Fake Aadhaar Update Website Fraud — UIDAI Verification & Recovery (2026)

“Update your Aadhaar online before 14-Jun deadline or your account will be deactivated” — these phrases, with a near-identical UIDAI logo and a near-real domain (``aadhaar-update.in``, ``uidai-update.online``), are the spine of one of India's largest identity-fraud pipelines. This page tells you exactly how to recognise the fake site, how to lock your biometric the moment you've shared anything, and how to recover under RBI / UIDAI rules.

Citizen Crisis Response Network — domain rule
The only official UIDAI domain is uidai.gov.in (and the mAadhaar app). Anything else — ``.in``, ``.online``, ``.co``, ``.help`` — is a fake.

If you suspect a fake Aadhaar-update site or have already shared OTP / biometric / mobile number: (1) immediately lock your biometrics at uidai.gov.in → My Aadhaar → Biometric Lock, (2) call 1947 (UIDAI helpline), (3) file at cybercrime.gov.in / 1930 if money has moved via AePS, (4) check the TAFCOP portal for any SIMs taken in your name, (5) freeze your bank's AePS limit, and (6) raise an Aadhaar-misuse complaint at uidai.gov.in/file-complaint. Recovery probability is highest within the first 24 hours.

• How the fake Aadhaar update scam runs
• Six red flags in 30 seconds
• The 30-minute lockdown
• Biometric lock — the single most important step
• If money was already taken via AePS
• Sample complaint to UIDAI
• What not to do
• Can compensation be claimed?
• FAQ

1. Bait — SMS / WhatsApp / email / Google ad: “Your Aadhaar will be deactivated on [date] unless you update it online. Click here.” Look-alike domain. Sometimes a “free document upload” feature.
2. Trap — Cloned UIDAI page asks for Aadhaar number, registered mobile, OTP, and “selfie + photo of original docs.” The OTP is the actual UIDAI OTP triggered against the real UIDAI service, captured live.
3. Drain — Once OTP is in attacker hands, they (a) authenticate AePS withdrawals at “merchant” agents, (b) take SIMs in your name on TAFCOP, © seed identity into mule loan applications.

The drain often happens within minutes of the OTP capture.

Citizen tip — Type ``uidai.gov.in`` directly into the address bar or open the mAadhaar app from the official Play Store / App Store. Never click any link in any message claiming to be from UIDAI.

1. Lock biometrics at uidai.gov.in → My Aadhaar → Biometric Lock (need OTP to your registered mobile)
2. Open TAFCOP (tafcop.sancharsaathi.gov.in) → flag any unknown SIM in your name
3. Pull a CIBIL report (cibil.com) → check for unknown loans / cards
4. Freeze AePS — call your bank; ask to disable AePS withdrawal on this Aadhaar
5. Call 1947 — UIDAI 24×7 helpline; note the complaint reference
6. File at cybercrime.gov.in / 1930 if money has moved
7. Email UIDAI at help@uidai.gov.in with full details + screenshots of the fake site
8. Change registered mobile at uidai.gov.in only if your SIM is in your control

UIDAI's Biometric Lock is a free service that disables AePS / fingerprint authentication entirely against your Aadhaar number. Once locked:

• No agent can debit your bank via fingerprint at any AePS terminal
• No identity verification using fingerprint is possible until you unlock it
• E-KYC for SIMs / new bank accounts also requires unlock

How to enable:

1. Open uidai.gov.in (clean browser, typed address)
2. My Aadhaar → Aadhaar Services → Lock / Unlock Biometrics
3. Enter Aadhaar + Captcha → Send OTP to registered mobile
4. Enter OTP → Lock

This is the single most important defensive measure for an Aadhaar-misuse-prone scenario. Lock by default; unlock only when you actively need fingerprint authentication (e.g., during physical bank account opening).

Warning — If your registered mobile is no longer with you, biometric lock requires a visit to an Aadhaar Seva Kendra. Run the stolen-SIM playbook in parallel.

AePS (Aadhaar enabled Payment System) lets bank-correspondent agents withdraw cash from your bank using your fingerprint. Frauds happen when biometric replicas (silicone fingers from leaked databases) are used at unauthorised agent points.

If you see unauthorized AePS debits:

1. Within 3 working days — full refund under RBI's Limiting Liability framework, 2017
2. Within 7 working days — capped liability (₹5,000–₹25,000)
3. Beyond 7 days — bank's board-approved policy

Steps:

1. Call 1930 (cyber helpline)
2. File at cybercrime.gov.in
3. Email bank's “report unauthorised transaction”; attach UIDAI lock confirmation + 1930 reference
4. Demand temporary credit within 10 working days
5. Bank must resolve in 90 days; escalate to Banking Ombudsman (cms.rbi.org.in) if not

To,
The UIDAI Regional Office (Bengaluru / Chandigarh / Delhi / Guwahati /
Hyderabad / Lucknow / Mumbai / Ranchi)

Subject: Aadhaar misuse via fake update website — request for
investigation under Aadhaar Act §29 and §38 — Aadhaar Reference No.
[VID 16-digit]

Sir / Madam,

I, [Full name], holder of Aadhaar [VID 16-digit, masked first 12], wish
to report that on [date] I encountered a phishing site purporting to
be UIDAI ([URL of fake site]) and shared / had captured my:
  [Aadhaar number / registered mobile / OTP / selfie / scan of card]

I have:
  1. Locked my biometrics on uidai.gov.in (timestamp ___).
  2. Filed at cybercrime.gov.in (Reference: ___) and called 1930
     (Reference: ___).
  3. Reviewed TAFCOP and flagged [N] unknown SIMs in my name.
  4. Pulled CIBIL report (Reference: ___) and flagged [N] suspect items.

I request UIDAI to:
  a) Confirm in writing that my Aadhaar has not been used for any
     unauthorised authentication in the [date] window.
  b) Take action under Aadhaar Act §38 (penalty for unauthorised access)
     against the operators of [URL].
  c) Coordinate with MeitY / I4C for takedown of the fake domain.

Yours faithfully,
[Signature, Name]
[VID, Registered Mobile, Email, Date]

• Do not type your Aadhaar number on any website that isn't ``uidai.gov.in`` or your bank's verified portal.
• Do not share your Aadhaar OTP with anyone — including someone claiming to be from UIDAI / a bank / an Aadhaar Seva Kendra.
• Do not upload a scan of your Aadhaar card on random portals; use the VID (Virtual ID) wherever a partial Aadhaar reference is needed.
• Do not ignore unknown SIMs on TAFCOP — these are the second-stage attack vectors.
• Do not keep biometrics unlocked by default — lock them; unlock only when needed.

• AePS / banking refund — RBI Master Direction 2017 (refund if reported within 3 working days)
• Aadhaar Act penalty — UIDAI can fine the perpetrator up to ₹1 crore under §38–§43 for unauthorised access; victim is the complainant
• Consumer court — for bank's negligence in approving AePS without secondary verification
• DPDP Act 2023 — Data Protection Board can impose penalties on data-handlers who leaked Aadhaar metadata enabling the fraud
• Banking Ombudsman — RB-IOS 2021 covers AePS disputes

1. 0–5 min — Lock biometrics on uidai.gov.in
2. 5–15 min — TAFCOP audit; CIBIL pull
3. 15–25 min — Call 1947 + 1930 if money moved; file at cybercrime.gov.in
4. 25–30 min — Bank's “report unauthorised transaction” form
5. +24 h — Branch visit; written acknowledgement; UIDAI Regional Office written complaint
6. +72 h — RBI bank-dispute window for AePS refund

fake Aadhaar update website India 2026, Aadhaar OTP scam recovery, UIDAI biometric lock how to, AePS fraud refund, Aadhaar misuse complaint, fake uidai site list, Aadhaar deadline SMS scam, Aadhaar update fee scam, Aadhaar Seva Kendra fake, mAadhaar fake app

• Q: Is there ever an “Aadhaar update deadline” by which my Aadhaar will be deactivated?
  No. UIDAI runs voluntary 10-yearly update drives but does not deactivate individual Aadhaars by SMS deadline.
• Q: Can a stranger withdraw money from my account using only my Aadhaar number?
  With Aadhaar number alone, no. With Aadhaar + a fingerprint replica or OTP, yes — that's why biometric lock matters.
• Q: Will UIDAI charge me to lock biometrics?
  No. Biometric lock / unlock is free, online, and instant.
• Q: Should I share my Aadhaar with my employer / new SIM agent / hospital?
  Use Masked Aadhaar or VID wherever a copy is requested. Never the full e-Aadhaar with full number visible.
• Q: Can I file an FIR for Aadhaar misuse?
  Yes — under BNS 2024 §319 (cheating), §316 (personation), §336–§338 (forgery), and Aadhaar Act §38.

“How to lock Aadhaar biometric?” · “Fake Aadhaar update website list.” · “Aadhaar OTP scam recovery.” · “1947 UIDAI helpline.” · “AePS fraud refund.”

[Decision tree] "Got Aadhaar update SMS"
Domain is uidai.gov.in? → maybe genuine → verify in mAadhaar app
Anything else? → SCAM → lock biometric + report

[Anatomy] "Aadhaar fraud chain"
1. fake site bait (lookalike domain + deadline)
2. OTP capture (live UIDAI OTP forwarded)
3. AePS drain (silicone fingerprint at agent point)
4. SIM in your name (TAFCOP)
5. mule loan in your name (CIBIL)

[Lockdown ladder] mAadhaar app → biometric lock → TAFCOP audit → CIBIL → 1930

• Fake KYC update scam
• Block lost / stolen SIM
• PAN-Aadhaar fraud recovery
• AePS Aadhaar fraud recovery
• Fake police notice PDF scam
• UPI fraud recovery
• Banking Ombudsman complaint guide
• Money sent to wrong account

• UIDAI — uidai.gov.in · Helpline 1947
• MHA — National Cyber Crime Reporting Portal — cybercrime.gov.in · 1930
• RBI — Master Direction on Limiting Liability of Customers, 2017
• Banking Ombudsman — cms.rbi.org.in
• CIBIL / CRIF Highmark / Equifax / Experian — credit-bureau dashboards
• TAFCOP / Sancharsaathi — tafcop.sancharsaathi.gov.in
• CERT-In advisories on phishing
• MeitY for fake-domain takedown
• Aadhaar Act 2016 §29 (restrictions on use), §38 (penalty for unauthorised access)
• DPDP Act 2023 + Rules 2025
• BNS 2024 §316, §319, §336–§338
• IT Act 2000 §66C (identity theft), §66D (impersonation)

++++ Where do I see if my Aadhaar was used for authentication recently? | uidai.gov.in → My Aadhaar → Aadhaar Services → Authentication History. Shows last 50 authentications. Anything you don't recognise → file a complaint. ++++

++++ Is e-Aadhaar download safe? | Yes — only from uidai.gov.in. Never from third-party “Aadhaar download” sites. ++++

++++ Can I use VID for everything? | Yes — for SIM, gas, e-KYC, EPF, ITR. VID is regenerated on demand and limits exposure of the actual Aadhaar number. ++++

++++ My Aadhaar mobile is wrong — am I in danger? | Yes — anyone who knows your Aadhaar can intercept OTP. Update mobile at the nearest Aadhaar Seva Kendra with biometric authentication. ++++

++++ How long does Aadhaar biometric lock take to activate? | Instant. Same for unlock — but unlock auto-relocks within a window. Set lock as default. ++++

The fake-Aadhaar-update site succeeds because it preys on the genuine fear of identity invalidation. The whole trap collapses if you (a) only ever type ``uidai.gov.in`` directly, (b) keep biometrics locked by default, and © audit TAFCOP + CIBIL once a quarter. Save your Aadhaar enrolment number on a paper note, never in your phone, and never share OTP with anyone — UIDAI included.

This page is part of RTI Wiki's Citizen Crisis Response Network. Updates tracked through UIDAI press releases, MeitY domain takedowns, and judgments under the Aadhaar Act and DPDP Act 2023.