The Growing Threat of OTP Scams: How to stay safe

Let me share a story that will hit home for many, particularly seniors. Sunil, my neighbour,a retired bank manager who stepped down in 2019, received a call one afternoon from someone claiming to be from his bank. The caller was convincing, even addressing Sunil by name and knowing some of his account details. The conversation turned personal as the caller talked about Sunil’s old colleagues, regretting that he couldn't attend Sunil’s farewell function. He also inquired about Sunil’s son in New Zealand and his daughter in Delhi, which put Sunil at ease.

After building this rapport, the caller mentioned needing Sunil's OTP (One-Time Password) to verify a routine transaction. Trusting the familiar tone and seemingly genuine knowledge, Sunil shared the OTP without a second thought. Moments later, a notification arrived on Sunil's phone—?50,000 had been withdrawn from his account. In a matter of minutes, Sunil became the victim of OTP fraud.

Unfortunately, Sunil's story isn't unique. Scammers are becoming increasingly sophisticated, preying on trust, especially among senior citizens, to carry out fraud. In a world where digital transactions are now the norm, seniors often find themselves vulnerable, as they may not be as familiar with the latest scams and tech tricks.

What Is OTP Fraud?

An OTP, or One-Time Password, is meant to add a layer of security to your online transactions. It's a temporary code sent by your bank or service provider to your registered mobile number or email to authenticate actions like transferring money or logging into your account. The idea is simple: you get the OTP, enter it, and you're good to go. But when scammers manage to get hold of that OTP, they can access your bank account or other sensitive information, leading to financial and data loss.

How do scamsters get your OTP?

Scammers have a range of tricks up their sleeves, and here are some of the most common ways they get you to share your OTP:

?1. Phishing Calls: They pretend to be someone you trust, like a bank employee, asking for your OTP to "verify" a transaction or update your KYC (Know Your Customer) details.

?2. Fake Websites and Links: Fraudsters may create a fake version of your bank's website or a popular shopping platform. When you enter your details, including the OTP, it goes straight to them.

3. Social Engineering: They might gain your trust through friendly or official-sounding conversations. Once you're comfortable, they ask for the OTP, claiming it’s needed to "help" you with an order or service.

?4. Malware Links: Scammers send messages with malicious links. If you click on one, it can infect your device and steal your OTPs as they come in.

Real-life example: The ride-hailing scam

In one notorious case in India, scammers called unsuspecting users posing as ride-hailing company representatives. They claimed there was an issue with a booking and asked for the OTP sent to cancel the ride. Many victims, thinking they were helping resolve an issue, shared their OTP, only to have their accounts used to make fraudulent rides and transactions.

Another example involved fraudsters posing as food delivery agents. They would call, claim the order was on its way, and ask for an OTP to confirm the delivery. But instead of confirming anything, the scammers would use the OTP to drain the victim's bank account.

Can we combine bank and non-bank OTPs?

Now, some of you may wonder if it's safe to aggregate all your OTPs—whether for banking, shopping, or social media—into one convenient app. The short answer is no. While it might sound convenient, aggregating your bank OTPs with others increases your risk. If one app is compromised, hackers could gain access to everything—your bank, social media accounts, and shopping profiles. It's like handing over all your house keys in one go!

?Always keep your banking OTPs separate. It may require a little extra effort, but it dramatically reduces the chances of falling victim to fraud. Consider using a password manager or secure OTP generators provided by banks, but keep each service compartmentalized. While this adds an extra step in your daily routine, it’s a small price to pay for peace of mind.

Fraudsters’ tricks: How do they do It?

Fraudsters are clever and have found several ways to deceive people into sharing their OTPs. Here’s a look at some of their common tactics:

- Fake Identity: Fraudsters often impersonate bank officials, government agencies, or companies, claiming they need your OTP for verification, updating KYC, or processing an order.

?- Free Gifts/Discounts: Scammers offer fake promotions or deals, tricking you into thinking you’ve won something. They ask for your OTP to “claim” the prize, but instead, they’re stealing your information.

- Credit Limit Enhancements or Easy Loans: They convince people to share their OTP by offering tempting financial deals like easy loans or increasing credit card limits.

?- KYC Fraud: Seniors, in particular, are vulnerable to KYC (Know Your Customer) fraud. Scammers pretend to be bank representatives asking to "update" your KYC details and insist on getting your OTP to complete the process. Once you share it, the fraud is done.

How can seniors protect themselves?

Now that we know how scammers operate, let's talk about prevention. Here’s a checklist of simple, practical steps seniors can take to stay safe:

1. Never Share Your OTP: No legitimate company or bank will ever ask you for your OTP. If someone does, it’s a red flag. Hang up immediately!

?2. Verify the Source: If you receive a suspicious call or message, don’t take it at face value. Always verify by calling your bank or service provider directly using their official number.

?3. Avoid Clicking on Random Links: Don’t click on links sent via text or email unless you're 100% sure they’re from a trusted source. These links can contain malware that steals your data.

?4. Two-Factor Authentication (2FA): For non-banking services, always enable 2FA for added security. It requires both a password and an OTP, giving you an extra layer of protection.

?5. Use Official Apps and Websites: For any banking or sensitive transactions, always use official apps or websites. Don’t rely on links sent via messages.

?6. Be Wary of Apps Asking for Unnecessary Permissions: Avoid downloading apps that request excessive permissions, like screen-sharing apps (e.g., AnyDesk or TeamViewer). These can give scammers direct access to your phone.

?7. Monitor Your Accounts Regularly: Keep an eye on your messages and bank statements. If an OTP is generated without your knowledge, act fast and inform your bank immediately.

?8. Dispose of Sensitive Documents Carefully: Ensure that old passbooks, cheque books, or Aadhar cards are disposed of properly. Never share photocopies with strangers.

?9. Use Strong Security Software: Keep your devices safe by installing reputable antivirus and security software to block malware and hacking attempts.

Should Governments and Telecom providers step in?

Absolutely. While individual vigilance is crucial, there's much that governments and telecom providers can do to prevent OTP fraud. Governments can introduce stricter regulations requiring service providers to implement stronger authentication measures. For instance, multi-layer OTP systems could include biometric verification or voice recognition to ensure the person entering the OTP is the legitimate account holder.

?Telecom providers should also improve fraud detection systems by flagging unusual activity and sending alerts to users when suspicious transactions are detected. Additionally, telecom companies can collaborate with banks to implement more secure ways of delivering OTPs, such as encrypted messages or time-limited codes that expire after a few seconds.

A final thought: Stay alert and trust Your gut

Seniors, like Sunil in our story, are increasingly targeted by fraudsters who prey on trust and lack of familiarity with digital systems. But by staying informed, cautious, and alert, you can avoid falling victim to these scams. Remember, your OTP is the key to your bank account—treat it like gold, and don’t share it with anyone.

The world of digital transactions is filled with convenience, but it’s also full of risks. With a little extra care and awareness, you can keep your money and data safe from the growing threat of OTP fraud.