The “your KYC will expire in 24 hours, click here to update” SMS is the single biggest banking scam in India today. RBI has clarified — repeatedly — that no bank ever asks customers to update KYC by clicking a link, by installing an app, or over a call. This page explains exactly how the scam runs, how to spot it in 30 seconds, how to lock the account if you've already clicked, and how to claim a refund under the RBI customer-liability framework.
Citizen Crisis Response Network — 90-minute rule
If you clicked a fake KYC link or shared an OTP: hang up → freeze your account through net-banking → call 1930 → file at cybercrime.gov.in → write to your bank within 24 hours. Most refunds depend on action inside the first 90 minutes.
Genuine KYC updates in India are done only by visiting the bank branch, through the bank's verified app/website (no link in SMS), or via a video-KYC session that you initiate. A KYC update SMS that contains a link, a phone number, or threatens 24-hour account closure is a scam. If you have already clicked: change your net-banking password, call 1930, file a complaint at cybercrime.gov.in, freeze your debit card, and email a written complaint to your bank within 24 hours quoting the reference numbers — RBI's 2017 framework can give you a full refund if you reported within 3 working days.
The pattern is identical across operators. The bait, trap, and drain are three separate steps:
The defining signature is time pressure (“24 hours”) and out-of-channel contact (you didn't initiate). Banks never threaten time-bound closures by SMS link.
| Flag | What you'll see | Why it's a scam |
|---|---|---|
| 1. URL shortener or odd domain | bit.ly/x, .xyz, kyc-sbi-update.in, sbi-kyc.online | Real banks use only their root domain (sbi.co.in, hdfcbank.com) |
| 2. APK download | “Install this app to update KYC” | Real KYC never requires a third-party APK |
| 3. Toll-free in SMS body | “Call 8XXXXXXXXX urgently” | Banks use only the toll-free numbers they have officially published |
| 4. SMS sender ID is a 10-digit number | sent from +91-9XX… | Bank SMSes come from registered DLT IDs (e.g., HDFCBN, ICICIB) |
| 5. Threat of account block | “Account suspension in 24 hours” | RBI prohibits coercive language in genuine KYC reminders |
| 6. Asks for OTP / password / CVV | “Share OTP to confirm KYC” | Banks never ask for OTP, full card number, CVV or password |
Citizen tip — Before you act on any KYC SMS, log into your bank's app directly (not from the SMS link). If KYC is genuinely due, you'll see a banner inside the app. If the app shows nothing, the SMS is fake.
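The six red flags in the table above can be applied mechanically to a message before anyone acts on it. The following is an added example, not code from this page or from any bank: the allow-list, the regular expressions, the flag labels, the function names and the three sample messages are all assumptions constructed for illustration.

```python
import re

# Assumption: allow-list of official root domains (the two the table names).
OFFICIAL = {"sbi.co.in", "hdfcbank.com"}
HOST = re.compile(r"(?<![\w./@-])(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
PHONE_SENDER = re.compile(r"\+?\d[\d -]{9,}")  # a phone number, not a DLT header
BODY_CHECKS = [  # (flag from the table, heuristic pattern); patterns are assumptions
    ("2 apk", re.compile(r"\.apk\b|\b(?:install|download)\b[^.]*\bapp\b", re.I)),
    ("3 phone-in-body", re.compile(r"(?<!\d)(?:\+91[- ]?)?[6-9]\d{9}(?!\d)")),
    ("5 threat", re.compile(r"\b(?:block\w*|suspen\w*|clos(?:ed|ure)|deactivat\w*)\b", re.I)),
    # A genuine alert saying "Do not share OTP" must not trip flag 6.
    ("6 asks-secret", re.compile(
        r"(?<!not )(?<!never )\b(?:share|send|enter|provide)\b[^.]*\b(?:otp|cvv|password)\b",
        re.I)),
]

def is_official(host):
    """True only for an allow-listed domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def red_flags(sender, body):
    """Return the table's red flags raised by one SMS, in table order."""
    flags = []
    if any(not is_official(h) for h in HOST.findall(body)):
        flags.append("1 odd-domain")  # shorteners fail the allow-list too
    flags += [name for name, rx in BODY_CHECKS[:2] if rx.search(body)]
    if PHONE_SENDER.fullmatch(sender):
        flags.append("4 numeric-sender")
    flags += [name for name, rx in BODY_CHECKS[2:] if rx.search(body)]
    return flags

# Constructed sample messages (sender, body); none is a real SMS.
SAMPLES = [
    ("+919800000001", "Dear customer, your account will be blocked in 24 hours. "
                      "Update KYC at sbi-kyc.online/verify now"),
    ("HDFCBN", "Your OTP is 482913 for txn of Rs.500. Do not share OTP with anyone."),
    ("9800000002", "KYC pending. Install this app to update KYC: "
                   "kyc-sbi-update.in/sbi.apk or call 8000000003 and share OTP to confirm"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, red_flags(sender, body))
```

The domain check compares the host's suffix against the allow-list, so a look-alike such as `sbi.co.in.evil.xyz` (constructed) is still flagged even though it contains the bank's real domain.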
Switch the phone's data connection off if you installed an APK: the screen recorder cannot stream OTPs without internet. End the call. Do not answer the same number's redial.
Use a laptop / family member's phone. Login → Profile → Change Password. If the password was already changed by the attacker, use Forgot Password with debit-card details + OTP to your registered number (assuming the SIM is still in your control — if SIM is gone too, run the stolen-SIM playbook in parallel).
Most apps: Cards → Manage → Block / Hot-list. Or call the 24×7 card-block number printed on the card / the bank's IVR.
UPI: open the app → De-register / Remove account → confirm. Then revoke any device-binding shown under “Linked devices.”
National Cyber Crime Reporting Portal — call 1930 within the golden hour. The operator generates a complaint number. The portal then issues a lien on the receiving account at the destination bank, which is the only mechanism that can claw back funds before they layer.
Submit a structured complaint at cybercrime.gov.in (Financial Fraud → Online Banking / UPI / Net-banking). Upload the SMS screenshot, the APK file (if available), the bank statement entry, and any URL/screenshot of the cloned page.
Email + the bank's online “Report Unauthorized Transaction” form. Include: time of click, time of debit, 1930 reference, cybercrime portal reference, screenshot of the SMS. Demand temporary credit pending investigation — RBI requires 90-day resolution.
Emergency step — If you installed an APK, factory-reset the phone after backing up only photos / contacts (no APK). Some KYC trojans persist after the app is uninstalled.
Keep all reference numbers in one document. You will need them for the bank, the ombudsman, and any future consumer-court claim.
RBI's Master Direction on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, 2017 governs every such fraud:
| Reporting delay | Customer liability (Savings) | Customer liability (Current) |
|---|---|---|
| 0–3 working days | Zero (full refund) | Zero |
| 4–7 working days | ₹5,000 max | ₹10,000 max |
| Beyond 7 days | Per bank's board-approved policy | Per bank's board-approved policy |
The 90-day clock starts the day you report. The bank must:
Refund probability is highest when (a) you reported within 3 working days, (b) you have a 1930 reference, (c) the bank cannot prove you shared the OTP intentionally with no scam pretext, and (d) the receiving account was lien-frozen before layering.
To,
The Branch Manager, [Bank Name], [Branch], [City]

Subject: Unauthorised debit / Fake KYC fraud — A/C [last 4 digits] — request for refund under RBI Master Direction 2017

Sir / Madam,

I, [Full name], holder of Savings A/C [number], wish to report unauthorised debit(s) totalling ₹[amount] on [date] at approximately [time], arising from a fake KYC update SMS / call that I responded to in the belief that it was from your bank. The transactions are itemised below:

[Date] [Time] [UTR / Ref] [Amount] [Beneficiary]
...

I have already (a) blocked my debit card, (b) changed net-banking credentials, (c) filed a complaint at 1930 and cybercrime.gov.in (Reference No. _______, _______), and (d) reported the SMS at Chakshu (Reference No. _______).

Per the RBI Master Direction on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, 2017, since I have reported the loss within ___ working day(s) of debit, my liability is [Zero / capped at ₹5,000].

I request you to:
1. Provide temporary / shadow credit within 10 working days.
2. Resolve the dispute within 90 days.
3. Issue a written reply with the result of investigation.

Yours faithfully,
[Signature, Name, Date]
[Phone, Email, Aadhaar last 4]
Yes. Three independent paths:
Use the 1930 reference + bank acknowledgement + ombudsman number as the audit trail across all three.
[Anatomy diagram] "Fake KYC scam — 3-step trap"
1. BAIT : SMS + link + 24-hour deadline
2. TRAP : cloned page / APK / OTP capture
3. DRAIN : UPI added to new device → sweep → mule accounts → crypto
[Decision tree] "Did you click the link?"
NO → ignore SMS, report at Chakshu
YES → 7-step 90-min drill (block card / 1930 / cybercrime / bank email)
[Authority ladder] Bank branch → RBI Ombudsman → Consumer Forum
→ 1930 / cybercrime.gov.in (parallel)
++++ Is “video KYC” through a link safe? | Only if you initiate it from the bank's official app. A link sent over SMS / WhatsApp / email — even one that says “video KYC” — is a phishing vehicle. ++++
++++ I got a call asking to download AnyDesk for KYC verification. Is it ever genuine? | Never. RBI has prohibited remote-screen-sharing apps in any banking process. End the call. ++++
++++ My bank says I “voluntarily” gave OTP, so no refund. What now? | Quote RBI's 2017 framework — it specifically allows refund where the customer was “deceived.” File the Banking Ombudsman complaint and consumer-court complaint in parallel. ++++
++++ Should I share the SMS forensics with my bank? | Yes. The DLT sender ID and the URL help the bank's fraud-monitoring unit blacklist the originator. It also strengthens your refund case. ++++
++++ Can the police actually trace the receiving account? | Yes — the 1930 lien mechanism freezes the destination account within minutes (across banks). Tracing the human is harder, but getting your money back doesn't depend on tracing them. ++++
| Myth | Reality |
|---|---|
| “RBI sends KYC SMSes.” | RBI never contacts customers. Banks do, and never with a link. |
| “If I gave OTP, I have no recovery.” | RBI 2017 framework allows refund when reported within 3 working days. |
| “1930 is just for emergencies.” | 1930 is the only way to lien the receiving account before money layers. Use it always. |
| “APK from a 'bank' must be safe.” | No bank distributes APK files directly. Always Play Store / App Store. |
| “Banks update KYC by phone call.” | All KYC happens at branch, in-app, or via initiated video-KYC. |
Fake KYC is the highest-volume banking scam in India because the cost of failure (₹2,000–₹5,00,000 in seconds) is enormous and the cost of defence (10 seconds of scepticism) is trivial. Treat any KYC message that reaches you out-of-channel as a scam by default; verify only by walking into the branch or opening the app you trust. If you've already clicked, the 90-minute drill on this page closes the loss window — and the RBI 2017 framework gets your money back if you act within 3 working days.
This page is part of RTI Wiki's Citizen Crisis Response Network. Updates tracked through RBI Master Directions, CERT-In advisories, and judgments of the National Consumer Disputes Redressal Commission.