TRAI now forces every SMS sender to label each changeable slot in a registered message template by content type, so a bank text must declare in advance which slot holds a web link and which holds a phone number. From November 2025, a fraudster can no longer quietly drop a fake link into a message that looks like it came from your bank. If the link or number was not pre-declared, the network rejects the SMS and it never reaches you.
If you are short on time: jump to “What you will actually notice” to see what changes on your phone, and to “A suspicious SMS still got through, what now” to report a scam text.
On 18 November 2025, the Telecom Regulatory Authority of India (TRAI) issued Press Release No. 133/2025 announcing a Direction under the Telecom Commercial Communications Customer Preference Regulations, 2018 (TCCCPR 2018). The Direction tells phone companies and bulk senders to pre-tag every variable field in their SMS templates. Senders have about 60 days to fix existing templates. After that window, messages built on a non-compliant template are rejected and not delivered. (Source: TRAI Direction, 18 November 2025.)
The “OTP is 482913” text from your bank travels through a regulated pipeline built under TCCCPR 2018. Two things are registered in advance with the operators:
The blanks are the variables. The static text stays the same for everyone. The variable is the OTP, amount, link, or callback number that differs per message. Before this rule, the system checked that the wording matched an approved template, but it did not always check what kind of content went into each blank.
A fraudster who got hold of an approved template could keep the trusted wording and the fixed parts, then push a malicious payload into a variable slot. The message still passed the template check and still arrived under a header that looked official. But the “link” inside it now pointed to a phishing page, or the “callback number” rang a scam call centre.
TRAI's own investigations found that the absence of predefined tagging was routinely exploited to insert unapproved links, app-download links, and callback numbers into otherwise legitimate templates. That is the loophole the new Direction closes.
Tagging means the sender must declare, in advance, what each blank is allowed to contain. Instead of a generic blank, the template now says: this slot holds a web link, this slot holds a phone number, this slot holds a numeric OTP. The sending system then checks the live message against those declarations before it goes out.
Think of it like a form with typed fields. A field marked “phone number” rejects letters. A field marked “web link” rejects a stranger's URL that was never registered. If the actual content does not match the declared type, the message fails the check.
Once a slot is tagged as a link, the network can compare the link in a live message against what the sender registered. A random phishing URL slipped into that slot no longer matches, so the message is stopped before delivery. The same logic applies to a callback number: a scam number dropped into a slot tagged for a verified contact number will not match, and the SMS is rejected.
In short, the trusted wording and the trusted header are no longer enough on their own. The contents of every changeable slot must also line up with what was pre-declared. That removes the fraudster's favourite trick: borrowing a genuine template and quietly swapping the dangerous part.
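The typed-slot check described above can be modelled in a few lines. This is an added illustration, not TRAI's or any operator's actual code; the `{#type#}` tag syntax, the type names, the template text and the registered link and number are all constructed assumptions. The `enforce_tags=False` path models the older wording-only check so the difference is visible.

```python
import re

# Constructed sample data. The {#type#} tag syntax, type names and the
# registered values are assumptions for illustration only.
TEMPLATE = ("Dear customer, your OTP is {#numeric#}. "
            "Manage your card at {#url#} or call {#callback#}.")
REGISTERED = {"url": {"https://bank.example/cards"},
              "callback": {"18000000000"}}
# What each declared content type may look like.
TYPE_PATTERNS = {"numeric": r"\d{4,8}",
                 "url": r"https?://\S+",
                 "callback": r"\d{10,11}"}

def compile_template(template):
    """Return (regex for the static wording, ordered list of slot types)."""
    parts = re.split(r"\{#(\w+)#\}", template)
    types = parts[1::2]                      # odd indexes are the tag names
    static = [re.escape(p) for p in parts[0::2]]
    return re.compile("(.+?)".join(static), re.DOTALL), types

def check_message(message, enforce_tags=True):
    """Return (delivered, reason) for one outgoing SMS."""
    regex, types = compile_template(TEMPLATE)
    match = regex.fullmatch(message)
    if match is None:
        return False, "static wording does not match the template"
    if not enforce_tags:                     # old behaviour: wording check only
        return True, "ok"
    for slot_type, value in zip(types, match.groups()):
        if not re.fullmatch(TYPE_PATTERNS[slot_type], value):
            return False, f"{slot_type} slot holds the wrong kind of content"
        allowed = REGISTERED.get(slot_type)  # None means any value of that type
        if allowed is not None and value not in allowed:
            return False, f"{slot_type} value was not pre-registered"
    return True, "ok"

GENUINE = ("Dear customer, your OTP is 482913. "
           "Manage your card at https://bank.example/cards or call 18000000000.")
SWAPPED_LINK = GENUINE.replace("https://bank.example/cards",
                               "https://login.phish.example/cards")

if __name__ == "__main__":
    for label, sms in (("genuine", GENUINE), ("swapped link", SWAPPED_LINK)):
        print(label, "| wording only:", check_message(sms, enforce_tags=False),
              "| tagged:", check_message(sms))
```

The swapped-link message passes the wording-only check and is rejected once slot contents are compared against what was declared, while the genuine message is delivered in both modes.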
For ordinary genuine messages, almost nothing should change. Your OTPs, delivery updates, and bank alerts arrive as usual. Over the rollout you may notice:
Note: this rule does not make every SMS safe. It blocks one specific abuse, slipping unregistered links and numbers into approved templates. It does not stop scams sent from ordinary 10-digit mobile numbers or over WhatsApp, which never use this template pipeline.
Treat any unexpected SMS asking you to click a link, share an OTP, or call a number as suspect, even after this rule. Use the right channel:
Do not click the link. Do not call the number in the message. Verify by contacting your bank or service provider through their official app or printed customer-care number instead.
No. It closes one major loophole: inserting an unregistered link or number into an approved commercial template sent through registered headers. Scams sent from ordinary mobile numbers, or over WhatsApp and Telegram, do not use this template pipeline, so they are unaffected. Stay cautious with every unexpected message.
TRAI issued the Direction on 18 November 2025 through Press Release No. 133/2025. Senders were given roughly 60 days to fix existing templates. After that window, a message built on a non-compliant template is rejected and not delivered. Treat early 2026 as the period when the effect becomes visible.
Yes. Legitimate messages that match a properly tagged template pass the check and arrive normally. The rule targets content that does not match what the sender declared. The only risk to a genuine message is if a business was slow to re-register its templates during the compliance window.
Use Chakshu, on the Sanchar Saathi portal, to report a suspected fraud SMS, call, or WhatsApp message before you lose any money. Use 1930 and cybercrime.gov.in after a financial loss has already happened. They are different stages of the same fight, so pick the one that matches your situation.
It is a Direction issued under the Telecom Commercial Communications Customer Preference Regulations, 2018 (TCCCPR 2018), the framework that governs commercial SMS, headers, and content templates in India. Press Release No. 133/2025 records the Direction.
It is the changeable blank in an otherwise fixed message: the OTP, the amount, the delivery date, a link, or a callback number. The static wording stays the same for everyone; the variable differs per message. The new rule requires each variable to be labelled by content type before the template is approved.