Why You Must Never Share an OTP, Even With ‘Your Bank’
The one-time password sent to your phone is the last line of defence between your money and a fraudster — and it is designed to be shared with no one, not even a bank employee calling you. This guide explains why the rule is absolute.
An OTP is generated by your bank to confirm that you — the account holder — are authorising a transaction. Your bank already knows you are its customer; it has no reason to ask for your OTP. Anyone asking for it is trying to complete a transaction you did not authorise. Hang up and call your bank on its official number.
Key Takeaways
- Banks, payment apps, and telecom operators never legitimately ask for an OTP over a call or chat.
- An OTP is transaction-specific — sharing it always completes a specific action, usually a transfer or account takeover.
- Social engineering scripts are designed to make the request sound logical; the more convincing the reason, the more suspicious you should be.
- If you share an OTP and money moves, call your bank immediately and file at cybercrime.gov.in.
What an OTP Actually Is
A one-time password is a short, time-limited code your bank sends to your registered mobile to confirm a specific action — a login, a transfer, a password reset, or a new payee. Entering it is your explicit, irreversible authorisation for that action. The crucial detail: an OTP is only generated because a transaction or access attempt is already in progress. If a caller asks for your OTP, it is because they have already started something on your account and need you to unknowingly approve it.
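The behaviour described above, as an added sketch that is not from the original guide and is not any bank's actual code: a simplified model in which an OTP exists only for an action someone has already started, and whoever presents it approves exactly that action. The function names, the 180-second validity window and the three-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 180   # assumed validity window
MAX_ATTEMPTS = 3        # assumed retry limit
_pending = {}           # account id -> the one action awaiting approval


def _digest(salt, otp, action):
    # The stored value covers the code AND the action it approves.
    return hmac.new(salt, f"{otp}|{action}".encode(), hashlib.sha256).digest()


def start_action(account, action, now=None):
    """Called by whoever initiates the action; the bank cannot tell if it is you."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    _pending[account] = {
        "action": action,
        "salt": salt,
        "digest": _digest(salt, otp, action),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return otp  # a real system sends this only to the registered mobile


def submit_otp(account, otp, now=None):
    """Approves the pending action for anyone who presents the right code."""
    now = time.time() if now is None else now
    rec = _pending.get(account)
    if rec is None:
        return "rejected: no pending action"
    if now > rec["expires"]:
        del _pending[account]
        return "rejected: expired"
    rec["attempts"] += 1
    if not hmac.compare_digest(rec["digest"], _digest(rec["salt"], otp, rec["action"])):
        if rec["attempts"] >= MAX_ATTEMPTS:
            del _pending[account]
        return "rejected: wrong code"
    del _pending[account]  # single use: the same code cannot approve anything else
    return f"authorised: {rec['action']}"
```

Note that `submit_otp` never learns who is typing the code: the result is always the action chosen by whoever called `start_action`, which is why reading the code to a caller approves the caller's request.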
Why ‘Even Your Bank’ Is Not an Exception
People often ask, ‘But what if it really is my bank?’ Your bank does not need your OTP to help you — its own systems generated that code. If a bank employee genuinely needed to verify you, they would ask security questions on your account, never a code sent to your phone. The Reserve Bank of India states clearly that bank employees are not authorised to ask for OTPs, PINs, or CVV. If anyone claiming to be from your bank asks, do not comply.
The Scripts Fraudsters Use
- ‘We are reversing a wrong debit and need the OTP to credit you.’ — An OTP cannot credit money; it only authorises outgoing actions.
- ‘This OTP is just to verify your KYC — it will not debit anything.’ — Entering it completes whatever transaction is pending.
- ‘Your account is compromised; share the OTP so we can block it.’ — You block an account by calling the official helpline, not by sharing an OTP.
- ‘If you don’t share it, your account will be permanently blocked.’ — Manufactured urgency. Hang up and call the bank yourself.
The SMS carrying your OTP almost always says: ‘Do not share this OTP with anyone, including bank officials.’ That line is your bank telling you, in writing, not to share the code even with its own staff. Fraudsters rely on you ignoring it under pressure.
OTPs Across Platforms
- UPI apps: OTPs authenticate device binding and PIN resets. Sharing them hands over your UPI profile.
- Telecom: an OTP for a SIM swap can give a fraudster a SIM with your number, capturing all future OTPs.
- Email and social media: login OTPs allow account takeover.
- Delivery apps: a delivery OTP shared early lets a fraudster claim your package.
What Happens After You Share One
Most fraudulent transfers are initiated within seconds. The money moves to mule accounts, and recovery requires police coordination with banks across states — success rates fall rapidly with time.
If you have shared an OTP: call your bank’s fraud helpline immediately (the number is on the back of your debit card) to block the account and reverse pending transactions, then call 1930 and file at cybercrime.gov.in. Note the caller’s number, the time, and the bank’s reference number. Speed is everything.
Protecting Yourself
- Never read an OTP aloud to anyone, in person or on a call.
- Set transaction limits on UPI and net banking to cap maximum loss.
- Turn on transaction alerts so you are notified the moment money moves.
- If you receive an OTP you did not request, treat it as a sign someone has your credentials and call your bank proactively.
- Remind elderly relatives often: ‘do not share’ means with everyone, always.
Targeted by a scam — or already lost money?
Act immediately: (1) call your bank and freeze the account · (2) call the national Cyber Crime Helpline 1930 · (3) file a complaint at cybercrime.gov.in · (4) visit your nearest police station. See our scam-awareness guide for step-by-step help.


