Aadhaar Phishing in 2026: How the Scams Work and How to Protect Yourself

Published: 4 May 2026 9 min read By ScanTotal Security Team
Last reviewed: 4 May 2026 by Kumari Rajapaksha, Founder, ScanTotal

Aadhaar is in nearly every Indian wallet, on nearly every Indian phone, and tied to nearly every Indian bank account. That ubiquity is its strength, one digital identity for every public service from rations to subsidies to PAN linkage, but it is also exactly what makes it a phishing target. Every scammer in the country knows that an Indian receiving an “Aadhaar” SMS reads it twice. Most of the time, anxiety wins.

This guide walks through the four shapes Aadhaar phishing actually takes in 2026, the specific signals that distinguish a legitimate UIDAI message from a scam, and a short, repeatable check you can do before you respond to anything Aadhaar-related.

The four scams you will actually see

1. Deactivation-threat SMS

Most common · usually arrives at month-end or quarter-end
UIDAI: Your Aadhaar is blocked due to incomplete KYC. Re-activate within 24 hours to avoid permanent suspension. Click: http://uidai-reactivate-in.xyz/verify -UIDAI

The pressure tactic is “24 hours” or “today”, and the link is always to a domain that looks like a UIDAI subdomain but is actually unrelated. Real UIDAI never sends links and never threatens deactivation in 24 hours. The actual UIDAI policy on Aadhaar status changes is communicated through enrolment centres or the official portal, never through pay-as-you-go SMS gateways with TLDs like .xyz, .online, or .in-with-misspellings.

2. The fake UIDAI website

Often the destination of scam #1 and scam #3

Type “uidai login” into a search engine and you will see the real uidai.gov.in at the top, but you will also see paid ads from sites with names like uidai-online.com or aadhaar-portal.in. Some of these are pure phishing pages that capture your Aadhaar number and OTP; others are intermediary sites that “help” you book an appointment in exchange for fees that UIDAI does not charge.

The legitimate UIDAI portal is exactly one URL: uidai.gov.in. Anything else, even if it appears to mimic the design and branding faithfully, is unofficial. The .gov.in top-level domain is restricted to Indian government bodies and cannot be issued to anyone else.

3. The fake mAadhaar / Aadhaar Manager app

Distributed via WhatsApp forwards and APK download links

The official mAadhaar app is published by “Unique Identification Authority of India” on Google Play and Apple App Store. Clones with names like “Aadhaar Manager”, “mAadhaar Plus”, or “Aadhaar Update Now” appear regularly, sometimes briefly on Play Store before being removed, more often as APK files distributed through links shared in WhatsApp groups or social-media DMs.

The clones do one of three things: silently capture the Aadhaar details and OTP you enter; install a remote-control component that lets the attacker drive the phone; or simply display ads while pretending to be useful. None of them improve on the official mAadhaar.

4. The OTP-relay phone call

Often follows scam #1 if the victim does not click

The pattern: a few hours after the SMS lands, the victim gets a phone call from someone claiming to be from UIDAI, NPCI, or their bank. The caller is calm, gives a fake employee ID, and says they noticed the SMS may have looked confusing, they will help “verify” the Aadhaar over the phone. They walk the victim through what looks like a legitimate process, ending with “you will receive an OTP, please read it out so I can confirm your linked phone is correct.”

The OTP is the one the attacker has triggered on a withdrawal or bank transfer. UIDAI, your bank, NPCI, and any genuine government agency will never ask you to read an OTP back over a phone call. There is no scenario where this is legitimate.

Three checks that catch all four scams

You do not need to remember the specifics of each scam pattern. The same three checks catch them all:

  1. Where did the message originate? A legitimate UIDAI SMS comes from headers like UIDAI-S, NDLAFE, or VK-UIDAIS. It never comes from a 10-digit mobile number. If you see a 10-digit sender, it is not UIDAI, full stop.
  2. Where does the link actually go? Long-press the link (don’t tap) to preview the URL. The destination must be exactly uidai.gov.in or a path under it. Anything else, .com, .in with misspellings, an IP address, a URL shortener, is fake. If you have any doubt, paste the link into ScanTotal first to see what the destination actually serves.
  3. Is the source asking for an OTP, password, biometric, or full Aadhaar number? Real UIDAI never asks for any of these via SMS, call, WhatsApp, or email. The presence of any “please share your OTP / Aadhaar / fingerprint to verify” request is conclusive evidence the message is a scam, regardless of how official it looks.

What to do if you have already shared something

If you typed your Aadhaar number into a fake site or shared an OTP, act in this order:

  • Lock your Aadhaar biometrics through the official UIDAI portal at uidai.gov.in → Aadhaar Services → Lock/Unlock Biometrics. This shuts down AePS withdrawals immediately.
  • Call your bank’s anti-fraud line (the number printed on the back of your debit card, not any number from a recent SMS or call). Ask them to flag the account, freeze AePS, and review recent transactions.
  • Report to cybercrime.gov.in, the National Cyber Crime Reporting Portal. For financial fraud, also call 1930, the national helpline for cyber-financial fraud, ideally within the first hour of realising it.
  • File an FIR if money has moved. The 1930 helpline can guide you to the right local cyber cell. Banks need an FIR copy to dispute transactions in many cases.
The first hour matters. Funds moved through AePS or UPI can sometimes be recalled if the receiving bank is alerted before the attacker withdraws or transfers further. The 1930 helpline exists precisely for this window.

The respectful reality about UIDAI itself

UIDAI publishes clear guidance on what it will and will not do. Legitimate UIDAI communications direct users to the .gov.in portal and never request credentials over uncontrolled channels. The agency runs awareness campaigns and provides locking and masking features that meaningfully reduce the risk of biometric-based fraud. The phishing problem is not a failure of UIDAI, it is the cost of being a trusted brand in a country where criminals will impersonate any trusted brand they can.

The same advice that protects against bank phishing protects against Aadhaar phishing: type the URL yourself, never share an OTP, never trust a 10-digit-number sender, and pause when something feels urgent. Most Aadhaar phishing relies on panic. The pause is the defence.

Got an Aadhaar SMS that looks suspicious?

Paste the link into ScanTotal first, we will tell you where it actually goes before you tap it.

Open URL Scanner

Check any file, link, or message

Free, private scanning across all six tools, no account required.

Open Scanner Read: UPI Scams in India

Sources & Further Reading

Related Articles

UPI Payment Scams in India
Collect-request tricks, fake KYC expiry, QR swap fraud explained.
How to Check If a Link Is Safe
A quick method anyone can follow before they click.
Is That Text Message a Scam?
How to identify smishing attacks across SMS platforms.