Phishing Scams in India: How to Identify Fake Messages and Protect Your Money
Phishing is the #1 cybercrime in India, costing victims crores every year. Scammers send fake messages impersonating banks, IRCTC, Income Tax, and government agencies to steal OTPs, passwords, and money.
Real Scam Message Examples
These are real examples of messages used in this type of scam. If you receive something similar, do not click any links.
Example 1
“Dear Customer, your PNB net banking has been temporarily suspended due to suspicious activity. Verify your identity immediately: pnb-secure-verify.com/login — PNB Security Team”
Example 2
“Income Tax Dept: A refund of ₹14,200 is pending in your account. Claim it within 48 hours by updating your bank details: incometax-refund.in/claim”
Example 3
“IRCTC: Your account will be deactivated due to inactivity. Re-verify your mobile and Aadhaar now: irctc-verify.net/reactivate”
Warning Signs of a Phishing Message
- ⚠Message asks you to click a link to 'verify your account' or 'avoid suspension'
- ⚠URL in the message is slightly different from the official website
- ⚠Asks for your OTP, net banking password, or CVV number
- ⚠Creates urgent fear — 'your account will be blocked in 2 hours'
- ⚠Sender is an unknown number or email, not an official shortcode
How Does This Scam Work?
- 1You receive a fake message with a phishing link
- 2The link opens a website that looks identical to your bank
- 3You enter your credentials and OTP
- 4Scammer logs in with your details and transfers money
Legitimate vs Scam: How to Tell the Difference
| Aspect | ✓ Legitimate | ✗ Scam |
|---|---|---|
| OTP requests | Banks never ask for OTP over phone, SMS, or email | Asks you to enter or share your OTP on a website or call |
| Website URL | pnb.co.in, hdfcbank.com, sbi.co.in (official domains) | pnb-secure.com, hdfc-verify.in, sbi-update.net (lookalike domains) |
| Refund claims | IT refunds go directly to your bank — no action needed | 'Click link to claim your refund' — always fake |
| Email sender | Official emails from @sbi.co.in, @hdfcbank.com | Gmail/Yahoo address or misspelled domain like @sbl.co.in |
What Should You Do?
- ✓Never share OTP with anyone — banks never ask for OTPs
- ✓Type your bank's URL directly in the browser instead of clicking links
- ✓Report phishing URLs to cert-in.org.in
- ✓Call 1930 (National Cybercrime Helpline) immediately if you've been defrauded
- ✓Paste suspicious messages into ScamCheck for instant analysis
Free Tool
Received a suspicious message?
Paste it into ScamCheck and get an instant AI verdict — free, no signup needed.
Check it now — it's free →Frequently Asked Questions
What is phishing in simple terms?
Phishing is when scammers send fake messages pretending to be a trusted organization to trick you into giving them your passwords or bank details.
Can I get my money back after a phishing scam in India?
If reported within 24 hours to your bank and cybercrime.gov.in, there's a chance of recovery. Speed is critical — report immediately.
How do I check if a link is a phishing link?
Hover over the link to see the actual URL. Or paste it into ScamCheck for an instant AI verdict.
What is smishing?
Smishing is phishing via SMS (text message). It's the most common form in India — fake bank messages, delivery alerts, and KYC notices sent by SMS with malicious links.
What should I do if I entered my bank details on a fake website?
Immediately call your bank's 24/7 fraud helpline to block your card and account. Then file a complaint at cybercrime.gov.in. Act within minutes if possible.
Related Scam Guides
Explore more scam guides
View all guides by category and country →