A few months ago, Maroof Lone, a student from Sopore in Kashmir, received a suspicious call. The caller, claiming to be an official from Lone’s Jammu and Kashmir bank branch, warned him that he needed to complete a KYC process immediately or risk losing his scholarship funds.
From the outset, Lone sensed something suspicious. “The caller’s tone was very casual, and the number didn’t look official,” he recalled.
Trusting his instincts, he decided not to fall for the trap. Yet, what unnerved him most was the amount of personal information the caller knew. “The caller knew my name, my father’s name, our residential address, and even bank details like the IFSC code,” he told Decode.
“This was quite unsettling,” he added.
Lone believes the call may be linked to a betting app he had installed just days before. The app, like many others under government scrutiny, was available only briefly on the Play Store before being taken down.
“These apps offer a small amount of money when you install them using a referral link,” Lone explained. A friend had shared a link, and by downloading the app, Lone received Rs 100, while his friend earned Rs 20. “We were just testing it out to see if it actually worked,” he said.
However, the seemingly harmless experiment with the app may have come at a greater cost. Lone suspects that the app harvested his personal data, including contact lists and banking details, leading to the unsettling call. “These apps often end up taking a lot of user information,” he added.
In recent months, several users on X (formerly Twitter) have complained about receiving fraudulent WhatsApp messages urging them to complete their KYC (Know Your Customer) to avoid having their bank accounts suspended. The messages, posing as official warnings from banks such as ICICI Bank, Union Bank of India, and Bank of India, aim to deceive unsuspecting customers.
One particularly dangerous variant of these scams involves an APK (Android Package Kit) file attached to the message, which, when opened, could compromise the user's device.
For example, messages supposedly from ICICI Bank and Union Bank have been found asking customers to open an APK file with the warning: “Dear user, your bank account will be blocked today, please complete your KYC by opening the APK file.”
APK files are commonly used to distribute and install Android applications, and while those from the Google Play Store are generally safe due to rigorous vetting, files downloaded from unknown or untrusted sources can carry malicious code that endangers the device and user data.
Punjab National Bank (PNB) recently issued a public warning about sophisticated frauds exploiting APK files to steal sensitive information. Once these rogue files are installed, cybercriminals can gain control over the victim’s mobile device, potentially leading to significant financial losses as they can access sensitive banking credentials.
Another method used by fraudsters involves sending fake notices on official-looking letterheads. In one instance, a message posing as a communication from Bank of India (BOI) included a poorly formatted notice filled with grammatical errors, urging the recipient to contact a 'BOI official' named Rahul Gupta.
Decode found that the number associated with the message is marked as ‘fraud’ on Truecaller.
The notice was undersigned by Vilas R. Parate, a name that matched a former BOI General Manager in Mumbai, but he had retired in April 2024, according to his LinkedIn profile.
This modus operandi is not new; scammers often use real names to appear legitimate.
Decode had earlier covered how Deputy Superintendent of Police Sunil Dutt Dubey from Gorakhpur, Uttar Pradesh, became an unwitting victim of impersonation scams, with his photo being misused by fraudsters posing as a police officer on WhatsApp.
Dubey spends much of his time responding to calls from people who have been scammed or nearly fell victim to scams. Despite creating cyber awareness videos to educate the public, scammers continue to exploit his image.
KYC Verification: RBI Guidelines and Recommendations
These scams prey on people’s fears of losing access to their bank accounts. Notably, KYC (Know Your Customer) is a mandatory process for verifying customer identity in India, introduced formally by the Reserve Bank of India (RBI) in 2002 and made compulsory for all banks by 2004.
The guidelines were further strengthened under the Prevention of Money Laundering Act (PMLA) in 2005. KYC methods include physical KYC, Aadhaar eKYC, digital KYC, and video KYC, each offering different ways of verifying identity and updating information.
RBI has repeatedly cautioned customers about fraudulent activities under the guise of KYC updates, especially with the rise in scams. In September 2021 and again in February 2024, RBI advised customers to directly contact their banks for verification and avoid using numbers or contact details from unofficial sources.
They also urged customers to report any cyber fraud immediately. According to the RBI's Master Direction on KYC, issued in 2016 and later amended, banks must periodically update KYC details: every two years for high-risk customers, every eight years for medium-risk customers, and every ten years for low-risk customers.
If there are no changes, customers can submit a self-declaration through various channels like registered email, mobile, or ATMs.
Despite these precautions, KYC scams continue to cause significant financial damage. RBI data reveals that in 2021-22, there were 9,053 reported cases of fraud in banking operations in India, totaling Rs 45,598 crore, with a substantial portion involving identity-related frauds.
Tricks Of KYC Scams
In one tragic case in Kolkata, an 83-year-old retired government official lost his life savings of Rs 2.5 lakh after a scammer posing as a bank representative convinced him to update his KYC over the phone.
The elderly man, with the help of his 11-year-old grandson, followed the instructions of the caller only to realise that his account had been drained and he had also lost access to his fixed and recurring deposits.
In a similar case, a resident of Port Blair fell victim to a sophisticated scam when a fraudster tricked him into sharing sensitive information under the guise of KYC verification. The scammer even conducted a WhatsApp video call to gain the victim's trust and extracted an OTP that allowed them to transfer over Rs 2 lakhs from the victim’s account in seconds.
Explaining the modus operandi of such scams, cyber security expert Shubhum Singh told Decode that these scams often “involve fake phone calls, emails, or text messages claiming that there is an issue with the customer's account”, while creating a false sense of urgency.
Singh advised, “Always verify the authenticity of any communication that requests personal information. Instead of clicking on links in unsolicited emails or messages, navigate directly to the official website by typing the URL into your browser.”
The cyber security expert also recommended using strong security measures, such as enabling two-factor authentication (2FA) and creating strong, unique passwords, for apps that contain sensitive personal information.
“If one encounters suspicious activity, one must report it immediately to the bank or the relevant authorities without any delay,” he added.
Since the call, Lone has been bombarded with promotional messages from various betting apps, some of them also offering jobs, each urging him to click on a link to either claim a cash prize or complete a job application process. These messages contain links that redirect to websites requesting bank details for further steps.
Lone's friend, who initially sent him the referral link to download the betting app, has also been receiving similar messages.