Online Seller Asking for OTP for Refund: Scam Recovery (2026)
Quick Answer: No genuine seller, marketplace, courier, or bank ever needs your OTP to process a refund. Refunds always flow into your account through the original payment channel (UPI, card, wallet) and require no authentication on your end. The moment a “seller” or “support agent” calls you after a return or dispute and asks you to “share OTP,” “approve a request,” or “scan a QR code,” it is a confirmed scam attempt to either drain your account via a UPI autopay mandate or hijack your SIM/banking session. Hang up, do not press any number, and if you have already shared anything, dial NCRP 1930 within 60 minutes and freeze your bank account through the official channel. Recovery rate inside the zero-liability window under the RBI Master Direction on Limited Liability of Customers (2017) crosses 80% if you act within 3 working days.
A real story from last month
A homemaker in Pune ordered a ₹2,400 air-fryer, returned it because the heating coil was defective, and waited for the refund. Three days later her phone rang. The caller knew her order ID, the return reason, the courier pickup date, even the partial UPI ID she had paid with. He said the “refund team” could not push the money back because of a “KYC mismatch” and asked her to read out a 6-digit code. She read it. Within 90 seconds ₹1,99,000 left her account in four UPI transactions, all showing as “approved by user” because she had unwittingly authorised an autopay mandate.
She got every rupee back inside 11 days. This guide walks through exactly what she did and how the legal framework forces banks to refund you when you act fast.
Section 1: What this scam actually is
The “share OTP for refund” scam is a social-engineering attack that exploits the gap between when you expect money and when it actually arrives. The fraudster has either bought your order data from a leaky logistics partner, scraped it from a fake-courier phishing page, or simply guessed it after you posted a review. They call posing as the seller, the marketplace, the courier, or the payment gateway. The script is always the same:
- “Your refund of ₹X is stuck.”
- “We need to verify your account before releasing it.”
- “An OTP has been sent, please read it out.”
- Or alternatively: “Please scan this QR code to receive the refund.”
- Or: “Click this link to update your bank IFSC.”
What you are actually doing when you “share the OTP” is one of three things, depending on which variant the gang runs:
- Authorising a UPI autopay mandate that lets them pull money from your account every day for the next 364 days, up to ₹15,000 per transaction without further OTP, under NPCI's UPI AutoPay rules.
- Approving a SIM swap request with your telecom operator, after which they receive every future OTP you would have got.
- Confirming a “collect request” on UPI that pulls money out of your account even though the screen says “to receive.”
In all three cases the user has technically pressed “yes.” Do not blame yourself. Indian law treats unauthorised electronic transactions as the bank's liability the moment you report them inside the prescribed window.
Section 2: The exact moment you must hang up
One sentence ends every legitimate refund call: “You don't need to do anything, the money will reflect in 3 to 5 working days.” If the caller deviates from that, the call is fraudulent. Specifically:
- Any request to share OTP, PIN, CVV, or password: scam.
- Any request to scan a QR code to receive money: scam (QR codes only send money on UPI).
- Any request to install AnyDesk, TeamViewer, QuickSupport, or “RBI Helper”: scam.
- Any request to make a small ₹1 or ₹10 “verification” transaction: scam.
- Any threat that “the refund will lapse in 10 minutes”: scam.
- Any caller claiming to be from “RBI refund cell” or “income-tax refund department”: RBI does not call individuals, ever, full stop.
Hang up. Do not be polite. Block the number, then forward the SMS (if any) to 1909, the DoT's spam-complaint number under the Telecom Commercial Communications Customer Preference Regulations.
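The Section 2 rules can be turned into a simple screening check. The helper below is an added example, not code from this article: it encodes the red flags as keyword patterns and classifies a handful of constructed SMS/call snippets (my own wording, not real scam texts), so a reader can see how a single request for action is enough to flag a message.

```python
import re
from dataclasses import dataclass, field

# Red flags from Section 2. Every pattern in a row must match (case-insensitive)
# for that flag to fire; the keyword lists are assumptions chosen for illustration.
RED_FLAGS = [
    ("credential request",       [r"\b(otp|pin|cvv|password|passcode)\b"]),
    ("qr to receive money",      [r"\bqr\b", r"\b(receive|refund|credit)\b"]),
    ("remote-access app",        [r"\b(anydesk|teamviewer|quicksupport|rbi helper)\b"]),
    ("verification micro-debit", [r"(?<!\w)(₹|rs\.?|inr)\s?(1|10)\b", r"\b(verif|confirm|test)\w*"]),
    ("time pressure",            [r"\b(laps|expir|cancel|block)\w*\b", r"\b\d+\s?(min|hour)\w*\b"]),
    ("fake regulator",           [r"\brbi\b|\bincome[- ]tax\b", r"\b(refund|cell|department)\b"]),
]
COMPILED = [(label, [re.compile(p, re.I) for p in pats]) for label, pats in RED_FLAGS]

@dataclass
class Verdict:
    scam: bool
    flags: list = field(default_factory=list)

def screen_message(text: str) -> Verdict:
    """Classify one SMS or call-transcript snippet.

    One matching flag is decisive: a genuine refund never requires any action
    from the customer, so any request at all is the tell.
    """
    flags = [label for label, pats in COMPILED if all(p.search(text) for p in pats)]
    return Verdict(scam=bool(flags), flags=flags)

# Constructed sample messages for illustration only.
SAMPLES = {
    "stuck":   "Your refund of Rs 2400 is stuck due to KYC mismatch. An OTP has been sent, please read it out.",
    "qr":      "To receive your refund please scan this QR code on PhonePe.",
    "remote":  "Install AnyDesk and share the 9-digit code so our refund team can verify your app.",
    "micro":   "Send ₹1 to this UPI ID to confirm your account for the refund.",
    "tax":     "This is the income-tax refund department, confirm your account in the next 10 minutes or the refund will lapse.",
    "genuine": "Your return is accepted. You don't need to do anything, the amount will reflect in 3 to 5 working days.",
}

def screen_all(samples=SAMPLES) -> dict:
    """Run the screener over every sample and return {name: Verdict}."""
    return {name: screen_message(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, verdict in screen_all().items():
        print(f"{name:8s} scam={verdict.scam!s:5s} flags={verdict.flags}")
```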
Section 3: If you already shared the OTP, this is the 60-minute drill
The first hour is everything. The RBI Master Direction on Limited Liability of Customers (2017) creates three liability bands based on how fast you report. Inside the zero-liability band, the bank carries 100% of the loss. The clock starts the moment the unauthorised transaction is processed, not the moment you discover it.
Step 1, minute 0 to 5: dial 1930, the National Cyber Crime Helpline. It loops in every major bank's fraud desk, the issuing and beneficiary banks, and the payment system operator. Quote your UTR. The operator files a stop-payment request within minutes; if the money is still in the mule account, it gets frozen.
Step 2, minute 5 to 15: log into https://cybercrime.gov.in and file a written complaint under “Financial Fraud.” Save the acknowledgement PDF.
Step 3, minute 15 to 30: call your bank's 24×7 fraud line and block all digital channels: net banking, mobile banking, UPI handles, autopay mandates. Use the phrase “I want to invoke RBI Master Direction on Limited Liability of Customers, 2017, to report an unauthorised electronic banking transaction.”
Step 4, minute 30 to 60: visit your branch with the acknowledgement, call recording (if any), and a written complaint to the Branch Manager. Get a stamped receipt.
Step 5, within 24 hours: revoke all UPI autopay mandates inside your app (Settings → Autopay → Active mandates → Revoke).
Section 4: The legal framework that protects you
This is the sentence most victims never hear: the bank must refund you, by law, if you reported within the window. Stop apologising and start citing.
- IT Act 2000, Section 66D: cheating by personation using a computer resource. Up to 3 years' imprisonment and ₹1 lakh fine. Covers every “I am the seller, share OTP” call.
- IT Act 2000, Section 66C: identity theft using electronic signature, password, or any other unique identification feature. Up to 3 years and ₹1 lakh fine. Covers the fraudster using your OTP.
- Bharatiya Nyaya Sanhita 2024, Section 318: cheating, including dishonest inducement to deliver property. Up to 7 years' imprisonment for cheating with knowledge of likely wrongful loss.
- BNS 2024, Section 319: cheating by personation. Up to 5 years.
- BNS 2024, Section 336: forgery, including electronic records. Up to 7 years.
- RBI Master Direction on Limited Liability of Customers in Unauthorised Electronic Banking Transactions, 2017: zero customer liability if reported within 3 working days, capped liability of ₹5,000 to ₹25,000 if reported within 4 to 7 days, full liability after 7 days. Burden of proof is on the bank, not on you.
- IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, Rule 4(2): significant social-media intermediaries must trace the first originator of fraudulent messages on court order.
- Information Technology (Reasonable Security Practices) Rules 2011: e-commerce platforms must protect “sensitive personal data” and are liable for compensation under IT Act §43A if they leak your order data to scammers.
The Supreme Court in Avnish Bajaj v. State (2008) settled that intermediaries cannot hide behind “we are just a platform” if they have actual or constructive knowledge of fraud running on their pipes. Shreya Singhal v. Union of India (2015) reinforced that intermediaries must act on “actual knowledge” via court or government order. Together, these mean your written grievance to the marketplace (mandatory under Rule 4(2)) creates a legally enforceable trail.
Section 5: Why “I authorised it” is not a defence the bank can use
Banks routinely tell victims “you yourself entered the OTP, so it is not unauthorised.” This is wrong in law. An OTP shared under deception is vitiated consent, like a signature obtained by fraud. Paragraph 6 of the 2017 Master Direction defines “unauthorised electronic banking transaction” to include transactions where the customer's credentials were used by a third party, regardless of whether the customer “shared” them.
If your bank refuses to refund within 10 working days, escalate to:
- The bank's Internal Ombudsman (mandatory in every scheduled commercial bank since 2018).
- RBI Integrated Ombudsman Scheme 2021, file at https://cms.rbi.org.in. Decision is binding up to ₹30 lakh.
- Consumer Commission under the Consumer Protection Act 2019, with deficiency-of-service as the cause of action.
Section 6: How to spot the fake refund call before you pick up
A few telltale patterns that distinguish scammers from real customer-care agents:
- Real platforms send refunds silently. Flipkart, Amazon, Meesho, Myntra, Nykaa, Snapdeal, JioMart: none call to “process” a refund. The email or in-app notification is the only legitimate touchpoint.
- Real banks never ask for OTP. HDFC, ICICI, SBI, Axis, Kotak fraud desks open every call with “we will never ask for OTP.”
- Real couriers (Delhivery, Bluedart, Ekart, India Post) never handle refunds. The refund is between you and the seller.
- Caller-ID spoofing is cheap. End the call and dial back via the app's official help section, never Google search results (see fake customer-care numbers guide).
- Caller asking for WhatsApp OTP: a parallel attack covered in the WhatsApp OTP fraud explainer.
Section 7: The autopay mandate trap
This is the most expensive variant. An “approved” UPI autopay mandate gives a merchant standing instructions to debit your account up to a stated cap, daily, weekly, or monthly, for up to 364 days, without further OTP. Fraudsters abuse this with shell merchant IDs.
To check for fraudulent mandates right now:
- Open your UPI app (PhonePe, Google Pay, Paytm, BHIM, Amazon Pay).
- Navigate to Profile → Autopay (or Mandates).
- Review every active mandate. Anything unrecognised: revoke immediately.
- Screenshot before revoking, for the FIR.
A detailed walkthrough is at the UPI autopay mandate fraud guide. For the “stuck UTR” problem, see UPI deducted but not received.
Section 8: What to do if the marketplace blames you
Platforms sometimes say “we don't make calls, contact your bank.” This is legally wrong if the scammer used data leaked from the platform: order ID, return reason, partial payment details, courier name. Under IT Act §43A and the 2011 SPDI Rules, the platform is a body corporate handling sensitive personal data and is liable for compensation if it failed reasonable security practices.
File a written complaint with the platform's Grievance Officer (mandatory contact in the website footer under Rule 4(1)). They have 24 hours to acknowledge and 15 days to resolve. Escalate to the Resident Grievance Officer and then Chief Compliance Officer (Rule 4(2)).
If refused, file at https://consumerhelpline.gov.in (Ministry of Consumer Affairs) or at the District Consumer Commission under the Consumer Protection Act 2019 (pecuniary jurisdiction up to ₹50 lakh).
Section 9: Reporting tree at a glance
Phone first, paperwork later. This sequence has the best documented recovery rate.
- 1930 (NCRP helpline): 0 to 60 minutes after fraud.
- Bank's 24×7 fraud line: 0 to 60 minutes, parallel to 1930.
- https://cybercrime.gov.in: within 24 hours, written FIR-equivalent.
- Local cyber-crime police station: within 72 hours if the loss exceeds ₹10 lakh or involves multiple victims.
- Marketplace Grievance Officer: within 7 days, email with all evidence.
- Bank Internal Ombudsman: if bank does not refund within 10 working days.
- RBI Integrated Ombudsman, https://cms.rbi.org.in: 30 days after Internal Ombudsman, or directly if bank ignores.
- District Consumer Commission: parallel track for compensation beyond the refund.
Section 10: Evidence checklist
Save these immediately, because telecom and bank logs are deleted after 30 to 90 days:
- Screenshot of the incoming-call log.
- Screenshot of the OTP SMS with timestamp.
- Screenshot of every UPI debit and mandate creation.
- Screenshot of active UPI autopay mandates.
- Screenshot of the e-commerce return/refund page.
- Bank statement PDF for 7 days around the fraud.
- Voice recording of the fraud call (if available).
- Order confirmation and return-acceptance emails.
- WhatsApp messages with the “agent.”
Send all in one zip to the cyber-crime portal. The upload field has a 10MB cap and 5-attachment limit; a zip counts as one.
Section 11: Filing an RTI to find out what your bank actually did
If 30 days pass and your bank has neither refunded nor given a written explanation, an RTI to the bank's nodal Public Information Officer is the lever that breaks the silence. Public-sector banks (SBI, PNB, BoB, Canara, Union Bank, Indian Bank, etc.) are fully covered under the RTI Act 2005. Private banks are not directly covered, but the RBI is, and an RTI to the RBI asking “what action has the RBI taken on consumer complaint number XYZ filed against [bank name]” produces results.
Sample questions to ask under the RTI Act 2005:
- “Provide a copy of all internal correspondence regarding complaint number [your reference] dated [date].”
- “State the date on which the bank reported the unauthorised transaction to the National Payments Corporation of India and the beneficiary bank.”
- “Provide the file noting recommending refund or rejection, along with the name and designation of the deciding authority.”
- “State whether the matter was referred to the Internal Ombudsman, with date of reference and date of decision.”
Drafting an RTI to a bank's PIO is non-trivial and the wording matters. The free AI RTI Drafter generates a compliant draft with the correct statutory references in under 60 seconds. For background on how the RTI Act 2005 works end to end, the complete RTI guide is the master reference.
Section 12: Prevention, the only thing that scales
Recovery is partial, slow, and stressful. Prevention is total, instant, and free.
- Set a UPI per-day cap of ₹10,000 in your UPI app settings. Genuine refunds never exceed this. A fraudster who steals your OTP cannot drain more than ₹10k before being throttled.
- Freeze ECS/NACH/autopay for accounts where you do not need them, by written instruction to the bank. Reactivate only when needed.
- Use a separate “shopping” bank account with only the float you need for online purchases. Keep your salary and savings in a different bank that has no UPI handle linked.
- Enable transaction SMS alerts for every debit above ₹1, not the default ₹1,000. This makes the first ₹1 “test” debit visible.
- Disable international card transactions until the day you actually need them.
- Lock your SIM with a SIM-PIN (Settings → Security → SIM lock on iOS, Settings → Lock screen on Android). This blocks SIM-swap attacks even if the gang social-engineers your telecom store.
- Never read out any code, even if the caller “verified” your name and order ID. Knowing your data does not authenticate them.
- Bookmark the official customer-care number of every platform you use, do not rely on Google. Google's “knowledge panel” has been gamed by SEO scammers for years.
Section 13: Cross-link map for related scams
OTP-refund scams overlap with several adjacent fraud families. Each has its own dedicated guide:
- WhatsApp OTP fraud for account-takeover variant.
- UPI deducted but not received for the stuck-UTR variant.
- UPI autopay mandate fraud for the silent-recurring-debit variant.
- Fake customer-care number scam for the Google-search-result variant.
- Fake court summons WhatsApp scam for the threat-based extortion variant.
- Coaching institute refund rights for the offline-education refund family, where similar OTP tricks are used.
- Weekend problem solver for the master index of all weekend-published help articles.
- Citizen crisis response network for the live-support directory of state and central helplines.
Section 14: One-page action sheet to screenshot
If you only remember one thing from this article, remember this checklist. Save it to your phone gallery. The next time someone calls about a “refund,” open this image, follow the boxes in order:
- Caller asks for OTP, PIN, password, or QR scan? Hang up. No exceptions.
- Already shared? Dial 1930 in the next 5 minutes.
- Open https://cybercrime.gov.in within 30 minutes, file written FIR.
- Call bank fraud line, invoke “RBI Master Direction 2017.”
- Revoke every UPI autopay mandate in your app.
- Collect all 9 evidence items in one zip.
- File grievance with marketplace within 7 days.
- If bank stalls 10 working days, file at https://cms.rbi.org.in.
- Use AI RTI Drafter to extract the bank's file noting under RTI Act 2005.
- Tell three other people about this article. The fraudsters' business model dies the day every household knows the rule: genuine refunds never need an OTP from you.
The Pune homemaker who lost ₹1,99,000 got everything back in 11 days because she did exactly this, in this order, without delay or self-blame. The law is on your side. Use it loudly.
Last updated: 2026-05-07. This article is not legal advice. For case-specific guidance consult a licensed lawyer or a recognised legal-aid clinic. Statute references current as of the date above; check the latest position before acting.