A new form of digital deception — call merging fraud — is quietly sweeping across India’s financial landscape. Posing as friends, colleagues, or bank officials, cybercriminals are manipulating victims into merging calls that allow them to intercept one-time passwords (OTPs) in real time. What begins as an innocent chat can end with an emptied bank account — a growing concern now drawing the attention of regulators and cybersecurity authorities.
The Rise of a Subtle but Potent Threat
For most Indians, a phone call from the bank feels routine — a verification, an offer, a follow-up. But behind this familiarity lies a new and cunning scam. Known as call merging fraud, it allows fraudsters to gain access to a victim’s banking information by manipulating them into merging calls at precisely timed moments.
The Ministry of Home Affairs estimates that Indians lost nearly ₹7,000 crore to online scams in just the first five months of 2025. While most citizens are familiar with phishing or OTP scams, call merging is distinct for its psychological precision. It exploits the social instinct to trust — and to act fast.
“A fraudster pretending to be someone you know convinces you to merge a call with a ‘friend or colleague,’” one official explained. “But the second call is actually an automated voice message from the bank delivering an OTP.”
Once the call is merged, the scammer listens in silently, capturing the OTP meant to authenticate a bank transaction or a change in account settings.
How the Scam Works — and Why It’s So Effective
The process unfolds in stages, each designed to lower the victim’s guard. First, the fraudster initiates a friendly or official-sounding call, often offering an exclusive event or sale. The tone is warm, conversational — intended to earn trust.
Next comes the request to merge calls. The caller insists it’s someone related to the discussion — perhaps a colleague or bank officer — creating a sense of urgency. What the victim doesn’t know is that the “other line” is actually the bank’s automated system, about to deliver an OTP.
The moment the OTP is read aloud, the trap is sprung. The fraudster, now part of the three-way call, hears it in real time. With that single code, they can access the victim’s banking portal, initiate transactions, and drain accounts within seconds.
“Once the OTP is compromised, the fraudster can practically take complete control of your bank account,” cybersecurity experts warn. “You wouldn’t even realize until the funds vanish.”
Growing Alarms in India’s Financial Corridors
The surge in digital financial frauds has not gone unnoticed. At the Global Fintech Fest 2025, RBI Governor Sanjay Malhotra called the rise in online scams “a growing problem for the country.” He emphasized the need for stronger awareness campaigns and coordination between banks, telecom operators, and enforcement agencies.
Union Finance Minister Nirmala Sitharaman, speaking at the same event, also sounded a warning — not only about monetary frauds but also about the broader misuse of technology, noting that “deepfake videos” and AI-driven deception are beginning to distort public trust. Together, these developments underscore a shifting reality: cybercrime is no longer just about hacking systems — it’s about hacking human behavior.
Fighting Back: Awareness as the First Line of Defense
Authorities and financial institutions are now urging citizens to remain vigilant. The government’s helpline 1930 has been positioned as the first point of contact for reporting such incidents. Officials advise calling both the helpline and one’s bank immediately upon receiving any unsolicited OTP.
Experts also outline two simple but crucial precautions:
- Never merge any call at the urging of a stranger.
- Treat any unexpected OTP as a red flag — a sign that someone, somewhere, is trying to access your account.
Despite its sophistication, call merging fraud relies on one human weakness — trust. As India’s financial ecosystem deepens its digital footprint, the line between convenience and vulnerability grows thinner. In that space, awareness remains the only real firewall.