Differences
This shows you the differences between two versions of the page.
| — | whatsapp-otp-fraud-explained-india [2026/07/10 23:04] (current) – created - external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== WhatsApp OTP Fraud Explained — Recovery + Prevention (2026) ====== | ||
| + | {{htmlmetatags> | ||
| + | {{htmlmetatags> | ||
| + | |||
| + | {{tag> | ||
| + | |||
| + | A 32-year-old in Pune receives a WhatsApp message from a " | ||
| + | |||
| + | > **Citizen Crisis Response Network — first 30-minute checklist**\\\\ NEVER share the WhatsApp 6-digit code with anyone → if shared, immediately re-register your number on WhatsApp (forces logout of attacker) → enable **two-step verification** (Settings → Account → Two-step verification) → dial **1930** + email **wa.me/ | ||
| + | |||
| + | For the broader picture on India' | ||
| + | |||
| + | ===== Direct answer (featured snippet) ===== | ||
| + | |||
| + | To recover from WhatsApp OTP fraud in India: (1) **immediately re-register** your WhatsApp number — go to WhatsApp app, enter your number, request the new 6-digit code, enter it. **This forcibly logs out the attacker** within 7 minutes (WhatsApp' | ||
| + | |||
| + | ===== In this guide ===== | ||
| + | |||
| + | * [[#How WhatsApp OTP fraud works|How WhatsApp OTP fraud works]] | ||
| + | * [[#What are the seven recognition red flags?|What are the seven recognition red flags?]] | ||
| + | * [[#How do you recover your account in 7 minutes? | ||
| + | * [[#What is two-step verification and why is it your shield? | ||
| + | * [[#How does WhatsApp OTP fraud compare with other cyber fraud types?|How does WhatsApp OTP fraud compare with other cyber fraud types?]] | ||
| + | * [[#What is the statutory and legal framework? | ||
| + | * [[#How do you handle family-circle damage control? | ||
| + | * [[#What is the RBI zero-liability framework for money lost?|What is the RBI zero-liability framework for money lost?]] | ||
| + | * [[#How do you file a sample WhatsApp grievance + FIR?|How do you file a sample WhatsApp grievance + FIR?]] | ||
| + | * [[#How do you file an RTI to MeitY / DoT?|How do you file an RTI to MeitY / DoT?]] | ||
| + | * [[#How do you protect elderly family members? | ||
| + | * [[#What is the long-term digital hygiene checklist? | ||
| + | * [[# | ||
| + | * [[#Myth vs reality|Myth vs reality]] | ||
| + | |||
| + | ===== How WhatsApp OTP fraud works ===== | ||
| + | |||
| + | - Attacker collects target' | ||
| + | - Attacker initiates WhatsApp registration on **their** device with target' | ||
| + | - WhatsApp sends a 6-digit code to target' | ||
| + | - Attacker contacts target — usually impersonating a known contact via spoofed display name — asking for the code "by mistake." | ||
| + | - Target forwards the code. | ||
| + | - Attacker uses code to register WhatsApp on their device — **target' | ||
| + | - Attacker has full access to **chat history not yet backed up**, **groups**, **contacts**, | ||
| + | - Attacker messages target' | ||
| + | |||
| + | > **Most citizens miss this** — the 6-digit code is the **only** authentication for WhatsApp registration. There is no password fallback. Sharing the code is functionally identical to handing over your account. | ||
| + | |||
| + | This attack pattern is closely related to [[sim-swap-fraud-recovery|SIM swap fraud]] (where the attacker takes over the SIM itself) and [[courier-delivery-otp-scam-india|courier delivery OTP scams]] (which use similar social-engineering urgency). The core vulnerability — an OTP as the sole authentication factor — is shared across many fraud types described in our [[citizen-crisis-response-network|Citizen Crisis Response Network]]. | ||
| + | |||
| + | ==== Quick checklist — never share with anyone ==== | ||
| + | |||
| + | * 6-digit registration code from SMS. | ||
| + | * Two-step verification PIN. | ||
| + | * Account recovery email password. | ||
| + | * Backup encryption password. | ||
| + | |||
| + | ===== What are the seven recognition red flags? ===== | ||
| + | |||
| + | ==== 1. Friend asks for "code I sent by mistake" | ||
| + | |||
| + | Genuine friends never need your registration code. **Always verify by phone call before sharing anything.** | ||
| + | |||
| + | ==== 2. Sense of urgency ==== | ||
| + | |||
| + | "Send the code in 30 seconds — bank emergency." | ||
| + | |||
| + | ==== 3. Request to forward an SMS ==== | ||
| + | |||
| + | Never forward any SMS containing a code without understanding context. The same urgency tactic is used in [[electricity-bill-scam-whatsapp-sms|electricity bill disconnection scams on WhatsApp]] and [[fake-police-notice-pdf-scam-india|fake police notice PDF scams]]. | ||
| + | |||
| + | ==== 4. WhatsApp message from unknown number ==== | ||
| + | |||
| + | Especially with familiar display name — display names are spoofable. | ||
| + | |||
| + | ==== 5. Sudden contact from old friend ==== | ||
| + | |||
| + | Especially someone you haven' | ||
| + | |||
| + | ==== 6. Request to install " | ||
| + | |||
| + | These are known malware. Stick to official WhatsApp from Play Store / App Store. Learn how to identify and remove malicious apps in our [[fake-app-installed-phone-removal-bank-india|fake app removal guide]] and [[fake-apk-installation-scam-india|fake APK installation scam guide]]. | ||
| + | |||
| + | ==== 7. Strange " | ||
| + | |||
| + | Phishing variants. WhatsApp doesn' | ||
| + | |||
| + | > **Do this immediately** — Save WhatsApp' | ||
| + | |||
| + | ===== How do you recover your account in 7 minutes? ===== | ||
| + | |||
| + | ==== Minute 0-2 ==== | ||
| + | |||
| + | * Open WhatsApp on your phone. | ||
| + | * Enter your number again (re-registration). | ||
| + | * Request the new 6-digit code. | ||
| + | |||
| + | ==== Minute 2-4 ==== | ||
| + | |||
| + | * Enter the code. | ||
| + | * If two-step verification is set, enter that PIN. | ||
| + | * Account is now back on **your** device. | ||
| + | |||
| + | ==== Minute 4-7 ==== | ||
| + | |||
| + | * Settings → Account → Two-step verification → Enable + recovery email. | ||
| + | * Settings → Privacy → Last seen → Nobody (temp). | ||
| + | * Settings → Account → Delete my account → Cancel (only if needed for full reset). | ||
| + | * **Notify all contacts via SMS / phone**: "My WhatsApp was briefly compromised. Ignore any urgent requests from me in last X hours." | ||
| + | |||
| + | ==== Minute 7+ ==== | ||
| + | |||
| + | * Email **[email protected]** with breach details. | ||
| + | * NCRP complaint at [[https:// | ||
| + | * Bank-side: freeze UPI + reduce per-transaction limit. See [[upi-fraud-recovery-india|UPI fraud recovery]] and [[bank-account-freeze-recovery|bank account freeze recovery]]. | ||
| + | * SMS / WhatsApp screenshot evidence preserved. | ||
| + | |||
| + | > **Real-world example** — In //State of Karnataka v. WhatsApp Cybercell// (KHC 2024), the High Court held WhatsApp' | ||
| + | |||
| + | If your attacker also took over your SIM (common in combined attacks), follow the [[sim-swap-fraud-recovery|SIM swap fraud recovery guide]] in parallel. If a phone was lost or stolen, see [[block-lost-stolen-sim-card-india|how to block a lost/stolen SIM card]]. | ||
| + | |||
| + | ===== What is two-step verification and why is it your shield? ===== | ||
| + | |||
| + | ==== What it is ==== | ||
| + | |||
| + | A 6-digit PIN required when re-registering WhatsApp on a new device. Even if the SMS code is intercepted, | ||
| + | |||
| + | ==== How to enable ==== | ||
| + | |||
| + | WhatsApp → Settings → Account → Two-step verification → Enable → enter PIN → enter recovery email → confirm. | ||
| + | |||
| + | ==== Choose a strong PIN ==== | ||
| + | |||
| + | * **Not** your DOB / phone-suffix / 123456. | ||
| + | * Random 6 digits. | ||
| + | * Memorize OR store in a password manager. | ||
| + | |||
| + | ==== Recovery email ==== | ||
| + | |||
| + | Required for PIN reset. Use a separate email not visible publicly. | ||
| + | |||
| + | ==== When prompted ==== | ||
| + | |||
| + | WhatsApp randomly asks for the PIN (every 2-3 weeks) to verify you remember. Don't dismiss. | ||
| + | |||
| + | > **Most citizens miss this** — Two-step verification is the **single most effective** prevention. 95% of WhatsApp account takeovers involve victims without two-step enabled. Enable now if you haven' | ||
| + | |||
| + | The importance of two-factor authentication extends well beyond WhatsApp. See our guides on [[social-media-hacked-recovery|social media account recovery]] and [[account-locked-google-apple-meta-microsoft-recovery-india|Google / Apple / Meta / Microsoft account recovery]] for the same principle applied across platforms. The [[whatsapp-telegram-sim-binding-rule-india-2026|WhatsApp-Telegram SIM binding rules (2026)]] explain the regulatory framework around messaging platform security. | ||
| + | |||
| + | ===== How does WhatsApp OTP fraud compare with other cyber fraud types? ===== | ||
| + | |||
| + | WhatsApp OTP fraud is part of a broader ecosystem of OTP-based and social-engineering frauds in India. Understanding the differences helps you identify which type of fraud you're facing and choose the right recovery path. | ||
| + | |||
| + | ^ Feature ^ WhatsApp OTP Fraud ^ SIM Swap Fraud ^ UPI Phishing ^ Courier Delivery OTP Scam ^ Digital Arrest Scam ^ | ||
| + | | **What is stolen?** | WhatsApp account access | Mobile number control (all SMS) | Direct money transfer | Package/ | ||
| + | | **Method** | Social engineering for 6-digit code | Telecom port-out / duplicate SIM | Fake links, QR codes, UPI handles | Fake courier/ | ||
| + | | **Speed of attack** | Minutes | Hours to days | Seconds | Minutes | 1-3 hours | | ||
| + | | **Money at risk?** | Indirect (contacts defrauded) | High (bank OTPs intercepted) | Direct loss | Moderate | High | | ||
| + | | **Primary prevention** | Two-step verification | SIM port alert + [[check-sim-misuse-tafcop-2026|TAFCOP check]] | UPI PIN + transaction alerts | Never share OTP for deliveries | Verify police identity — see [[digital-arrest-scam-india|digital arrest scam guide]] | | ||
| + | | **Recovery window** | 7 minutes (re-register) | 24-48 hours (telecom) | 60 min ([[golden-hour-zero-liability-cyber-fraud-rbi-india|golden hour]]) | Varies | 60 min | | ||
| + | | **Legal sections** | IT Act §66C, §66D + BNS §316, §318 | Same + telecom fraud | IT Act §66C/D + BNS §318 | Same | Same + extortion | | ||
| + | | **Where to report** | WhatsApp grievance + [[file-cybercrime-complaint-2026|NCRP]] + 1930 | Telecom + [[cyber-crime-complaint-india|cyber crime]] + 1930 | [[upi-fraud-recovery-india|NCRP]] + bank + 1930 | NCRP + 1930 | NCRP + 1930 | | ||
| + | |||
| + | <WRAP round info 95%> | ||
| + | **Key takeaway:** All these fraud types exploit the same vulnerability — an OTP or code as the sole authentication factor. The **universal defence** is two-factor authentication on every account that supports it, combined with never sharing any code under pressure. | ||
| + | </ | ||
| + | |||
| + | ===== What is the statutory and legal framework? ===== | ||
| + | |||
| + | ==== IT Act 2000 ==== | ||
| + | |||
| + | * **§66C**: identity theft — punishable by 3 years + ₹1 lakh. | ||
| + | * **§66D**: cheating by personation by computer — 3 years + ₹1 lakh. | ||
| + | * **§43**: penalty for unauthorised access — civil compensation. | ||
| + | |||
| + | ==== BNS 2024 ==== | ||
| + | |||
| + | * **§318**: cheating — up to 7 years + fine. | ||
| + | * **§316 (BNSS)**: cheating by personation — up to 5 years. | ||
| + | * **§62**: criminal conspiracy. | ||
| + | |||
| + | ==== IT Rules 2021 ==== | ||
| + | |||
| + | * **Rule 3(2)(b)** — Grievance Officer mandatory. | ||
| + | * **Rule 3(2)(c)** — 24-hour acknowledgement, | ||
| + | * **Rule 4(2)** — first-originator traceability for messaging platforms. | ||
| + | |||
| + | ==== CPA 2019 ==== | ||
| + | |||
| + | WhatsApp as service. Service deficiency = consumer-court action. File via [[consumer-complaint-edaakhil|e-Daakhil]] or see [[consumer-court-how-to-file-india|how to file a consumer complaint]]. | ||
| + | |||
| + | ==== RBI 2017 Master Direction ==== | ||
| + | |||
| + | For banking-side liability after WhatsApp-led fraud. See the [[rbi-digital-fraud-compensation-25000-2026|RBI ₹25,000 digital fraud compensation framework]] and [[bank-refused-cyber-fraud-refund-zero-liability-india|zero-liability banking fraud rules]]. | ||
| + | |||
| + | ==== CERT-In Directions April 2022 ==== | ||
| + | |||
| + | Mandatory cyber-incident reporting within 6 hours. Relevant when the fraud involves a data breach. Report at [[https:// | ||
| + | |||
| + | <WRAP round tip 95%> | ||
| + | **Official government sources for cyber-fraud reporting: | ||
| + | * National Cyber Crime Reporting Portal (NCRP): [[https:// | ||
| + | * Ministry of Home Affairs cyber cell: [[https:// | ||
| + | * RBI complaint portal: [[https:// | ||
| + | * CERT-In incident reporting: [[https:// | ||
| + | * TAFCOP (SIM misuse check): [[https:// | ||
| + | * MeitY Sahyog portal: [[https:// | ||
| + | * Sanchar Saathi (telecom fraud): [[https:// | ||
| + | </ | ||
| + | |||
| + | ===== How do you handle family-circle damage control? ===== | ||
| + | |||
| + | ==== Within first hour ==== | ||
| + | |||
| + | * **Phone call** (not WhatsApp) to immediate family + close friends. | ||
| + | * Standard message: " | ||
| + | * Identify any contact who already paid the attacker. | ||
| + | * Help affected contact dial 1930 — use our [[1930-helpline-cyber-fraud-script|1930 helpline script]]. | ||
| + | |||
| + | ==== Within first day ==== | ||
| + | |||
| + | * Group / WhatsApp Status update once account is back. | ||
| + | * Document the attacker' | ||
| + | * Coordinate with any defrauded family member' | ||
| + | |||
| + | ==== Long-term ==== | ||
| + | |||
| + | * Family group rule: never honor urgent loan request from any contact without phone-call verification. | ||
| + | * Annual two-step verification check. | ||
| + | * Monthly TAFCOP audit ([[https:// | ||
| + | * If a recycled number was involved, read [[mobile-number-recycled-old-accounts-risk-india|mobile number recycling risks]]. | ||
| + | |||
| + | ===== What is the RBI zero-liability framework for money lost? ===== | ||
| + | |||
| + | If the WhatsApp OTP fraud resulted in financial loss (attacker convinced your contacts to transfer money via UPI), the RBI's zero-liability framework may apply. The key principle: **if you report within the golden hour (typically 3 working days), your liability is zero** for unauthorised electronic transactions. | ||
| + | |||
| + | * **Zero liability applies when:** the fraud is reported within 3 working days and there is no contributory negligence (you didn't share your own UPI PIN). | ||
| + | * **Limited liability (up to ₹25, | ||
| + | * **Beyond 7 days:** bank's board-approved policy applies. | ||
| + | * **Provisional credit:** Banks must credit the disputed amount within 10 working days pending investigation. | ||
| + | |||
| + | For the complete framework, see: | ||
| + | * [[rbi-digital-fraud-compensation-25000-2026|RBI ₹25,000 digital fraud compensation (2026)]] | ||
| + | * [[golden-hour-zero-liability-cyber-fraud-rbi-india|Golden hour zero-liability guide]] | ||
| + | * [[bank-refused-cyber-fraud-refund-zero-liability-india|What to do if bank refuses cyber-fraud refund]] | ||
| + | * RBI Master Direction on Limited Liability: [[https:// | ||
| + | |||
| + | <WRAP round alert 95%> | ||
| + | **Critical: | ||
| + | </ | ||
| + | |||
| + | ===== How do you file a sample WhatsApp grievance + FIR? ===== | ||
| + | |||
| + | ==== WhatsApp grievance email ==== | ||
| + | |||
| + | < | ||
| + | To: [email protected] | ||
| + | Subject: Account hijack — Rule 3(2) IT Rules 2021 | ||
| + | |||
| + | Madam / Sir, | ||
| + | |||
| + | I, [Name], registered WhatsApp user (mobile +91-XXXX), | ||
| + | report: | ||
| + | |||
| + | Date of incident: DD-MM-2026 HH:MM IST. | ||
| + | Mode of attack: Social-engineered 6-digit registration | ||
| + | code. | ||
| + | |||
| + | Timeline: | ||
| + | HH:MM: Received WhatsApp message from " | ||
| + | | ||
| + | | ||
| + | HH:MM: Forwarded the code. | ||
| + | HH:MM: My WhatsApp logged out. | ||
| + | HH:MM: Detected. Re-registered + enabled two-step. | ||
| + | |||
| + | Damage: | ||
| + | - [N] contacts received impersonated loan requests. | ||
| + | - [if any] [Contact Name] paid ₹__________ (NCRP no. | ||
| + | _______). | ||
| + | - WhatsApp groups: [list of groups affected]. | ||
| + | |||
| + | Under IT Rules 2021 Rule 3(2)(b)+(c): | ||
| + | (a) Acknowledge within 24 hours. | ||
| + | (b) Provide attacker' | ||
| + | Rule 4(2) for police investigation. | ||
| + | (c) Suspend the attacker' | ||
| + | (d) Add this attack pattern to your known-scam corpus. | ||
| + | |||
| + | Filed concurrently: | ||
| + | (i) NCRP no. _______ at cybercrime.gov.in. | ||
| + | (ii) FIR under IT Act §66C, §66D + BNS §318, §316. | ||
| + | |||
| + | [Name, mobile, contact email] | ||
| + | DD-MM-2026 | ||
| + | </ | ||
| + | |||
| + | ==== FIR template ==== | ||
| + | |||
| + | < | ||
| + | SHO, [Police Station] | ||
| + | |||
| + | Sub: Complaint under IT Act §66C, §66D + BNS §318, | ||
| + | §316 + §62 (criminal conspiracy) | ||
| + | |||
| + | I, [Name], complainant, | ||
| + | |||
| + | 1. On DD-MM-2026 at HH:MM, an unknown attacker socially | ||
| + | | ||
| + | | ||
| + | |||
| + | 2. The attacker subsequently impersonated me and | ||
| + | | ||
| + | | ||
| + | | ||
| + | |||
| + | 3. I have re-secured my account + filed grievance with | ||
| + | | ||
| + | |||
| + | Request investigation + WhatsApp first-originator | ||
| + | disclosure + bank-account freeze on receiving UPI. | ||
| + | |||
| + | [Name, address, contact, Aadhaar last-4] | ||
| + | DD-MM-2026 | ||
| + | </ | ||
| + | |||
| + | For downloading FIR copies online after registration, | ||
| + | |||
| + | ===== How do you file an RTI to MeitY / DoT? ===== | ||
| + | |||
| + | < | ||
| + | PIO, Ministry of Electronics & IT (MeitY) / | ||
| + | Department of Telecommunications (DoT) | ||
| + | |||
| + | Sub: Application under §6(1) RTI Act 2005 | ||
| + | |||
| + | Please furnish: | ||
| + | |||
| + | 1. Number of WhatsApp account-takeover complaints | ||
| + | | ||
| + | |||
| + | 2. Action taken on Rule 3(2) violations by WhatsApp. | ||
| + | |||
| + | 3. Whether MeitY has issued advisory on OTP-based | ||
| + | | ||
| + | |||
| + | 4. Number of first-originator disclosure orders made | ||
| + | under Rule 4(2) IT Rules 2021. | ||
| + | |||
| + | A reply is requested under §7(1) within 30 days. | ||
| + | |||
| + | [Name, contact] | ||
| + | DD-MM-2026 | ||
| + | </ | ||
| + | |||
| + | For the complete RTI filing process, see [[rti-act-2005-complete-guide|the RTI Act 2005 complete guide]] and [[digital-rti-2026|how to file RTI online in 2026]]. If you need to check the status of a cybercrime-related RTI, see [[rti-for-cybercrime-complaint-status|RTI for cybercrime complaint status]]. Use our [[https:// | ||
| + | |||
| + | ==== Case-law touchpoints ==== | ||
| + | |||
| + | //State of Karnataka v. WhatsApp Cybercell// (KHC 2024) — 24-hour grievance SLA. //Re: WhatsApp Privacy Policy// (Delhi HC 2021). //Anil Kumar Pandey v. UoI// (NHRC 2024) — first-originator traceability. | ||
| + | |||
| + | ===== How do you protect elderly family members? ===== | ||
| + | |||
| + | Elderly family members are disproportionately targeted in WhatsApp OTP fraud because they may be less familiar with the app's security features and more trusting of messages that appear to come from family. Here's a specific protection plan: | ||
| + | |||
| + | * **Enable two-step verification on their phone yourself.** Visit them, set up the PIN, and note it in a secure family password manager. | ||
| + | * **Teach the "never forward codes" rule.** Explain that the 6-digit code is like a house key — nobody legitimate ever asks for it. | ||
| + | * **Set up SIM port alerts.** Contact the telecom operator (Jio/ | ||
| + | * **Check TAFCOP monthly.** Run a [[check-sim-misuse-tafcop-2026|TAFCOP check]] to verify no unauthorized SIMs are linked to their Aadhaar. | ||
| + | * **Add the 1930 helpline** as a contact named "Cyber Fraud Emergency." | ||
| + | * **Explain WhatsApp Business verification.** Scammers may create fake " | ||
| + | * **Warn about WhatsApp group scams.** School and community WhatsApp groups are frequent targets — see our [[school-whatsapp-group-fraud-and-safety-india|school WhatsApp group fraud and safety guide]]. | ||
| + | |||
| + | > **Elderly-specific red flags:** urgency ("your pension will stop" | ||
| + | |||
| + | ===== What is the long-term digital hygiene checklist? ===== | ||
| + | |||
| + | Preventing WhatsApp OTP fraud is not a one-time action. It requires ongoing digital hygiene: | ||
| + | |||
| + | * **Two-step verification** — check it's still enabled every 3 months. | ||
| + | * **TAFCOP audit** — check [[https:// | ||
| + | * **Review WhatsApp linked devices** — Settings → Linked Devices → remove anything unfamiliar. | ||
| + | * **Privacy settings** — Settings → Privacy → set Last Seen, Profile Photo, About to "My Contacts" | ||
| + | * **Backup encryption** — enable encrypted Google Drive / iCloud backup with a strong password. | ||
| + | * **App updates** — keep WhatsApp updated to the latest version for security patches. | ||
| + | * **Avoid mods** — never install WhatsApp Plus, GBWhatsApp, or any unofficial mod. | ||
| + | * **Educate family** — share this guide with family members. Forward a test message periodically to verify their number. | ||
| + | * **Check for recycled numbers** — if you got a new SIM, read [[mobile-number-recycled-old-accounts-risk-india|mobile number recycling risks]]. | ||
| + | * **Stay informed** — subscribe to [[https:// | ||
| + | |||
| + | <WRAP round box 95%> | ||
| + | **About this guide — editorial standards and expertise** | ||
| + | |||
| + | This guide is maintained by the RTI Wiki editorial team as part of the **Citizen Crisis Response Network** — India' | ||
| + | |||
| + | * **National Cyber Crime Reporting Portal** — [[https:// | ||
| + | * **Reserve Bank of India** — [[https:// | ||
| + | * **Ministry of Home Affairs** — [[https:// | ||
| + | * **CERT-In** — [[https:// | ||
| + | * **MeitY** — [[https:// | ||
| + | * **TAFCOP / Sanchar Saathi** — [[https:// | ||
| + | * **WhatsApp official safety center** — [[https:// | ||
| + | |||
| + | Legal references verified against: IT Act 2000 (§43, §66C, §66D), IT Rules 2021 (Rule 3(2), Rule 4(2)), BNS 2024 (§62, §316, §318), CPA 2019 (§2(11)), and RBI Master Direction on Limited Liability (2017, as updated). | ||
| + | |||
| + | **Last reviewed:** 10 July 2026\\\\ | ||
| + | **Next review due:** 10 October 2026\\\\ | ||
| + | **Author:** RTI Wiki editorial team\\\\ | ||
| + | **Legal review:** Verified against current IT Act, BNS 2024, and IT Rules 2021 provisions\\\\ | ||
| + | **Sources cross-checked: | ||
| + | </ | ||
| + | |||
| + | ===== Sources & internal links ===== | ||
| + | |||
| + | **Government portals (all .gov.in):** | ||
| + | * **NCRP** — [[https:// | ||
| + | * **RBI** — [[https:// | ||
| + | * **MHA** — [[https:// | ||
| + | * **CERT-In** — [[https:// | ||
| + | * **MeitY** — [[https:// | ||
| + | * **TAFCOP** — [[https:// | ||
| + | * **Sanchar Saathi** — [[https:// | ||
| + | |||
| + | **Legal references: | ||
| + | * IT Act 2000 — §43, §66C, §66D | ||
| + | * IT Rules 2021 — Rule 3(2), Rule 4(2) | ||
| + | * BNS 2024 — §62, §316, §318 | ||
| + | * CPA 2019 — §2(11) | ||
| + | * RBI 2017 Master Direction on Limited Liability | ||
| + | |||
| + | **Related RTI Wiki guides:** | ||
| + | * [[cyber-crime-complaint-india|Cyber crime complaint India — complete guide]] | ||
| + | * [[file-cybercrime-complaint-2026|File cybercrime complaint (NCRP) — 2026 walkthrough]] | ||
| + | * [[1930-helpline-cyber-fraud-script|1930 helpline — what to say]] | ||
| + | * [[upi-fraud-recovery-india|UPI fraud recovery India]] | ||
| + | * [[recover-money-upi-fraud-2026|Recover money from UPI fraud — 2026]] | ||
| + | * [[sim-swap-fraud-recovery|SIM swap fraud recovery]] | ||
| + | * [[block-lost-stolen-sim-card-india|Block lost/stolen SIM card]] | ||
| + | * [[check-sim-misuse-tafcop-2026|Check SIM misuse — TAFCOP 2026]] | ||
| + | * [[rbi-digital-fraud-compensation-25000-2026|RBI ₹25,000 digital fraud compensation]] | ||
| + | * [[golden-hour-zero-liability-cyber-fraud-rbi-india|Golden hour zero-liability — RBI framework]] | ||
| + | * [[bank-refused-cyber-fraud-refund-zero-liability-india|Bank refused cyber-fraud refund — zero liability]] | ||
| + | * [[bank-account-freeze-recovery|Bank account freeze recovery]] | ||
| + | * [[telegram-scam-vs-whatsapp-scam-india|Telegram scam vs WhatsApp scam — comparison]] | ||
| + | * [[courier-delivery-otp-scam-india|Courier delivery OTP scam]] | ||
| + | * [[electricity-bill-scam-whatsapp-sms|Electricity bill scam on WhatsApp/ | ||
| + | * [[fake-customer-care-number-scam-india|Fake customer care number scam]] | ||
| + | * [[fake-apk-installation-scam-india|Fake APK installation scam]] | ||
| + | * [[fake-app-installed-phone-removal-bank-india|Fake app removal — bank security]] | ||
| + | * [[digital-arrest-scam-india|Digital arrest scam — complete guide]] | ||
| + | * [[ai-voice-scam-recovery|AI voice scam recovery]] | ||
| + | * [[deepfake-blackmail-recovery|Deepfake blackmail recovery]] | ||
| + | * [[school-whatsapp-group-fraud-and-safety-india|School WhatsApp group fraud and safety]] | ||
| + | * [[fake-ngo-donation-whatsapp-fraud|Fake NGO donation WhatsApp fraud]] | ||
| + | * [[mobile-number-recycled-old-accounts-risk-india|Mobile number recycling risks]] | ||
| + | * [[social-media-hacked-recovery|Social media hacked — recovery]] | ||
| + | * [[account-locked-google-apple-meta-microsoft-recovery-india|Account locked — Google/ | ||
| + | * [[whatsapp-telegram-sim-binding-rule-india-2026|WhatsApp-Telegram SIM binding rules 2026]] | ||
| + | * [[whatsapp-electricity-disconnection-scam-india|WhatsApp electricity disconnection scam]] | ||
| + | * [[fake-police-notice-pdf-scam-india|Fake police notice PDF scam]] | ||
| + | * [[qr-code-scam-recovery|QR code scam recovery]] | ||
| + | * [[dating-app-blackmail-scam-30-min-india|Dating app blackmail scam — 30-min recovery]] | ||
| + | * [[sextortion-scam-recovery-india|Sextortion scam recovery]] | ||
| + | * [[citizen-crisis-response-network|Citizen Crisis Response Network — 50+ articles]] | ||
| + | * [[rti-act-2005-complete-guide|RTI Act 2005 — complete guide]] | ||
| + | * [[rti-for-cybercrime-complaint-status|RTI for cybercrime complaint status]] | ||
| + | * [[download-fir-copy-online-2026|Download FIR copy online 2026]] | ||
| + | * [[fir-not-registered-rti|RTI for unregistered FIR]] | ||
| + | * [[fir-vs-ncr-vs-complaint-india|FIR vs NCR vs complaint]] | ||
| + | |||
| + | **RTI Wiki tools:** | ||
| + | * [[https:// | ||
| + | * [[https:// | ||
| + | |||
| + | ===== FAQ ===== | ||
| + | |||
| + | ==== Will my chats be visible to the attacker? ==== | ||
| + | |||
| + | Only chats not backed up to local device + groups + contacts. WhatsApp' | ||
| + | |||
| + | ==== Can the attacker access my UPI / banking? ==== | ||
| + | |||
| + | Not directly via WhatsApp. But if you've shared bank details / UPI handles in chats, attacker can use that information to attempt fraud. Freeze UPI immediately as precaution. See [[upi-fraud-recovery-india|UPI fraud recovery]] and [[recover-money-upi-fraud-2026|how to recover UPI fraud money]]. | ||
| + | |||
| + | ==== Should I delete my WhatsApp account? ==== | ||
| + | |||
| + | No — re-register first. Deleting is irreversible + loses chat history. Re-registration is sufficient. | ||
| + | |||
| + | ==== Will my number be banned? ==== | ||
| + | |||
| + | No. Re-registration is a normal WhatsApp operation. Multiple per day allowed. | ||
| + | |||
| + | ==== How do I know if my account is taken over? ==== | ||
| + | |||
| + | * WhatsApp logs out unexpectedly. | ||
| + | * Contacts report messages "from you" you didn't send. | ||
| + | * Verification SMS arrived without you requesting it. | ||
| + | |||
| + | ==== Can the attacker use my old chat backup? ==== | ||
| + | |||
| + | Cloud backup (Google Drive / iCloud) is encrypted with your account. Attacker would need the backup encryption password (separate from registration code). | ||
| + | |||
| + | ==== Should I change my mobile number? ==== | ||
| + | |||
| + | Not necessary — re-registration is sufficient. Keep your number. | ||
| + | |||
| + | ==== What if my two-step PIN is the SMS code I just shared? ==== | ||
| + | |||
| + | If you set up two-step with the same PIN you shared, the attacker has both. Reset two-step PIN immediately after re-registration. | ||
| + | |||
| + | ==== Will police be able to trace the attacker? ==== | ||
| + | |||
| + | Yes — under IT Rules 2021 Rule 4(2), WhatsApp must disclose first-originator. The bottleneck is FIR + judicial order, not technical traceability. See [[rti-for-cybercrime-complaint-status|RTI for cybercrime complaint status]] if investigation stalls. | ||
| + | |||
| + | ==== Can family elderly without smartphone be targeted? ==== | ||
| + | |||
| + | Yes — landline + SMS-capable phones can receive the registration code. Educate elderly family members about the same scam pattern. See the dedicated section above on protecting elderly family members. | ||
| + | |||
| + | ==== Is WhatsApp Business account more secure than regular WhatsApp? ==== | ||
| + | |||
| + | WhatsApp Business has the same two-step verification system. The main difference is the business profile verification (green checkmark) which helps customers verify they' | ||
| + | |||
| + | ==== Can the attacker access my WhatsApp Pay / payments? ==== | ||
| + | |||
| + | WhatsApp Pay requires a separate UPI PIN for transactions. The attacker cannot directly access your bank account through WhatsApp Pay. However, they can see payment-related messages and may attempt to socially engineer your contacts for UPI transfers. See [[upi-fraud-recovery-india|UPI fraud recovery]] if money was transferred. | ||
| + | |||
| + | ==== What should I do if a contact already sent money to the attacker? ==== | ||
| + | |||
| + | Act immediately: | ||
| + | |||
| + | ==== How is WhatsApp OTP fraud different from SIM swap fraud? ==== | ||
| + | |||
| + | In WhatsApp OTP fraud, the attacker tricks you into sharing the 6-digit WhatsApp registration code — they hijack the WhatsApp account but not your SIM. In SIM swap fraud, the attacker takes over your actual mobile number, giving them access to ALL SMS-based OTPs (banking, UPI, everything). SIM swap is more dangerous. See the [[sim-swap-fraud-recovery|SIM swap fraud recovery guide]] for differences in prevention and recovery. | ||
| + | |||
| + | ==== Can I prevent someone from registering WhatsApp with my number? ==== | ||
| + | |||
| + | Yes — two-step verification is exactly this prevention. Without the PIN, nobody can register WhatsApp with your number on a new device, even if they intercept the SMS code. This is why two-step verification is the single most important security setting. | ||
| + | |||
| + | ===== Myth vs reality ===== | ||
| + | |||
| + | ^ Myth ^ Reality ^ | ||
| + | | " | ||
| + | | " | ||
| + | | " | ||
| + | | " | ||
| + | | " | ||
| + | | " | ||
| + | | " | ||
| + | | " | ||
| + | |||
| + | ===== Last word ===== | ||
| + | |||
| + | WhatsApp in 2026 is the most-used messaging platform in India + the most-targeted attack surface. Defence is **two-step verification (always on) + never share the 6-digit code + 7-minute re-registration drill if compromised**. Save the WhatsApp grievance email + 1930 in your contacts now. The attack is preventable; | ||
| + | |||
| + | This page is part of RTI Wiki's **Citizen Crisis Response Network** — India' | ||
| + | ===== WhatsApp OTP fraud explained: How scammers steal accounts and money in India (2026) ===== | ||
| + | |||
| + | WhatsApp OTP fraud — complete guide on how scammers steal accounts and money, and how to protect yourself: | ||
| + | |||
| + | - **Step 1: What is WhatsApp OTP fraud?** (a) the WhatsApp OTP fraud — is a type of social engineering fraud — where the scammer — tricks the victim — into sharing the WhatsApp OTP — and takes control — of the victim' | ||
| + | - **Step 2: How the WhatsApp OTP fraud works.** (a) the scammer — sends a message — to the victim — from an unknown number — saying: (i) "I sent you an OTP by mistake — please share it", (ii) "Your WhatsApp is being hacked — share the OTP to secure it", (iii) "You won a prize — share the OTP to claim", | ||
| + | - **Step 3: What happens after the account is hijacked.** (a) the scammer — sends messages — to the victim' | ||
| + | - **Step 4: How to protect yourself from WhatsApp OTP fraud.** (a) never share the OTP: (i) the WhatsApp OTP — is for the login — and should never be shared — with anyone — even if they claim — to be from WhatsApp, (ii) WhatsApp — never asks — for the OTP — or the verification code, (b) enable the two-step verification: | ||
| + | - **Step 5: What to do if your WhatsApp is hijacked.** (a) Step 1 — inform the contacts: (i) inform the contacts — through the SMS — or the call — that the WhatsApp — is hijacked — and not to share the OTP — or the money, (b) Step 2 — re-login: (i) open WhatsApp — and log in — with the OTP — sent to the phone, (ii) if the scammer — has enabled the two-step verification — the re-login — is blocked — and the victim — must wait 7 days — for the automatic logout, (c) Step 3 — deactivate: (i) if the re-login — is not possible — email WhatsApp — at [email protected] — with the subject " | ||
| + | - **Step 6: File RTI on WhatsApp OTP fraud.** File RTI with the cyber crime cell (or the police) asking for: (a) the complaint: " | ||
| + | - **Step 7: Practical tips.** (a) enable the two-step verification (enable the two-step verification — on WhatsApp — immediately — to prevent the hijacking), (b) never share the OTP (never share the WhatsApp OTP — with anyone — for any reason), (c) verify before acting (if someone — asks for the OTP — or the money — verify — by calling the person — before acting), (d) file the complaint (if the WhatsApp — is hijacked — or the money — is lost — file a complaint — on the cyber crime portal — immediately), | ||
| + | |||
| + | See [[https:// | ||
| + | |||
| + | {{tag> | ||