New Fraud Pattern Beyond 2025: No OTP, No Internet, Still Lost Money – Lessons from Shirdi incident

A shocking new fraud pattern emerged in Shirdi: money vanished without OTP or internet. Learn how it happened, overlooked risks, and key lessons.

What Happened

In October 2025, a professor from Shirdi received a call that appeared to be from his bank.
The caller said: “A suspicious debit has been flagged. To cancel it, press ‘No’.”

He pressed.
Within seconds, ₹1.61 lakh vanished from his account.

• No OTP was given.
• Internet was off.
• His ATM card was at home.
• No link was clicked.

Still, the money was gone.
This exposed a new fraud pattern in India’s digital banking system.

How Can Fraud Happen Without OTP or Internet?

Possible methods include:

• Backend exploitation: Weaknesses in banking systems that bypass OTP checks.
• Insider leaks: Customer data misused by internal or third-party actors.
• SIM swap or cloning: Criminals receiving SMS meant for the customer.
• Call manipulation: Pressing a button during a call may trigger hidden USSD/IVR commands.

Similar cases are being reported in Rahata, Shrirampur, and Nashik.

Why This New Pattern Is Dangerous

• It bypasses customer safeguards like OTPs, internet, and cards.
• Even educated victims (professors, engineers) are falling prey.
• Refunds may take time, testing people’s trust in digital banking.

Rare Precautions Most People Forget

Most articles about cyber fraud stop at the usual line: “never share your OTP.” That advice is correct, but today’s fraudsters use new tricks where OTP is not even needed. To truly stay safe, we need to go beyond the basics. Here are some often-forgotten but powerful steps:

• Protect Your SIM Card
  Your phone number is as important as your ATM card. If criminals get control of it, they can receive your bank alerts and OTPs. Call your mobile company and ask them to notify you if anyone tries to replace or duplicate your SIM card. This alert can save you from silent fraud.
• Check Phone Settings Regularly
  Check SMS Forwarding Rules; some harmful apps can secretly forward your SMS, including bank messages. Take two minutes once a month to check your phone’s SMS and call forwarding settings. If you see any unknown rule, remove it immediately.
• Remove Old or Unknown Devices
  Many banking and UPI apps allow multiple devices to stay logged in. Open your app settings and check the list of linked devices. If you see an old phone or an unfamiliar device, remove it. Keep only your current phone active.
• Turn On Both SMS and Email Alerts
  Sometimes SMS messages get delayed or blocked. If you also get alerts by email, you have a backup. The quicker you know about a transaction, the faster you can react if it’s not yours.
• Never Approve Anything on a Call
  Fraudsters may call pretending to be from the bank and ask you to press “1,” “No,” or any other button to cancel a transaction. Banks never use this method. If you receive such a call, hang up immediately — it’s a scam.

These steps may sound simple, but they close the hidden gaps that fraudsters often exploit. Most people don’t follow them, which is why scams keep succeeding. By adding these extra habits, you put yourself several steps ahead of cybercriminals.

What Customers, Banks, and Regulators Can Do

For Customers:

• Report suspicious activity immediately to the 1930 cybercrime helpline.
• File complaints at cybercrime.gov.in.
• Use only official banking helplines and apps.

For Banks:

• Strengthen monitoring for OTP-free transactions.
• Audit insider access and vendors.
• Provide faster, transparent redressal to customers.

For Regulators:

• Update policies for new fraud techniques.
• Enforce stricter timelines for handling complaints.
• Educate customers on SIM swap and device security.

What RBI Rules Say – With Caution

RBI’s “Limiting Liability of Customers in Unauthorized Electronic Banking Transactions” framework states:

• If customers report unauthorized electronic transactions within 3 working days, and they were not negligent, they generally have zero liability.
• Banks are expected to provide a provisional credit (“shadow reversal”) within 10 working days after receiving such a complaint.
• If customers delay reporting (for example, beyond 7 days), their liability may increase, depending on the bank’s board-approved policy.

⚠️ Important: These rules apply to unauthorized electronic transactions as defined by RBI. New fraud patterns — such as OTP-bypass or transactions without internet/OTP prompts — may still be under legal and technical review, and outcomes can differ case by case.

📖 For detailed official rules, see RBI’s circular “Limiting Liability of Customers in Unauthorized Electronic Banking Transactions” (July 6, 2017) → Read here on RBI website.

Looking Ahead: The Future of Cybercrime

• AI deepfake voices pretending to be bank officers.
• Quantum risks breaking older encryption.
• Cross-border fraud networks growing in scale.

Cyber safety will depend on customers, banks, and regulators working together.

Key Lessons

• A new fraud pattern can steal money without OTP or internet.
• Causes may include insider leaks, SIM swaps, or backend loopholes.
• Safety means going beyond “don’t share OTP” — check telecom, SMS, device, and alert settings.

The Shirdi fraud is a wake-up call: even when you follow the rules, fraud can still happen.

Would you know how to respond if money left your account without OTP?
Save 1930, bookmark cybercrime.gov.in, and share these less-known safety tips with family and colleagues.

Explore More

• AI-Powered Threat Intelligence: The Ultimate Double-Edged Sword in Cybersecurity
• 5 Ways Zero Trust Stops Hackers Cold
• Cybersecurity’s Fastest War: The Ultimate Battle When AI Fights AI Beyond 2025
• The Ransomware Epidemic: Why SMEs Are The New Primary Target
• What Is Vibe Hacking and How Is AI Using It? 5 Shocking Facts About the Threat to Our Trust

FAQ

Q1. What is the new fraud pattern in Shirdi?
A professor lost ₹1.61 lakh after pressing “No” on a call — without OTP, internet, or card use.

Q2. How could this happen?
Possible reasons include backend loopholes, insider leaks, SIM swaps, or call-based tricks.

Q3. What hidden precautions should people take?
SIM swap protection, SMS rule checks, device reviews, and dual alerts.

Q4. What should victims do immediately?
Call 1930, file at cybercrime.gov.in, and inform the bank.

Q5. What do RBI rules say about refunds?
Customers reporting quickly (within 3 working days) to demonstrate zero liability, and banks must give all the support within 10 working days, but applicability may vary for new fraud patterns.

Source Credits

This article references open reporting from:

• India Today
• Times of India
• Indian Express
• Lokmat

Disclaimer:

This article is provided for informational and educational purposes only. It does not promote or encourage unlawful activities. Readers are encouraged to stay informed, practice safe digital habits, and rely on ethical, legal resources for decision-making. Technical causes described are possible scenarios based on cybersecurity best practices and may not represent confirmed findings of any ongoing investigation.