Grahak Mitra

KYC-update and OTP scams: how to spot them and what to do (India)

Last updated: 2026-07-10

A message that says "your KYC will expire", "update KYC or your account will be blocked", with a link to click — or anyone, on any call, asking for your OTP — is a scam.

A bank never asks you for your OTP, PIN, CVV, or full card number, and never sends you a link to "update KYC". Do not click the link. Do not share the code. If you are unsure whether a KYC step is genuine, do it yourself through your bank's own app or branch — never through a link someone sent you.

The one rule

Your OTP is a key to your money. Anyone who asks for it — "bank officer", "KYC team", "electricity office", anyone — is trying to take your money, not protect it. There is no genuine reason to read your OTP aloud to another person.

Never install an app or APK sent to you by SMS, WhatsApp, or a link. A fake app can silently read the OTPs that arrive on your phone — your money can go even if you never read a code aloud.

Real bank vs the scam

What happensA real bankThe scam
OTP / PIN / cardNever asks for your OTP, PIN, CVV or full card number.Asks for exactly these "to verify" or "to update KYC".
KYC updatesDone in your bank's own app or in a branch, never via a link in an SMS or WhatsApp.Sends a link and says "update now or your account is blocked today".
DeadlineGives reasonable notice through official channels.Threatens the account will be blocked within hours to rush you.
AppsNever asks you to install AnyDesk or any screen-sharing app.Asks you to install an app or open a short link so it can watch your screen.
Staying on the callNever asks you to keep a call going while you transact.Stays on the line and walks you through entering codes.

If you shared an OTP and money left

Act fast — the sooner you report, the better the chance that 1930 and your bank can freeze the money before it's withdrawn. Because you shared the code yourself, a bank may treat the transfer as authorised and decline to refund it, so recovery is not assured — but fast reporting is still your best chance.

  1. Call 1930 and report the fraud; note the reference number.
  2. File at cybercrime.gov.in to create the official record.
  3. Tell your bank immediately — ask them to flag the transaction as unauthorised and block further debits, and change your PIN and passwords.

Beware a second scam: the only ways to report are 1930, cybercrime.gov.in, and your own bank. Anyone who phones or messages offering to recover your lost money for a fee — a "recovery agent", "refund officer", or fake "cyber cell" — is a fresh fraud. Never pay to get your money back.

The full first-hour steps are here: UPI fraud — what to do in the first hour.

If the bank does not help

Keep every complaint acknowledgement number. If your bank does not resolve the matter within a reasonable time, you can escalate to the RBI Ombudsman (cms.rbi.org.in) and seek redress through the National Consumer Helpline (1915). All of these are linked below so you can act directly.

Was this helpful? (anonymous — no sign-up, nothing stored about you)

Official sources (verify everything here — and you can act directly through them)