Aadhaar OTP Phishing — How to Stay Safe

Your Aadhaar number is linked to your bank account, your LPG connection, your PAN, your pension account, your ration card, your mobile SIM and — for most of us — a dozen other services. That is convenient. It is also exactly why scammers target Aadhaar-linked OTPs so aggressively.

In 2025 and early 2026, UIDAI and the RBI both flagged a significant rise in complaints around Aadhaar OTP phishing — SMS messages that impersonate UIDAI, banks or gas companies and trick seniors into sharing a one-time password. Once the OTP is shared, the scammer can authorise payments, change registered mobile numbers, or link your Aadhaar to services you did not intend.

This guide walks through the three Aadhaar scams most likely to hit your phone this week, and the two simple settings that stop 90% of them.

The golden rule

Before the scam patterns, the one rule that protects you:

UIDAI, your bank, your gas company, the Income Tax department, and LPG distributors will NEVER ask you for an OTP over a phone call, SMS, email or WhatsApp. EVER.

If anyone asks for your OTP, the conversation is over. Hang up. Delete the message. Block the number.

Scam 1 — "Your LPG / Electricity subsidy is pending"

You get an SMS that looks like this:

"Dear Customer, your LPG subsidy of ₹1,200 is pending due to Aadhaar mismatch. Please update by clicking [link] within 24 hours."

You click. A form appears that looks like a bank or oil-company page. It asks for your Aadhaar number, mobile number, and then the OTP that has just arrived on your phone.

The OTP is not from the scam site. It is a real OTP from your bank or from UIDAI, generated because the scammer has just tried to link your Aadhaar to a new bank account or initiate a transaction. The moment you share that OTP, the transaction goes through.

Protection:

Oil companies and electricity boards never threaten to cancel subsidy by SMS. Subsidies are processed automatically. Any delays can be checked by calling your distributor directly.
The sender ID on real SMS from HP/Indane/Bharat Gas is a branded short code (AD-IOCLGS, VK-HPGAS). A 10-digit mobile number is almost always a scam.

Scam 2 — The fake UIDAI "update" SMS

"Your Aadhaar will be deactivated in 48 hours. Click [link] to update." Variations include "KYC expiry," "biometric update required," or "link your mobile to avoid service denial."

Aadhaar is never deactivated by SMS or by a missed update. UIDAI's own policy is that Aadhaar remains active for life unless the holder specifically requests cancellation. Periodic updates — especially for Aadhaar enrolled over 10 years ago — are encouraged but entirely free, and are done only through one of three legitimate channels:

The mAadhaar app (download only from the Play Store or App Store — never from a link in SMS)
The official website uidai.gov.in
An authorised Aadhaar Seva Kendra — find one at bhuvan.nrsc.gov.in/aadhaar

Protection: Never click any link that claims to be from UIDAI. If you are genuinely due for an update, open the mAadhaar app directly from your home screen.

Scam 3 — The fake bank-call KYC update

A caller claims to be from your bank. They say your KYC has expired and needs an immediate update to avoid account freeze. They send an OTP to your phone and ask you to read it out "to verify your identity."

That OTP is, again, a real one — used on the scammer's end to authenticate a payment or an account change. The moment you say it aloud, your account is compromised.

Protection:

Banks will never ask you for an OTP over a call. Not even once. This is the easiest scam to recognise.
If you are unsure whether the call is real, tell the caller: "I will call the bank back on the official helpline." Then hang up and call the number printed on the back of your debit card. A real bank call will be accessible through that route.

Two settings that protect 90% of Aadhaar fraud

Setting 1 — Aadhaar Biometric Lock

UIDAI lets you "lock" your biometrics (fingerprint, iris). Once locked, no one — even with your Aadhaar number — can make a payment through AEPS (the Aadhaar-enabled payment system) or authenticate a transaction using your fingerprint.

How to enable:

Download mAadhaar from the Play Store or App Store (official — search "mAadhaar" and verify the publisher is "Unique Identification Authority of India")
Enter your Aadhaar number and verify with an OTP sent to your registered mobile
From the dashboard, tap Services → Biometric Lock/Unlock
Tap Lock Biometrics

You can unlock temporarily when needed for a specific service. The default should be Locked.

Setting 2 — Add your mobile to DND and verify registered number

Scammers target phone numbers they buy from data leaks. Having your number on Do-Not-Disturb registers (TRAI's DND service) reduces junk calls significantly.

Also, verify which mobile number is registered with Aadhaar — scammers sometimes try to change it. Go to myaadhaar.uidai.gov.in and check the masked mobile displayed. If it is not yours, visit an Aadhaar Seva Kendra immediately.

If you have already shared an OTP

Act immediately. The first 10 minutes matter.

Call your bank's fraud helpline — the number is on the back of your debit card and on the bank's home page. Ask them to freeze all transactions on your account.
Change your UPI PIN and login PIN inside your bank's UPI app.
Call 1930 — the national Cybercrime Helpline.
File at cybercrime.gov.in within 24 hours. This formalises the complaint and starts the bank-recovery process.
Change your mobile banking password from a different device (your laptop, a family member's phone).

The sooner the bank freezes the account, the more likely they can reverse the transaction before it settles.

Teach your family in 5 minutes

If you live with parents or grandparents, sit with them this weekend and:

Save 1947 in their phone as "UIDAI Helpline"
Save 1930 as "Cyber Helpline"
Save the bank's fraud number as "Bank Fraud"
Show them what a real UIDAI SMS looks like vs a fake
Explain the rule: "If anyone asks for OTP, hang up"

Frequently Asked Questions

What is Aadhaar OTP phishing?

It is a scam where criminals send fake SMS, calls or emails pretending to be UIDAI, your bank or a government department, tricking you into sharing a one-time password that has been genuinely sent to your phone — so they can complete a fraudulent transaction or account change on the other side.

Can scammers misuse my Aadhaar number alone?

An Aadhaar number by itself is not enough to drain your bank account. A scammer needs additional elements — OTP, biometric, or registered mobile access — to make a transaction. This is why the Biometric Lock inside mAadhaar and never sharing OTPs are the two critical defences.

How do I enable Aadhaar Biometric Lock?

Download the official mAadhaar app from the Play Store or App Store. Log in with your Aadhaar number and OTP. Go to Services → Biometric Lock/Unlock → tap Lock. The lock can be unlocked temporarily when needed.

What is UIDAI's official helpline?

1947 is the UIDAI helpline. It operates 9:00 AM to 7:00 PM, Monday to Saturday. For cybercrime complaints, call 1930, which operates 24 hours.

Are all SMS claiming to be from UIDAI fake?

No. Real UIDAI SMS does exist — for example, confirming successful updates. But UIDAI never asks you to click a link, enter an OTP, or threaten deactivation. If the SMS asks any of these, it is a scam, regardless of how official it looks.

What should I do if a scammer already has my Aadhaar number?

Enable Biometric Lock in mAadhaar — this prevents AEPS payments even if they have your Aadhaar number. Check your registered mobile number at myaadhaar.uidai.gov.in to ensure it has not been changed. File a complaint at cybercrime.gov.in to document the exposure.

Keep reading

✅ Reviewed & Verified by Eleanor Shaw | techfor60s.com Editorial Desk

Last fact-checked: 2026-04-18

Next scheduled refresh: 2026-10-18