BioCatch Blog Channel

Browse Topics

A scam type grows in India

photo of Edgar Zayas

Written by:

Edgar Zayas

A scam type grows in India featured image

Financial institutions have done much to combat the scourge of voice scams in recent years. Educational campaigns have been mostly successful in convincing consumers to never share their bank-provided one-time passwords (OTPs).

But scammers are nothing if not innovative and resourceful. As retail-banking customers have wizened up to scammers impersonating banks, businesses, and government agencies requesting their OTPs, these criminals have done more than shift strategies. In India, they’ve invented a brand-new scam type.

The call-merging scam:

According to National Payments Corporation India (NPCI), Indian scammers have started manipulating their victims into merging their original call with a call from the victim’s bank’s Interactive Voice Response (IVR) to steal the victim’s one-time passwords (OTP), allowing these bad actors to log in and make unauthorized transactions.

Here’s how one of these so-called call-merging scams might go down:

1. The scammer calls the victim, claiming to have obtained their number from a mutual friend.

2. The fraudster asks the victim to merge the call with another number, supposedly belonging to the caller’s friend.

3. If the victim agrees and the calls merge, the second call is actually a legitimate bank OTP verification call.

4. Scammers time the merge perfectly, so the victim unknowingly reveals their OTP.

5. With the OTP, scammers can then complete financial transactions and drain the victim's account.

Call-merging-scam-sequence

This scam is particularly dangerous because it bypasses traditional security measures by manipulating the victim into resulting in unauthorized transactions. Unfortunately for victims, banks often recognize these transactions as authorized because someone entered a legitimate OTP, giving the impression the victim either did the entering themselves or gave it away intentionally.

NPCI has warned users to be vigilant and never merge calls with unknown numbers

India for now, the region – and the world – to follow

While the call-merging scam has gained significant attention in India, evidence of its occurrence in other countries remains limited. Cases have been reported in Indian cities like Ludhiana and Noida, with victims losing amounts ranging from $10,000 to $114,000.

Although similar tactics involving voice phishing and OTP theft have been observed globally, the specific call-merging method as defined by NPCI has not been conclusively documented outside India based on available sources. The underlying principles, however, align with global cybercrime patterns, suggesting potential adaptability to other regions.

Fighting back

To protect against call-merging and similar call-based scams (investment scams, impersonation scams, etc.), financial institutions must look to behavior- and device-based solutions to detect whether customer banking sessions appear inconsistent with the historical behavioral patterns of the account holder: Is the specific device in question previously unknown to both the user and financial institution and not consistent with the associated accountholder's previous tech usage? Is the user interacting with their touchscreen as they normally do? Is their mouse and keystroke movement consistent? Are any of their registered mobile devices currently on active calls?

This intelligence allows banks to decide in real time whether any anomalies detected in a banking session warrant the holding or declining of a transaction.

Google recently announced it will move to a QR-based authentication method later this year. Banks should also be looking into replacing the use of SMS-based OTPs. It’s been more than a year now since the Reserve Bank of India (RBI) recommended all Indian financial institutions move away from SMS-based OTPs in favor of principle-based frameworks for authentication of transactions. As of this writing, we have yet to hear what this framework might look like (or how it might serve the visually impaired) – only that these new methods could potentially replace the need for both SMS and voice-based OTPs, rendering this new call-merging scam obsolete everywhere voice-based OTPs cease to exist.

Recent Posts

America is behind in the scam fight: Why this bank CEO wants a national strategy Mule Accounts
April 17, 2025 America is behind in the scam fight: Why this bank CEO wants a national strategy
Read article
The war is coming: Agentic AI and the next wave of attacks Social engineering scams
April 15, 2025 The war is coming: Agentic AI and the next wave of attacks
Read article
France: Western Europe’s top spot for organized crime Fraud Prevention
April 11, 2025 France: Western Europe’s top spot for organized crime
Read article