First72
Sign in

OTP and phishing compromise

A fake bank message, a KYC update link, or a delivery confirmation collects your OTP or credentials. The debit happens within seconds of entry.

Last reviewed: 1 October 2025

What it is

An OTP or phishing compromise occurs when you enter a one-time password, your debit card details, or your net banking credentials into a webpage or form that appeared legitimate but was controlled by an attacker. Within seconds of entry, money is debited from your account — usually by an immediate UPI transfer or a card transaction.

The trigger is almost always a message that creates urgency: your account is about to be suspended, your KYC is expiring, a parcel needs to be confirmed, a payment has failed. The link in the message leads to a page that looks exactly like your bank's website, your UPI app's portal, or a known delivery platform.

The OTP you receive is real. It is generated by your bank. But the transaction it authorises is one the attacker set up — not the "login verification" or "KYC update" you believed you were completing.

Common delivery methods

Phishing attempts reach victims through several channels. The message is tailored to the channel:

SMS. Appears to come from your bank's sender ID. Warns of account suspension, failed KYC, or a suspicious login. Contains a shortened link.

WhatsApp. Often appears to come from a known number (compromised contact) or an official-looking business account. May include a screenshot of a bank notification to appear credible.

Email. Uses a domain that closely resembles a known institution — "sbi-support.in," "hdfcalert.net." The visual design is often copied precisely from the legitimate site.

Voice call followed by SMS. A caller identifies a problem with your account and sends an OTP "for verification." The OTP is for a transaction the caller has already initiated.

The signs you were targeted

  • You clicked a link in a message and entered your account number, debit card number, or net banking credentials
  • You received an OTP you did not request and entered it at someone's instruction or on a linked page
  • Money was debited within seconds of entering the OTP or your credentials
  • The link in the message had a domain that was similar to but not identical to your bank's official domain
  • Your bank sent an OTP for a transaction you do not recognise

What to do in the first 12 hours

  1. Call your bank's 24/7 fraud helpline and ask them to block your account or the affected card immediately.
  2. Call 1930 — the National Cybercrime Helpline.
  3. Change your net banking password and debit card PIN from a separate, uncompromised device.
  4. Do not click any further links from the same sender, including "recovery" links.
  5. Save the original message. Screenshot the SMS, email, or WhatsApp message including the sender details and the link (without clicking it again).

What to do in the first 72 hours

The RBI customer-liability framework distinguishes between negligence and third-party fraud. If you entered your credentials on a phishing page without knowingly sharing your OTP with a third party who asked for it verbally, the classification of the fraud matters significantly for your complaint.

A formal written complaint to your bank within three working days of discovery is required to preserve your rights under the framework. The complaint must correctly characterise the fraud as phishing — distinguishing it from a case where the victim verbally shared credentials — and must cite the relevant RBI circular.

File a cybercrime portal complaint at cybercrime.gov.in in parallel. Retain the acknowledgement number.

When the bank denies you

The most common denial is "Authorised but Unintended" (AbU) — the bank's position that the OTP was entered voluntarily. Phishing cases are specifically addressed in the RBI's customer-liability framework, and a correctly drafted complaint makes this argument directly.

If the bank does not respond substantively within 30 days of your complaint, the matter is escalatable to the RBI Ombudsman. The Ombudsman process is free and does not require a lawyer.

What First72 does for you

The triage takes five minutes. It determines your fraud type, your window status, and what you need to file. If your case is eligible, we draft the complete complaint package within four hours.

Start the free triage

Or talk to us — +91 72000 72000 · help@first72.in

Inside the 72-hour window?

Start the free triage. It takes five minutes, establishes your fraud type and window status, and tells you exactly what to file.

Start free triage