Fake KYC Update Scam India — How to Detect, Block, and Recover (2026)

The “your KYC will expire in 24 hours, click here to update” SMS is the single biggest banking scam in India today. RBI has clarified — repeatedly — that no bank ever asks customers to update KYC by clicking a link, by installing an app, or over a call. This page explains exactly how the scam runs, how to spot it in 30 seconds, how to lock the account if you've already clicked, and how to claim a refund under the RBI customer-liability framework.

Citizen Crisis Response Network — 90-minute rule
If you clicked a fake KYC link or shared an OTP: hang up → freeze your account through net-banking → call 1930 → file at cybercrime.gov.in → write to your bank within 24 hours. Most refunds depend on action inside the first 90 minutes.

Genuine KYC updates in India are done only by visiting the bank branch, through the bank's verified app/website (no link in SMS), or via a video-KYC session that you initiate. A KYC update SMS that contains a link, a phone number, or threatens 24-hour account closure is a scam. If you have already clicked: change your net-banking password, call 1930, file a complaint at cybercrime.gov.in, freeze your debit card, and email a written complaint to your bank within 24 hours quoting the reference numbers — RBI's 2017 framework can give you a full refund if you reported within 3 working days.

• How the fake KYC scam runs
• Six red flags in 30 seconds
• The first 90 minutes — what to do if you clicked
• The next 24 hours — written complaints
• Recovering money — RBI 2017 framework
• Sample written complaint to your bank
• What not to do
• Can compensation be claimed?
• FAQ

The pattern is identical across operators. The bait, trap, and drain are three separate steps:

1. Bait — An SMS, WhatsApp message, or call claims: “Dear customer, your [Bank] KYC will expire today / your account will be blocked. Update at [link] or call [number].”
2. Trap — The link opens a near-perfect clone of your bank's net-banking page, or installs an APK that records the screen. You enter the user-id, password, debit-card details, and the OTP that the real bank sends because the attacker is simultaneously triggering a transaction at the bank's real site.
3. Drain — Within seconds: UPI is added to a new device, a sweep of the savings is sent to multiple money-mule accounts (often layered through cryptocurrency), and a fake “registered mobile changed” alert is suppressed by the screen-recording app.

The defining signature is time pressure (“24 hours”) and out-of-channel contact (you didn't initiate). Banks never threaten time-bound closures by SMS link.

Citizen tip — Before you act on any KYC SMS, log into your bank's app directly (not from the SMS link). If KYC is genuinely due, you'll see a banner inside the app. If the app shows nothing, the SMS is fake.

Pull data off if you installed an APK — the screen recorder cannot stream OTPs without internet. End the call. Do not answer the same number's redial.

Use a laptop / family member's phone. Login → Profile → Change Password. If the password was already changed by the attacker, use Forgot Password with debit-card details + OTP to your registered number (assuming the SIM is still in your control — if SIM is gone too, run the stolen-SIM playbook in parallel).

Most apps: Cards → Manage → Block / Hot-list. Or call the 24×7 card-block number printed on the card / the bank's IVR.

UPI: open the app → De-register / Remove account → confirm. Then revoke any device-binding shown under “Linked devices.”

National Cyber Crime Reporting Portal — call 1930 within the golden hour. The operator generates a complaint number. The portal then issues a lien on the receiving account at the destination bank, which is the only mechanism that can claw back funds before they layer.

Submit a structured complaint at cybercrime.gov.in (Financial Fraud → Online Banking / UPI / Net-banking). Upload the SMS screenshot, the APK file (if available), the bank statement entry, and any URL/screenshot of the cloned page.

Email + the bank's online “Report Unauthorized Transaction” form. Include: time of click, time of debit, 1930 reference, cybercrime portal reference, screenshot of the SMS. Demand temporary credit pending investigation — RBI requires 90-day resolution.

Emergency step — If you installed an APK, factory-reset the phone after backing up only photos / contacts (no APK). Some KYC trojans persist after the app is uninstalled.

1. Bank — Branch visit + written letter; obtain stamped acknowledgement
2. Card issuer — Separate dispute form for each unauthorized transaction
3. UPI — NPCI dispute (your bank app → “Raise dispute” against the UTR)
4. Police FIR / e-FIR — Citing BNS 2024 §319 (cheating) + §316 (cheating by personation) + §318 (cheating with property)
5. TRAI — File spam-DLT complaint at sancharsaathi.gov.in → Chakshu, attaching the SMS screenshot — this helps trace the registered telemarketer / DLT ID

Keep all reference numbers in one document. You will need them for the bank, the ombudsman, and any future consumer-court claim.

RBI's Master Direction on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, 2017 governs every such fraud:

The 90-day clock starts the day you report. The bank must:

• Provide shadow / temporary credit within 10 working days
• Resolve the dispute within 90 days
• If unresolved, escalate to the RBI Banking Ombudsman: cms.rbi.org.in

Refund probability is highest when (a) you reported within 3 working days, (b) you have a 1930 reference, © the bank cannot prove you shared the OTP intentionally with no scam pretext, and (d) the receiving account was lien-frozen before layering.

To,
The Branch Manager,
[Bank Name], [Branch], [City]

Subject: Unauthorised debit / Fake KYC fraud — A/C [last 4 digits] —
request for refund under RBI Master Direction 2017

Sir / Madam,

I, [Full name], holder of Savings A/C [number], wish to report
unauthorised debit(s) totalling ₹[amount] on [date] at approximately
[time], arising from a fake KYC update SMS / call that I responded to
in the belief that it was from your bank.

The transactions are itemised below:

[Date] [Time] [UTR / Ref] [Amount] [Beneficiary]
...

I have already (a) blocked my debit card, (b) changed net-banking
credentials, (c) filed a complaint at 1930 and cybercrime.gov.in
(Reference No. _______, _______), and (d) reported the SMS at Chakshu
(Reference No. _______).

Per the RBI Master Direction on Limiting Liability of Customers in
Unauthorised Electronic Banking Transactions, 2017, since I have
reported the loss within ___ working day(s) of debit, my liability is
[Zero / capped at ₹5,000]. I request you to:

  1. Provide temporary / shadow credit within 10 working days.
  2. Resolve the dispute within 90 days.
  3. Issue a written reply with the result of investigation.

Yours faithfully,
[Signature, Name, Date]
[Phone, Email, Aadhaar last 4]

• Do not call back the number in the SMS — it leads to a “verification” agent who will harvest more.
• Do not install any “bank update” app from outside the official Play Store / App Store.
• Do not share OTP, CVV, debit-card grid, or net-banking password with anyone — including someone claiming to be the bank.
• Do not run AnyDesk, TeamViewer, QuickSupport, RustDesk, or any remote-access app on a banker's instructions — this is the second-stage trojan.
• Do not write off the loss. Even small “₹2,000 was taken” cases are eligible for refund and tracked through 1930.

Yes. Three independent paths:

1. Bank refund — RBI 2017 framework (above). If denied, escalate to the RBI Banking Ombudsman at cms.rbi.org.in (no fee, online).
2. Consumer court — If the bank's negligence is established (e.g., it ignored unusual-pattern alerts), file at the District Consumer Disputes Redressal Commission under the Consumer Protection Act, 2019. Typical award includes refund + ₹25,000–₹2,00,000 compensation for harassment.
3. Telecom / DLT trace — If the SMS came from a fake DLT, TRAI / DoT may impose penalties on the telemarketer; you can claim as the affected consumer.

Use the 1930 reference + bank acknowledgement + ombudsman number as the audit trail across all three.

1. 0–10 min — Pull data off; change net-banking password from another device
2. 10–20 min — Block debit card; de-register UPI; revoke linked devices
3. 20–35 min — Call 1930; note complaint number
4. 35–60 min — File at cybercrime.gov.in; upload SMS + APK
5. 60–90 min — Email bank's “report unauthorised transaction” with all references
6. +24 h — Visit branch with stamped letter; get written acknowledgement
7. +3 working days — RBI window — your liability is zero if reported

fake KYC update scam India 2026, KYC SMS scam how to recover, RBI fake KYC link, KYC update scam refund, 1930 KYC fraud complaint, fake KYC APK, bank KYC link fraud, SBI KYC scam SMS, HDFC KYC fake link, ICICI KYC update scam

• Q: Does RBI ever send KYC update SMS?
  No. RBI is the regulator — it does not contact bank customers individually. Banks themselves do KYC reminders only inside the app or by branch notice.
• Q: Will I get a refund if I shared the OTP myself?
  Possibly yes — if you can show that the OTP was shared under deceit (the RBI framework defines this as “third-party breach where deficiency lies neither with bank nor customer”). The 1930 + cybercrime references are critical evidence.
• Q: Can I be arrested for sharing my OTP with a scammer?
  No. You are the victim. Sharing OTP under deceit is not an offence — it is the trigger event for the bank's liability.
• Q: How fast does the bank give shadow credit?
  RBI requires within 10 working days of complaint. If delayed, escalate to the Banking Ombudsman.
• Q: What if my bank refuses to refund?
  File at cms.rbi.org.in (RBI Banking Ombudsman) — free, online, decision in ~30 days. Then consumer court if needed.

“Hey Google, what is the fake KYC update scam?” · “Is RBI sending KYC SMS?” · “How do I report a fake KYC link?” · “Block debit card after KYC scam.” · “1930 cyber crime complaint.”

[Anatomy diagram] "Fake KYC scam — 3-step trap"
1. BAIT  : SMS + link + 24-hour deadline
2. TRAP  : cloned page / APK / OTP capture
3. DRAIN : UPI added to new device → sweep → mule accounts → crypto

[Decision tree] "Did you click the link?"
NO  → ignore SMS, report at Chakshu
YES → 7-step 90-min drill (block card / 1930 / cybercrime / bank email)

[Authority ladder] Bank branch → RBI Ombudsman → Consumer Forum
                  → 1930 / cybercrime.gov.in (parallel)

• UPI fraud recovery
• Block lost / stolen SIM
• Fake Aadhaar update fraud
• Social media hijack recovery
• Banking Ombudsman complaint guide
• RBI complaint against bank
• Money sent to wrong account
• ATM fraud recovery
• PAN-Aadhaar fraud recovery

• RBI Master Direction on Limiting Liability of Customers, 2017 — the entire compensation framework
• MHA — National Cyber Crime Reporting Portal: cybercrime.gov.in · Helpline 1930
• RBI Banking Ombudsman: cms.rbi.org.in
• DoT — Sanchar Saathi → Chakshu (report fraud SMS / call)
• TRAI — DLT regulations on commercial communication
• CERT-In advisories on banking phishing
• BNS 2024 §316 (personation), §318 (cheating with property), §319 (cheating)
• Consumer Protection Act, 2019 — district / state / national commission

++++ Is “video KYC” through a link safe? | Only if you initiate it from the bank's official app. A link sent over SMS / WhatsApp / email — even one that says “video KYC” — is a phishing vehicle. ++++

++++ I got a call asking to download AnyDesk for KYC verification. Is it ever genuine? | Never. RBI has prohibited remote-screen-sharing apps in any banking process. End the call. ++++

++++ My bank says I “voluntarily” gave OTP, so no refund. What now? | Quote RBI's 2017 framework — it specifically allows refund where the customer was “deceived.” File the Banking Ombudsman complaint and consumer-court complaint in parallel. ++++

++++ Should I share the SMS forensics with my bank? | Yes. The DLT sender ID and the URL help the bank's fraud-monitoring unit blacklist the originator. It also strengthens your refund case. ++++

++++ Can the police actually trace the receiving account? | Yes — the 1930 lien mechanism freezes the destination account within minutes (across banks). Tracing the human is harder, but getting your money back doesn't depend on tracing them. ++++

Fake KYC is the highest-volume banking scam in India because the cost of failure (₹2,000–₹5,00,000 in seconds) is enormous and the cost of defence (10 seconds of scepticism) is trivial. Treat any KYC message that reaches you out-of-channel as a scam by default; verify only by walking into the branch or opening the app you trust. If you've already clicked, the 90-minute drill on this page closes the loss window — and the RBI 2017 framework gets your money back if you act within 3 working days.

This page is part of RTI Wiki's Citizen Crisis Response Network. Updates tracked through RBI Master Directions, CERT-In advisories, and judgments of the National Consumer Disputes Redressal Commission.