A case reported from Uttar Pradesh’s Shamli district marks a sharp departure from conventional cyber fraud patterns. In Kandhla town, ₹8 lakh was siphoned off from the bank account of a mobile phone retailer—even though no OTP was received on the victim’s phone and no suspicious link was clicked. The incident has raised serious questions for both cyber security agencies and banks.
The victim, Amish ur Rahman, who runs a mobile phone shop in Kandhla, said his account is with HDFC Bank’s Shamli branch. On December 26, ₹8 lakh was withdrawn from his account via net banking. The victim maintains that he had never activated net banking on his phone, making the unauthorised withdrawal particularly alarming for both him and the bank.
Net banking accessed via mobile number
Preliminary investigations suggest that the fraudsters exploited the digital ecosystem linked to the victim’s mobile number to gain access to net banking. According to the police, the money was withdrawn by using the mobile phone associated with the account. The victim came to know about the fraud only after the bank flagged suspicious transactions and alerted him.
Subsequently, he submitted a written complaint to the cyber crime police station, following which an FIR was registered and an investigation launched. Police have sought net banking logs, device-access details, and technical records linked to the mobile number from the bank to ascertain how the transactions were carried out without OTP authentication or any user interaction.
Not a traditional fraud, but a ‘next-generation’ cyber attack
Commenting on the case, the Future Crime Research Foundation (FCRF) described it as an example of next-generation cyber fraud. According to the foundation, cybercriminals are no longer dependent solely on OTPs, phishing calls, or malicious links. Instead, they are increasingly exploiting SIM-based identity, mobile-number authentication, and the interdependence of banking systems.
FCRF’s assessment notes a rise in cases where victims receive no warning signs at all—no OTP, no call, no link—yet their accounts are emptied. This trend is particularly dangerous because users often assume they are safe as long as an OTP is not shared.
Digital identity has become the prime attack surface
Former IPS officer and renowned cyber crime expert Triveni Singh said the Shamli case is a clear illustration of attacks targeting digital identity.
“Cybercriminals today are attacking the trust chain between a person’s mobile number, device profile, and banking systems. If they gain control over the mobile number or its associated authentication, net banking can be operated even without an OTP. This is far more dangerous than traditional cyber fraud,” he said.
He cautioned that network-level and system-level attacks are growing rapidly, often without requiring any direct mistake or action from the user.
Beyond investigation, system audits are essential
Cyber experts believe that cases like this require more than just a police investigation. They stress the need for internal banking system audits, detailed scrutiny of SIM swap or mobile number porting records, and deep forensic analysis of device-access trails. Consumers, too, need to recognise that a mobile number is no longer just a communication tool—it has effectively become a banking identity.
New threat, new security strategy
The case underscores that cyber fraud has moved beyond the old “click a link or share an OTP” model. It has evolved into silent system intrusions and digital identity hijacking. Experts say banks and regulators must urgently strengthen net banking security standards, mobile-number-based authentication, and real-time fraud detection systems.
As the investigation progresses, this incident is likely to go beyond a single case of financial loss. It could emerge as a critical example for understanding evolving cyber crime patterns in India and the urgent need to recalibrate digital security frameworks.
