MUMBAI — When a prominent South Mumbai physician received a call this September, it seemed routine. The caller claimed to represent his telecom provider and offered to upgrade his physical SIM card to a newer, more convenient e-SIM — a feature many smartphone users are adopting for its flexibility and simplicity.
Reassured by the caller’s professionalism, the doctor followed the instructions: he opened the provider’s official app, submitted an e-SIM request, and received a one-time password (OTP). The caller asked him to share the OTP to “complete verification.”
Within minutes, his phone network went silent. Two days later, his email password had been reset, and ₹10.5 lakh was drained from his bank account through a series of rapid online transfers.
By the time the doctor contacted the Mumbai Cyber Cell, the damage was done. Investigators traced the money trail to a hospital office boy in Pune, who had allegedly rented out his bank account to cybercriminals in exchange for a small commission.
This was not an isolated case. It was part of a rising trend in India’s digital fraud landscape — the “e-SIM upgrade scam”, a scheme that turns convenience into catastrophe.
The Mechanics of an Invisible Heist
Unlike older SIM-swap frauds that required physical access to SIM cards, e-SIM scams operate entirely in the digital realm.
“Fraudsters impersonate telecom staff and convince users there’s a problem with their SIM,” explained Deepender Singh, a cyber expert with the Betul Police in Madhya Pradesh. “They ask for OTPs or installation of apps claiming it’s for verification. Once they obtain that OTP, they deactivate the original SIM and activate a duplicate e-SIM on their device.”
With the victim’s number in their control, criminals can reset email and banking passwords, intercept messages, and bypass two-factor authentication systems that rely on SMS-based verification.
Once inside, the fraud moves fast: banking credentials are reset, wallets drained, and loan applications sometimes filed in the victim’s name. Investigators describe it as a “complete digital identity takeover” — one that begins with a single act of misplaced trust in a phone call.
A System Built on Fragile Trust
Cybersecurity professionals argue that the incident underscores a structural weakness in India’s digital identity infrastructure — one that continues to rely on mobile numbers as the primary verification link for nearly all online services.
“The e-SIM upgrade fraud exposes how fragile mobile-based authentication really is,” said Vijender Yadav, co-founder and CEO of cybersecurity firm Accops. “If someone can hijack your number with just a phone call, the entire chain of security — from banking to personal data — collapses.”
Experts point out that while e-SIM technology offers convenience, it also introduces new vulnerabilities: the absence of physical verification, the ease of remote activation, and the dependence on SMS-based OTPs.
In a country where over 1.2 billion mobile connections serve as the digital backbone for banking, e-governance, and social services, the implications are vast. “Every telecom upgrade or feature rollout must consider how it can be weaponized by fraudsters,” said Yadav.
Awareness: The Only Real Firewall
As cybercriminals become more sophisticated, experts say that awareness is the first and last line of defense.
“Verification should always begin with skepticism,” advised Jyoti Singh, co-founder of Plus91Labs. “Never engage with unsolicited calls, even if they sound official. Always verify through your service provider’s official helpline or app.”
She outlined telltale red flags: unsolicited upgrade offers, calls urging immediate action, requests for OTPs or PINs, and URLs with typos or unusual layouts. “Fraudsters thrive on urgency. The moment you feel rushed, that’s your cue to pause.”
Cyber experts recommend enabling spam detection tools such as Truecaller’s alert system, keeping strong email passwords, and disconnecting phone numbers from critical banking recovery options when possible.
The Mumbai doctor’s case, now under investigation, serves as both a cautionary tale and a policy challenge. As telecom companies race to promote digital services, the human factor — trust — remains the weakest link in India’s digital defense chain.
Or as one investigator put it, “The phone in your hand isn’t just a device anymore. It’s your wallet, your ID, your passport — and to a scammer, your opportunity.”