Fake Aadhaar Update Website Fraud — UIDAI Verification & Recovery (2026)

“Update your Aadhaar online before 14-Jun deadline or your account will be deactivated” — these phrases, with a near-identical UIDAI logo and a near-real domain (``aadhaar-update.in``, ``uidai-update.online``), are the spine of one of India's largest identity-fraud pipelines. This page tells you exactly how to recognise the fake site, how to lock your biometric the moment you've shared anything, and how to recover under RBI / UIDAI rules.

Citizen Crisis Response Network — domain rule
The only official UIDAI domain is uidai.gov.in (and the mAadhaar app). Anything else — ``.in``, ``.online``, ``.co``, ``.help`` — is a fake.

If you suspect a fake Aadhaar-update site or have already shared OTP / biometric / mobile number: (1) immediately lock your biometrics at uidai.gov.in → My Aadhaar → Biometric Lock, (2) call 1947 (UIDAI helpline), (3) file at cybercrime.gov.in / 1930 if money has moved via AePS, (4) check the TAFCOP portal for any SIMs taken in your name, (5) freeze your bank's AePS limit, and (6) raise an Aadhaar-misuse complaint at uidai.gov.in/file-complaint. Recovery probability is highest within the first 24 hours.

In this guide

How the fake Aadhaar update scam runs

  1. Bait — SMS / WhatsApp / email / Google ad: “Your Aadhaar will be deactivated on [date] unless you update it online. Click here.” Look-alike domain. Sometimes a “free document upload” feature.
  2. Trap — Cloned UIDAI page asks for Aadhaar number, registered mobile, OTP, and “selfie + photo of original docs.” The OTP is the actual UIDAI OTP triggered against the real UIDAI service, captured live.
  3. Drain — Once OTP is in attacker hands, they (a) authenticate AePS withdrawals at “merchant” agents, (b) take SIMs in your name on TAFCOP, © seed identity into mule loan applications.

The drain often happens within minutes of the OTP capture.

Six red flags in 30 seconds

Flag What you'll see Why it's fake
1. Domain not uidai.gov.in aadhaar-update.in, uidai-update.online, my-uidai.help UIDAI uses one domain only
2. “Deadline” language “Last 24 hours to update” UIDAI never imposes 24-hour panic deadlines on individuals
3. Asks for biometric / fingerprint scan over web “Place finger on screen” Biometrics aren't captured through a browser
4. Asks for upload of physical Aadhaar card image “Upload photo of front + back” Update doesn't require a card scan
5. Pay to update “Pay ₹50 / ₹250 to expedite” UIDAI online updates have a fixed ₹50 fee at the real portal — but fake sites mimic this. The clue is the domain.
6. Asks for net-banking / UPI to “match Aadhaar” “Verify Aadhaar-bank link” UIDAI never asks for net-banking
Citizen tip — Type ``uidai.gov.in`` directly into the address bar or open the mAadhaar app from the official Play Store / App Store. Never click any link in any message claiming to be from UIDAI.

The 30-minute lockdown

  1. Lock biometrics at uidai.gov.in → My Aadhaar → Biometric Lock (need OTP to your registered mobile)
  2. Open TAFCOP (tafcop.sancharsaathi.gov.in) → flag any unknown SIM in your name
  3. Pull a CIBIL report (cibil.com) → check for unknown loans / cards
  4. Freeze AePS — call your bank; ask to disable AePS withdrawal on this Aadhaar
  5. Call 1947 — UIDAI 24×7 helpline; note the complaint reference
  6. File at cybercrime.gov.in / 1930 if money has moved
  7. Email UIDAI at help@uidai.gov.in with full details + screenshots of the fake site
  8. Change registered mobile at uidai.gov.in only if your SIM is in your control

Biometric lock — the single most important step

UIDAI's Biometric Lock is a free service that disables AePS / fingerprint authentication entirely against your Aadhaar number. Once locked:

  • No agent can debit your bank via fingerprint at any AePS terminal
  • No identity verification using fingerprint is possible until you unlock it
  • E-KYC for SIMs / new bank accounts also requires unlock

How to enable:

  1. Open uidai.gov.in (clean browser, typed address)
  2. My Aadhaar → Aadhaar Services → Lock / Unlock Biometrics
  3. Enter Aadhaar + Captcha → Send OTP to registered mobile
  4. Enter OTP → Lock

This is the single most important defensive measure for an Aadhaar-misuse-prone scenario. Lock by default; unlock only when you actively need fingerprint authentication (e.g., during physical bank account opening).

Warning — If your registered mobile is no longer with you, biometric lock requires a visit to an Aadhaar Seva Kendra. Run the stolen-SIM playbook in parallel.

If money was already taken via AePS

AePS (Aadhaar enabled Payment System) lets bank-correspondent agents withdraw cash from your bank using your fingerprint. Frauds happen when biometric replicas (silicone fingers from leaked databases) are used at unauthorised agent points.

If you see unauthorized AePS debits:

  1. Within 3 working days — full refund under RBI's Limiting Liability framework, 2017
  2. Within 7 working days — capped liability (₹5,000–₹25,000)
  3. Beyond 7 days — bank's board-approved policy

Steps:

  1. Call 1930 (cyber helpline)
  2. File at cybercrime.gov.in
  3. Email bank's “report unauthorised transaction”; attach UIDAI lock confirmation + 1930 reference
  4. Demand temporary credit within 10 working days
  5. Bank must resolve in 90 days; escalate to Banking Ombudsman (cms.rbi.org.in) if not

Sample complaint to UIDAI

To,
The UIDAI Regional Office (Bengaluru / Chandigarh / Delhi / Guwahati /
Hyderabad / Lucknow / Mumbai / Ranchi)

Subject: Aadhaar misuse via fake update website — request for
investigation under Aadhaar Act §29 and §38 — Aadhaar Reference No.
[VID 16-digit]

Sir / Madam,

I, [Full name], holder of Aadhaar [VID 16-digit, masked first 12], wish
to report that on [date] I encountered a phishing site purporting to
be UIDAI ([URL of fake site]) and shared / had captured my:
  [Aadhaar number / registered mobile / OTP / selfie / scan of card]

I have:
  1. Locked my biometrics on uidai.gov.in (timestamp ___).
  2. Filed at cybercrime.gov.in (Reference: ___) and called 1930
     (Reference: ___).
  3. Reviewed TAFCOP and flagged [N] unknown SIMs in my name.
  4. Pulled CIBIL report (Reference: ___) and flagged [N] suspect items.

I request UIDAI to:
  a) Confirm in writing that my Aadhaar has not been used for any
     unauthorised authentication in the [date] window.
  b) Take action under Aadhaar Act §38 (penalty for unauthorised access)
     against the operators of [URL].
  c) Coordinate with MeitY / I4C for takedown of the fake domain.

Yours faithfully,
[Signature, Name]
[VID, Registered Mobile, Email, Date]

What not to do

  • Do not type your Aadhaar number on any website that isn't ``uidai.gov.in`` or your bank's verified portal.
  • Do not share your Aadhaar OTP with anyone — including someone claiming to be from UIDAI / a bank / an Aadhaar Seva Kendra.
  • Do not upload a scan of your Aadhaar card on random portals; use the VID (Virtual ID) wherever a partial Aadhaar reference is needed.
  • Do not ignore unknown SIMs on TAFCOP — these are the second-stage attack vectors.
  • Do not keep biometrics unlocked by default — lock them; unlock only when needed.

Can compensation be claimed?

  • AePS / banking refund — RBI Master Direction 2017 (refund if reported within 3 working days)
  • Aadhaar Act penalty — UIDAI can fine the perpetrator up to ₹1 crore under §38–§43 for unauthorised access; victim is the complainant
  • Consumer court — for bank's negligence in approving AePS without secondary verification
  • DPDP Act 2023 — Data Protection Board can impose penalties on data-handlers who leaked Aadhaar metadata enabling the fraud
  • Banking Ombudsman — RB-IOS 2021 covers AePS disputes

What to do in the next 30 minutes (printable card)

  1. 0–5 min — Lock biometrics on uidai.gov.in
  2. 5–15 min — TAFCOP audit; CIBIL pull
  3. 15–25 min — Call 1947 + 1930 if money moved; file at cybercrime.gov.in
  4. 25–30 min — Bank's “report unauthorised transaction” form
  5. +24 h — Branch visit; written acknowledgement; UIDAI Regional Office written complaint
  6. +72 h — RBI bank-dispute window for AePS refund

Long-tail keywords this page targets

fake Aadhaar update website India 2026, Aadhaar OTP scam recovery, UIDAI biometric lock how to, AePS fraud refund, Aadhaar misuse complaint, fake uidai site list, Aadhaar deadline SMS scam, Aadhaar update fee scam, Aadhaar Seva Kendra fake, mAadhaar fake app

People also ask

  • Q: Is there ever an “Aadhaar update deadline” by which my Aadhaar will be deactivated?
    No. UIDAI runs voluntary 10-yearly update drives but does not deactivate individual Aadhaars by SMS deadline.
  • Q: Can a stranger withdraw money from my account using only my Aadhaar number?
    With Aadhaar number alone, no. With Aadhaar + a fingerprint replica or OTP, yes — that's why biometric lock matters.
  • Q: Will UIDAI charge me to lock biometrics?
    No. Biometric lock / unlock is free, online, and instant.
  • Q: Should I share my Aadhaar with my employer / new SIM agent / hospital?
    Use Masked Aadhaar or VID wherever a copy is requested. Never the full e-Aadhaar with full number visible.
  • Q: Can I file an FIR for Aadhaar misuse?
    Yes — under BNS 2024 §319 (cheating), §316 (personation), §336–§338 (forgery), and Aadhaar Act §38.

Voice-search queries

“How to lock Aadhaar biometric?” · “Fake Aadhaar update website list.” · “Aadhaar OTP scam recovery.” · “1947 UIDAI helpline.” · “AePS fraud refund.”

SVG / infographic prompts

[Decision tree] "Got Aadhaar update SMS"
Domain is uidai.gov.in? → maybe genuine → verify in mAadhaar app
Anything else? → SCAM → lock biometric + report

[Anatomy] "Aadhaar fraud chain"
1. fake site bait (lookalike domain + deadline)
2. OTP capture (live UIDAI OTP forwarded)
3. AePS drain (silicone fingerprint at agent point)
4. SIM in your name (TAFCOP)
5. mule loan in your name (CIBIL)

[Lockdown ladder] mAadhaar app → biometric lock → TAFCOP audit → CIBIL → 1930

Government & authority references

  • UIDAI — uidai.gov.in · Helpline 1947
  • MHA — National Cyber Crime Reporting Portal — cybercrime.gov.in · 1930
  • RBI — Master Direction on Limiting Liability of Customers, 2017
  • Banking Ombudsman — cms.rbi.org.in
  • CIBIL / CRIF Highmark / Equifax / Experian — credit-bureau dashboards
  • TAFCOP / Sancharsaathi — tafcop.sancharsaathi.gov.in
  • CERT-In advisories on phishing
  • MeitY for fake-domain takedown
  • Aadhaar Act 2016 §29 (restrictions on use), §38 (penalty for unauthorised access)
  • DPDP Act 2023 + Rules 2025
  • BNS 2024 §316, §319, §336–§338
  • IT Act 2000 §66C (identity theft), §66D (impersonation)

FAQ

++++ Where do I see if my Aadhaar was used for authentication recently? | uidai.gov.in → My Aadhaar → Aadhaar Services → Authentication History. Shows last 50 authentications. Anything you don't recognise → file a complaint. ++++

++++ Is e-Aadhaar download safe? | Yes — only from uidai.gov.in. Never from third-party “Aadhaar download” sites. ++++

++++ Can I use VID for everything? | Yes — for SIM, gas, e-KYC, EPF, ITR. VID is regenerated on demand and limits exposure of the actual Aadhaar number. ++++

++++ My Aadhaar mobile is wrong — am I in danger? | Yes — anyone who knows your Aadhaar can intercept OTP. Update mobile at the nearest Aadhaar Seva Kendra with biometric authentication. ++++

++++ How long does Aadhaar biometric lock take to activate? | Instant. Same for unlock — but unlock auto-relocks within a window. Set lock as default. ++++

Myth vs reality

Myth Reality
“UIDAI sends update reminders by SMS link.” UIDAI never sends individual update links via SMS.
“Aadhaar can't be misused without my consent.” Leaked databases + silicone fingerprint replicas enable AePS misuse.
“Once my Aadhaar leaks, nothing can be done.” Biometric lock + TAFCOP + CIBIL audit + 1930 give a working defence.
“Police won't take Aadhaar fraud seriously.” BNS 2024 §316/§319 + Aadhaar Act §38 + IT Act §66D are cognisable.
“Updating online is the same as updating at a Seva Kendra.” Demographic updates are online; biometric updates need a Kendra visit.

Last word

The fake-Aadhaar-update site succeeds because it preys on the genuine fear of identity invalidation. The whole trap collapses if you (a) only ever type ``uidai.gov.in`` directly, (b) keep biometrics locked by default, and © audit TAFCOP + CIBIL once a quarter. Save your Aadhaar enrolment number on a paper note, never in your phone, and never share OTP with anyone — UIDAI included.

This page is part of RTI Wiki's Citizen Crisis Response Network. Updates tracked through UIDAI press releases, MeitY domain takedowns, and judgments under the Aadhaar Act and DPDP Act 2023.