New Delhi | Digital payments have made everyday life in India faster, easier and largely cashless—quick checkouts, instant transfers and seamless bill payments. But the same convenience is increasingly being weaponised by cybercriminals. The result is a growing category of fraud where the physical card never leaves the victim’s possession, yet money quietly drains from the bank account.
Investigators across metros and tier-2 cities report a sharp rise in cases where debit or credit cards remain safe at home, but thousands—sometimes lakhs—disappear within hours. The method appears simple on the surface, but experts say it is highly sophisticated and rooted in psychological manipulation.
Criminals no longer “steal” money directly. Instead, they convince victims that they are securing their accounts—prompting them to authorise access themselves.
According to the Future Crime Research Foundation, digital wallet–linked frauds have surged in recent months, particularly in cities where tap-to-pay, UPI and app-based wallets dominate daily transactions.
Where it begins: phishing links, courier messages and fake bank calls
Most cases start with a familiar fear-inducing message:
- “Suspicious transaction detected on your account”
- “KYC not updated—account will be blocked”
- “Courier stuck—pay ₹10 service fee”
In a hurry, users click the link and enter basic details—name, mobile number, email—and sometimes even OTPs or passcodes. Nothing happens immediately, and the victim assumes the issue is resolved.
Days later comes the second stage. A phone call follows. The caller poses as a bank or card-security official and says reassuringly:
“We have blocked a suspicious payment. To secure your account, please approve the notification you are about to receive.”
This is the most dangerous moment.
That “notification” is not a safety step. It is a request to link the victim’s card to a digital wallet Apple Wallet, Google Wallet or another tap-payment platform. Under panic and misplaced trust, many users tap “Allow” or “Approve”, unknowingly handing control to fraudsters.
How the account gets drained
Once the card is linked, criminals move fast. They target outlets where:
- high-value electronics are sold
- gold, jewellery or luxury items are available
- resale value is quick and high
Within hours, credit limits are exhausted or balances wiped out. Purchased goods are converted into cash through resale networks, making the money trail hard to trace.
FCRF notes that the model works because victims believe they are cooperating with their bank, not granting authority to criminals. The foundation warns that in-app approvals like “Approve/Allow” can be even more powerful than an OTP, because they provide system-level permission.
Dr Triveni Singh: ‘Fear plus trust is the biggest weapon’
Former IPS officer and noted cybercrime expert Triveni Singh says this wave of fraud marks a decisive shift in criminal tactics.
“Fraudsters no longer ask for money directly,” he explains. “They create fear and exploit trust in institutions. The victim ends up making the mistake themselves.”
His warning is unequivocal: never share or click any OTP, passcode or in-app approval under pressure—no matter how authentic it appears. Singh adds that the model will only grow more complex, requiring banks, fintech firms and regulators to invest in security-by-design, not just post-fraud remediation.
Patterns emerging across India
Cybercrime analysts point to recurring elements:
- misuse of card/UPI authorisation notifications
- phishing in the name of KYC or Aadhaar update
- fake customer-care numbers circulating online
- “help desk” pages created on social media
Many victims later insist, “But I never shared my OTP.” What they overlook is that pressing “Approve/Allow” can be even more decisive than sharing an OTP—it is a direct authorisation.
How to stay safe: 5 Golden Rules
- Banks never ask you to approve notifications over a call—disconnect immediately.
- OTPs and approvals are master keys—if you don’t fully understand, do nothing.
- Keep alerts switched on monitor SMS/app alerts; block the card and inform the bank at the first sign of misuse.
- Never search for customer-care numbers online use only official apps or numbers printed on the card.
- Report immediately inform your bank and file a complaint at cybercrime.gov.in; every minute matters.
Bottom line
Digital India has delivered speed and comfort but criminals are exploiting the same systems. Real safety begins with a simple habit:
Never treat any link, code, notification or “Approve” button as a bank order.
Pause. Think. Call your bank directly.
In the digital age, caution is the new currency of security.
