every OTP is intercepted, fake banking screens are drawn on top of your real apps, and the attacker drains the account silently. This variant is harder to detect because there is no OTP for you to share consciously.
Real bank KYC vs the scam
| What it is | Real bank KYC | KYC scam |
|---|---|---|
| Sender | Registered branded sender ID (VM-HDFCBK, VK-SBIINB) on TRAI DLT | Personal 10 digit mobile or random WhatsApp profile |
| Timing | Advance notice, weeks ahead, repeated reminders | Same day, ‘today only’ threat |
| Channel | Bank app notifications, registered email, branch, branded SMS | Random SMS, WhatsApp link, unsolicited call |
| OTP ask | Real banks NEVER ask you to share an OTP | Scammer asks you to read out the OTP ‘to complete verification’ |
| Payment ask | Real KYC is free | ‘Small verification charge’, or account drain after OTP shared |
| App distribution | Only on Play Store and App Store, linked from bank’s official site | APK file sent through WhatsApp or downloaded from SMS link |
| Verification path | Bank app, branch, number on the back of your card | Scammer wants you to verify only via their call or link |
If the message fails any one check, treat it as fraud.
7 red flags to spot the KYC and account block scam
1. The deadline is today
Real KYC, real PAN updates, real Aadhaar updates do not happen on a same day deadline. Banks give weeks of notice. UIDAI runs through Aadhaar Seva Kendras with appointments. Income Tax uses the e-filing portal. ‘Today only’ is a scam tell.
2. The sender is a personal mobile number
A 10 digit personal number is never a real bank. Banks use registered branded short IDs on TRAI’s DLT registry: VM-, AD-, JD-, JX-, VK-, etc. If the From field looks like a normal phone, it is fraud.
3. The caller asks for an OTP
This is the universal hard tell. No real bank ever asks you to share an OTP. Not for verification. Not to fix a problem. The OTP is for you alone. If anyone asks for it, hang up.
4. The link domain is a lookalike, not the bank’s official domain
HDFC Bank is hdfcbank.com. SBI is sbi.co.in. ICICI is icicibank.com. Axis is axisbank.com. Anything else (hdfcbank-kyc.live, sbi-verify.online, icici-customercare.in.com) is fake. Tap and hold to preview the URL before clicking.
5. You are asked to install an app from a link
Bank apps live only on the Play Store and App Store. No bank sends an APK file through SMS or WhatsApp. If the link downloads a .apk file, it is malware.
6. The call mentions RBI, UIDAI, or Income Tax demanding urgent action
None of these institutions call individual citizens directly to demand same day account blocks. RBI works through banks. UIDAI runs Aadhaar updates through Aadhaar Seva Kendras and the myAadhaar portal. Income Tax uses the e-filing portal and registered email.
7. There is a small ‘verification fee’ or ‘reactivation charge’
No real KYC update charges you a fee. Banks bear KYC costs. UIDAI’s basic Aadhaar download is free. Income Tax has no PAN reactivation fee paid through a phone call.
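The sender, link, and APK checks from red flags 2, 4, and 5 can be automated for triage of a reported message. The Python below is an added example, not part of the original guide. The names `triage` and `host_is_official` and the sample messages are constructed for illustration, and the sender check tests only the shape of a branded header, not its DLT registration.

```python
import re
from urllib.parse import urlsplit

# Official domains exactly as listed in the article (red flag 4).
OFFICIAL_DOMAINS = {"hdfcbank.com", "sbi.co.in", "icicibank.com", "axisbank.com"}
# Assumption: brand tokens derived from those domains, used only to word the finding.
BRAND_TOKENS = ("hdfc", "sbi", "icici", "axis")
# Shape of a branded header such as VM-HDFCBK. A match shows the format only;
# it does not prove the header is registered on TRAI's DLT registry.
BRANDED_SENDER = re.compile(r"^[A-Z]{2}-[A-Z0-9]{3,9}$")
# 10 digit Indian mobile number, optionally prefixed with +91, 91 or 0.
PERSONAL_NUMBER = re.compile(r"^(?:\+?91|0)?[6-9]\d{9}$")
# Assumption: links in the message carry an explicit http(s) scheme.
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)


def host_is_official(host):
    """True only for an official domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage(sender, text):
    """Return the red flags (numbered as in the article) a message trips."""
    flags = []
    if PERSONAL_NUMBER.match(re.sub(r"[\s()-]", "", sender)):
        flags.append("2: sender is a personal mobile number")
    elif not BRANDED_SENDER.match(sender.strip().upper()):
        flags.append("2: sender is not a branded sender ID")
    for url in URL_RE.findall(text):
        parts = urlsplit(url.rstrip(".,)"))
        host = (parts.hostname or "").lower()
        if not host_is_official(host):
            brand = next((b for b in BRAND_TOKENS if b in host), None)
            kind = f"a lookalike using '{brand}'" if brand else "not a listed bank domain"
            flags.append(f"4: {host} is {kind}")
        if parts.path.lower().endswith(".apk"):
            flags.append("5: link downloads an .apk file")
    return flags


# Constructed sample messages; the domains are the lookalikes quoted in the article.
SAMPLES = [
    ("+91 90000 00000", "Account blocked today. Update KYC: http://hdfcbank-kyc.live/update"),
    ("KYC Support", "Install the KYC tool: https://sbi-verify.online/kyc.apk"),
    ("VM-HDFCBK", "Your statement is ready at https://www.hdfcbank.com/"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, "->", triage(sender, text) or "no red flags from sender or link")
```

The host comparison is an exact match or a dot-bounded suffix match, so a name that merely contains the bank's brand is never accepted as official.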
RBI’s actual KYC policy in plain language
RBI’s Master Direction on KYC (last updated through 2025) lays out the rules. Three things matter.
One: KYC is a periodic, scheduled process, not an urgent same-day demand. RBI’s risk-based approach requires re-KYC every 2, 8, or 10 years depending on risk category. Banks notify you in advance through registered channels.
Two: KYC can be done through multiple safe channels. Branch visit. Video based KYC (V-CIP) inside your bank’s official app. Aadhaar OTP based e-KYC. Central KYC Records Registry (CKYCR) updates. None involve clicking SMS links or sharing OTPs.
Three: RBI’s 2024 simplification means fresh KYC is often not required. If the bank already has your full KYC and no material change, periodic updation can be a simple declaration.
For real KYC status, log in to your bank’s app or visit a branch. For escalation, RBI’s Sachet portal at sachet.rbi.org.in is the official complaint channel.
What to do if you got the call or SMS but did not click
Do nothing about the message. Do not call the number. Do not click the link. Do not share any information.
Verify your actual KYC status through an official channel.
- Open your bank’s official app (only from Play Store or App Store). Most show KYC status in the profile section.
- Call the bank’s customer care number on the back of your debit card, not the number in the SMS or call.
- Visit your branch with Aadhaar and PAN.
Once confirmed, report the fraud message to Chakshu at sancharsaathi.gov.in/sfc. TRAI’s 2025 amendment lowers the action threshold to 5 complaints in 10 days for sender takedown.
What to do if you already shared OTP, clicked the link, or installed the app
Move fast. The first 60 minutes decide how much you can save.
Step 1, within 5 minutes
If you installed an APK, switch the phone to airplane mode immediately. This cuts the malware off from sending OTPs out. If you clicked a link and entered data, close the browser. If you shared an OTP, hang up.
Step 2, within 10 minutes
Call your bank’s 24x7 fraud helpline (printed on the back of your debit card). Block your debit and credit cards. Freeze net banking. Freeze UPI. Ask the bank to flag pending and recent transactions for reversal under RBI’s limited liability framework.
Step 3, within 30 minutes
Call 1930. State that you shared an OTP or clicked a KYC verification link. Note the complaint number.
Step 4, within 60 minutes
File the complaint online at cybercrime.gov.in. Upload screenshots of the SMS or call log, link clicked, transaction reference numbers, and bank confirmation of card or UPI block. The first hour gives I4C its best window to place a lien on mule accounts.
Step 5, same day
Report the sender to Chakshu at sancharsaathi.gov.in/sfc.
Step 6, within 24 hours
If you installed an APK, with the SIM removed and phone in airplane mode, back up essential files through a trusted laptop, then factory reset. Reinstall only from the official store. Change every banking password and UPI PIN from a clean device first.
Step 7, within 3 working days
File a written complaint at your bank branch with the cybercrime.gov.in acknowledgement number. Under RBI’s Limited Liability circular (July 2017), reporting within 3 working days significantly limits your liability. The earlier, the better.
Step 8
WhatsApp +91 99644 43350 for help walking through the steps. Free.
What we do at Cybersecify on this scam
Cybersecify is a Bengaluru based cybersecurity company. When you send us a KYC scam screenshot, we decode the URL or APK, cross check the sender against TRAI’s DLT registry, walk you through cybercrime.gov.in, 1930, and Chakshu reporting, and tell you whether to block, ignore, or escalate. Free.
We do not ask for bank details, card numbers, OTPs, or UPI PIN. We verify.
Frequently asked questions
Will my bank really block my account today if I do not click this link?
No. No bank in India blocks a working account on the same day through a call, SMS, or WhatsApp link demanding immediate KYC. RBI’s Master Direction on KYC makes re-verification scheduled. Banks contact you through registered channels in advance. Same day panic demands are scams.
Will RBI, UIDAI, or Income Tax ever call me to block my account, PAN, or Aadhaar?
No. RBI does not deal with individual customers directly. UIDAI does not call citizens. Income Tax does not call to block PAN. All three communicate through official websites, registered post, official email domains, and in-app notifications. A caller claiming otherwise is impersonating the institution.
I shared my OTP with the caller. What do I do in the next hour?
Hang up. Call your bank’s 24x7 fraud helpline. Block cards, freeze UPI, freeze net banking. Change passwords and UPI PIN from a clean device. Call 1930. File at cybercrime.gov.in. Report to Chakshu. WhatsApp +91 99644 43350 if you want help.
I installed an app the caller sent me. Is my phone compromised?
Yes. Switch to airplane mode, remove SIM, back up essential files through a trusted laptop, factory reset, reinstall only from the official store. Change every banking password and UPI PIN from a different, clean device first. Then file at cybercrime.gov.in and call 1930.
How do I do a real KYC update safely?
Walk into your bank branch with Aadhaar, PAN, and address proof. Use your bank’s official app for Video based KYC. Or use the re-KYC option on the bank’s official website or in its app. Never share KYC, OTP, card numbers, PIN, or biometrics through a call, SMS link, or WhatsApp-shared app.
Save these numbers now
Save them before you need them. During a panic call from ‘your bank’, you will not have time to search.
- Cybersecify free verification WhatsApp: +91 99644 43350
- 1930 national cybercrime helpline (24x7)
- cybercrime.gov.in to file the complaint
- sancharsaathi.gov.in/sfc to report the fraud sender
- sachet.rbi.org.in to report unauthorised entities to RBI
- Your bank’s fraud helpline (printed on the back of your debit card)
A note from us
The KYC scam is engineered for the way most of us bank. Quick logins. OTP based authentication. Trust in branded SMS senders we have stopped reading carefully. Scammers drop urgency and authority into the exact mental gap where you stop questioning.
You are not careless if this catches you. Two habits protect you across every variant. First, no OTP ever leaves your phone for any human, ever. Second, every ‘urgent same day’ bank message gets verified by calling the number on the back of your card.
Save the numbers above. Forward this article to your parents and any relative who banks digitally.
Disclaimer: This guide is for public awareness only. Cyber Secify is an independent cybersecurity consultancy and is not affiliated with or endorsed by RBI, UIDAI, the Income Tax department, any bank, or any government agency. Verification is best effort guidance, not legal or law enforcement advice. For emergencies or legal reporting, always contact official authorities at 1930 and cybercrime.gov.in.