Your Stolen Phone Can Empty Your Bank Account: Here’s How the New SIM-Based UPI Fraud Works
A new digital fraud method is raising serious concerns among mobile and UPI users across India. An official awareness infographic shared by authorities explains how a stolen smartphone can become a direct gateway to your bank account, even without internet access.
The fraud exploits basic mobile services, stored personal data, and weak phone security. What makes it worrying is how quickly money can be drained once the phone falls into the wrong hands.
How the fraud works
The scam usually begins with a stolen or lost phone. If the SIM card remains active, fraudsters can misuse a lesser-known UPI feature to bypass common safety checks.
Step one involves exploiting the *99# service. This is a USSD-based UPI service that works without internet. Using the victim’s SIM, criminals dial *99# to access UPI functions directly.
In the second step, they reset the UPI PIN. This is often done using debit card details saved on the phone. Many users store card photos, screenshots, or SMS alerts containing card numbers and expiry dates. With this information, resetting the PIN becomes easy.
Once a new PIN is generated, the third step is instant fund transfer. The fraudster moves money to their own accounts within minutes, often before the victim even realises the phone is missing.
Why this fraud is dangerous
The biggest risk is speed. Because *99# works without internet, even phones with mobile data turned off can be misused. If the SIM is not blocked immediately, there is a small window where attackers can act fast and silently.
This scam does not rely on phishing links or fake calls. It uses legitimate banking systems against the user, making it harder to detect until money is already gone.
How to protect yourself
The infographic highlights a few simple but critical safety steps.
- The first and most important step is to immediately block your SIM card if your phone is lost or stolen. A quick call to your telecom provider can prevent misuse of UPI and SMS-based services.
- Avoid saving debit or credit card details on your phone. This includes photos, screenshots, notes, or wallet apps that store full card numbers and expiry dates.
- Secure your phone and SIM properly. Use a strong screen lock and always enable a SIM PIN. This adds an extra layer of protection even if someone removes the SIM and inserts it into another device.

What users should do right now
Cyber experts advise reviewing phone security settings today, not after an incident. Check what sensitive data is stored on your device and remove anything that could help a criminal reset banking credentials.
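As an added example (not part of the infographic or this article's source), here is a short Python sketch of that review: it scans text exported from a phone, such as notes, SMS backups or OCR output from screenshots, for full card numbers, uses the Luhn checksum to cut false positives, and flags whether an expiry date sits nearby. The item names and sample contents are constructed, and getting the text off the device is assumed to have been done separately.

```python
import re

# Candidate card numbers: 13-19 digits, optionally grouped by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Expiry written as MM/YY or MM/YYYY (slash or hyphen).
EXPIRY_RE = re.compile(r"(?<!\d)(0[1-9]|1[0-2])[/-](\d{4}|\d{2})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_item(name: str, text: str) -> list:
    """Return one finding per Luhn-valid card number found in text."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue  # order ids, reference numbers and similar long numbers
        # Look for an expiry within 60 characters on either side of the number,
        # excluding the number itself so its own digit groups cannot match.
        around = text[max(0, m.start() - 60):m.start()] + " " + text[m.end():m.end() + 60]
        findings.append({
            "source": name,
            "card": "*" * (len(digits) - 4) + digits[-4:],  # never echo the full number
            "expiry_nearby": bool(EXPIRY_RE.search(around)),
        })
    return findings

def audit(items: dict) -> list:
    """Scan every exported item; items maps a label to its text content."""
    results = []
    for name, text in items.items():
        results.extend(scan_item(name, text))
    return results

# Constructed sample data (4111 1111 1111 1111 is a standard test number).
SAMPLE = {
    "notes/cards.txt": "Debit card 4111 1111 1111 1111 exp 08/27",
    "sms/bank-alert": "Rs 500 debited from card XX1111 on 03-01-25. Ref 402918837465",
    "sms/courier": "Order 1234567812345678 shipped",
    "screenshots/ocr.txt": "4111-1111-1111-1111",
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

A finding with `expiry_nearby` set is the highest priority to delete, since the number and expiry together are what the PIN reset step described above relies on. The Luhn check is a heuristic: roughly one in ten random long numbers passes it, so review each hit before acting on it.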
As UPI adoption continues to grow, awareness around offline and SIM-based risks is just as important as protection from online scams.

