SMS OTP Fraud in India: Why Authentication Infrastructure Needs to Evolve
Overview
Over the last decade, SMS-delivered one-time passwords (OTPs) have become the load-bearing second factor for almost every consumer-facing digital service in India — retail banking, UPI, capital markets, e-commerce, gas-cylinder bookings, ration cards, tax filing, KYC checks. The model worked because every phone in the country could receive an SMS, and the architecture asked very little of the device or the user.
It is now equally clear that the model is straining under the weight of what it carries. Indian regulators have spent the last two years publishing rules, building portals, and issuing advisories aimed at the same underlying problem: an authentication secret arriving as plaintext in the device messaging inbox is a structurally exposed trust point — and at the scale of Indian digital payments, that exposure is materialising as fraud.
This article walks through what the public record actually shows: how the fraud patterns evolved, what the regulators (RBI, TRAI, DoT, CERT-In) have done, and why an architecture that moves authentication trust closer to the SIM/eSIM secure identity layer is a serious, telecom-compatible direction worth discussing.
Why SMS OTP Became the Default
SMS OTP was a pragmatic answer to a hard problem. It worked on every handset, required no app install, integrated cleanly with the operator's existing SS7/SMSC infrastructure, and let banks and merchants meet a regulator-friendly two-factor authentication requirement without forcing a smartphone or a particular app on the customer. It was almost frictionless to deploy, almost frictionless to use, and almost frictionless to onboard new institutions onto.
The decade after demonetisation accelerated everything. UPI volumes climbed from the low millions to billions of transactions a month. Banks, fintechs, NBFCs, government identity systems, and exchanges all wired their authentication flows around the same shared assumption: an OTP delivered to a registered phone number reaches only the intended user. The infrastructure scaled. The assumption did not.
How SMS OTP Fraud Actually Happens
Across publicly reported cases, advisories, and security research, the fraud clusters into a small number of recurring patterns. None of them requires breaking SMS as a protocol or compromising operator core networks. They exploit the fact that the OTP becomes visible plaintext on the user's device — and from that point, the attack surface widens to every actor who can see the inbox or manipulate the user.
Social engineering against the visible code
The dominant pattern. The user is contacted by someone impersonating a bank, KYC verifier, customer-care agent, electricity board, courier, or government office and persuaded — under urgency, fear, or politeness — to share the OTP that just arrived in their inbox. Per a 2025 LocalCircles survey reported by Business Standard, one in five Indian families with a UPI user had experienced fraud at least once in the prior three years, and 20% of victims said they had revealed an OTP or UPI PIN to someone posing as a bank official.
SIM-swap fraud
An attacker obtains a duplicate SIM for a victim's mobile number — typically by social-engineering the operator's KYC process at a retail outlet, or by exploiting a stolen identity document — and the OTPs and account-recovery messages start arriving on the attacker's device. The pattern has been reported repeatedly by Indian banks and police, with cases ranging from a Delhi advocate who lost lakhs to a SIM-swap operation, as covered by Deccan Herald, to a Mumbai private firm owner whose loss reached ₹7.5 crore, of which police could freeze ₹4.65 crore, per Business Standard. Indian banks (e.g. Axis Bank) maintain standing customer-education advisories on the pattern.
Inbox-reading and SMS-forwarder malware
An Android application installed on the victim's phone — typically through a phishing link or an APK delivered alongside a malicious "bank security" call — requests SMS or accessibility permissions and silently forwards the inbox to a command-and-control server. Security researchers documented a global campaign of over 107,000 malicious Android samples between 2022 and 2024 designed specifically to intercept SMS-delivered OTPs, with India among the most-affected countries (The Hacker News, SecurityWeek). CERT-In has issued multiple advisories over the years on Android banking malware families.
Remote-access and screen-sharing scams
The user is persuaded to install AnyDesk, TeamViewer, or a "support" app under the guise of a KYC update, refund, or technical issue. The attacker watches the screen as the OTP arrives and authorises a transaction inside the user's own banking session. The OTP never leaves the device — it just gets read by an unauthorised observer who has been granted screen access.
Notification-reading abuse
Even without full SMS permission, OTP previews surface on the lock screen and in notification shades. Apps with notification-listener access (granted by users for legitimate reasons such as smart-watch pairing or "do not disturb" apps) can capture that preview. The trust boundary slips below the user's threshold of awareness.
Mule-account routing
Once an OTP-driven transaction is approved by any of the methods above, the proceeds are rapidly moved through a chain of mule accounts. The RBI has begun deploying its MuleHunter.AI tool — piloted in two public-sector banks in late 2024 per BusinessToday — specifically to identify mule accounts at the back end of these flows. Detecting mules helps recovery; it does not address the front-end authentication weakness.
India-Specific Fraud Evolution Over the Decade
The trajectory across the public record is consistent. As digital payments grew, the share of fraud loss attributable to digital channels grew with it.
According to the RBI's annual report for FY 2023–24, digital payment fraud rose more than fivefold to a record ₹1,457 crore — and digital payments rose from 1.1% of total fraud value the previous year to 10.4%. Domestic UPI fraud incidence rose roughly 85% year-over-year in the same period. PYMNTS covered the same RBI data as a roughly 400% rise in online payment fraud cases year-on-year.
Public reporting also indicates significant under-reporting: in the LocalCircles survey referenced above, 51% of UPI-fraud victims said they had never filed an official complaint, suggesting the true scale is materially higher than the official figures capture.
On the SIM-swap surface specifically, the National Cyber Crime Reporting Portal (NCRP) logged over 90,000 SIM-swap complaints in 2024 according to publicly reported figures, and TRAI levied a collective fine of approximately ₹3.6 crore on Airtel, Jio, and Vi for KYC lapses around SIM issuance, per industry coverage. The Department of Telecommunications has also tightened SIM-portability and re-issuance rules — a 7-day cooling period for re-issued SIMs from August 2023, and an additional cooling period with SMS verification for MNP port-outs from March 2024.
The Regulatory and Institutional Response
The Indian regulatory ecosystem has responded across four institutions, each addressing a different part of the surface.
TRAI — commercial-communications hygiene and SMS traceability
The Telecom Regulatory Authority of India's Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018 created the Distributed Ledger Technology (DLT) framework — one of the first telecom regulatory frameworks globally to apply DLT to commercial-communication governance. Senders register principal entities, headers, and templates; only registered headers and pre-approved templates can carry promotional or transactional SMS.
In 2024, TRAI tightened the framework further. From 1 October 2024, URL links carried inside commercial SMS — including shortened URLs — had to be pre-registered and whitelisted against the sender. On 11 December 2024, TRAI's SMS traceability framework went live, requiring telecom operators to ensure that all commercial SMS messages could be traced back to their originating principal entity, as covered by ThePrint. TRAI's full regulatory text is published on its official site.
This work addresses the sender-side of SMS fraud — making it harder for phishing SMS to reach the inbox in the first place. It does not change what happens once a legitimate OTP arrives at a legitimate handset.
Department of Telecommunications — Sanchar Saathi and SIM hygiene
The DoT launched the Sanchar Saathi portal in 2023 to give citizens a way to detect lost or stolen devices, see which mobile connections were registered against their identity, and report suspected fraudulent communications. The portal's reporting feature, Chakshu, accepts complaints about suspected fraud via calls, SMS, or WhatsApp — including KYC-update scams.
The cumulative public numbers are material. According to coverage in Business Standard and a PIB press note, more than three crore fraudulent mobile connections have been terminated, 3.19 lakh devices blocked, 16.97 lakh WhatsApp accounts disabled, and over 20,000 bulk SMS senders blacklisted under the portal's operations. Citizen-reported fraud communications rose from approximately 2.08 lakh in 2024 to over 5 lakh by 2025 as awareness of the portal grew.
RBI — customer protection, the January 2025 circular, and the move beyond SMS OTP
The RBI's circular RBI/2024-25/105 of 17 January 2025, titled "Prevention of Financial Frauds Perpetrated Using Voice Calls and SMS — Regulatory Prescriptions and Institutional Safeguards", directs regulated entities to use the Mobile Number Revocation List (MNRL) on the Digital Intelligence Platform (DIP) to keep customer-mobile-number databases clean and to monitor for mobile numbers that have been re-issued, blocked, or flagged.
Separately, the RBI Authentication Directions, 2025 expand the country's two-factor authentication framework beyond SMS OTP, requiring device-bound alternatives for domestic digital payment transactions over a transition period — coverage of the directive is summarised by Entrepreneur India and Corbado. The RBI's broader Master Direction on Cyber Resilience and Digital Payment Security Controls sets the surrounding posture for payment-system operators.
Read alongside, the regulatory direction is explicit: SMS OTP is no longer the only acceptable second factor for digital payments, and the system is being pushed toward device-bound, principle-based authentication mechanisms.
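As an added illustration (not code from the article, the RBI circular or the AmbiSecure platform), the following Python shows the kind of pre-dispatch gate a regulated entity could put in front of its OTP sender: it consults a revocation-list export and the number's last SIM re-issuance date and holds the SMS OTP when the number is revoked, blocked, or inside a cooling window. The CSV columns, the status vocabulary, the 7-day window constant and the sample numbers are all assumptions; the real DIP/MNRL interface is not described on this page.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Assumed window, mirroring the 7-day cooling period for re-issued SIMs cited above.
SIM_REISSUE_COOLING_DAYS = 7
# Constructed "as of" date for the sample run.
AS_OF = date(2025, 3, 10)


@dataclass(frozen=True)
class NumberRecord:
    msisdn: str
    status: str                        # "active" | "revoked" | "blocked" (assumed vocabulary)
    last_sim_reissue: Optional[date]   # None when never re-issued or unknown


@dataclass(frozen=True)
class Decision:
    send_sms_otp: bool
    reason: str
    step_up: bool = False              # route to a non-SMS factor / re-verify contact details


def parse_mnrl_export(text: str) -> Dict[str, NumberRecord]:
    """Parse a constructed CSV export. The columns are an assumption: the
    article does not describe the real DIP/MNRL interface."""
    records: Dict[str, NumberRecord] = {}
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get("last_sim_reissue") or "").strip()
        reissue = date.fromisoformat(raw) if raw else None
        msisdn = row["msisdn"].strip()
        records[msisdn] = NumberRecord(msisdn, row["status"].strip().lower(), reissue)
    return records


def gate_otp_dispatch(rec: Optional[NumberRecord], today: date) -> Decision:
    """Decide whether a plaintext SMS OTP may be sent to this number at all."""
    if rec is None:
        return Decision(True, "no MNRL record; no negative signal")
    if rec.status == "revoked":
        return Decision(False, "number on revocation list; re-verify customer contact", step_up=True)
    if rec.status == "blocked":
        return Decision(False, "number blocked by operator", step_up=True)
    if rec.last_sim_reissue is not None:
        age_days = (today - rec.last_sim_reissue).days
        if age_days < 0:
            return Decision(False, "re-issue date in the future; data inconsistency", step_up=True)
        if age_days < SIM_REISSUE_COOLING_DAYS:
            return Decision(False, f"SIM re-issued {age_days} day(s) ago, inside cooling window",
                            step_up=True)
    return Decision(True, "no revocation, block or recent SIM change")


# Constructed sample export: fictitious numbers, not real MNRL data.
SAMPLE_MNRL_CSV = """msisdn,status,last_sim_reissue
919800000001,active,
919800000002,revoked,
919800000003,active,2025-03-07
919800000004,active,2025-01-15
919800000005,blocked,
"""


def decide_all(csv_text: str, today: date) -> Dict[str, Decision]:
    records = parse_mnrl_export(csv_text)
    return {m: gate_otp_dispatch(records.get(m), today) for m in sorted(records)}


def sample_decisions() -> Dict[str, Decision]:
    return decide_all(SAMPLE_MNRL_CSV, AS_OF)


if __name__ == "__main__":
    for msisdn, d in sample_decisions().items():
        print(msisdn, "SEND" if d.send_sms_otp else "HOLD", "-", d.reason)
```

The gate only decides whether a plaintext code may leave the institution; a "HOLD" with `step_up` set is the cue to fall back to a device-bound factor rather than to retry SMS.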
CERT-In — advisories on inbox-reading and OTP-stealing malware
The Indian Computer Emergency Response Team has issued a series of public advisories over the past several years on Android malware families targeting Indian bank customers, including SMS-permission abuse, banking trojans, and clipboard-monitoring patterns. The advisories typically describe the indicators of compromise, the permissions to scrutinise, and remediation guidance for end-users and institutions.
The Structural Limitation of Plaintext OTP
Every one of the patterns above shares a single structural property: the authentication secret becomes visible plaintext on the user's device at some point in the flow. From that moment, the security of the authentication is no longer a property of the protocol — it is a property of every actor and every piece of software that can observe the user's messaging surface.
This is not a problem of SMS delivery, and tightening SMS delivery does not solve it. The DLT framework, sender-ID hygiene, and SMS traceability address an important but distinct surface — they make it harder for fraudulent SMS to reach inboxes. They do not change what happens once a legitimate OTP, sent by a legitimate sender, arrives on a phone where:
- An accessibility-permitted "screen reader" application is running
- A previously installed banking trojan is monitoring the inbox
- A remote-support tool is mirroring the screen to an attacker
- A notification-listener is forwarding lock-screen previews
- The user themselves can be persuaded to read the code aloud
For an authentication flow that anchors transactions worth hundreds of crores per day, the device messaging inbox is the wrong place for the secret to be.
Architecture Shift: Inbox-Less Secure Authentication
The architectural direction the AmbiSecure SIM-Auth Platform is developing takes the secret out of the inbox entirely.
Instead of placing an OTP as readable plaintext in the user's messaging app, the relying party (bank, fintech, government service, enterprise), the operator's infrastructure, the SIM/eSIM secure identity layer on the device, and the AmbiSecure platform participate in an authenticated flow where the authentication value is processed within the tamper-resistant secure-element boundary already present on the SIM/eSIM. The transaction can be authorised without surfacing a plaintext code that malware, social engineering, or notification-readers can harvest.
The trust anchor — the SIM/eSIM — is already deployed at national scale, already recognised by operator infrastructure, and already engineered for tamper-resistance under widely accepted secure-element standards. What changes is where in the flow the authentication is processed, not whether the operator is involved. The operator's infrastructure is part of the trust model, not a transport medium that is bypassed.
The specific implementation details — the protocol design, applet behaviour, key custody, and the operator-collaboration mechanics — are deliberately not the subject of this public article. The substantive design work is intended to be done with operator engineering and security teams, inside operator-controlled environments, on operator terms. For the public-facing architecture overview, see the SIM-based authentication architecture page.
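The following Python is an added model of the structural point made in the two sections above; it is not AmbiSecure's protocol (which the article deliberately does not publish) and not the platform's code. It contrasts an SMS-OTP flow, where the secret itself is written to the messaging surface, with a generic challenge-response flow in which a device-held key answers over the exact transaction and nothing secret ever reaches the inbox. The `DeviceInbox`, `SecureElement` and both relying-party classes, the HMAC construction and the sample transactions are all constructed for illustration.

```python
import hashlib
import hmac
import json
import re
import secrets
from typing import Dict, List, Optional


class DeviceInbox:
    """Constructed stand-in for the handset messaging surface. Everything here is
    visible to the user, to SMS/accessibility-permitted apps, to notification
    listeners and to anyone mirroring the screen."""
    def __init__(self) -> None:
        self.messages: List[str] = []


# ---- Flow A: SMS OTP. The secret itself is written to the inbox. -------------
class SmsOtpRelyingParty:
    def __init__(self, inbox: DeviceInbox) -> None:
        self.inbox, self._pending = inbox, {}

    def begin(self, txn: dict) -> None:
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn["id"]] = otp
        self.inbox.messages.append(f"OTP {otp} for Rs {txn['amount']} to {txn['payee']}")

    def complete(self, txn_id: str, otp: str) -> bool:
        return hmac.compare_digest(self._pending.pop(txn_id, ""), otp)


def observer_reads_code(inbox: DeviceInbox) -> Optional[str]:
    """Any inbox observer named in the article: trojan, notification listener,
    screen-share viewer, or a persuaded user reading the code aloud."""
    m = re.search(r"OTP (\d{6})", inbox.messages[-1]) if inbox.messages else None
    return m.group(1) if m else None


# ---- Flow B: response computed inside a key boundary, bound to the transaction.
def _bind(challenge: bytes, txn: dict) -> bytes:
    return challenge + json.dumps(txn, sort_keys=True).encode()


class SecureElement:
    """Models a device-bound key that never leaves its boundary; callers only get
    a response over the transaction they present. (This toy does not model an
    attacker who controls the handset session itself, e.g. via remote access.)"""
    def __init__(self, key: bytes) -> None:
        self.__key = key

    def respond(self, challenge: bytes, txn: dict) -> str:
        return hmac.new(self.__key, _bind(challenge, txn), hashlib.sha256).hexdigest()


class ChallengeResponseRelyingParty:
    def __init__(self, inbox: DeviceInbox, device_key: bytes) -> None:
        self.inbox, self._key, self._pending = inbox, device_key, {}

    def begin(self, txn: dict) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[txn["id"]] = (challenge, txn)
        self.inbox.messages.append(f"Approve Rs {txn['amount']} to {txn['payee']}?")  # no secret
        return challenge

    def complete(self, txn_id: str, response: str) -> bool:
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False
        challenge, txn = entry
        expected = hmac.new(self._key, _bind(challenge, txn), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def run_comparison() -> Dict[str, bool]:
    victim_txn = {"id": "t1", "amount": 500, "payee": "grocer@upi"}     # constructed
    attacker_txn = {"id": "t2", "amount": 90000, "payee": "mule@upi"}   # constructed
    results: Dict[str, bool] = {}
    # Flow A: a transfer is started against the victim's account; the OTP lands in
    # the victim's inbox; whoever can see the inbox can finish it.
    inbox_a = DeviceInbox(); rp_a = SmsOtpRelyingParty(inbox_a)
    rp_a.begin(attacker_txn)
    results["sms_otp_observer_completes_txn"] = rp_a.complete("t2", observer_reads_code(inbox_a) or "")
    # Flow B: the inbox carries only the approval prompt, so there is no code to relay.
    key = secrets.token_bytes(32); se = SecureElement(key)
    inbox_b = DeviceInbox(); rp_b = ChallengeResponseRelyingParty(inbox_b, key)
    ch1 = rp_b.begin(victim_txn)
    results["legit_user_approves_own_txn"] = rp_b.complete("t1", se.respond(ch1, victim_txn))
    rp_b.begin(attacker_txn)
    results["observer_finds_code_in_inbox"] = observer_reads_code(inbox_b) is not None
    # Even a response captured from the victim's earlier approval is bound to t1, not t2.
    results["replayed_response_approves_attacker_txn"] = rp_b.complete("t2", se.respond(ch1, victim_txn))
    return results
```

The four flags show the difference the article argues for: in flow A the observer's read of the inbox is sufficient to complete the transfer, while in flow B the inbox contains nothing secret and a captured response is useless against any other transaction.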
How the AmbiSecure Direction Helps
The architecture addresses the structural weakness — plaintext authentication value on the device messaging surface — rather than treating individual fraud patterns in isolation. The expected outcome is a material reduction in OTP-linked fraud exposure, achieved by changing where the authentication is processed, not by tightening the surface around which the fraud has organised.
- Materially reduced plaintext exposure. The OTP value does not need to be present as readable SMS text on the device. Inbox-reading malware, notification-listeners, screen-sharing observers, and OTP-forwarding apps no longer see a code to harvest.
- Structurally stronger trust boundary. Compared with the SMS-OTP model, where the authentication value traverses an unprotected user-visible surface, the SIM/eSIM-rooted flow places it inside a tamper-resistant secure-element boundary already engineered to operator-grade cryptographic standards.
- Operator-integrated architecture. Operator infrastructure participates in the trust model. The architecture is built to be exercised inside operator sandboxes, with operator-set boundaries and observability.
- Standards-aware substrate. The direction is grounded in widely accepted substrates — eUICC remote SIM provisioning, SIM-resident applet conventions, and operator-controlled identity binding.
- India-localised infrastructure path. A telecom-integrated authentication trust layer is most valuable when built and operated locally, in collaboration with Indian operators and ecosystem participants.
The engineering substrate behind this work has carried identity and trust products through to public deployment before, with active engagement across European, African, and Middle Eastern markets in adjacent identity and infrastructure domains and discussions underway in additional regions. The Indian deployment is intended to be developed locally, with Indian operators and ecosystem partners, against India's specific authentication scale and regulatory environment.
Social engineering, mule networks, and ecosystem hygiene remain ongoing work across the system. What the architecture removes is the specific, structural availability of an authentication secret as readable text on the user's device — the surface that the public record has shown to be the operative weakness.
Why Telecom Operators Should Care
For Airtel, Jio, Vi, and BSNL, the conversation is no longer just about reducing OTP-related abuse of operator infrastructure. It is about whether the operator's role in digital trust is that of a delivery medium or a trust provider.
- Enterprise authentication is a B2B opportunity. Banks, fintechs, NBFCs, exchanges, and government services authenticate billions of transactions a month. A telecom-integrated authentication layer positions the operator as part of that trust, not as a bystander.
- Customer-security differentiation. An operator that visibly modernises authentication trust for its retail and enterprise customers differentiates on a dimension that already drives procurement.
- Reduced OTP-fraud surface on operator infrastructure. Lifting authentication out of the SMS-inbox plane reduces the volume of fraud-driven traffic, complaints, and customer-support load that currently flows through SMS channels.
- Sovereign-infrastructure positioning. A SIM/eSIM-rooted authentication layer, designed and operated in India, is the kind of infrastructure-scale capability that is most valuable when it is local.
Why Regulators Should Care
For TRAI, TEC, DoT, and the broader policy ecosystem, the question is whether the country's authentication infrastructure evolves in a way that is standards-aligned, telecom-respectful, and consumer-protective — or stays anchored to a surface (plaintext SMS) that the public record has made harder to defend.
- Authentication resilience at infrastructure scale. An architecture that does not depend on a plaintext value reaching the user's messaging inbox is structurally more resilient to the recurring fraud patterns documented across RBI, DoT, and CERT-In advisories.
- Consistency with the RBI's direction. The RBI's 2025 authentication directions explicitly push the system beyond SMS OTP. A SIM/eSIM-rooted authentication layer is one of the architecturally credible directions that satisfies that brief while preserving the established mobile-number identity model that Indian users already trust.
- Standards-aligned innovation. The architecture is designed against widely accepted substrates (eUICC RSP, SIM-resident applets, operator-controlled identity binding) — not against bespoke or non-standard interfaces.
- Consumer protection. Reducing the surface on which a plaintext OTP can be read, forwarded, screenshotted, or socially engineered is a direct contribution to consumer-protection outcomes that the regulatory framework already prioritises.
Why Banks, Fintechs, and Government Systems Should Care
- Direct exposure to OTP fraud loss. Banks and fintechs absorb the bulk of OTP-related fraud loss. Reducing the inbox-level visibility of the authentication value reduces the surface most cleanly aligned with the fraud patterns documented in the RBI's reporting.
- Stronger audit story behind "the customer authenticated". Authentication processed inside the SIM/eSIM trust boundary has a stronger audit narrative than "an SMS reached a phone".
- Citizen-scale identity flows. Government identity, citizen-service authentication, and benefits-disbursement systems all rely on phone-number-as-identity. An architecture that strengthens authentication at the SIM/eSIM layer respects that identity model while modernising the trust underneath it.
- Regulated authentication readiness. An architecture aligned with the RBI's direction toward device-bound authentication is one less compliance bridge to build later.
Boundaries Worth Stating Plainly
A few things are worth saying directly so the framing of this article is unambiguous:
- The regulatory references in this article are descriptive — they describe the published direction of RBI, TRAI, DoT, TEC, and CERT-In. They do not represent endorsement of, certification of, or approval for the AmbiSecure architecture by any regulator.
- The architecture depends on operator infrastructure as substrate. It is not a path around operator systems, and is not designed to be exercised outside operator-controlled environments.
- The architecture is not a replacement for the broader fraud-mitigation ecosystem. Mule-account detection, KYC discipline, customer education, and consumer-protection mechanisms remain essential alongside any change to the authentication layer.
Frequently Asked Questions
Why are SMS-delivered OTPs structurally vulnerable?
An SMS OTP arrives as plaintext in the device messaging inbox — visible to the user, visible to applications that hold SMS or accessibility permissions, and reachable by anyone who can persuade the user to read or forward the code. The authentication secret traverses a surface that was never designed to be a security boundary.
What is SIM-swap fraud?
SIM-swap fraud is the issuance of a duplicate SIM for a victim's mobile number — typically through social engineering of the operator's KYC process or compromised retail outlets — followed by interception of the OTPs and account-recovery messages now routed to the attacker's SIM. India's NCRP logged over 90,000 SIM-swap complaints in 2024 per publicly reported figures.
Can malware really read OTP messages from the inbox?
Yes. A large-scale campaign identified by security researchers documented over 107,000 malicious Android applications between 2022 and 2024 designed to intercept incoming SMS messages and exfiltrate OTPs, with India among the most-affected countries. Any application granted SMS or accessibility permissions on a device can in principle read inbox content.
What is the RBI doing about it?
The RBI issued circular RBI/2024-25/105 in January 2025 directing regulated entities to use the Mobile Number Revocation List on the Digital Intelligence Platform to keep customer-mobile-number databases clean. The RBI Authentication Directions, 2025 explicitly extend two-factor authentication beyond SMS OTP toward device-bound alternatives for domestic digital payment transactions.
How does SIM/eSIM-based authentication differ from SMS OTP?
Authentication is processed within the tamper-resistant secure-element boundary on the SIM or eSIM — a layer already engineered to operator-grade cryptographic standards — rather than delivered as a plaintext code in the device's messaging inbox. The result is materially stronger structural security against the inbox-reading, screen-share, OTP-forwarding, and notification-listening patterns the SMS-OTP model exposes. The relying party, operator infrastructure, and SIM/eSIM secure identity layer participate in an authenticated flow without surfacing a plaintext value on the user's screen for malware or social engineering to harvest.
Does AmbiSecure replace telecom operators?
No. The architecture depends on operator infrastructure — connectivity, identity binding, and signalling — as substrate. The operator becomes part of the trust model, not a delivery medium that is bypassed. Every step is designed to be exercised inside operator-controlled environments, on operator terms.
Conclusion
The case for evolving India's authentication infrastructure beyond plaintext SMS OTP is not a vendor claim. It is reflected in the public direction of the RBI, in the work TRAI has done on commercial-communication hygiene and SMS traceability, in the SIM-swap and inbox-malware patterns that DoT and CERT-In have responded to, and in the documented growth of OTP-linked fraud across the banking and UPI surfaces.
The AmbiSecure SIM-Auth Platform is developing a telecom-compatible, standards-aware, operator-collaborative architecture that moves authentication trust closer to the SIM/eSIM identity layer — and out of the device messaging inbox. The work is intended to be done with telecom operators, banks, regulators, and enterprise security teams, inside operator-controlled environments. The Indian deployment is the focus; the engineering substrate behind it is the same team that has carried identity and trust products through to public release in adjacent markets.
We'd welcome the conversation.
Sources
- TRAI — Regulation text (Gazette of India, Feb 2025)
- ThePrint — India's new SMS traceability framework goes live (11 Dec 2024)
- IndiaLaw — Key highlights of RBI circular RBI/2024-25/105 on financial frauds via voice calls and SMS
- TeamLease RegTech — RBI Prevention of Financial Frauds notification
- Entrepreneur India — RBI rules moving beyond SMS-based OTPs
- Corbado — RBI 2FA directives explained
- KPMG — RBI Master Direction on Cyber Resilience and Digital Payment Security Controls
- BusinessToday — Digital payment frauds surge per RBI annual report FY24
- PYMNTS — Online payment fraud in India surges ~400% YoY (RBI data)
- Business Standard — LocalCircles survey: 1 in 5 UPI users faced fraud
- Business Standard — Mumbai SIM-swap fraud case (₹7.5 cr)
- Deccan Herald — Delhi advocate SIM-swap case
- Axis Bank — SIM-swap fraud customer advisory
- Sanchar Saathi — Department of Telecommunications portal
- PIB — Sanchar Saathi press note
- Business Standard — DoT disconnects 3.9 mn connections via Sanchar Saathi
- The Hacker News — 100K+ malicious Android apps stealing OTP codes
- SecurityWeek — Massive OTP-stealing Android malware campaign
- CERT-In — Indian Computer Emergency Response Team (advisories portal)