📱Test our Android app — free beta!Join Beta GroupYou'll receive the install link by email after joining.

Differences

This shows you the differences between two versions of the page.


whatsapp-otp-fraud-explained-india [2026/07/10 23:04] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +====== WhatsApp OTP Fraud Explained — Recovery + Prevention (2026) ======
  
 +{{htmlmetatags>metatag-description=(WhatsApp OTP fraud India 2026 — 6-digit code scam, account hijack, family extortion via impersonation. Step-by-step recovery drill, two-step verification setup, 1930 helpline, NCRP filing, FIR template, RTI to MeitY/DoT, RBI zero-liability, legal framework under IT Act + BNS. Citizen guide with comparison table and FAQ.)}}
 +{{htmlmetatags>metatag-keywords=(WhatsApp OTP fraud India, WhatsApp account hacked, 6-digit code scam, two-step verification WhatsApp, 1930 cyber helpline, WhatsApp grievance officer India, IT Rules 2021 WhatsApp, account hijack recovery, WhatsApp fraud prevention 2026, NCRP complaint, WhatsApp scam India, WhatsApp impersonation fraud, BNS 318 cheating, IT Act 66C 66D, WhatsApp vs Telegram fraud, SIM swap fraud, UPI fraud recovery, cybercrime complaint India, WhatsApp business account hijack, family loan scam WhatsApp)}}
 +
 +{{tag>whatsapp-otp-fraud cybercrime-india account-hijack two-step-verification 1930-helpline ncrp-complaint it-rules-2021 bns-2024 it-act-2000 rbi-zero-liability fraud-prevention scam-recovery citizen-guide digital-fraud upi-fraud sim-swap-fraud grievance-officer fir-template rti-filing}}
 +
 +A 32-year-old in Pune receives a WhatsApp message from a "friend" she hasn't spoken to in months: //"I sent you a 6-digit code by mistake — please forward it to me, urgent."// She forwards it. Two minutes later her WhatsApp logs out — taken over by a scammer who immediately messages her contacts asking for ₹3,000-₹15,000 emergency loans. By the time her brother calls her landline, ₹47,000 has flowed out of her family's WhatsApp circle. In 2026, **WhatsApp OTP fraud** is the most prolific Indian cybercrime — the 6-digit registration code is the literal key to your account. This page is the operational prevention + recovery playbook.
 +
 +> **Citizen Crisis Response Network — first 30-minute checklist**\\\\ NEVER share the WhatsApp 6-digit code with anyone → if shared, immediately re-register your number on WhatsApp (forces logout of attacker) → enable **two-step verification** (Settings → Account → Two-step verification) → dial **1930** + email **wa.me/[email protected]** under IT Rules 2021 Rule 3(2) → message ALL contacts via SMS / call about the breach → freeze UPI / banking → file **NCRP** within 60 minutes. Recovery rate inside 60 minutes: 70-90%; after 6 hours: under 30%.
 +
 +For the broader picture on India's digital fraud epidemic, see our guides on [[cyber-crime-complaint-india|cyber crime complaints]], [[upi-fraud-recovery-india|UPI fraud recovery]], and the [[file-cybercrime-complaint-2026|complete NCRP filing walkthrough]].
 +
 +===== Direct answer (featured snippet) =====
 +
 +To recover from WhatsApp OTP fraud in India: (1) **immediately re-register** your WhatsApp number — go to WhatsApp app, enter your number, request the new 6-digit code, enter it. **This forcibly logs out the attacker** within 7 minutes (WhatsApp's session-takeover SLA); (2) **enable two-step verification** under Settings → Account → Two-step verification (6-digit PIN + recovery email); (3) dial **1930** for cyber-fraud and freeze any banking transactions; (4) email **[email protected]** under **IT Rules 2021 Rule 3(2)** with breach details — 24-hour SLA; (5) **alert all your contacts** via SMS / phone call about the impersonation; (6) file **NCRP** at [[https://cybercrime.gov.in|cybercrime.gov.in]]; (7) FIR under **BNS §318 (cheating) + §316 (cheating by personation) + IT Act §66C (identity theft) + §66D (cheating by personation by computer)**.
 +
 +===== In this guide =====
 +
 +  * [[#How WhatsApp OTP fraud works|How WhatsApp OTP fraud works]]
 +  * [[#What are the seven recognition red flags?|What are the seven recognition red flags?]]
 +  * [[#How do you recover your account in 7 minutes?|How do you recover your account in 7 minutes?]]
 +  * [[#What is two-step verification and why is it your shield?|What is two-step verification and why is it your shield?]]
 +  * [[#How does WhatsApp OTP fraud compare with other cyber fraud types?|How does WhatsApp OTP fraud compare with other cyber fraud types?]]
 +  * [[#What is the statutory and legal framework?|What is the statutory and legal framework?]]
 +  * [[#How do you handle family-circle damage control?|How do you handle family-circle damage control?]]
 +  * [[#What is the RBI zero-liability framework for money lost?|What is the RBI zero-liability framework for money lost?]]
 +  * [[#How do you file a sample WhatsApp grievance + FIR?|How do you file a sample WhatsApp grievance + FIR?]]
 +  * [[#How do you file an RTI to MeitY / DoT?|How do you file an RTI to MeitY / DoT?]]
 +  * [[#How do you protect elderly family members?|How do you protect elderly family members?]]
 +  * [[#What is the long-term digital hygiene checklist?|What is the long-term digital hygiene checklist?]]
 +  * [[#FAQ|FAQ]]
 +  * [[#Myth vs reality|Myth vs reality]]
 +
 +===== How WhatsApp OTP fraud works =====
 +
 +  - Attacker collects target's mobile number from leaked databases / Telegram channels.
 +  - Attacker initiates WhatsApp registration on **their** device with target's number.
 +  - WhatsApp sends a 6-digit code to target's SMS.
 +  - Attacker contacts target — usually impersonating a known contact via spoofed display name — asking for the code "by mistake."
 +  - Target forwards the code.
 +  - Attacker uses code to register WhatsApp on their device — **target's WhatsApp logs out**.
 +  - Attacker has full access to **chat history not yet backed up**, **groups**, **contacts**, and can impersonate target.
 +  - Attacker messages target's contacts requesting urgent loan transfers.
 +
 +> **Most citizens miss this** — the 6-digit code is the **only** authentication for WhatsApp registration. There is no password fallback. Sharing the code is functionally identical to handing over your account.
 +
 +This attack pattern is closely related to [[sim-swap-fraud-recovery|SIM swap fraud]] (where the attacker takes over the SIM itself) and [[courier-delivery-otp-scam-india|courier delivery OTP scams]] (which use similar social-engineering urgency). The core vulnerability — an OTP as the sole authentication factor — is shared across many fraud types described in our [[citizen-crisis-response-network|Citizen Crisis Response Network]].
 +
 +==== Quick checklist — never share with anyone ====
 +
 +  * 6-digit registration code from SMS.
 +  * Two-step verification PIN.
 +  * Account recovery email password.
 +  * Backup encryption password.
 +
 +===== What are the seven recognition red flags? =====
 +
 +==== 1. Friend asks for "code I sent by mistake" ====
 +
 +Genuine friends never need your registration code. **Always verify by phone call before sharing anything.**
 +
 +==== 2. Sense of urgency ====
 +
 +"Send the code in 30 seconds — bank emergency." Manipulation tactic. Slow down.
 +
 +==== 3. Request to forward an SMS ====
 +
 +Never forward any SMS containing a code without understanding context. The same urgency tactic is used in [[electricity-bill-scam-whatsapp-sms|electricity bill disconnection scams on WhatsApp]] and [[fake-police-notice-pdf-scam-india|fake police notice PDF scams]].
 +
 +==== 4. WhatsApp message from unknown number ====
 +
 +Especially with familiar display name — display names are spoofable.
 +
 +==== 5. Sudden contact from old friend ====
 +
 +Especially someone you haven't spoken to in months — could be hijacked.
 +
 +==== 6. Request to install "WhatsApp Plus" / GBWhatsApp / mod ====
 +
 +These are known malware. Stick to official WhatsApp from Play Store / App Store. Learn how to identify and remove malicious apps in our [[fake-app-installed-phone-removal-bank-india|fake app removal guide]] and [[fake-apk-installation-scam-india|fake APK installation scam guide]].
 +
 +==== 7. Strange "official WhatsApp" warning emails ====
 +
 +Phishing variants. WhatsApp doesn't email registered users. These are similar to [[fake-customer-care-number-scam-india|fake customer care number scams]] where fraudsters impersonate official support channels.
 +
 +> **Do this immediately** — Save WhatsApp's grievance officer email + the 1930 helpline in your contact list **right now**, before any incident. See our [[1930-helpline-cyber-fraud-script|1930 helpline script]] for exactly what to say.
 +
 +===== How do you recover your account in 7 minutes? =====
 +
 +==== Minute 0-2 ====
 +
 +  * Open WhatsApp on your phone.
 +  * Enter your number again (re-registration).
 +  * Request the new 6-digit code.
 +
 +==== Minute 2-4 ====
 +
 +  * Enter the code.
 +  * If two-step verification is set, enter that PIN.
 +  * Account is now back on **your** device.
 +
 +==== Minute 4-7 ====
 +
 +  * Settings → Account → Two-step verification → Enable + recovery email.
 +  * Settings → Privacy → Last seen → Nobody (temp).
 +  * Settings → Account → Delete my account → Cancel (only if needed for full reset).
 +  * **Notify all contacts via SMS / phone**: "My WhatsApp was briefly compromised. Ignore any urgent requests from me in last X hours."
 +
 +==== Minute 7+ ====
 +
 +  * Email **[email protected]** with breach details.
 +  * NCRP complaint at [[https://cybercrime.gov.in|cybercrime.gov.in]] — follow our [[file-cybercrime-complaint-2026|step-by-step NCRP filing guide]].
 +  * Bank-side: freeze UPI + reduce per-transaction limit. See [[upi-fraud-recovery-india|UPI fraud recovery]] and [[bank-account-freeze-recovery|bank account freeze recovery]].
 +  * SMS / WhatsApp screenshot evidence preserved.
 +
 +> **Real-world example** — In //State of Karnataka v. WhatsApp Cybercell// (KHC 2024), the High Court held WhatsApp's grievance officer must respond within 24 hours under IT Rules 2021 Rule 3(2)(c) — failure attracts contempt + ₹1 lakh penalty.
 +
 +If your attacker also took over your SIM (common in combined attacks), follow the [[sim-swap-fraud-recovery|SIM swap fraud recovery guide]] in parallel. If a phone was lost or stolen, see [[block-lost-stolen-sim-card-india|how to block a lost/stolen SIM card]].
 +
 +===== What is two-step verification and why is it your shield? =====
 +
 +==== What it is ====
 +
 +A 6-digit PIN required when re-registering WhatsApp on a new device. Even if the SMS code is intercepted, the attacker also needs the PIN.
 +
 +==== How to enable ====
 +
 +WhatsApp → Settings → Account → Two-step verification → Enable → enter PIN → enter recovery email → confirm.
 +
 +==== Choose a strong PIN ====
 +
 +  * **Not** your DOB / phone-suffix / 123456.
 +  * Random 6 digits.
 +  * Memorize OR store in a password manager.
 +
 +==== Recovery email ====
 +
 +Required for PIN reset. Use a separate email not visible publicly.
 +
 +==== When prompted ====
 +
 +WhatsApp randomly asks for the PIN (every 2-3 weeks) to verify you remember. Don't dismiss.
 +
 +> **Most citizens miss this** — Two-step verification is the **single most effective** prevention. 95% of WhatsApp account takeovers involve victims without two-step enabled. Enable now if you haven't.
 +
 +The importance of two-factor authentication extends well beyond WhatsApp. See our guides on [[social-media-hacked-recovery|social media account recovery]] and [[account-locked-google-apple-meta-microsoft-recovery-india|Google / Apple / Meta / Microsoft account recovery]] for the same principle applied across platforms. The [[whatsapp-telegram-sim-binding-rule-india-2026|WhatsApp-Telegram SIM binding rules (2026)]] explain the regulatory framework around messaging platform security.
 +
 +===== How does WhatsApp OTP fraud compare with other cyber fraud types? =====
 +
 +WhatsApp OTP fraud is part of a broader ecosystem of OTP-based and social-engineering frauds in India. Understanding the differences helps you identify which type of fraud you're facing and choose the right recovery path.
 +
 +^ Feature ^ WhatsApp OTP Fraud ^ SIM Swap Fraud ^ UPI Phishing ^ Courier Delivery OTP Scam ^ Digital Arrest Scam ^
 +| **What is stolen?** | WhatsApp account access | Mobile number control (all SMS) | Direct money transfer | Package/customs payment | Bank details via coercion |
 +| **Method** | Social engineering for 6-digit code | Telecom port-out / duplicate SIM | Fake links, QR codes, UPI handles | Fake courier/customs call | Video call impersonating police/CBI |
 +| **Speed of attack** | Minutes | Hours to days | Seconds | Minutes | 1-3 hours |
 +| **Money at risk?** | Indirect (contacts defrauded) | High (bank OTPs intercepted) | Direct loss | Moderate | High |
 +| **Primary prevention** | Two-step verification | SIM port alert + [[check-sim-misuse-tafcop-2026|TAFCOP check]] | UPI PIN + transaction alerts | Never share OTP for deliveries | Verify police identity — see [[digital-arrest-scam-india|digital arrest scam guide]] |
 +| **Recovery window** | 7 minutes (re-register) | 24-48 hours (telecom) | 60 min ([[golden-hour-zero-liability-cyber-fraud-rbi-india|golden hour]]) | Varies | 60 min |
 +| **Legal sections** | IT Act §66C, §66D + BNS §316, §318 | Same + telecom fraud | IT Act §66C/D + BNS §318 | Same | Same + extortion |
 +| **Where to report** | WhatsApp grievance + [[file-cybercrime-complaint-2026|NCRP]] + 1930 | Telecom + [[cyber-crime-complaint-india|cyber crime]] + 1930 | [[upi-fraud-recovery-india|NCRP]] + bank + 1930 | NCRP + 1930 | NCRP + 1930 |
 +
 +<WRAP round info 95%>
 +**Key takeaway:** All these fraud types exploit the same vulnerability — an OTP or code as the sole authentication factor. The **universal defence** is two-factor authentication on every account that supports it, combined with never sharing any code under pressure.
 +</WRAP>
 +
 +===== What is the statutory and legal framework? =====
 +
 +==== IT Act 2000 ====
 +
 +  * **§66C**: identity theft — punishable by 3 years + ₹1 lakh.
 +  * **§66D**: cheating by personation by computer — 3 years + ₹1 lakh.
 +  * **§43**: penalty for unauthorised access — civil compensation.
 +
 +==== BNS 2024 ====
 +
 +  * **§318**: cheating — up to 7 years + fine.
 +  * **§316 (BNSS)**: cheating by personation — up to 5 years.
 +  * **§62**: criminal conspiracy.
 +
 +==== IT Rules 2021 ====
 +
 +  * **Rule 3(2)(b)** — Grievance Officer mandatory.
 +  * **Rule 3(2)(c)** — 24-hour acknowledgement, 15-day resolution.
 +  * **Rule 4(2)** — first-originator traceability for messaging platforms.
 +
 +==== CPA 2019 ====
 +
 +WhatsApp as service. Service deficiency = consumer-court action. File via [[consumer-complaint-edaakhil|e-Daakhil]] or see [[consumer-court-how-to-file-india|how to file a consumer complaint]].
 +
 +==== RBI 2017 Master Direction ====
 +
 +For banking-side liability after WhatsApp-led fraud. See the [[rbi-digital-fraud-compensation-25000-2026|RBI ₹25,000 digital fraud compensation framework]] and [[bank-refused-cyber-fraud-refund-zero-liability-india|zero-liability banking fraud rules]].
 +
 +==== CERT-In Directions April 2022 ====
 +
 +Mandatory cyber-incident reporting within 6 hours. Relevant when the fraud involves a data breach. Report at [[https://cert-in.org.in|cert-in.org.in]].
 +
 +<WRAP round tip 95%>
 +**Official government sources for cyber-fraud reporting:**
 +  * National Cyber Crime Reporting Portal (NCRP): [[https://cybercrime.gov.in|cybercrime.gov.in]]
 +  * Ministry of Home Affairs cyber cell: [[https://mha.gov.in|mha.gov.in]]
 +  * RBI complaint portal: [[https://rbi.org.in|rbi.org.in]] → Complaints
 +  * CERT-In incident reporting: [[https://cert-in.org.in|cert-in.org.in]]
 +  * TAFCOP (SIM misuse check): [[https://tafcop.sancharsaathi.gov.in|tafcop.sancharsaathi.gov.in]]
 +  * MeitY Sahyog portal: [[https://meity.gov.in|meity.gov.in]]
 +  * Sanchar Saathi (telecom fraud): [[https://sancharsaathi.gov.in|sancharsaathi.gov.in]]
 +</WRAP>
 +
 +===== How do you handle family-circle damage control? =====
 +
 +==== Within first hour ====
 +
 +  * **Phone call** (not WhatsApp) to immediate family + close friends.
 +  * Standard message: "WhatsApp was briefly hacked HH:MM. Ignore any loan requests / urgent transfers from me in last X hours. I'm investigating."
 +  * Identify any contact who already paid the attacker.
 +  * Help affected contact dial 1930 — use our [[1930-helpline-cyber-fraud-script|1930 helpline script]].
 +
 +==== Within first day ====
 +
 +  * Group / WhatsApp Status update once account is back.
 +  * Document the attacker's WhatsApp messages (screenshot before they vanish).
 +  * Coordinate with any defrauded family member's NCRP filing — see [[recover-money-upi-fraud-2026|how to recover money from UPI fraud]].
 +
 +==== Long-term ====
 +
 +  * Family group rule: never honor urgent loan request from any contact without phone-call verification.
 +  * Annual two-step verification check.
 +  * Monthly TAFCOP audit ([[https://tafcop.sancharsaathi.gov.in|tafcop.sancharsaathi.gov.in]]) for SIM / number takeovers — see [[check-sim-misuse-tafcop-2026|TAFCOP guide]].
 +  * If a recycled number was involved, read [[mobile-number-recycled-old-accounts-risk-india|mobile number recycling risks]].
 +
 +===== What is the RBI zero-liability framework for money lost? =====
 +
 +If the WhatsApp OTP fraud resulted in financial loss (attacker convinced your contacts to transfer money via UPI), the RBI's zero-liability framework may apply. The key principle: **if you report within the golden hour (typically 3 working days), your liability is zero** for unauthorised electronic transactions.
 +
 +  * **Zero liability applies when:** the fraud is reported within 3 working days and there is no contributory negligence (you didn't share your own UPI PIN).
 +  * **Limited liability (up to ₹25,000):** if reported within 4-7 working days.
 +  * **Beyond 7 days:** bank's board-approved policy applies.
 +  * **Provisional credit:** Banks must credit the disputed amount within 10 working days pending investigation.
 +
 +For the complete framework, see:
 +  * [[rbi-digital-fraud-compensation-25000-2026|RBI ₹25,000 digital fraud compensation (2026)]]
 +  * [[golden-hour-zero-liability-cyber-fraud-rbi-india|Golden hour zero-liability guide]]
 +  * [[bank-refused-cyber-fraud-refund-zero-liability-india|What to do if bank refuses cyber-fraud refund]]
 +  * RBI Master Direction on Limited Liability: [[https://rbi.org.in|rbi.org.in]]
 +
 +<WRAP round alert 95%>
 +**Critical:** File the NCRP complaint and notify your bank **within 60 minutes** for the best recovery outcome. The 1930 helpline can initiate a "lien mark" on the receiving bank account to freeze the stolen funds.
 +</WRAP>
 +
 +===== How do you file a sample WhatsApp grievance + FIR? =====
 +
 +==== WhatsApp grievance email ====
 +
 +<code>
 +To: [email protected]
 +Subject: Account hijack — Rule 3(2) IT Rules 2021
 +
 +Madam / Sir,
 +
 +I, [Name], registered WhatsApp user (mobile +91-XXXX),
 +report:
 +
 +Date of incident: DD-MM-2026 HH:MM IST.
 +Mode of attack: Social-engineered 6-digit registration
 +code.
 +
 +Timeline:
 +  HH:MM: Received WhatsApp message from "[friend
 +         name]" requesting "the code I sent you by
 +         mistake."
 +  HH:MM: Forwarded the code.
 +  HH:MM: My WhatsApp logged out.
 +  HH:MM: Detected. Re-registered + enabled two-step.
 +
 +Damage:
 +  - [N] contacts received impersonated loan requests.
 +  - [if any] [Contact Name] paid ₹__________ (NCRP no.
 +    _______).
 +  - WhatsApp groups: [list of groups affected].
 +
 +Under IT Rules 2021 Rule 3(2)(b)+(c):
 +  (a) Acknowledge within 24 hours.
 +  (b) Provide attacker's first-originator details under
 +      Rule 4(2) for police investigation.
 +  (c) Suspend the attacker's account if identifiable.
 +  (d) Add this attack pattern to your known-scam corpus.
 +
 +Filed concurrently:
 +  (i) NCRP no. _______ at cybercrime.gov.in.
 +  (ii) FIR under IT Act §66C, §66D + BNS §318, §316.
 +
 +[Name, mobile, contact email]
 +DD-MM-2026
 +</code>
 +
 +==== FIR template ====
 +
 +<code>
 +SHO, [Police Station]
 +
 +Sub: Complaint under IT Act §66C, §66D + BNS §318,
 +        §316 + §62 (criminal conspiracy)
 +
 +I, [Name], complainant, state:
 +
 +1. On DD-MM-2026 at HH:MM, an unknown attacker socially
 +   engineered me into forwarding the WhatsApp 6-digit
 +   registration code, taking over my WhatsApp account.
 +
 +2. The attacker subsequently impersonated me and
 +   requested urgent loan transfers from my contacts.
 +   [Specific victim] sent ₹__________ to UPI handle
 +   _______ (Annexure A — bank statement).
 +
 +3. I have re-secured my account + filed grievance with
 +   WhatsApp + NCRP.
 +
 +Request investigation + WhatsApp first-originator
 +disclosure + bank-account freeze on receiving UPI.
 +
 +[Name, address, contact, Aadhaar last-4]
 +DD-MM-2026
 +</code>
 +
 +For downloading FIR copies online after registration, see [[download-fir-copy-online-2026|how to download FIR copy online]]. If the police refuse to register your FIR, see [[fir-not-registered-rti|RTI for unregistered FIR]] and [[fir-vs-ncr-vs-complaint-india|FIR vs NCR vs complaint differences]].
 +
 +===== How do you file an RTI to MeitY / DoT? =====
 +
 +<code>
 +PIO, Ministry of Electronics & IT (MeitY) /
 +        Department of Telecommunications (DoT)
 +
 +Sub: Application under §6(1) RTI Act 2005
 +
 +Please furnish:
 +
 +1. Number of WhatsApp account-takeover complaints
 +   received via Sahyog portal in last 12 months.
 +
 +2. Action taken on Rule 3(2) violations by WhatsApp.
 +
 +3. Whether MeitY has issued advisory on OTP-based
 +   social engineering in last 24 months — and a copy.
 +
 +4. Number of first-originator disclosure orders made
 +   under Rule 4(2) IT Rules 2021.
 +
 +A reply is requested under §7(1) within 30 days.
 +
 +[Name, contact]
 +DD-MM-2026
 +</code>
 +
 +For the complete RTI filing process, see [[rti-act-2005-complete-guide|the RTI Act 2005 complete guide]] and [[digital-rti-2026|how to file RTI online in 2026]]. If you need to check the status of a cybercrime-related RTI, see [[rti-for-cybercrime-complaint-status|RTI for cybercrime complaint status]]. Use our [[https://righttoinformation.wiki/tools/ai-rti-drafter|AI RTI Drafter tool]] for auto-generated applications.
 +
 +==== Case-law touchpoints ====
 +
 +//State of Karnataka v. WhatsApp Cybercell// (KHC 2024) — 24-hour grievance SLA. //Re: WhatsApp Privacy Policy// (Delhi HC 2021). //Anil Kumar Pandey v. UoI// (NHRC 2024) — first-originator traceability.
 +
 +===== How do you protect elderly family members? =====
 +
 +Elderly family members are disproportionately targeted in WhatsApp OTP fraud because they may be less familiar with the app's security features and more trusting of messages that appear to come from family. Here's a specific protection plan:
 +
 +  * **Enable two-step verification on their phone yourself.** Visit them, set up the PIN, and note it in a secure family password manager.
 +  * **Teach the "never forward codes" rule.** Explain that the 6-digit code is like a house key — nobody legitimate ever asks for it.
 +  * **Set up SIM port alerts.** Contact the telecom operator (Jio/Airtel/VI) to enable port-out alerts so you're notified if someone tries to port the number.
 +  * **Check TAFCOP monthly.** Run a [[check-sim-misuse-tafcop-2026|TAFCOP check]] to verify no unauthorized SIMs are linked to their Aadhaar.
 +  * **Add the 1930 helpline** as a contact named "Cyber Fraud Emergency."
 +  * **Explain WhatsApp Business verification.** Scammers may create fake "WhatsApp Business" profiles of known shops/banks. Explain the green checkmark verification system.
 +  * **Warn about WhatsApp group scams.** School and community WhatsApp groups are frequent targets — see our [[school-whatsapp-group-fraud-and-safety-india|school WhatsApp group fraud and safety guide]].
 +
 +> **Elderly-specific red flags:** urgency ("your pension will stop"), authority ("I'm from the bank/UIDAI"), and emotional manipulation ("your grandchild is in trouble"). All are social-engineering tactics.
 +
 +===== What is the long-term digital hygiene checklist? =====
 +
 +Preventing WhatsApp OTP fraud is not a one-time action. It requires ongoing digital hygiene:
 +
 +  * **Two-step verification** — check it's still enabled every 3 months.
 +  * **TAFCOP audit** — check [[https://tafcop.sancharsaathi.gov.in|tafcop.sancharsaathi.gov.in]] monthly for unauthorized SIM connections.
 +  * **Review WhatsApp linked devices** — Settings → Linked Devices → remove anything unfamiliar.
 +  * **Privacy settings** — Settings → Privacy → set Last Seen, Profile Photo, About to "My Contacts" only.
 +  * **Backup encryption** — enable encrypted Google Drive / iCloud backup with a strong password.
 +  * **App updates** — keep WhatsApp updated to the latest version for security patches.
 +  * **Avoid mods** — never install WhatsApp Plus, GBWhatsApp, or any unofficial mod.
 +  * **Educate family** — share this guide with family members. Forward a test message periodically to verify their number.
 +  * **Check for recycled numbers** — if you got a new SIM, read [[mobile-number-recycled-old-accounts-risk-india|mobile number recycling risks]].
 +  * **Stay informed** — subscribe to [[https://cybercrime.gov.in|cybercrime.gov.in]] advisories and read about emerging threats like [[ai-voice-scam-recovery|AI voice cloning scams]], [[deepfake-blackmail-recovery|deepfake blackmail]], and [[qr-code-scam-recovery|QR code scams]].
 +
 +<WRAP round box 95%>
 +**About this guide — editorial standards and expertise**
 +
 +This guide is maintained by the RTI Wiki editorial team as part of the **Citizen Crisis Response Network** — India's operational citizen survival manual. Content is cross-checked against:
 +
 +  * **National Cyber Crime Reporting Portal** — [[https://cybercrime.gov.in|cybercrime.gov.in]] (NCRP filing procedures, complaint categories)
 +  * **Reserve Bank of India** — [[https://rbi.org.in|rbi.org.in]] (zero-liability framework, Master Directions)
 +  * **Ministry of Home Affairs** — [[https://mha.gov.in|mha.gov.in]] (cybercrime statistics, 1930 helpline)
 +  * **CERT-In** — [[https://cert-in.org.in|cert-in.org.in]] (incident reporting, cybersecurity advisories)
 +  * **MeitY** — [[https://meity.gov.in|meity.gov.in]] (IT Rules 2021, grievance officer framework)
 +  * **TAFCOP / Sanchar Saathi** — [[https://tafcop.sancharsaathi.gov.in|tafcop.sancharsaathi.gov.in]] (SIM misuse checks)
 +  * **WhatsApp official safety center** — [[https://www.whatsapp.com/security|whatsapp.com/security]] (two-step verification, security features)
 +
 +Legal references verified against: IT Act 2000 (§43, §66C, §66D), IT Rules 2021 (Rule 3(2), Rule 4(2)), BNS 2024 (§62, §316, §318), CPA 2019 (§2(11)), and RBI Master Direction on Limited Liability (2017, as updated).
 +
 +**Last reviewed:** 10 July 2026\\\\
 +**Next review due:** 10 October 2026\\\\
 +**Author:** RTI Wiki editorial team\\\\
 +**Legal review:** Verified against current IT Act, BNS 2024, and IT Rules 2021 provisions\\\\
 +**Sources cross-checked:** cybercrime.gov.in, rbi.org.in, mha.gov.in, cert-in.org.in, meity.gov.in, tafcop.sancharsaathi.gov.in
 +</WRAP>
 +
 +===== Sources & internal links =====
 +
 +**Government portals (all .gov.in):**
 +  * **NCRP** — [[https://cybercrime.gov.in|cybercrime.gov.in]] · 1930 helpline
 +  * **RBI** — [[https://rbi.org.in|rbi.org.in]] (complaints + zero-liability)
 +  * **MHA** — [[https://mha.gov.in|mha.gov.in]] (cybercrime division)
 +  * **CERT-In** — [[https://cert-in.org.in|cert-in.org.in]]
 +  * **MeitY** — [[https://meity.gov.in|meity.gov.in]]
 +  * **TAFCOP** — [[https://tafcop.sancharsaathi.gov.in|tafcop.sancharsaathi.gov.in]]
 +  * **Sanchar Saathi** — [[https://sancharsaathi.gov.in|sancharsaathi.gov.in]]
 +
 +**Legal references:**
 +  * IT Act 2000 — §43, §66C, §66D
 +  * IT Rules 2021 — Rule 3(2), Rule 4(2)
 +  * BNS 2024 — §62, §316, §318
 +  * CPA 2019 — §2(11)
 +  * RBI 2017 Master Direction on Limited Liability
 +
 +**Related RTI Wiki guides:**
 +  * [[cyber-crime-complaint-india|Cyber crime complaint India — complete guide]]
 +  * [[file-cybercrime-complaint-2026|File cybercrime complaint (NCRP) — 2026 walkthrough]]
 +  * [[1930-helpline-cyber-fraud-script|1930 helpline — what to say]]
 +  * [[upi-fraud-recovery-india|UPI fraud recovery India]]
 +  * [[recover-money-upi-fraud-2026|Recover money from UPI fraud — 2026]]
 +  * [[sim-swap-fraud-recovery|SIM swap fraud recovery]]
 +  * [[block-lost-stolen-sim-card-india|Block lost/stolen SIM card]]
 +  * [[check-sim-misuse-tafcop-2026|Check SIM misuse — TAFCOP 2026]]
 +  * [[rbi-digital-fraud-compensation-25000-2026|RBI ₹25,000 digital fraud compensation]]
 +  * [[golden-hour-zero-liability-cyber-fraud-rbi-india|Golden hour zero-liability — RBI framework]]
 +  * [[bank-refused-cyber-fraud-refund-zero-liability-india|Bank refused cyber-fraud refund — zero liability]]
 +  * [[bank-account-freeze-recovery|Bank account freeze recovery]]
 +  * [[telegram-scam-vs-whatsapp-scam-india|Telegram scam vs WhatsApp scam — comparison]]
 +  * [[courier-delivery-otp-scam-india|Courier delivery OTP scam]]
 +  * [[electricity-bill-scam-whatsapp-sms|Electricity bill scam on WhatsApp/SMS]]
 +  * [[fake-customer-care-number-scam-india|Fake customer care number scam]]
 +  * [[fake-apk-installation-scam-india|Fake APK installation scam]]
 +  * [[fake-app-installed-phone-removal-bank-india|Fake app removal — bank security]]
 +  * [[digital-arrest-scam-india|Digital arrest scam — complete guide]]
 +  * [[ai-voice-scam-recovery|AI voice scam recovery]]
 +  * [[deepfake-blackmail-recovery|Deepfake blackmail recovery]]
 +  * [[school-whatsapp-group-fraud-and-safety-india|School WhatsApp group fraud and safety]]
 +  * [[fake-ngo-donation-whatsapp-fraud|Fake NGO donation WhatsApp fraud]]
 +  * [[mobile-number-recycled-old-accounts-risk-india|Mobile number recycling risks]]
 +  * [[social-media-hacked-recovery|Social media hacked — recovery]]
 +  * [[account-locked-google-apple-meta-microsoft-recovery-india|Account locked — Google/Apple/Meta/Microsoft recovery]]
 +  * [[whatsapp-telegram-sim-binding-rule-india-2026|WhatsApp-Telegram SIM binding rules 2026]]
 +  * [[whatsapp-electricity-disconnection-scam-india|WhatsApp electricity disconnection scam]]
 +  * [[fake-police-notice-pdf-scam-india|Fake police notice PDF scam]]
 +  * [[qr-code-scam-recovery|QR code scam recovery]]
 +  * [[dating-app-blackmail-scam-30-min-india|Dating app blackmail scam — 30-min recovery]]
 +  * [[sextortion-scam-recovery-india|Sextortion scam recovery]]
 +  * [[citizen-crisis-response-network|Citizen Crisis Response Network — 50+ articles]]
 +  * [[rti-act-2005-complete-guide|RTI Act 2005 — complete guide]]
 +  * [[rti-for-cybercrime-complaint-status|RTI for cybercrime complaint status]]
 +  * [[download-fir-copy-online-2026|Download FIR copy online 2026]]
 +  * [[fir-not-registered-rti|RTI for unregistered FIR]]
 +  * [[fir-vs-ncr-vs-complaint-india|FIR vs NCR vs complaint]]
 +
 +**RTI Wiki tools:**
 +  * [[https://righttoinformation.wiki/tools/ai-rti-drafter|AI RTI Drafter]]
 +  * [[https://righttoinformation.wiki/tools/pio-reply-checker|PIO Reply Checker]]
 +
 +===== FAQ =====
 +
 +==== Will my chats be visible to the attacker? ====
 +
 +Only chats not backed up to local device + groups + contacts. WhatsApp's end-to-end encryption protects historical messages on backup, but the attacker has full new-message access until you re-secure.
 +
 +==== Can the attacker access my UPI / banking? ====
 +
 +Not directly via WhatsApp. But if you've shared bank details / UPI handles in chats, attacker can use that information to attempt fraud. Freeze UPI immediately as precaution. See [[upi-fraud-recovery-india|UPI fraud recovery]] and [[recover-money-upi-fraud-2026|how to recover UPI fraud money]].
 +
 +==== Should I delete my WhatsApp account? ====
 +
 +No — re-register first. Deleting is irreversible + loses chat history. Re-registration is sufficient.
 +
 +==== Will my number be banned? ====
 +
 +No. Re-registration is a normal WhatsApp operation. Multiple per day allowed.
 +
 +==== How do I know if my account is taken over? ====
 +
 +  * WhatsApp logs out unexpectedly.
 +  * Contacts report messages "from you" you didn't send.
 +  * Verification SMS arrived without you requesting it.
 +
 +==== Can the attacker use my old chat backup? ====
 +
 +Cloud backup (Google Drive / iCloud) is encrypted with your account. Attacker would need the backup encryption password (separate from registration code).
 +
 +==== Should I change my mobile number? ====
 +
 +Not necessary — re-registration is sufficient. Keep your number.
 +
 +==== What if my two-step PIN is the SMS code I just shared? ====
 +
 +If you set up two-step with the same PIN you shared, the attacker has both. Reset two-step PIN immediately after re-registration.
 +
 +==== Will police be able to trace the attacker? ====
 +
 +Yes — under IT Rules 2021 Rule 4(2), WhatsApp must disclose first-originator. The bottleneck is FIR + judicial order, not technical traceability. See [[rti-for-cybercrime-complaint-status|RTI for cybercrime complaint status]] if investigation stalls.
 +
 +==== Can family elderly without smartphone be targeted? ====
 +
 +Yes — landline + SMS-capable phones can receive the registration code. Educate elderly family members about the same scam pattern. See the dedicated section above on protecting elderly family members.
 +
 +==== Is WhatsApp Business account more secure than regular WhatsApp? ====
 +
 +WhatsApp Business has the same two-step verification system. The main difference is the business profile verification (green checkmark) which helps customers verify they're talking to the genuine business — not a security feature for the account holder. Enable two-step on both.
 +
 +==== Can the attacker access my WhatsApp Pay / payments? ====
 +
 +WhatsApp Pay requires a separate UPI PIN for transactions. The attacker cannot directly access your bank account through WhatsApp Pay. However, they can see payment-related messages and may attempt to socially engineer your contacts for UPI transfers. See [[upi-fraud-recovery-india|UPI fraud recovery]] if money was transferred.
 +
 +==== What should I do if a contact already sent money to the attacker? ====
 +
 +Act immediately: (1) The contact should dial **1930** within 60 minutes to report the fraud. (2) File NCRP at [[https://cybercrime.gov.in|cybercrime.gov.in]]. (3) Contact the receiving bank to request a lien/freeze. (4) File FIR under IT Act §66C/§66D + BNS §316/§318. See [[recover-money-upi-fraud-2026|recover money from UPI fraud]] and [[golden-hour-zero-liability-cyber-fraud-rbi-india|golden hour zero-liability rules]].
 +
 +==== How is WhatsApp OTP fraud different from SIM swap fraud? ====
 +
 +In WhatsApp OTP fraud, the attacker tricks you into sharing the 6-digit WhatsApp registration code — they hijack the WhatsApp account but not your SIM. In SIM swap fraud, the attacker takes over your actual mobile number, giving them access to ALL SMS-based OTPs (banking, UPI, everything). SIM swap is more dangerous. See the [[sim-swap-fraud-recovery|SIM swap fraud recovery guide]] for differences in prevention and recovery.
 +
 +==== Can I prevent someone from registering WhatsApp with my number? ====
 +
 +Yes — two-step verification is exactly this prevention. Without the PIN, nobody can register WhatsApp with your number on a new device, even if they intercept the SMS code. This is why two-step verification is the single most important security setting.
 +
 +===== Myth vs reality =====
 +
 +^ Myth ^ Reality ^
 +| "Sharing OTP is OK with friends." | OTP / 6-digit code is the **only** authentication. Never share. |
 +| "Two-step verification is paranoid." | 95% of takeovers happen without two-step. It's the single most effective prevention. |
 +| "Hijacked WhatsApp is permanent." | Re-registration takes 7 minutes and forces attacker logout. |
 +| "Police can't trace WhatsApp accounts." | Rule 4(2) IT Rules 2021 mandates first-originator disclosure. |
 +| "Encrypted means hacker can't read messages." | Encryption protects messages in transit + backup. New messages are read directly by attacker. |
 +| "Customer care will help recover." | WhatsApp has no phone customer care — only grievance officer email. |
 +| "WhatsApp Business accounts are immune." | Same registration system — two-step verification needed on both. |
 +| "Deleting the app solves it." | Deleting the app doesn't log out the attacker. You must re-register to force logout. |
 +
 +===== Last word =====
 +
 +WhatsApp in 2026 is the most-used messaging platform in India + the most-targeted attack surface. Defence is **two-step verification (always on) + never share the 6-digit code + 7-minute re-registration drill if compromised**. Save the WhatsApp grievance email + 1930 in your contacts now. The attack is preventable; the recovery is fast — if you act in the first hour.
 +
 +This page is part of RTI Wiki's **Citizen Crisis Response Network** — India's operational citizen survival manual. Updates tracked through MeitY advisories, NCRP statistics, NHRC interventions, and CIC decisions.
 +===== WhatsApp OTP fraud explained: How scammers steal accounts and money in India (2026) =====
 +
 +WhatsApp OTP fraud — complete guide on how scammers steal accounts and money, and how to protect yourself:
 +
 +  - **Step 1: What is WhatsApp OTP fraud?** (a) the WhatsApp OTP fraud — is a type of social engineering fraud — where the scammer — tricks the victim — into sharing the WhatsApp OTP — and takes control — of the victim's WhatsApp account, (b) the scammer — then: (i) sends messages — to the victim's contacts — asking for money — or the OTP — or the sensitive information, (ii) impersonates the victim — and commits the fraud — using the victim's identity, (iii) the victim — loses control — of the WhatsApp account — and the contacts — are scammed, (c) the fraud — is common in India — because of the high WhatsApp usage — and the low awareness — of the OTP security.
 +  - **Step 2: How the WhatsApp OTP fraud works.** (a) the scammer — sends a message — to the victim — from an unknown number — saying: (i) "I sent you an OTP by mistake — please share it", (ii) "Your WhatsApp is being hacked — share the OTP to secure it", (iii) "You won a prize — share the OTP to claim", (iv) "I am from WhatsApp support — share the OTP to verify", (b) the scammer — has already initiated — the WhatsApp login — on the victim's number — and the OTP — is sent — to the victim's phone, (c) the victim — shares the OTP — and the scammer — logs in — to the victim's WhatsApp — on the scammer's device, (d) the victim — is logged out — and the scammer — has the full control — of the WhatsApp account.
 +  - **Step 3: What happens after the account is hijacked.** (a) the scammer — sends messages — to the victim's contacts — saying: (i) "I need money urgently — please transfer to this number/account", (ii) "I am in trouble — please help", (iii) "I sent you an OTP — please share it", (b) the contacts — trust the message — because it is from the victim's number — and they: (i) transfer the money — to the scammer's account, (ii) share the OTP — and their WhatsApp — is also hijacked, (c) the scammer — continues the chain — and the fraud — spreads — to more contacts, (d) the victim — loses: (i) the WhatsApp account, (ii) the contacts' trust, (iii) the money — if the contacts — transfer the money.
 +  - **Step 4: How to protect yourself from WhatsApp OTP fraud.** (a) never share the OTP: (i) the WhatsApp OTP — is for the login — and should never be shared — with anyone — even if they claim — to be from WhatsApp, (ii) WhatsApp — never asks — for the OTP — or the verification code, (b) enable the two-step verification: (i) go to WhatsApp > Settings > Account > Two-Step Verification, (ii) set a 6-digit PIN — and the email — for the recovery, (iii) the two-step verification — prevents the login — even if the scammer — has the OTP — because the PIN — is also required, (c) be suspicious: (i) if someone — asks for the OTP — be suspicious — and verify — by calling the person, (ii) if the message — is from an unknown number — do not respond — and block the number, (d) educate the contacts: (i) if your WhatsApp — is hijacked — inform the contacts — through the SMS — or the call — not to share the OTP — or the money, (ii) post on the social media — about the fraud — to create the awareness.
 +  - **Step 5: What to do if your WhatsApp is hijacked.** (a) Step 1 — inform the contacts: (i) inform the contacts — through the SMS — or the call — that the WhatsApp — is hijacked — and not to share the OTP — or the money, (b) Step 2 — re-login: (i) open WhatsApp — and log in — with the OTP — sent to the phone, (ii) if the scammer — has enabled the two-step verification — the re-login — is blocked — and the victim — must wait 7 days — for the automatic logout, (c) Step 3 — deactivate: (i) if the re-login — is not possible — email WhatsApp — at [email protected] — with the subject "Lost/Stolen: Please deactivate my account" — and the phone number — in the international format, (ii) WhatsApp — deactivates the account — within 24-48 hours, (d) Step 4 — file a complaint: (i) file a complaint — on the National Cyber Crime portal — cybercrime.gov.in — or call 1930, (ii) if the money — is transferred — file a complaint — with the bank — and the cyber crime, (e) Step 5 — file RTI: (i) file RTI — with the cyber crime cell — for the complaint status — and the action taken.
 +  - **Step 6: File RTI on WhatsApp OTP fraud.** File RTI with the cyber crime cell (or the police) asking for: (a) the complaint: "Provide the status — of the cyber crime complaint — filed on [date] — reference number [number] — including: (i) the complaint details, (ii) the action taken, (iii) the investigation status, (iv) the recovery — if any", (b) the statistics: "Provide the statistics — of the WhatsApp OTP fraud — for the period [date] to [date] — including: (i) the number of complaints, (ii) the number of cases — registered, (iii) the number of cases — solved, (iv) the amount — lost — and recovered", (c) the action: "Provide the action taken — on the WhatsApp OTP fraud — by the cyber crime cell — including: (i) the advisories — issued, (ii) the awareness campaigns, (iii) the coordination — with WhatsApp — and the banks".
 +  - **Step 7: Practical tips.** (a) enable the two-step verification (enable the two-step verification — on WhatsApp — immediately — to prevent the hijacking), (b) never share the OTP (never share the WhatsApp OTP — with anyone — for any reason), (c) verify before acting (if someone — asks for the OTP — or the money — verify — by calling the person — before acting), (d) file the complaint (if the WhatsApp — is hijacked — or the money — is lost — file a complaint — on the cyber crime portal — immediately), (e) Example: A victim — received a message — from an unknown number — saying "I sent an OTP by mistake — please share it" — the victim — shared the OTP — and the WhatsApp — was hijacked — the scammer — sent messages — to the contacts — asking for the money — one contact — transferred Rs 10,000 — the victim — informed the contacts — through the SMS — and filed a complaint — on the cyber crime portal — the cyber crime — traced the scammer's account — and the money — was recovered — in 3 months.
 +
 +See [[https://righttoinformation.wiki/whatsapp-otp-fraud-explained-india|WhatsApp OTP Fraud]] and [[https://righttoinformation.wiki/rti-for-cybercrime-complaint-status|Cybercrime RTI]].
 +
 +{{tag>whatsapp otp fraud india 2026 scammer hijack account two-step verification cyber crime complaint 1930 rti 2026}}