KYC Update Scam SMS in India: Real Examples and the Three Tells
If you bank in India, you have probably received the SMS at least once. It says your KYC has expired, your account will be blocked in 24 hours, and you need to click a link right now to update. The bank name varies, SBI today, HDFC tomorrow, ICICI next week, Axis the week after, but the script is identical, and the script works often enough that the people running it have not bothered to change it in years.
This post walks through what real KYC reminders actually look like, how the scam version differs in three specific ways, and what happens after you tap the link if you ever do. Names of banks are mentioned because the scams use them; this is a guide on how to tell the impersonations apart from the real thing, and we have nothing but respect for the actual banks involved, they are the targets, not the attackers.
The pattern
Three redacted real examples, drawn from samples submitted to ScanTotal over the past 30 days:
You can almost taste the formula. A real or near-real bank brand. A “deactivation”, “block”, or “suspension” threat. A 24-hour or “today” deadline. A link with a domain that, on inspection, has nothing to do with the bank.
Real bank notice vs scam notice, side by side
Real Bank SMS
Sender: 6-character header (e.g. VK-SBIINB, VM-HDFCBK, JD-ICICIB) registered under TRAI’s DLT framework.
Action: “Visit your nearest branch” or “Log in to the bank app to update.” No link.
Tone: Reminder. No deadline. No threat of immediate suspension.
Asks for: Nothing. You go to the bank yourself.
Scam SMS
Sender: 10-digit mobile number, or a non-DLT header.
Action: Tap a link to a non-bank domain.
Tone: Urgent. Today. 24 hours. Account will be blocked.
Asks for: Net-banking credentials, OTP, debit card details, sometimes “install AnyDesk so we can help you.”
The three tells
You do not need to remember the specifics of every bank’s real SMS format. These three tells, in order, identify every variant of this scam:
Tell #1, Sender is a 10-digit mobile number
Indian banks send transactional and promotional SMS through DLT-registered headers, never from regular mobile numbers. If your “HDFC” SMS arrives from a number like +91 98765 43210, it is not HDFC. The bank does not own that number. Real HDFC headers look like VM-HDFCBK, JD-HDFCBK, or JM-HDFCBK (the prefix varies by region/operator).
Tell #2, Link does not go to the bank’s real domain
Each bank has exactly one official domain (and sometimes a small number of related ones for specific services). For SBI it is onlinesbi.com (and sbi.co.in). For HDFC it is hdfcbank.com. For ICICI it is icicibank.com. The scam domains will use those words inside the URL but not as the actual hostname, e.g. sbi-yono-update.in is not SBI; the actual TLD ownership is whoever registered sbi-yono-update.in, not the State Bank of India.
If you can’t tell at a glance, paste the link into ScanTotal’s URL scanner and look at the Active Analysis output. A real bank URL will resolve to the bank’s production servers and have a long-established reputation. A scam URL will be flagged by either reputation, heuristics, or both.
Tell #3, Asks for OTP, password, or to install a remote-access app
This one is binary. No genuine bank, no genuine RBI process, and no genuine KYC procedure ever asks you to share an OTP over a link or call. No legitimate “KYC officer” will ask you to download AnyDesk, TeamViewer, QuickSupport, or any similar tool. RBI has issued specific public warnings against the remote-access variant of this scam.
If any of these requests appear, stop. Close the page or hang up the call. There is no scenario where the request is legitimate.
The remote-access twist (this is the dangerous one)
An evolving variant of the KYC scam in 2026 does not just want your password, it wants the phone. The flow:
- Victim taps the SMS link, enters net-banking credentials on a fake page.
- Scammer calls within minutes (using the phone number the victim entered earlier or already on file from a separate breach), claiming to be a “KYC officer”.
- Scammer says “the system is showing your update is incomplete, please install AnyDesk and share the access code so we can help.”
- Once AnyDesk is installed and the code shared, the scammer has full remote view and control of the phone.
- Scammer reads OTPs from the SMS app, opens the bank app, and transfers funds while the victim watches the screen, sometimes confused, sometimes already realising what is happening but unsure how to stop it.
The fix during this stage is to force the device offline: switch on aeroplane mode, or hold the power button until the phone shuts down. AnyDesk needs network connectivity to maintain control. Don’t try to navigate the AnyDesk uninstall flow while the attacker is watching, just kill the connection.
If you have already shared something
The first hour matters. In order:
- Call your bank’s official anti-fraud line (number on the back of your debit card). Ask for: account freeze, card block, reversal of any pending transactions.
- Call 1930, the national helpline for cyber-financial fraud. Funds moved through UPI or NEFT can sometimes be recalled if the receiving bank is alerted before withdrawal.
- File a complaint at cybercrime.gov.in. You will need an FIR for many bank dispute processes.
- Change net-banking and UPI PINs from a different device. If you installed AnyDesk or similar, do this after uninstalling and ideally after a full device reset.
- Monitor your account for the next 30 days, a small successful theft sometimes precedes a larger second attempt with the same compromised credentials.
Why this scam keeps working
The honest answer: KYC updates are a real RBI compliance requirement, and banks really do prompt customers periodically. The scam exists in the gap between “legitimate prompts exist” and “most people don’t know exactly what those prompts look like”. Closing that gap with the three tells above immunises you to the entire family of scams, not just the current variants but whatever the same crews iterate to next year.
The tells will not change. The 10-digit-sender, fake-domain, OTP-or-AnyDesk-request pattern is the scam’s structural signature. As long as you check those three things, you cannot be tricked by the SMS variant of this scam, only by entirely different scams that this article does not cover.
Got a KYC SMS that looks suspicious?
Paste the link into ScanTotal and we’ll show you exactly where it goes, before you tap.
Open URL Scanner