Cyber Kannadigas · Scam Awareness Alert

Fake KYC Update Scams: SMS and Calls Never to Trust

Fraudsters send convincing SMS messages and phone calls claiming your bank account, UPI, or wallet will be blocked unless you complete a KYC update immediately. These messages are fake — and acting on them can empty your account.

Deepa Shenoy
Scam Awareness Editor
Published April 15, 2026 · Updated April 15, 2026 · 3 min read
Quick Answer

Legitimate banks and payment apps never ask you to complete KYC by clicking a link in an SMS, installing an app sent over WhatsApp, or reading out an OTP on a call. If you receive such a message, do not click, do not call the number in it, and do not install anything. Use your bank's official branch or verified app directly.

Key Takeaways

  • RBI requires KYC updates to happen in person or through the bank's own verified channel — never via an SMS link.
  • The name 'SBI' or 'HDFC' in an SMS header does not make it genuine; sender IDs can be spoofed.
  • Installing a remote-access app such as AnyDesk as instructed by a 'KYC executive' hands over control of your phone.
  • Report fake KYC messages to 1930, and forward suspicious SMS to TRAI's spam number 1909.

    What a Fake KYC Message Looks Like

    The SMS arrives with an air of authority: ‘Dear customer, your SBI KYC is expired. Your account will be blocked within 24 hours. Update now: [link]’. The sender ID might show ‘SBI-Bank’ or ‘HDFCKYC’. The link leads to a page that looks like your bank’s login — sometimes almost pixel-perfect. Variants target UPI apps, wallets, and telecom operators too.

    The Three Common Attack Paths

    1. Phishing Link

    The link goes to a lookalike website. You are asked to enter your account number, card details, and OTP to ‘verify your identity.’ The fraudster captures these in real time and empties the account.

    2. Remote-Access App

    A caller claims to be a KYC executive and says you must install a small ‘verification app’ — often AnyDesk or TeamViewer QuickSupport. Once installed, they see your screen, read OTPs as they arrive, and initiate transfers while keeping you on the call.

    3. OTP Harvesting

    No link, no app — just a call. The fraudster has already started a login on your bank’s site; the OTP they say they are ‘sending to verify’ is a real bank OTP. Reading it out completes their login.

    Warning

    The Reserve Bank of India has repeatedly stated banks do not ask for OTPs, CVV, or full card details over calls or SMS links. No legitimate KYC process requires installing a third-party remote-access app.

    Why Fake Sender IDs Are Convincing

    India’s SMS system uses alphanumeric sender IDs. TRAI runs a DLT registration platform to control them, but fraudsters register misleading headers or spoof them before filters catch up. Seeing ‘SBI-Alerts’ is not proof of legitimacy.

    Warning Signs

    • Urgency: ‘within 24 hours,’ ‘account will be suspended.’
    • A shortened URL or a domain that is not the bank’s official one.
    • A ‘bank executive’ walks you through it rather than directing you to a branch or the official app.
    • You are asked to install any app other than the bank’s official Play Store app.
    • The caller asks for your full card number, expiry, or CVV.
    • The caller asks to enable screen sharing.
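
The warning signs above can be checked mechanically, for example in a mail or SMS gateway filter. The following is an added example, not code from the article or from any bank: the official domain `bank.example`, the shortener list, and the sample messages are constructed assumptions.

```python
import re

# Assumptions (hypothetical values, not from the article): the bank's real
# domain is "bank.example"; the shortener list is a small illustrative sample.
OFFICIAL_DOMAINS = {"bank.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

URGENCY = re.compile(r"within \d+ ?(?:hours?|hrs?)|blocked|suspended|expired|immediately", re.I)
SECRETS = re.compile(r"\b(?:otp|cvv|pin|card (?:number|no)|expiry)\b", re.I)
REMOTE = re.compile(r"anydesk|teamviewer|quicksupport|screen[- ]?shar", re.I)
HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?]\S*)?", re.I)


def is_official(host: str) -> bool:
    """Exact match or true subdomain only; 'bank.example.evil.tld' must fail."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def warning_signs(sms: str) -> list[str]:
    """Return the article's warning signs that appear in one SMS body."""
    signs = []
    if URGENCY.search(sms):
        signs.append("urgency")
    for host in HOST.findall(sms):
        host = host.lower()
        if host in SHORTENERS:
            signs.append("shortened-url")
        elif not is_official(host):
            signs.append("non-official-domain")
    if REMOTE.search(sms):
        signs.append("remote-access-app")
    if SECRETS.search(sms):
        signs.append("asks-for-secret")
    return signs


# Constructed sample messages (the first follows the wording quoted in the article).
SAMPLES = [
    "Dear customer, your SBI KYC is expired. Your account will be blocked "
    "within 24 hours. Update now: http://bank.example.kyc-update.example/login",
    "KYC pending. Install AnyDesk and share the OTP with our executive: bit.ly/kyc1",
    "Your statement for March is ready in the app or at https://www.bank.example/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(warning_signs(s), "<-", s[:50])
```

The domain check matches on the end of the hostname, so a lookalike that merely starts with the bank's name is still flagged. An empty result is not proof that a message is genuine.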

    What to do

    Delete the SMS. Do not call any number in it. If worried about your KYC, open your bank’s official app directly or call the number printed on the back of your debit card. Report the SMS to 1930 and to TRAI’s spam helpline 1909; you can also report at cybercrime.gov.in.

    What to Do if You Are Targeted

    1. Do not click any link in the message.
    2. Do not install any app the caller directs you to.
    3. Do not share your OTP, PIN, CVV, or account number.
    4. If you already entered details or shared an OTP, call your bank’s fraud helpline immediately to block the card and account.
    5. File at cybercrime.gov.in or call 1930. Report within minutes if money has moved.
    6. If you installed a remote-access app, uninstall it and change all banking passwords and UPI PINs from a different, clean device.

    Targeted by a scam — or already lost money?

    Act immediately: (1) call your bank and freeze the account · (2) call the national Cyber Crime Helpline 1930 · (3) file a complaint at cybercrime.gov.in · (4) visit your nearest police station. See our scam-awareness guide for step-by-step help.

    Deepa Shenoy is the Scam Awareness Editor at Cyber Kannadigas. A consumer-affairs journalist based in Mangaluru, she has reported on financial fraud and cybercrime across coastal Karnataka for more than nine years, and has interviewed dozens of scam victims and cybercrime investigators.

    Frequently Asked Questions

    Visit your bank's official website by typing the URL yourself, or call the number on the back of your debit card. Do not use any contact details from the message. Genuine KYC happens only through the official branch, verified app, or a video-KYC link from an official bank email.
    Yes. Alphanumeric sender IDs can be spoofed or registered deceptively. The name 'SBI-Alerts' does not guarantee the message came from the bank. Verify through official channels, not the message itself.
    Call your bank's fraud helpline immediately to block your card and place a watch on your account, then file at cybercrime.gov.in or call 1930. The faster you act, the more likely a transaction can be stopped.
    Banks do periodically require re-verification, but always through official letters, branch visits, or the bank's own app — with ample notice, never via SMS links from unknown numbers.
