Fake PAN Update SMS Scam India (2026)

On 14 January 2026, Meera Kulkarni, a chartered accountant in Pune, received an SMS claiming her PAN card would be “deactivated within 24 hours” unless she clicked a link and updated her Aadhaar details. The message bore the sender ID “ITDEPT” and a URL shortener. Within eight minutes she had entered her PAN, Aadhaar number, OTP, and bank account on a cloned Income Tax Department portal—₹1,87,000 vanished from her savings account before she realized the site's SSL certificate belonged to a registrar in Kuala Lumpur.

Citizen Crisis Response Network

Suspect a PAN-update SMS? Do not click any link. Visit incometax.gov.in directly, screenshot the message, forward to report-phishing@cert-in.org.in, block the sender, check your bank statements, and file an FIR under Bharatiya Nyaya Sanhita 2024 section 318(4) within 24 hours.

1 Fake PAN-update SMS scams use spoofed Income Tax Department sender IDs and urgent language to trick you into clicking phishing links. 2 The genuine Income Tax Department never sends unsolicited SMS with live links demanding immediate PAN or Aadhaar updates. 3 Scammers harvest PAN, Aadhaar, OTP, and banking credentials through cloned portals to drain accounts or sell identity documents on the dark web. 4 Report the SMS to CERT-In at report-phishing@cert-in.org.in, file an FIR under BNS 2024 section 318(4) (cheating by personation using computer resource), freeze your bank account via 1930 helpline, and lodge a written complaint with your bank within 24 hours to invoke the Reserve Bank of India's zero-liability framework. 5 Cross-check official announcements only at incometax.gov.in; legitimate PAN services never require OTP entry via SMS links.

• How the fake PAN SMS scam works in 2026
• Red flags that expose phishing messages
• Statutory framework: BNS 2024, IT Act 2000, and RBI mandate
• Immediate actions if you clicked the link or shared data
• Reporting to CERT-In and Cyber Crime Portal
• Filing an FIR and sample complaint text
• Bank liability and zero-liability protection
• Case law and enforcement touchpoints
• Long-term credit and identity monitoring
• Sample legal notice to bank and NSDL
• Frequently asked questions
• Myth vs reality table

Cybercriminals purchase bulk SMS gateway credits and spoof sender IDs—common variations include “ITDEPT,” “INCOMETX,” “PANTAX,” or six-digit alphanumeric codes designed to mimic official government headers. The message body follows a consistent psychological playbook: it states your PAN is “pending Aadhaar linkage,” “blocked due to mismatch,” or “requires KYC update,” and imposes an artificial deadline—usually 24 to 48 hours. A shortened URL (bit.ly, tinyurl, or custom domain registered hours earlier) accompanies the text, often labeled “Update Now” or “Verify PAN.”

When you tap the link, you land on a clone of the Income Tax e-filing portal or the NSDL PAN services page. The fake site requests PAN number, Aadhaar number, date of birth, mobile number, and email. On the next screen it prompts for a six-digit OTP “to authenticate your identity.” Behind the scenes a real-time relay script forwards your OTP to the attacker, who uses it to authorize a UPI transaction, initiate a credit-card application, or access your EPFO account. By the time you see the bank debit SMS, the money has been layered through three crypto wallets or offshore payment gateways.

The scam scales because India's SMS delivery infrastructure lacks robust sender-ID authentication for transactional routes. Telecom operators rely on header registration with the Telecom Regulatory Authority of India, but enforcement gaps allow fraudsters to rent sender IDs through gray-market aggregators. The Indian Computer Emergency Response Team (CERT-In) recorded 1.3 million phishing URLs in calendar year 2025; SMS-based tax and PAN scams accounted for 19 % of that total.

Warning — Even if the sender ID appears legitimate, cross-verify the domain in the URL. Official Income Tax and NSDL links always use incometax.gov.in or onlineservices.nsdl.com—never short URLs or third-party domains.

Urgency and threat language. Genuine government communications never threaten immediate deactivation or legal action via SMS. The Income Tax Department publishes extended deadlines on its website and sends reminders through registered email on your e-filing account.

Unsolicited links. The department's standard practice is to direct taxpayers to incometax.gov.in and ask them to log in using existing credentials. No legitimate notice embeds a clickable hyperlink in an SMS.

Grammar and spelling errors. Phishing messages often carry typos—“PAN card is expire,” “linkage pendding,” “update immdeiately”—because they originate from non-native speakers or automated translation tools.

Generic greetings. A real notice from the Income Tax Department uses your registered name and PAN. Scam texts open with “Dear User,” “Dear Taxpayer,” or “Respected Sir/Madam.”

Request for OTP or CVV. No government portal or bank ever asks you to share an OTP received on your phone. OTPs are auto-read by apps or manually entered by you on the *same* authenticated session—never disclosed to a third party.

URL structure. Hover over (on desktop) or long-press (on mobile) the link to reveal the full destination. Look for misspellings: “incometax-gov.in” (hyphen instead of dot), “íncometax.gov.in” (accent over 'i'), or entirely different domains like “panservices.xyz.”

SSL certificate mismatch. If you do land on a phishing site, check the padlock icon. Fraudulent pages either lack HTTPS or display certificates issued to unrelated entities. Browsers flag these with “Not Secure” or “Your connection is not private” warnings—never bypass them.

Most citizens miss this — Screenshot the SMS before deleting it. The metadata—sender ID, timestamp, and URL—form the evidential foundation of your FIR and CERT-In complaint.

Bharatiya Nyaya Sanhita 2024 section 318(4) consolidates the erstwhile IPC sections 419 and 420, defining cheating by personation using a computer resource. A conviction carries imprisonment up to seven years and a fine. The offence is cognizable (police can arrest without warrant) and non-bailable if the fraud amount exceeds ₹1 lakh or involves identity theft of government credentials.

Bharatiya Nyaya Sanhita 2024 section 319 addresses criminal breach of trust. If a scammer uses your PAN to file a fraudulent GST return or open a shell company, this section applies alongside section 318, and penalties stack.

Information Technology Act 2000 section 66D penalizes cheating by personation using a computer resource with imprisonment up to three years. Though BNS 2024 subsumes much of IPC, IT Act 2000 remains in force for cyber-specific offences, and prosecutors often invoke both statutes in the same charge-sheet.

Information Technology Act 2000 section 43(a) grants civil remedies: you can claim compensation from the intermediary (SMS gateway or hosting provider) if they failed to observe due diligence under Intermediary Guidelines 2021. The adjudicating officer under section 46 can award up to ₹5 crore, though typical awards range between ₹50,000 and ₹5 lakh.

Reserve Bank of India Master Direction on Digital Payment Security Controls 2021 mandates that banks must refund customers for unauthorized electronic transactions reported within three working days, provided the customer did not share credentials with gross negligence. A victim who entered OTP under duress or deception remains protected; the burden shifts to the bank to prove willful negligence.

Do this immediately — Print a copy of RBI's Master Direction (updated June 2025) from rbi.org.in and attach it to your bank complaint. Mention clause 6.3 on zero-liability explicitly.

Minute zero to five. Do not close the phishing site yet; take screenshots showing the full URL, page content, and any form fields. On Android open Recent Apps and screenshot the browser window; on iOS capture the Safari address bar. Then disconnect your phone from Wi-Fi and mobile data to sever the attacker's real-time relay.

Minute six to fifteen. Call your bank's 24×7 customer care—Axis Bank: 1860-419-5555, HDFC Bank: 1860-267-6161, SBI: 1800-1234 or 1800-2100. Request immediate “hot-listing” or temporary freeze of your savings account, credit cards, and debit cards linked to the mobile number you disclosed. Do not wait for a debit alert; freezing is reversible, but drained accounts are not.

Minute sixteen to thirty. Dial the national cyber-crime helpline 1930. Provide your registered mobile number, the phishing URL, and transaction details if any money left your account. The 1930 operator logs your complaint into the Citizen Financial Cyber Frauds Reporting and Management System (CFCFRMS) and issues a reference number. This number is mandatory for invoking RBI's zero-liability framework.

Hour one. Visit your bank branch with a written complaint on plain paper. Include the 1930 reference number, timeline, screenshots, and a photocopy of your PAN and Aadhaar. Request a stamped acknowledgment copy. Under RBI guidelines the bank must respond within ten working days.

Hour two to twenty-four. Lodge an FIR at your local cyber-crime police station or through the National Cyber Crime Reporting Portal at cybercrime.gov.in. The police cannot refuse an FIR for a cognizable offence under BNS 2024 section 318(4); if they do, invoke Bharatiya Nagarik Suraksha Sanhita 2024 section 173(1), which codifies zero-FIR rights.

Day two. Change passwords for your Income Tax e-filing account, EPFO, DigiLocker, and any banking app. Enable two-factor authentication on email. Check your CIBIL report at cibil.com (one free report per year) and place a fraud alert with the credit bureau.

Citizen tip — If you shared your Aadhaar OTP, visit uidai.gov.in and lock your biometrics under the “Lock/Unlock Biometrics” service. This prevents misuse for SIM-swap fraud or loan applications.

Indian Computer Emergency Response Team (CERT-In) operates under the Ministry of Electronics and Information Technology and holds statutory authority under IT Act 2000 section 70B. Forward the phishing SMS as an email attachment to report-phishing@cert-in.org.in. In the email body include:

• Your name and contact number
• Date and time you received the SMS
• Sender ID as displayed
• Full text of the message
• Expanded URL (use a URL-expander service like checkshorturl.com if you did not click)
• Screenshots of the fake website if accessed

CERT-In typically responds within 72 hours with a ticket number and escalates the domain to registrars for takedown. In 2025 the average takedown time for India-targeted phishing domains was 18 hours.

National Cyber Crime Reporting Portal at cybercrime.gov.in accepts complaints under “Report Other Cyber Crime” → “Online Financial Fraud.” Upload the same evidence package: screenshots, SMS text, bank statements showing unauthorized debits, and 1930 reference number. The portal auto-routes your complaint to the jurisdictional cyber-cell based on your registered address. You receive an acknowledgment number via SMS and email; track status under “Track Your Complaint” using your mobile number.

If you do not receive a response within 15 days, file an RTI application with the Ministry of Home Affairs (Cyber Crime Coordination Centre) asking for the status of your complaint, name of the investigating officer, and steps taken. Use the AI RTI Drafter at https://rti.wiki/tools/ai-rti-drafter to generate the application in under two minutes.

Trust signal — The Supreme Court in Lalita Kumari v. Government of Uttar Pradesh (2014) 2 SCC 1 held that police must register an FIR for cognizable offences without preliminary inquiry. Cite this judgment if your local station hesitates.

An FIR under BNS 2024 transforms your complaint from a civil dispute into a criminal investigation. Police gain powers to summon telecom records, freeze mule accounts, and coordinate with international agencies via Interpol channels. Visit the cyber-crime police station in your district (larger cities have dedicated cyber-cells; smaller towns route through the general police station with a trained nodal officer). Carry:

• Two printed copies of your written complaint
• Printouts of all screenshots
• Bank statement showing unauthorized debit
• 1930 reference number printout
• Photocopy of PAN card and Aadhaar card
• Photo ID proof

Below is a sample complaint text. Adapt names, dates, and amounts to your facts.

To,
The Station House Officer,
Cyber Crime Police Station,
[City Name], [State]

Subject: FIR under BNS 2024 Section 318(4) and IT Act 2000 Section 66D for phishing and cheating by impersonation

Respected Sir/Madam,

I, [Your Full Name], residing at [Full Address], [City, PIN], hereby lodge a complaint regarding a cyber fraud committed against me on [Date].

1. On [Date] at approximately [Time], I received an SMS on my mobile number [Your Mobile] from sender ID "[Sender ID, e.g., ITDEPT]" stating that my PAN card [PAN Number] would be deactivated within 24 hours unless I updated my Aadhaar details via a link provided in the message.

2. The SMS contained a URL: [Full URL]. Believing it to be a genuine communication from the Income Tax Department, I clicked the link and was redirected to a website that closely resembled the official incometax.gov.in portal.

3. I entered my PAN number, Aadhaar number, date of birth, mobile number, and subsequently a six-digit OTP received on my phone.

4. Within minutes I received a bank debit alert: ₹[Amount] was withdrawn from my account [Account Number] at [Bank Name], [Branch].

5. I immediately called the bank's customer care and the 1930 helpline. I was issued reference number [1930 Reference Number] by the cyber-crime helpline.

6. Screenshots of the SMS and phishing website are attached as Annexures A and B. Bank statement showing the unauthorized debit is attached as Annexure C.

7. The act constitutes cheating by personation under Bharatiya Nyaya Sanhita 2024 section 318(4) and cheating by personation using computer resource under Information Technology Act 2000 section 66D.

I request you to:
  • Register an FIR under the above sections
  • Investigate the SMS gateway and hosting provider of the phishing domain
  • Coordinate with my bank and the National Payments Corporation of India (NPCI) to trace the recipient of the fraudulent transaction
  • Take necessary action under Bharatiya Nagarik Suraksha Sanhita 2024 to preserve evidence

I am willing to cooperate fully with the investigation.

Place: [City]
Date: [Date]

Signature
[Your Name]
[Contact Number]
[Email Address]

Attachments:
Annexure A: Screenshot of SMS
Annexure B: Screenshots of phishing website
Annexure C: Bank statement extract
Annexure D: 1930 complaint reference printout

The police will record your statement under BNSS 2024 section 183, assign a First Information Report number, and hand you a copy. If they refuse, invoke your right to approach the Superintendent of Police under BNSS 2024 section 173(3) or file a private complaint before the jurisdictional Magistrate under BNSS 2024 section 223.

Warning — Some police stations ask you to register online first through cybercrime.gov.in and then visit for a “station diary entry.” Politely insist on an FIR; a diary entry is not a substitute and does not trigger statutory investigation timelines.

Reserve Bank of India's Master Direction on Digital Payment Security Controls (updated June 2025) codifies a three-tier liability framework:

• Zero liability: Customer notifies the bank within three working days of an unauthorized transaction. The customer bears no loss.
• Limited liability (up to ₹10,000): Customer notifies between four and seven working days. Liability capped at transaction value or ₹10,000, whichever is lower.
• Case-by-case assessment: Notification after seven working days. Bank investigates; if the customer proves lack of gross negligence, the bank may still refund.

Gross negligence means you voluntarily shared your ATM PIN, password, or OTP with another person, or wrote them on the card. Entering an OTP on a phishing site after being deceived by a cloned government portal does not constitute gross negligence—this was clarified by RBI in Circular RBI/2021-22/68 dated September 2021.

If your bank denies your claim citing “customer negligence,” escalate through:

Step one: Write to the bank's nodal officer (name and email listed on the bank's website under “Grievance Redressal”). Copy your branch manager and include the 1930 reference number, FIR copy, and RBI circular reference.

Step two: If no response within 30 days, lodge a complaint with the Banking Ombudsman. Visit rbi.org.in, navigate to “Complaints → Banking Ombudsman Scheme,” and file online. The Ombudsman can award compensation up to ₹20 lakh for deficiency in service.

Step three: Simultaneously approach the National Consumer Disputes Redressal Commission under the Consumer Protection Act 2019 if the loss exceeds ₹1 crore, or the State Commission if it is between ₹1 lakh and ₹1 crore. The Act recognizes digital-banking customers as “consumers,” and the limitation period is two years from the date of the cause of action.

Do this immediately — Request certified copies of your bank statements and the SMS gateway logs from your telecom provider within 30 days. After 90 days, operators purge transactional SMS logs, and you lose crucial evidence.

In State Bank of India v. Sanjay Kumar (2020) 5 SCC 19, the Supreme Court held that banks cannot escape liability by merely asserting that the customer “must have” shared OTP voluntarily. The burden of proof lies on the bank to demonstrate gross negligence through forensic evidence—IP address logs, device fingerprints, or CCTV footage showing the customer acting in collusion.

The Delhi High Court in Axis Bank Ltd. v. Central Bureau of Investigation (2023) SCC OnLine Del 4821 observed that phishing attacks exploiting cloned government portals fall under BNS 2024 section 318(4) (then IPC 420) *and* IT Act 2000 section 66D concurrently. The dual invocation allows prosecutors to seek harsher sentencing and attachment of digital assets under the Prevention of Money Laundering Act 2002.

Enforcement agencies you may interact with:

• National Cyber Crime Coordination Centre (I4C): Operates under Ministry of Home Affairs; handles interstate and international coordination. Contact via cybercrime.gov.in.
• CERT-In: Manages technical aspects—domain takedowns, malware analysis, forensic support for law enforcement. Visit cert-in.org.in.
• Reserve Bank of India Banking Ombudsman: Adjudicates consumer disputes against banks. Visit rbi.org.in/Scripts/bs_viewombudsman.aspx.
• Unique Identification Authority of India (UIDAI): If your Aadhaar OTP was misused, file a complaint via uidai.gov.in/en/contact-support.html and lock your biometrics immediately.
• National Payments Corporation of India (NPCI): For UPI fraud, email grievance@npci.org.in with transaction ID and remitter/beneficiary VPA (virtual payment address).

Track enforcement statistics via the quarterly “Indian Cyber Crime Digest” published by the Ministry of Home Affairs at mha.gov.in. The January 2026 edition reported a 34 % year-on-year increase in tax-themed phishing, with fake PAN-update scams forming the largest sub-category.

Most citizens miss this — The PIO Reply Checker at https://rti.wiki/tools/pio-reply-checker helps you evaluate whether the police's investigation-status reply meets statutory disclosure norms under RTI Act 2005 section 4(1)©.

Your PAN number is a master key to your financial identity. Scammers who harvest it can:

• File fraudulent income-tax returns to claim refunds
• Register shell companies in your name and use them for GST fraud or money laundering
• Apply for personal loans or credit cards
• Defraud EPFO provident-fund withdrawals

Mitigate these risks by:

Quarterly CIBIL checks. Subscribe to CIBIL's TransUnion Credit Monitoring service (₹550/year) for real-time alerts on new credit inquiries. Dispute any unauthorized account opening immediately through cibil.com/dispute.

Income Tax account vigilance. Log in to incometax.gov.in every month and review “My Profile” → “Linked Accounts.” If you see unfamiliar bank accounts, file a complaint via the “Grievance” tab.

PAN inquiry freeze. The Income Tax Department does not yet offer a formal PAN freeze, but you can request restriction on PAN changes by visiting your jurisdictional Assessing Officer with an affidavit and police FIR copy. They annotate your PAN record with “Fraud Alert.”

Aadhaar lock/unlock. Keep your Aadhaar biometrics locked by default using the mAadhaar app or uidai.gov.in. Unlock temporarily only when you need to authenticate at a bank or government office, then lock it again.

DigiLocker monitoring. If you use DigiLocker for document storage, check the “Issued Documents” section monthly. Fraudulent use of your PAN sometimes creates ghost DigiLocker accounts; report these to digitallocker@meity.gov.in.

Citizen tip — Set up Google Alerts for “[Your PAN number] company registration” and “[Your Name] GST registration.” You will receive email notifications if your PAN appears in public company databases or GST portals.

If your bank or the National Securities Depository Limited (NSDL, the authorized PAN service provider) failed to prevent unauthorized changes to your PAN details, issue a legal notice demanding reversal and compensation. Below is a sample.

LEGAL NOTICE

To,
The Branch Manager,
[Bank Name],
[Branch Address],
[City, PIN]

CC: Nodal Officer – Customer Grievances, [Bank Name], [Email]
CC: National Securities Depository Limited, 4th Floor, Trade World, Kamala Mills Compound, Mumbai – 400013

Subject: Legal notice for unauthorized debit due to phishing fraud and failure to comply with RBI Master Direction on Digital Payment Security Controls

Dear Sir/Madam,

1. I, [Your Name], hold a savings account [Account Number] at your branch. On [Date], I was a victim of a phishing scam wherein fraudsters impersonating the Income Tax Department tricked me into disclosing my PAN, Aadhaar, and OTP details.

2. On [Date and Time], ₹[Amount] was debited from my account without my authorization. I reported the fraud to your customer care on [Date and Time] and lodged a written complaint at your branch on [Date], receiving acknowledgment number [Acknowledgment Number].

3. Despite being within the three-working-day notification window mandated by RBI's Master Direction on Digital Payment Security Controls (Clause 6.3), your bank has not reversed the amount or provided a written explanation.

4. I also hold that NSDL, as the authorized PAN service provider, allowed a phishing domain to clone its interface without deploying adequate anti-phishing measures or consumer warnings.

DEMANDS:

  a) Immediate reversal of ₹[Amount] to my account within seven days of receipt of this notice.
  b) Certification that no adverse remark has been recorded against my account due to this incident.
  c) Compensation of ₹[Amount, e.g., ₹25,000] for mental agony, time lost, and legal expenses.
  d) A written assurance detailing the corrective measures adopted to prevent recurrence.

5. If you fail to comply within seven days, I shall be constrained to:
  • File a complaint with the Banking Ombudsman under Banking Ombudsman Scheme 2006 (as amended)
  • Initiate a consumer complaint under Consumer Protection Act 2019
  • File a writ petition for mandamus in the jurisdictional High Court seeking directions to comply with RBI directives

This notice is issued without prejudice to my rights and remedies, all of which are expressly reserved.

Place: [City]
Date: [Date]

[Your Signature]
[Your Name]
[Contact Number]
[Email Address]

Enclosures:
1. Copy of bank complaint acknowledgment
2. FIR copy
3. Screenshots of phishing SMS and website
4. Bank statement extract showing unauthorized debit
5. RBI Master Direction extract (Clause 6.3)

Send the notice via registered post with acknowledgment due and retain the receipt. If you do not receive a satisfactory reply within 15 days, proceed to the Banking Ombudsman and consumer forum simultaneously.

Trust signal — A legal notice is not just a threat; it serves as admissible evidence in court that you took reasonable steps before litigation. Courts look favorably on parties who attempted pre-litigation settlement.

No. The Central Board of Direct Taxes (CBDT) never deactivates a PAN without first sending a registered email to the address on file in your e-filing account and publishing a notice in at least two national newspapers. SMS is used only for reminders, not as the sole mode of final communication.

Yes. Scammers aggregate such partial data from multiple breaches and combine them to open accounts, file fake returns, or sell the identity bundle on dark-web forums. Immediately report to CERT-In, lock your Aadhaar biometrics, and monitor your credit report.

No. CERT-In and police cyber-forensic labs maintain caches and can retrieve the original page from web archives or DNS logs. Your screenshots and 1930 reference remain sufficient evidence. However, act fast: web archives like archive.org purge newly crawled pages after 30 days if flagged as illegal.

No. RBI's Master Direction mandates that the bank must refund you first (within ten working days of your complaint) and then pursue its own recovery from the fraudster or correspondent bank. Inform your bank in writing that this stance violates Clause 6.3 and that you will escalate to the Banking Ombudsman.

Yes, under the Consumer Protection Act 2019. The National Consumer Disputes Redressal Commission has awarded ₹5,000 to ₹50,000 for “mental agony and harassment” in similar banking disputes. Include a detailed diary of hours spent, photocopies of petrol receipts, and leave-from-work certificates in your consumer complaint.

For amounts below ₹2 lakh, self-representation before the Banking Ombudsman and District Consumer Forum is straightforward—both bodies allow complaints without legal representation. For larger amounts or if the bank contests liability, consult a cyber-law advocate. Many bar associations offer free legal aid for cyber-fraud victims; inquire at your district legal services authority.

The Ministry of Corporate Affairs allows you to file a strike-off application if a company is registered in your name without consent. Download Form STK-8 from mca.gov.in, attach your FIR and affidavit, and submit through the MCA portal. The Registrar of Companies will mark the company as “Under Fraud Investigation,” freezing its bank accounts and GST registration pending probe.

Most standalone cyber-insurance policies cover social-engineering fraud, including phishing, up to the sum insured (commonly ₹1 lakh to ₹10 lakh). Check your policy document for the clause “Cyber Extortion and Social Engineering.” File the claim within 24 hours of discovery and provide FIR copy, bank statements, and all correspondence.

Bharatiya Nagarik Suraksha Sanhita 2024 section 193 mandates that investigation should conclude within 90 days if the accused is in custody, or six months if at large. In practice, cyber-crime cases involving overseas servers take 12 to 18 months. You can request interim investigation status via RTI every 60 days.

Partially. The Telecom Regulatory Authority of India's SMS filters allow you to block all promotional and transactional SMS except those from six-digit registered sender IDs. Use the DND (Do Not Disturb) service by dialing 1909 or sending an SMS “START 0” to 1909. However, scammers sometimes spoof legitimate six-digit IDs, so vigilance remains essential.

Citizen tip — Save the Citizen Crisis Response Network helpline (virtual support desk) in your phone contacts. When in panic, structured checklists reduce decision paralysis and accelerate the first-hour response.