Pause, Verify, Then Act: 3 Rules Against Indian Scams

Every cyber scam in India works the same way underneath the costume: urgency to bypass your thinking, a fake channel to deliver the lie, and an action to complete the loss before you can check. Three rules defend against all of it. Pause, because urgency is the scam. Verify, on a channel you already trust, not the one that contacted you. Then act. This post applies the rule to every scam category we have written about, and a few we have not yet. Save it. Send it to your parents.

Who this is for

Anyone in India with a phone. The 3-rule framework is intentionally simple so it works for your mother who got a call from “Mumbai Police,” your 22-year-old cousin who is being pressured by a fake recruiter, your CFO who just received a WhatsApp message from your “CEO,” and yourself, when you are tired and a notification flashes and you nearly tap “Approve.”

We wrote this as the entry point to our scam awareness library. Every other guide goes deeper into a specific category. This one is the pattern that ties them all together.

Why these three rules cover everything

Cyber fraud in India has hundreds of variants and one underlying script. The variants are the surface: digital arrest, courier parcel, fake KYC, electricity bill, sextortion, fake job offer, WhatsApp APK, UPI QR fraud, SIM swap, AI voice cloning. The script is the same:

1. Make the victim feel urgent (fear, greed, panic, love, authority pressure)
2. Make the channel look legitimate (spoofed caller ID, real-looking PDF, AI-cloned voice, government logo)
3. Get the victim to act before they think (transfer money, share OTP, install APK, open a link)

If you break step 1, you break the script. Step 2 cannot work without step 1, because a calm person checks the channel. Step 3 cannot happen without step 1 and 2, because verification kills the action.

The 3 rules map directly to the 3 stages of the script. Pause breaks urgency. Verify breaks the fake channel. Act on verified information removes the scammer from the loop.

India lost INR 22,495 crore to cyber fraud in 2025, per Parliament and MHA data. Most of those losses came down to the victim acting before they paused. Even when the scam was sophisticated, the failure point was almost always speed. The 3 rules are the slowest and most boring defence we have, which is exactly why they work.

Rule 1: Pause

Pause is the most underrated defence in cybersecurity. It is also the one your nervous system fights hardest against.

Why urgency is the scammer’s weapon

When you are urgent, you stop reasoning. The amygdala takes over from the prefrontal cortex. You react instead of think. Scammers know this. The entire script is designed to keep you in a state where you cannot pause.

The urgency pressures are deliberately varied so something lands on every personality type:

• Fear of consequences: “You are under arrest.” “Your account will be frozen.” “A case has been filed against you.” “Your daughter has been kidnapped.”
• Fear of loss: “Your money will be deducted in 5 minutes.” “Your account will be blocked at midnight.” “Your reward expires in 1 hour.”
• Greed: “You have won INR 10 lakh.” “Limited slots, claim now.” “Investment doubles in 30 days.”
• Pity: “I am stuck at the airport, please send money.” “My phone is broken, this is my new number.”
• Authority: “I am calling from RBI, ED, CBI, your bank, your CEO.”
• Embarrassment: “We have your photos.” “You watched something on a recorded site.” “Pay or we send to your family.”

The pressure is always wrapped in a deadline. Minutes, hours, “right now.” Real institutions almost never operate this way for individual cases. Real banks send you 14 days of reminder SMS before any action. Real police walk into your house. Real couriers leave a slip. Real friends do not change their phone number without a heads-up.

If the contact creates a sense of “I have to act in the next 10 minutes or something terrible happens,” that feeling itself is the red flag. Not the content. The feeling.

What pause actually looks like

Pause is not abstract. It is a physical action. Practice these:

• Put the phone down on the table, face up, sound on
• Stand up, walk to another room, get a glass of water
• Talk to one person who is not on the call. Spouse, parent, friend, colleague. Out loud, in their physical presence if possible
• Read the message out loud, slowly, twice. Watch for the urgency words
• Set a 10-minute timer. Do nothing related to the message until the timer ends
• If it is the middle of the night, sleep on it. Real emergencies still exist at 7 AM. Fake ones disappear

The scammer cannot survive a 10-minute pause. Their script needs you continuously activated. The moment you step away, you start to think. The moment you start to think, the script breaks.

What if it feels rude or risky to pause?

Real banks, real police, real couriers, real bosses, real family members all understand a 10-minute pause. If anyone gets angry that you want to verify, that anger itself is the scam tell. A real bank manager has been trained to handle “I want to verify, let me call you back on the official number.” A real police officer will tell you their station and let you call back on 100 or 112. A real boss who is asking for a wire transfer will not blow up because you want to confirm on a quick video call.

The only people who push back on a pause are the people who cannot survive one.

Rule 2: Verify, on a known channel

After the pause, the next move is to confirm the message through a channel that was never controlled by the suspect contact.

What “known channel” means

A known channel is one of these:

• The phone number on the back of your debit card (printed before any scam happened)
• The official app of the bank, installed from Play Store or App Store, opened directly by you
• The website of the institution, typed into the browser yourself, not clicked from a link
• The saved contact number of your family member, your boss, your friend (from before this incident)
• The physical branch of the bank or the local police station
• The official helpline numbers: 1930 for cybercrime, 100 or 112 for emergency, 1800-11-4000 for RBI Sachet

A known channel is not:

• The number that just called you
• A number sent in the suspicious SMS or WhatsApp message
• The link in the suspicious email
• The phone number that appears at the top of a Google search ad (sponsored results are routinely scam-controlled)
• The “official” support contact in a screenshot the scammer sent you
• A “new number” message from a family member, even if it sounds like them
• The QR code printed on the paper handed to you (verify the underlying URL first)

The verification path always goes through something you already trusted, not something the suspicious contact provided.

Worked examples

Bank called you. Hang up. Pick up your debit card. Read the customer service number off the back. Call that number. Ask whether the previous call was real. If they say no, file with 1930.

KYC update message. Open your bank’s official app directly. Check the notifications and messages section. If there is no KYC alert in the app, there is no KYC requirement. Do not click any link in the message. We cover this category in KYC and account block scams.

Police called you. Hang up. Dial 100 or 112 or the local police station number from the official police website. Ask whether the call was real. Real police do not arrest over video calls. Read the full digital arrest scam guide and got a call from police post.

Family member messages from a new number. Do not respond to the new number. Open your contacts. Video call them on their saved number. If unreachable, call a sibling or parent on their saved number. If the original number is unreachable for a long time, the family member may have lost their phone, which is a real situation, but verification still goes through someone you trust, not the new number itself. If voice is involved, read our AI voice cloning post.

Recruiter contacted you. Search for the company on LinkedIn. Visit the company website directly. Call the company’s HR via the official number. Check whether the recruiter is actually employed there. Look up the role on the company’s careers page. Cross-reference our fake recruiter Trifleck malware and fake job offer scam posts.

CEO or boss messages you on WhatsApp for an urgent transfer. Call them on their saved number. Walk to their cabin if they are in office. Confirm in person or on the known channel before any transfer. Cover this with the WhatsApp boss impersonation post.

Courier parcel notification. Open the courier company’s official app or website. Search for your tracking number. If the company is “FedEx” but no tracking number was given in the SMS, that is the red flag itself. Do not click the link.

Investment opportunity from a friend. Verify the platform on the SEBI website. Real Indian investment products are SEBI registered. WhatsApp groups offering 30% returns in 30 days are not real. We cover the long-form grooming pattern in pig butchering investment scams.

Loan recovery harassment. Real RBI-licensed lenders do not threaten family members or morph photos. Check the lender on the RBI Sachet portal. Read our fake loan apps deep dive.

SMS from an unknown sender with a link. Do not click. Verify the claimed institution through its real app or website. Read the SMS scam cluster post for the full taxonomy.

The pattern is the same in every case. Use a channel you already trusted before this contact happened. The verification step kills the scam regardless of how good the script is.

When verification takes time

Some verifications are slow. The bank fraud line has a queue. The police station does not answer the first ring. The family member is in a meeting.

The right move when verification is slow is to wait, not to act. The cost of waiting is at most an inconvenience. The cost of acting without verification is the entire loss.

If the matter is genuinely urgent in your judgment, escalate the verification: walk to the bank branch, dial 100 or 112, video call multiple family members, contact the institution’s social media account from a verified handle. Multiple slow paths in parallel beat one fast unverified path.

Rule 3: Then act

After pause and verify, the action is usually obvious. Either the contact was real (act on the verified channel, not on the suspicious one) or it was fake (report and protect).

If the contact was real

Continue through the verified channel only. Never go back to the original suspicious contact. If your bank really did call about a transaction, complete it through the bank’s app, not by transferring money to a number the caller gave you. If your boss really did need an urgent transfer, walk to their office or call them on the saved number and confirm the destination account in person.

The original contact, even if it turns out to be real, should be considered compromised. Treat the verified channel as the only valid one going forward.

If the contact was fake

The 4-step response is exactly what we lay out in the first hour after cyber fraud post. In order:

1. Call 1930 (national cybercrime helpline, 24/7)
2. Call your bank’s fraud line for any debit freeze or chargeback
3. File the formal complaint at cybercrime.gov.in within 24 hours
4. Preserve all evidence (do not delete, do not uninstall, do not factory reset)

Even if no money moved, still report. The complaint feeds the I4C database that gets used to trace mule accounts in other people’s cases.

Apply the rule to specific scam patterns

Here are 8 patterns where Pause, Verify, Then Act stops the scam cold. Each one cross-links to a deeper guide.

Pattern 1: Digital arrest call

The script: caller claims CBI, ED, NCB, Mumbai Police. Says a parcel or SIM in your name was used in a crime. Pushes you to a Skype or WhatsApp video call with a fake officer in uniform. Demands you stay on continuous video while you transfer “verification deposits” to clear your name.

Rule applied:

• Pause: Hang up. There is no Indian law that allows arrest over video. The continuous-video demand is the script itself.
• Verify: Dial 100 or 112. Call the actual local police station. Talk to family.
• Then act: Call 1930 and file at cybercrime.gov.in.

Deep dive: How to spot a digital arrest scam in 2026.

Pattern 2: Fake KYC block or account freeze

The script: SMS or WhatsApp says your bank account, PAN, or Aadhaar will be blocked unless you complete KYC in the next 24 hours. Click this link. Install this APK. Share this OTP.

Rule applied:

• Pause: Real banks send 14 days of multi-channel reminders, not a 24-hour panic SMS.
• Verify: Open your bank’s real app directly. Check for KYC alerts. There almost never is one. If there is, the app guides you through the in-app process, not via an external link.
• Then act: Delete the message, report the sender via the official bank channel, file with 1930 if you clicked anything.

Deep dive: KYC and account block scams.

Pattern 3: WhatsApp message from a “family member” on a new number

The script: a message arrives on WhatsApp from a “+91” number saying “Hi, this is mom/dad/cousin, I lost my phone, this is my new number, please send INR 25,000 urgently.” Sometimes followed by an AI-generated voice note that sounds like the family member.

Rule applied:

• Pause: Real family members are reachable on their existing number. Even if their phone broke, someone else in the family can confirm.
• Verify: Video call the saved number. If unreachable, call a sibling, parent, or close friend on their saved number to confirm whether the family member actually lost their phone.
• Then act: Block the new number. Report to 1930. Warn your family group.

Deep dive: AI voice cloning scam.

Pattern 4: WhatsApp APK or “movie HD” file

The script: someone shares an APK file (or a “WhatsApp Gold,” “WhatsApp Plus,” “free movie HD,” or “voter verification app”) via WhatsApp. Or you receive a screenshot urging you to install a specific app to claim a benefit.

Rule applied:

• Pause: APK files outside the Play Store almost always carry spyware or banking trojans.
• Verify: Search the app on the Play Store directly. Check the publisher. If the legitimate publisher exists, install from Play Store, not from the shared file.
• Then act: Delete the APK. If installed, switch off mobile data, do not factory reset (preserve evidence), get the phone to a trusted technician.

Deep dive: WhatsApp APK malicious app scam.

Pattern 5: Sextortion call or message

The script: a video call from a stranger, often a woman, who appears partially undressed. Recording starts immediately. The video is then used to extort money under the threat of sharing with family or social media contacts.

Rule applied:

• Pause: Do not engage further. Do not pay. Payment never stops the demand.
• Verify: Verification here is not about the caller (assume the threat is real for the purpose of response). It is about the right response channel. Cybercrime.gov.in has a specific sextortion category. 1930 routes these.
• Then act: Preserve the video and chat as evidence. File on cybercrime.gov.in immediately. Use the platform’s report and takedown channel.

Deep dive: Sextortion scam: first-hour response.

Pattern 6: Fake recruiter with malicious test

The script: a recruiter contacts you on LinkedIn or email about a job at a real company. Sends a “technical test” that is actually a malicious script (Trifleck, Blockstar, or similar) that exfiltrates browser data, crypto wallets, and saved credentials.

Rule applied:

• Pause: Real technical tests come from the company’s HR systems, not from a random script in a zip file or a “run this command” instruction.
• Verify: Check the recruiter on LinkedIn against the company’s official employee list. Call the company HR via the official number. Look up the role on the company careers page.
• Then act: If you ran the script, switch off Wi-Fi, change all passwords on a different device, file with 1930.

Deep dive: Fake recruiter Trifleck malware in India 2026.

Pattern 7: Electricity bill cut-off SMS

The script: SMS or WhatsApp from “BESCOM,” “BSES,” “MSEB,” or your state discom claiming your electricity will be cut at 9 PM tonight unless you call a given number or pay immediately.

Rule applied:

• Pause: Real discoms do not threaten same-day cuts via SMS. They follow a multi-week notice process.
• Verify: Open your discom’s official app or website. Check your latest bill and dues. Call the official customer service number printed on a past bill.
• Then act: Delete the SMS. Report to 1930 if you called the fraud number or shared any details.

Deep dive: Electricity bill scam India.

Pattern 8: Boss or CEO WhatsApp asking for urgent wire

The script: a WhatsApp message from a new number, claiming to be your CEO or finance head, asking for an urgent vendor wire or gift card purchase. Sometimes uses the executive’s profile photo. Sometimes followed by an AI-generated voice note.

Rule applied:

• Pause: Real CEOs almost never request wires via WhatsApp from a new number.
• Verify: Call the executive on their saved number. Walk to their cabin. Confirm in your finance team’s standard approval workflow.
• Then act: Block the number. Report internally so the rest of the team is warned. File with 1930.

Deep dive: WhatsApp boss impersonation scam. The Hyderabad ₹1.2 crore case in early 2026, reported by Telangana Today and Newsmeter, is the canonical example of how this pattern plays out at SMB scale.

When to escalate to 1930

You escalate to 1930 when:

• Money has moved (any amount, do not minimise)
• An OTP has been shared
• An APK has been installed and run
• An app has been granted permissions you did not intend
• A fake document with your details has been generated against you
• Sextortion content has been captured of you
• Anyone in your household has been threatened during a scam call

You do not need to “wait and see.” The earlier the 1930 call happens, the higher the fund recovery odds. The freeze window is measured in hours, not days.

For the full first-hour response with the 4-step process in detail, read The First Hour After Cyber Fraud in India.

Teach the rule to your family

The 3 rules work because they are simple enough to remember under pressure. The most useful version is the one your parents and your kids can recite without thinking.

Write these three lines on a sticky note next to the landline phone or on the fridge:

1. Pause. Put the phone down. Wait 10 minutes. Talk to me.
2. Verify. Call the bank or police on the number we saved. Not the number that called us.
3. Then act. Only after verification.

Send this post to your family WhatsApp group. Send it to your team. Read it out loud to your senior parents. The fastest way to inoculate someone is to walk them through the rule with a scenario they would actually face.

Got a call or message? Send it to us, we verify free

If something feels off and you want a sanity check before you act, send it to us privately.

WhatsApp / Call: +91 99644 43350

Send a screenshot, the caller number, the audio recording, whatever you have. We tell you whether it is a real contact or a scam, and what to do next. Verification is free.

What we do:

• Cross-check the contact against the real institution
• Identify the scam pattern (digital arrest, KYC, sextortion, recruiter, etc.)
• Walk you through 1930 and cybercrime.gov.in if needed
• Tell you in plain language whether to proceed, ignore, or report

What we do not do:

• Charge for verification
• Ask for OTPs, bank passwords, or UPI PINs
• Pretend to be a law enforcement agency

You only pay if you want hands-on investigation, recovery support, or ongoing security guidance beyond verification. We always tell you honestly first whether we can help.

Save these numbers now

Save these in your contacts before you ever need them:

• 1930 (National Cybercrime Helpline, 24/7)
• +91 99644 43350 (Cybersecify, free verification, 50 citizens at a time)
• 100 / 112 (Police / Emergency)
• Your bank’s fraud line (back of your debit card)
• cybercrime.gov.in (browser bookmark)

The 3 rules work in the abstract. The numbers work in the panic. You need both.

Related reading

The companion flagship posts:

• The First Hour After Cyber Fraud in India covers the response side when the scam has already worked. This post covers the prevention side.
• Your Digital Footprint Is the Scam’s Raw Material covers the upstream side: how scammers know enough about you to target you in the first place.
• The Karnataka citizen safety guide covers the state-specific umbrella of impersonation patterns across apps, ads, and calls.

Frequently asked questions

Why does the Pause, Verify, Then Act rule work for every scam?

Because every cyber scam in India shares one mechanism: it relies on urgency to bypass your thinking. Digital arrest, fake loan recovery, KYC blocks, fake bank calls, sextortion, courier parcel scams, fake job offers, electricity bill cuts. All of them push you to act within minutes. Pause breaks the urgency. Verify breaks the trust in the contacting channel. Act only on a verified channel removes the scammer from the loop. The pattern works because the script is the same even if the costume changes.

What does ‘verify on a known channel’ actually mean?

It means do not use any number, link, app, or email that came through the suspicious contact. Use a channel you already trust. If your bank called, hang up and dial the number on the back of your debit card. If KYC is the issue, log into the bank app yourself. If the police called, dial 100 or 112 or visit the station. If a family member messaged for money on a new number, video call them on their original saved number. Known channels are channels you already trusted before this contact happened.

How long should I pause for?

Long enough to talk to one person who is not on the call with you. Family member, colleague, friend. The pause itself is the defence. Scammers cannot survive even a 10-minute delay because they need you isolated and emotionally activated. Real banks, real police, real couriers can wait 10 minutes. They can wait an hour. They can wait until tomorrow. Anyone who cannot is not who they say they are.

What if the message looks completely real?

Real-looking is the point. Modern scams use real bank logos, real government letterheads, real police uniforms, AI-generated voices of real officers, spoofed caller IDs of real institutions. Verification on a known channel works precisely because it does not depend on whether the message looks real. It checks against the source itself. If the bank’s real app does not show the alert the message claims, the message is fake regardless of how convincing it looks.

When do I skip the verify step and act immediately?

Almost never. The only situations where speed beats verification are physical emergencies, fire, medical, accident, immediate threat to life. For anything financial, regulatory, legal, or digital, verification almost always costs you nothing and saves you everything. Even a verified emergency call should be cross-checked by calling 100 or 112. The cost of 5 minutes of verification is much lower than the cost of being wrong.

Can I use the rule for messages from people I know?

Yes, especially for messages from people you know. Family fraud using AI voice cloning, WhatsApp boss impersonation, friend’s hacked account, cousin asking for emergency money. These work because the contact looks familiar. Pause, then video call them on their original number. If the original number is unreachable and a ‘new number’ is the only contact, that is the red flag. Real family members and real bosses understand a 30-second verification call.

What if I already started acting and now I am suspicious?

Stop now. Do not complete the next step. Do not transfer more money to fix it. Do not give one more OTP. Do not click one more link. Call 1930 immediately. Even if money has moved, the freeze window is open for the first hour. Read our full first-hour response guide for the exact sequence.

---

Disclaimer: This guide is for public awareness only. Cyber Secify is an independent cybersecurity consultancy and is not affiliated with or endorsed by I4C, the Ministry of Home Affairs, RBI, any bank, or any government department. Verification is best effort guidance, not legal or law enforcement advice. For emergencies and legal reporting, always contact 1930 and file at cybercrime.gov.in.

Ashok Kamat Co-founder, Cybersecify