What is the Amazon delivery OTP and who is supposed to see it?

For certain shipments — typically higher-value items — Amazon India sends the buyer a one-time password before delivery. The OTP appears in your Amazon app and by SMS. Its only purpose is to confirm handover: you speak it to the delivery agent at your door, at the moment they hand you your parcel, and the agent enters it to mark the delivery complete. That is the entire legitimate flow. The OTP is never required over a phone call, never needed to cancel or reschedule an order, and never requested by Amazon customer service. Anyone asking you to read out an OTP over the phone — whatever the stated reason — is running a scam.

How does the 'your order is being cancelled' OTP call work?

The caller claims to be from Amazon or its courier partner and says there is a problem with your order — wrong address, payment failure, or a cancellation you supposedly requested. To 'process the cancellation' they ask you to read out the OTP that has just arrived on your phone. The OTP they are asking for is not a delivery OTP at all. It is usually a login or password-reset OTP for your own Amazon account, triggered by the scammer entering your email or phone number on the sign-in page while they keep you on the line. Read it out and they take over the account — saved cards, addresses, and the ability to place orders. In another variant, the OTP confirms delivery of a cash-on-delivery parcel ordered to your address as part of a fraud chain. Either way, the rule is the same: an OTP spoken over a phone call only ever benefits the caller.

A courier delivered a COD parcel I never ordered. Is that a scam?

Treat it as one. The pattern: a parcel arrives addressed to you, cash-on-delivery, for a few hundred rupees. If you pay (many people do, assuming a family member ordered it), the follow-up call comes a day later — 'that parcel was sent by mistake, we will refund you, please approve the request in your UPI app or share the OTP'. The refund step is the actual scam: the UPI collect request takes money out of your account, and the OTP hands over an account. The defence is simple: refuse any COD parcel you cannot match to an order in your own app, and if you already paid, treat the money as the cost of the parcel — never engage with an unsolicited 'refund' call afterwards.

I read out an OTP to a caller. What should I do right now?

Act within minutes. First, open the Amazon app and change your password immediately, then go to Your Account → Login & Security and sign out all other devices. Check Your Orders for anything you did not place and Your Payments for saved cards. Second, if money left a bank account or UPI wallet, call 1930 — the national cyber-financial-fraud helpline — and file at cybercrime.gov.in; same-day reporting gives the best chance of freezing the receiving account. Third, report the caller's number through the Chakshu facility on sancharsaathi.gov.in so the SIM can be traced and blocked. Keep screenshots of the SMS, the call log, and any transactions — you will need them for the complaint.

Amazon Delivery OTP Scam in India 2026: Why You Never Read an OTP Over the Phone

Published: 10 June 2026 • 9 min read • By ScanTotal Security Team

Last reviewed: 10 June 2026 by Kumari Rajapaksha — Founder, ScanTotal

You ordered a phone case on Amazon three days ago. This morning your phone rings: a polite voice says he’s calling from the Amazon delivery team, your parcel is out for delivery, but there’s a problem with the address. To fix it — or cancel the order, or reschedule, the story varies — he just needs the OTP that has been sent to your phone. And right on cue, an SMS arrives with a six-digit code. It all lines up: you really do have an order, the SMS really is from Amazon, the caller knew before the message landed. You read out the code.

Here’s what actually happened. The caller was on the Amazon sign-in page with your phone number typed in. The SMS was a login OTP for your own account. By reading it out, you walked him through your front door — saved cards, delivery addresses, order history, and the ability to buy whatever he wants before you can react.

The delivery OTP scam is one of the fastest-growing phone frauds in India because it borrows credibility from a real Amazon security feature that most shoppers have used but few fully understand. This guide explains how the genuine delivery OTP works, walks through the three scam variants built on top of it, and gives you the three signals that catch every one of them.

How the real delivery OTP works

For certain shipments — typically higher-value items — Amazon India adds a one-time password step to delivery. Before the parcel arrives, the OTP appears in your Amazon app (under Your Orders → Track package) and by SMS. When the delivery agent reaches your door, you tell them the code in person, they enter it in their device, and the delivery is marked complete. It protects both sides: parcels can’t be marked “delivered” without reaching you, and agents can’t be blamed for parcels they genuinely handed over.

That is the entire legitimate use of a delivery OTP. Note what’s absent from it:

No phone call is ever part of the flow. The OTP is spoken face-to-face at your door, to a person holding your parcel.
The OTP is never needed to cancel, reschedule, or verify anything. Cancellations happen in the app with no code at all.
Amazon customer service never asks for it. They can see your order status without it.

Every scam variant below works by inventing a reason for the OTP to travel over a phone call. The moment a code leaves your mouth on a call, it’s doing something other than confirming a delivery.

The three variants of the scam in 2026

Variant 1 — the order-problem call. The most common, and the one in the opening. The caller knows you have an order in transit (sometimes from a leaked courier datasheet, sometimes by guessing — tens of millions of parcels move daily, so “your Amazon order has an address problem” lands on someone with a live order more often than you’d think). The “fix” requires the OTP just sent to your phone. That OTP is a login or password-reset code for your own account, triggered by the scammer in real time. Read it out and the account is theirs.

Caller: Sir, your parcel is on hold at our Gurgaon facility due to an address mismatch. I am generating a verification code now — please confirm it so we can release the delivery today itself. [SMS arrives: "123456 is your OTP for Amazon login. Do not share with anyone."]

Read the SMS the scammer is racing past. It says login. It says do not share. The scam depends entirely on you hearing the caller’s story instead of reading the message in your own hand.

Variant 2 — the COD parcel you never ordered. A courier arrives with a cash-on-delivery parcel addressed to you — usually a cheap item, billed at ₹299–₹999. Many people pay, assuming someone in the family ordered it. The real play comes the next day: a call apologising for the “wrongly dispatched” parcel and offering a refund. The refund is processed through a UPI collect request (you approve it and money leaves your account — the same mechanics as the PhonePe collect-request scam) or through an OTP that opens an account somewhere. The parcel was the bait; the refund call is the scam.

Variant 3 — the failed-delivery SMS with a link. No call at all this time: an SMS claims your delivery failed and asks you to “reschedule” through a link, usually with a token fee of ₹5–₹50. The link leads to a card-harvesting page dressed up in Amazon’s colours. The fee is irrelevant — the page exists to capture your full card details, and the small amount keeps your guard down. Amazon redelivery is free and arranged inside the app; no legitimate courier charges a rescheduling fee by SMS link.

Why the SMS looks real: the fake delivery texts often arrive in the same thread as genuine Amazon messages, because sender IDs can be spoofed or because the scammer uses a lookalike DLT header. Never judge an SMS by which thread it lands in — judge it by what it asks you to do.

The three signals that catch every variant

1The delivery OTP is spoken face-to-face, or not at all

There is exactly one legitimate audience for a delivery OTP: the delivery agent physically standing at your door, holding your parcel. Not a caller. Not a WhatsApp message. Not a “verification desk”. If anyone asks for an OTP through any channel other than in-person handover, the answer is no — and you don’t need to be polite about it.

2Read the OTP message itself, not the caller’s story

Every OTP SMS states what it is for: “your OTP for Amazon login”, “your password reset code”, “OTP for payment of ₹X”. The scammer’s script is designed to keep you listening to them instead of reading the message. Make it a hard rule: before any OTP goes anywhere, read the full SMS aloud to yourself. If the purpose in the message doesn’t match the purpose in the caller’s story — and in a scam it never does — hang up.

3Verify in the app, never on the call

Every real order problem is visible in Your Orders in the Amazon app — address issues, delivery holds, cancellations, refunds, all of it. If a caller describes a problem the app doesn’t show, the problem doesn’t exist. Hang up, open the app, and check. Thirty seconds in Your Orders beats any amount of judgement about whether a voice “sounds genuine”.

If you’ve already shared an OTP

Change your Amazon password immediately — app → Your Account → Login & Security. Then use “Sign out everywhere” (or sign out all devices listed) so any session the scammer opened is killed.
Check Your Orders and Your Payments. Look for orders you didn’t place, gift card purchases, and new addresses. Report anything foreign through the app’s own “Report something suspicious” flow.
If money moved, call 1930 within the hour. The national cyber-financial-fraud helpline can in some cases freeze the receiving account if you report the same day. Follow up with a written complaint at cybercrime.gov.in.
If card details were entered on a link, block the card through your bank’s app or 24x7 hotline before anything else. A blocked card beats a disputed transaction.
Report the caller’s number through the Chakshu facility on sancharsaathi.gov.in — the Department of Telecommunications’ portal for reporting fraud calls and SMS. It feeds the SIM-blocking pipeline.
Preserve everything — the SMS, the call log, screenshots of any transactions. The complaint process will ask for them.

The respectful reality about Amazon and its delivery network

None of this is a failure of Amazon’s systems. The delivery OTP is a genuinely good security feature — it exists precisely because marking parcels “delivered” without proof created disputes for both customers and delivery agents. Amazon’s own guidance is consistent and clear: OTPs are for the doorstep, customer service never asks for them, and order issues are handled in the app.

What scammers exploit is the gap between using a feature and understanding it. Millions of people have read an OTP to a delivery agent at their door; the scam call simply moves that familiar ritual onto the phone, where it means something completely different. The same playbook targets Flipkart, Myntra, and every courier brand in India — the brand name changes, the OTP mechanics don’t.

Three rules cover all of it: the delivery OTP is for the doorstep only, read the OTP message before the caller’s story, and verify every “order problem” in the app. None of them require you to out-argue a professional script-reader — they just require you to hang up first and check second.

Got a “delivery failed” SMS with a link?

Paste the link into ScanTotal first — we’ll tell you whether the domain is really Amazon or an impersonation.

Open URL Scanner