Inside India’s war on online bank scams



Such incidents have become almost routine today, leading the Supreme Court to ask the Centre and the CBI how they plan to curb such scams.

Reserve Bank of India (RBI) data shows that bank frauds surged to ₹36,014 crore in 2024-25, a 194% increase in value compared to the previous year. Fraud today is faster, more social, and more networked than anything India has seen before. Now, the regulator, banks, payment platforms, technology companies, card companies, cloud services providers and even telecom companies (telcos) are coming together to create a defence system to prevent scams and catch scamsters.

In September this year, the RBI came out with new guidelines that will come into effect on 1 April 2026. They address vulnerabilities around the text-based OTPs (one-time passwords) needed to complete transactions, which some users share knowingly or unknowingly (the latter via malware that relays OTPs to fraudsters). The central bank will make two-factor authentication a must. Currently, two-factor authentication is a combination of a PIN and an OTP received via SMS. From 1 April, the central bank wants the payments ecosystem to use more technology. Mint had earlier reported that the first factor may comprise something user-related, such as a password or a PIN, token, biometrics, etc., while the second one will need to be a dynamic factor, such as OTPs, push notifications, or authenticator applications.

This shift aims to strengthen fraud prevention, improve interoperability, and align with global standards for secure digital payments.

“Banks and the RBI treat customer education as a core pillar of fraud defence, conducting multi-channel awareness campaigns, to fortify the ‘human firewall’. Regulators are also implementing system-level changes such as real-time payee name validation,” says Kartik Shinde, partner, cybersecurity, FS consulting, EY India.

The task is complex, as the fraudsters are usually far from where the crime is committed and often in another country. “While we are trying to protect everything, it’s only as safe as the people using it. They tend to share a lot more information than needed, usually out of greed, fear or ignorance,” says Manish Agarwal, senior vice president of credit intelligence, HDFC Bank.

The greed for a 30% return, the fear of a fabricated police notice, and ignorance about what a ‘collect request’ (on a fake challan or electricity bill link) can lead to have been the downfall of many.

The threat has mutated

The vocabulary alone tells you how fast the threat surface keeps shifting, from phishing and smishing (email/SMS lures), to vishing (voice scams), to remote-access apps that quietly mirror a phone’s screen, to digital arrests (video calls featuring fake uniforms and forged court orders).

Aside from this, there is a second category: scams where the victim authorises a transfer under false pretenses, such as rewards redemptions, fake job offers or loan offers, and refund baits. In one bucket, the fraudster initiates a transaction using stolen credentials; in the other, customers do it themselves, fully authenticated and therefore harder to stop.

About 60% of users access bank accounts via apps. Here, the role of telcos also becomes important as users rely on mobile networks for banking and payments. The country’s second-largest mobile telephony operator, Bharti Airtel, says it blocks malicious websites and phishing links across SMS, email, OTT apps (WhatsApp, Telegram etc.) and browsers in real time.

Over the last 12 months, Airtel says it has identified 53 billion spam calls and 355,000 malicious domains. While telcos play a key role in enabling digital banking, the buck stops at the bank.

“Our focus is how to make it tougher for the bad actors to access your credentials,” says Sameer Shetty, group executive, digital business, transformation and strategic programs, Axis Bank.

Kill screenshots

Shetty says that apps have an extra layer of security (compared to internet banking) as most banking apps have ‘device binding’ and ‘SIM binding’ as a feature—the app is linked to your phone and SIM; it won’t work on another phone or a different SIM.

Second, bank apps detect whether a screen-sharing app is present on the phone and go blank if that is the case. When the user calls the bank to ask what went wrong, she/he is told that the screen-sharing app is likely to pick up bank details, such as passwords, as the user enters them.

For example, a program called Runtime Application Self-Protection (RASP) blacks out HDFC Bank’s mobile app if a screen-sharing app is active on a customer’s phone. The bank’s mobile app also refuses to render anything if it detects malware: screenshots are disabled and copy-pasting of sensitive strings is curtailed.


“The device is the gateway to all transactions. If somebody was able to put a screen share app on your phone, the OTP passwords become visible to the fraudster,” says Anjani Rathod, chief digital officer, HDFC Bank. “We cannot control the device, but we can control our app. This is where we ensure that the app does not work on any compromised device.”

However, these apps could also be legit, such as MS Teams, Zoom or Google Meet (which also have screen sharing features), in which case the user will not face a problem. “If a user has not installed a screen sharing app herself, but we detect it, we guide them to delete it,” says Axis Bank’s Shetty.

Human in the loop

Banks also trace user behaviour and look for patterns that deviate from the normal to raise an alarm. For instance, the IP signature of the device the fraudster is using will differ from the one associated with the user’s account.

“Also, the way a person is typing could be different, prompting us to step up checks, like asking an additional question to enable a transaction,” says HDFC Bank’s Rathod. These are questions that a user has set when opening an account, such as, ‘What is your mother’s maiden name?’

Shinde adds, “If login credentials are correct but the behaviour profile (typing rhythm, mouse movement, swipe gestures and device angle) does not match the legitimate owner, the system flags a potential account takeover.”

A ‘behavioural biometrics’ system usually monitors a user’s distinctive keystroke patterns during a session and compares them to historical data to look for fraudulent or atypical behaviour. If an account user is known to be a quick and accurate typist, and the system detects that the current user is much slower and making more errors than usual, the system will flag the session.
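The comparison described above can be sketched as follows. This is an added example, not code from any bank or vendor named in the article; the two features (median gap between keystrokes, share of backspaces), the z-score limit and all session data are assumptions constructed for illustration.

```python
from statistics import mean, median, stdev

# Constructed data: (gaps between keystrokes in ms, backspaces, total keys).
HISTORY = [
    ([110, 95, 120, 105, 98, 115], 1, 60),
    ([102, 99, 130, 108, 96, 111], 2, 64),
    ([118, 101, 97, 109, 125, 104], 1, 58),
    ([99, 107, 112, 103, 121, 100], 2, 61),
]
LEGIT = ([108, 101, 115, 99, 112, 104], 1, 59)     # constructed: owner-like
SUSPECT = ([240, 310, 280, 265, 330, 290], 9, 55)  # constructed: slow, error-prone

def features(session):
    """Reduce one session to the two signals the article mentions."""
    gaps, backspaces, keys = session
    return {"gap_ms": median(gaps), "error_rate": backspaces / keys}

def baseline(history):
    """Per-feature mean and standard deviation over past sessions."""
    rows = [features(s) for s in history]
    return {k: (mean([r[k] for r in rows]), stdev([r[k] for r in rows]))
            for k in rows[0]}

def assess_session(session, history, z_limit=3.0):
    """Return {feature: z-score} for features far above the user's norm.

    One-sided on purpose: only slower typing or more errors counts.
    An empty dict means the session matches the historical profile.
    """
    current = features(session)
    deviations = {}
    for name, (mu, sigma) in baseline(history).items():
        # Floor sigma at 10% of the mean so a very consistent typist
        # is not flagged for a tiny absolute change (assumed value).
        sigma = max(sigma, 0.1 * mu)
        z = (current[name] - mu) / sigma
        if z > z_limit:
            deviations[name] = round(z, 1)
    return deviations

if __name__ == "__main__":
    print("legit:", assess_session(LEGIT, HISTORY))
    print("suspect:", assess_session(SUSPECT, HISTORY))
```

A non-empty result would feed the step-up check (an additional question) rather than block the session outright.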

Another feature to make banking secure is to create an additional layer of security on top of OTPs.

HDFC Bank is introducing a method called KAVACH, where the customer will have an option to authenticate the transaction through an in-app authentication system or a QR code and not rely on OTPs.

Axis Bank is using Aadhaar biometrics. “This is much like Digi Yatra at the airport, where your face opens the door. In cases where we suspect a fraud transaction, we ask the user to do Aadhaar face authentication. It’s like a third factor (after OTP and password) in cases where we have suspicion,” says Shetty.

At DBS Bank India, a subsidiary of DBS Singapore, instead of relying on OTPs, which can be challenging for senior citizens, soft tokens with device binding (a mobile application linked to a specific device) are used. The bank currently operates across approximately 350 locations in 19 states.

“Beyond technology, we encourage safe habits such as reviewing notifications and contacting banks if suspicious messages or requests appear,” says Alok Kashyap, executive director and head of liabilities product, payments and digital business, consumer banking group, DBS Bank.

AI chasing fraudsters

Apart from these changes at the product level (the app), banks are also using artificial intelligence (AI). For instance, digital monitoring software flags suspicious transactions by analyzing both the beneficiary’s and the account holder’s transaction patterns. So, if a user usually does not transfer more than ₹5,000 and suddenly a transfer of ₹1 lakh is initiated, the software will send an alert and the user gets a call to verify if the transaction is genuine.


But could it be a nuisance for someone who usually spends between ₹700 on Blinkit and is now buying a ₹70,000 laptop at Nehru Place (Delhi’s computer market)?

“We check the location as well. If the user is in Delhi and the purchase is in Delhi, the merchant’s MCC code (merchant category code) will come to us. If we have never seen a transaction on that MCC code, it will raise suspicion. Also, if the transaction is happening in Hanoi (Vietnam) and the user is in Delhi, it will be flagged,” says Axis Bank’s Shetty.
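The three signals discussed in this section (an amount far above the user's norm, a merchant category code never seen before, and a merchant location that does not match the user's) can be combined as in the added example below. It is not any bank's actual logic: the 5x amount multiple, the action names, the way the user's city is obtained and the sample transactions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    amount: float        # rupees
    mcc: str             # merchant category code
    merchant_city: str

# Constructed history: small grocery purchases in Delhi (MCC 5411).
HISTORY = [Txn(700, "5411", "Delhi"), Txn(450, "5411", "Delhi"),
           Txn(820, "5411", "Delhi"), Txn(610, "5411", "Delhi")]

def build_profile(history):
    """Summarise what is normal for this account holder."""
    return {"max_amount": max(t.amount for t in history),
            "mccs": {t.mcc for t in history}}

def assess(txn, history, user_city, amount_multiple=5.0):
    """Return (action, reasons) for one incoming transaction.

    user_city is where the bank believes the user currently is
    (assumed to be available, e.g. from the bound device).
    """
    profile = build_profile(history)
    reasons = []
    if txn.amount > amount_multiple * profile["max_amount"]:
        reasons.append("amount_spike")
    if txn.mcc not in profile["mccs"]:
        reasons.append("new_mcc")
    if txn.merchant_city != user_city:
        reasons.append("location_mismatch")

    # Assumed tiering: a location mismatch is flagged outright; other
    # anomalies trigger a verification call instead of a hard decline,
    # so a genuine large purchase can still go through.
    if "location_mismatch" in reasons:
        action = "flag"
    elif reasons:
        action = "verify_with_user"
    else:
        action = "allow"
    return action, reasons

if __name__ == "__main__":
    laptop = Txn(70000, "5732", "Delhi")   # electronics store, same city
    abroad = Txn(650, "5411", "Hanoi")     # familiar MCC, wrong city
    for t in (laptop, abroad, Txn(700, "5411", "Delhi")):
        print(t, "->", assess(t, HISTORY, user_city="Delhi"))
```

The laptop purchase trips two signals without being declined, which is the nuisance-versus-safety trade-off the question above raises.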

If the payment front-end is getting smarter, the back-end is being re-platformed. Microsoft, which says it helped thwart $4 billion in fraud attempts last year across clients, is embedding AI and confidential computing (protects data during processing) into banks’ operations. Bajaj Finserv Health uses MS Azure to integrate fraud detection capabilities in its systems and flag suspicious medical bills.

“We enable banks to move from reactive management to predictive security,” says Sonali Kulkarni, country head, BFSI, Microsoft India and South Asia.

The haptic alert

A convenient feature of transactions is to link bank accounts and credit cards to payment apps. But the more the linkages, the more the vulnerabilities. Bankers insist that as long as it’s a regulated app, there’s no problem.

“While it seems to increase vulnerability, the technology we are implementing makes linking cards to apps more secure. The key is ensuring the actual card details are never exposed,” says Rajesh Chopra, senior vice president and head, advisors, South Asia, Mastercard. The card company ensures safety via tokenization. When a user links a credit or debit card to an app, say PhonePe, the 16-digit card number is replaced with an encrypted token. This token is used for the transaction. “Even if the fraudster were to intercept the token, it’s useless, making the risk of fraud negligible,” adds Chopra.

Mastercard claims it uses AI across 150 billion transactions annually, scanning for abnormal merchant behaviour (such as pop-up fly-by-night storefronts). Passkeys let users authenticate with biometrics—a fingerprint or face—instead of passwords and one-time codes. The Passkey service is rolling out with partners such as PayU.


Behind the scenes, Mastercard’s threat intelligence platform prowls the dark web where stolen data and fake IDs are traded to flag exposures early. According to the card major, the dark web attracts around 2.5 million visitors daily and stolen credit card data sells for as little as $25.

At payment major Google Pay, its system analyses transaction patterns across billions of data points. It claims to have prevented scams worth over ₹13,000 crore over the last year.

“We constantly monitor for a variety of threats including phishing, social engineering scams, fake job or loan offers and account takeovers,” says Sharath Bulusu, director, Google Pay India. “To mitigate these, the platform leverages AI and ML models that detect anomalies in real time and flag suspicious transactions.” An unexpected payment request triggers an alert message, which is sometimes supplemented by a haptic (vibration) alert triggered on the user’s phone.

Despite these checks, money often disappears into mule accounts (used by criminals to disguise and launder funds). While users will increasingly see in-app OTPs, biometric authentication, smart nudges, options to lock and control accounts at specific times and so on, much will depend on their behaviour. In the good old days, customers never signed a blank cheque, whereas today, some happily give their OTPs to random callers, compromising their accounts.

Key Takeaways

  • RBI data shows that bank frauds surged to ₹36,014 crore in FY25, a 194% increase in value from the previous year
  • Fraud today is faster, more social, and more networked than ever
  • Be it through phishing, vishing, smishing, digital arrests or using OTPs to take funds out the legitimate way, criminals are using every trick in the book to part people from their money
  • So, banks, regulators, payment platforms and tech providers are now joining hands to come up with new ways to check frauds
  • Banks are tracing user behaviour and looking at patterns that deviate from the normal to raise an alarm
  • Typing rhythm, mouse movement, swipe gestures and device angle give essential clues
  • Digital monitoring software flags suspicious transactions by analyzing both the beneficiary’s and the account holder’s transaction patterns
  • In-app authentication systems will gain traction, going ahead
  • In some cases, a third factor authentication, using Aadhaar biometrics, may be required

