First72
Sign in

Fake KYC and account-freeze scam

A caller from 'your bank' says your account will be frozen unless you complete urgent KYC. The 'verification' steps authorise real transactions.

Last reviewed: 1 October 2025

What it is

A fake KYC scam begins with a call or message from someone claiming to represent your bank, your UPI provider, or a government regulatory body. The caller says your account is at risk of being frozen, your Aadhaar linking has failed, or your KYC needs urgent renewal. They offer to complete the process for you over the call, or direct you to a link where you can do it yourself.

The "KYC process" they guide you through is a real transaction authorisation. Each step — entering your mobile number, confirming your Aadhaar number, entering the OTP — is a step in approving a payment from your account to an account the attacker controls. By the time the call ends and the account is "verified," the money has already been debited.

Banks and regulated financial institutions do not conduct KYC by phone call, link, or message. No bank representative will ever ask for your OTP, net banking password, or UPI PIN for any reason.

How callers establish credibility

The scam relies on several credibility mechanisms that make the caller seem legitimate:

Caller ID spoofing. The call appears to come from your bank's published number or an official helpline. Technology available to attackers allows them to display any number on incoming calls.

Personal details. The caller addresses you by name, mentions your bank, and sometimes cites the last four digits of your account number. This information is available from data breaches and social engineering of front-line staff.

Urgency framing. The caller says your account will be blocked within two hours, or that a transaction has already been flagged, or that failure to complete KYC by a specific time will result in a penalty. The urgency is designed to prevent you from verifying the call's legitimacy through the bank's official channel.

Sequential steps. The "KYC process" follows a sequence that resembles real banking flows: enter your account number, confirm your registered mobile, receive an OTP, enter it. Each step is familiar, which prevents the victim from recognising that they are authorising a payment.

The signs you were targeted

  • You received a call from someone claiming to be from your bank about urgent KYC renewal or an account freeze
  • The caller asked you to enter an OTP, share your UPI PIN, or confirm your net banking credentials as part of "verification"
  • Money was debited from your account during or immediately after the call
  • When you called your bank's official number afterwards, they had no record of the call or the KYC process described

What to do in the first 12 hours

  1. Call your bank's official 24/7 fraud helpline — the number on the back of your debit card or on the bank's official website.
  2. Ask them to freeze your account or block the affected card if money has already been debited.
  3. Call 1930 — the National Cybercrime Helpline.
  4. Do not call back any number provided by the attacker. If the attacker contacts you again with a "resolution" offer, do not engage.
  5. Save all evidence. The incoming call log, any SMS messages, any links you received, and all transaction details.

What to do in the first 72 hours

File a written complaint with your bank within three working days of the incident. KYC fraud cases are frequently misclassified by banks as voluntary authorisation, so the complaint must specifically describe the sequence — the credibility mechanisms used, the instruction to enter the OTP as "KYC," and the contemporaneous debit — to position the fraud correctly under the applicable RBI customer-liability framework.

File a cybercrime portal complaint in parallel at cybercrime.gov.in with the fraudulent caller's number, any SMS content, and all transaction references.

When the bank denies you

Banks commonly use the "Authorised but Unintended" (AbU) classification to deny KYC fraud complaints, on the grounds that the victim entered the OTP. The AbU classification is contestable in cases where the authorisation was obtained through social engineering — a fraud mechanism specifically addressed in the RBI framework.

A correctly drafted complaint cites the relevant circular, establishes the social engineering chain, and formally requests review under the applicable customer protection clause. If the bank does not resolve within 30 days, the matter can be escalated to the RBI Ombudsman at no cost.

What First72 does for you

The triage takes five minutes. It establishes your fraud type, your window status, and what you need to file. If your case qualifies, we draft the complete complaint set within four hours.

Start the free triage

Or talk to us — +91 72000 72000 · help@first72.in

Inside the 72-hour window?

Start the free triage. It takes five minutes, establishes your fraud type and window status, and tells you exactly what to file.

Start free triage