Introduction

The rapid adoption of mobile banking in India, fueled by widespread smartphone penetration, affordable internet, and initiatives like the Unified Payments Interface (UPI), has transformed financial services, making transactions faster and more accessible. However, this digital revolution has also attracted cybercriminals who exploit vulnerabilities in mobile banking systems and user behaviors. The Reserve Bank of India (RBI) reported over 18,461 fraud cases amounting to ₹21,367 crore between April and September 2024, a sharp rise from the previous year’s 14,480 cases involving ₹2,623 crore. Mobile banking frauds, in particular, have surged due to the popularity of UPI and mobile apps. This article explores the latest mobile banking fraud schemes prevalent in India, their methodologies, impacts, mitigation strategies, and a real-world example to illustrate these threats.

Prevalent Mobile Banking Fraud Schemes in India

1. Phishing and Smishing Attacks

Phishing involves fraudulent emails or messages that mimic legitimate banks or organizations, tricking users into sharing sensitive information like login credentials, One-Time Passwords (OTPs), or card details. Smishing, a subset of phishing, uses SMS to deliver malicious links or prompt users to call fake numbers. These messages often claim urgent account updates or KYC requirements. Clicking malicious links can lead to fake websites that capture credentials or install malware. In 2024, phishing and smishing remain prevalent due to their simplicity and effectiveness, especially targeting less tech-savvy users.

2. SIM Swap and Cloning Frauds

SIM swap fraud occurs when cybercriminals trick a mobile service provider into transferring a victim’s phone number to a new SIM card under their control. By gaining access to the victim’s number, fraudsters intercept OTPs and bypass two-factor authentication (2FA) to access banking apps. SIM cloning involves duplicating a SIM card to receive messages and calls. These methods exploit the reliance on mobile numbers for authentication in UPI and mobile banking apps. The RBI has noted an increase in such frauds, with fraudsters posing as telecom staff offering upgrades to lure victims into sharing personal details.

3. Malware and Fake Banking Apps

Malware, such as keyloggers or screen recorders, is often delivered via malicious apps, email attachments, or fake websites. These apps mimic legitimate banking apps, tricking users into entering credentials that are then stolen. In 2025, malware attacks have become more sophisticated, with fraudsters using APK files distributed via SMS or social media to take control of banking apps while users interact with legitimate interfaces. Fake banking apps are designed to look authentic, deceiving users into providing login details or authorizing transactions.

4. QR Code Scams

QR code frauds involve tricking users into scanning malicious QR codes that authorize unauthorized transactions or install malware. Fraudsters send QR codes via SMS, email, or social media, often under pretexts like prize claims or payment requests. Scanning such codes can link a user’s banking app to a fraudster’s account, enabling fund withdrawals. The RBI reported a surge in QR code scams between 2017 and 2023, and this trend continues as UPI transactions grow.

5. Social Engineering and Vishing

Social engineering exploits human psychology to manipulate users into divulging sensitive information. Vishing (voice phishing) involves phone calls where fraudsters impersonate bank officials, government authorities, or trusted contacts to extract OTPs, PINs, or login details. In 2024, vishing scams have leveraged AI-generated voice deepfakes to sound more convincing, making it harder for users to detect fraud. These scams often target vulnerable groups, such as the elderly, who may trust unsolicited calls.

6. Account Takeover (ATO) Attacks

ATO attacks involve fraudsters gaining unauthorized access to a user’s bank account, often using stolen credentials from phishing, malware, or data breaches. In India, ATO accounts for over 55% of digital banking fraud cases, with fraudsters using compromised credentials to initiate transactions or set up automatic transfers. The use of mule accounts—bank accounts used to launder stolen funds—has also risen, with BioCatch reporting that nine out of ten mule accounts go undetected at some Indian banks.

7. Loan and Advance-Fee Frauds

Fraudsters impersonate bank officials offering easy loans with minimal KYC requirements. After obtaining personal details like PAN or Aadhaar numbers, they apply for loans in the victim’s name, leaving the victim liable for repayment. Advance-fee frauds involve convincing users to pay processing fees for nonexistent loans, lotteries, or gifts. These scams exploit trust in digital banking platforms and have led to significant financial losses and credit score damage.

8. Screen-Sharing and Remote Access Scams

Fraudsters trick users into downloading screen-sharing apps like AnyDesk or TeamViewer, claiming to assist with banking issues. These apps allow fraudsters to monitor or control the user’s device, capturing credentials or initiating transactions. The RBI has warned about the rise of such scams, which exploit users’ trust in technical support. In 2025, these scams have grown due to increased reliance on remote troubleshooting.

9. Juice Jacking

Juice jacking involves installing malware through compromised public USB charging ports. When users charge their phones at public stations, malware can steal banking credentials or install malicious apps. This scam is particularly concerning in India, where public charging stations are common in airports, malls, and railway stations.

10. Investment and Ponzi Schemes via Mobile Platforms

Fraudsters use mobile apps or social media to promote fake investment schemes promising high returns. These Ponzi schemes, often disguised as legitimate opportunities, use funds from new investors to pay earlier ones. The SpeakAsia Online scam, which promised returns for completing surveys, is a notable example. Such scams exploit the accessibility of mobile banking to collect funds quickly.

Impacts of Mobile Banking Frauds

1. Financial Losses

Victims face direct financial losses, with frauds costing India ₹100 crore daily in 2021–22. Small businesses and individuals are particularly vulnerable, as recovery of stolen funds is often challenging.

2. Credit Score Damage

Loan frauds and unauthorized transactions can harm victims’ credit scores, affecting their ability to secure future loans or financial services.

3. Erosion of Trust

Frequent frauds undermine public confidence in mobile banking, slowing the adoption of digital financial services. This is critical in India, where financial inclusion is a priority.

4. Operational Disruptions

Banks face reputational damage and operational costs to investigate and mitigate frauds. The RBI’s push for stricter compliance reflects the growing burden on financial institutions.

5. Legal and Regulatory Challenges

Fraudsters often operate across borders, complicating law enforcement efforts. Light penalties, such as three-year imprisonment for phishing under the Indian IT Act, embolden criminals.

Mitigation Strategies

1. Strengthen Authentication

Enable 2FA and biometric authentication on banking apps. The RBI has recommended moving away from text-based OTPs due to their vulnerability.

2. User Education

Public awareness campaigns can teach users to verify suspicious messages, avoid clicking unknown links, and report frauds to the National Cyber Crime Reporting Portal (cybercrime.gov.in).

3. AI-Driven Fraud Detection

Banks should adopt AI-based tools like Mule Hunter.ai to detect mule accounts and anomalous behaviors in real time.

4. Secure App Development

Banks must ensure mobile apps use end-to-end encryption and regular security updates. Avoiding fake apps requires downloading only from trusted sources like Google Play or the App Store.

5. Monitor Transactions

Users should regularly check bank statements and enable SMS alerts for transactions. Immediate reporting of suspicious activity can limit damage.

6. Regulatory Oversight

The RBI and SEBI should enforce stricter KYC and data protection norms, especially for third-party fintech platforms, to close loopholes.

Example: The 2024 UPI QR Code Scam Wave

In 2024, a surge in UPI-based QR code scams was reported across India. Fraudsters sent SMS messages claiming recipients had won a lottery or needed to update their UPI account. These messages included QR codes that, when scanned, linked the victim’s UPI app to a fraudster’s account, authorizing automatic withdrawals. In one case, a Mumbai resident lost ₹2 lakh after scanning a QR code sent via WhatsApp, believing it was a legitimate bank communication. The scam exploited the victim’s trust in UPI’s ease of use and lack of URL verification. This incident highlights the need for user education and app-based safeguards to verify QR code authenticity before authorizing transactions.

Conclusion

Mobile banking frauds in India, including phishing, SIM swapping, malware, QR code scams, and social engineering, have surged alongside the growth of digital payments. These schemes exploit technological vulnerabilities and human trust, causing significant financial and reputational damage. By adopting robust authentication, AI-driven detection, and public awareness campaigns, banks and users can mitigate these risks. The 2024 UPI QR code scam wave underscores the urgency of staying vigilant and implementing advanced security measures. As India continues its digital-first financial journey, proactive cybersecurity is essential to protect users and maintain trust in mobile banking.