Cybercriminals have developed advanced methods to defraud individuals, bypassing the need for a One-Time Password (OTP) or ATM PIN. They are now leveraging deceptive messages containing fraudulent links that appear to be from legitimate banks.
Once an unsuspecting recipient clicks on the link, their money is stolen without any OTP verification. The National Payments Corporation of India (NPCI) has issued a warning about a newly emerging scam involving call merging techniques, which fraudsters use to manipulate victims into unknowingly disclosing their OTPs, leading to financial fraud.
How the scam works
Scammers initiate a call, posing as a friend or acquaintance of the target. They claim to have obtained the victim’s contact information through a mutual connection and request that they merge the call to include another individual. Unaware of the scam, the victim complies, inadvertently linking to a legitimate OTP verification call from their bank.
The fraudsters carefully time their calls so that when the victim receives an OTP, they assume it is related to the ongoing conversation and unwittingly share it. The criminals then use the OTP to approve unauthorised transactions, resulting in financial losses for the victim.
NPCI’s warning
NPCI, the organisation overseeing the Unified Payments Interface (UPI), issued an alert through the social media platform X. In its post, NPCI cautioned users, stating: “Scammers are using call merging to trick you into revealing OTPs. Don’t fall for it! Stay alert and protect your money.”
How to stay safe
To protect against such fraudulent schemes, NPCI has advised individuals to take the following precautionary steps:
- Avoid merging calls from unknown numbers: Fraudsters exploit call merging to build trust and deceive victims. If someone requests a call merge, verify their identity before proceeding.
- Verify caller identities: Scammers often impersonate bank representatives or mutual acquaintances. Always cross-check their details before sharing any personal or financial information. Exercise caution when receiving unsolicited calls and messages. If a call seems suspicious, confirm the sender's authenticity through official channels before acting.
- Never share OTPs: Banks and payment platforms never request OTPs over the phone. If you receive an OTP for an unrequested transaction, do not disclose it to anyone.
- Report suspicious activity immediately: Refrain from clicking on dubious links, even if they claim to offer vouchers, discounts, or cash prizes. If you suspect fraudulent activity or have accidentally shared an OTP, call 1930, the national cybercrime helpline, and inform your bank promptly to prevent unauthorised transactions.
- Never share sensitive information: Refrain from sharing confidential details with unknown individuals. Fraudsters can exploit this information for unauthorised transactions.
- Avoid installing apps from unverified sources: Downloading applications from unreliable sources may grant scammers access to your device’s camera and photo gallery, which they can misuse for Know Your Customer (KYC) verification scams.
Other fraudulent techniques: In addition to phishing links, cybercriminals are employing advanced techniques such as:
- Call merging: Tricking victims into sharing OTPs through seemingly harmless conference calls.
- Call forwarding: Redirecting calls to fraudsters to intercept OTPs and confidential details.
- Voicemail scams: Posing as banks or authorities to manipulate individuals into divulging personal information.
- QR code fraud: Convincing victims to scan malicious QR codes that enable unauthorised fund transfers.
- Screen sharing scams: Using screen-sharing applications to gain control over banking transactions.
APK and RAT malware scams
Cybercriminals are also using sophisticated Android Application Package (APK) files and Remote Access Trojans (RATs) to execute scams. According to a senior officer, RATs and APKs allow hackers to gain remote control over a victim’s device without their awareness, leading to severe financial and personal data breaches.