A "bank" calls about credit card reward points and asks for an OTP
A caller claims to be from your credit card bank (HDFC, ICICI, SBI, Axis) offering to convert expiring reward points into cashback, gift vouchers, or a higher credit limit. To "process" it, they ask for the OTP that just arrived on your phone — that OTP authorizes a fraudulent transaction.
Also known as: credit card reward redemption scam, HDFC / ICICI / SBI rewards call, card-not-present OTP fraud
Already happened to you? Do this in the next few minutes
- 1 Call 1930 — the national cyber-crime helpline — right now. The sooner you report, the better the chance of freezing the money before it moves.
- 2 Call your bank to freeze the account and block the card immediately. Use the number printed on your card, never a number from the message or caller.
- 3 File a report at cybercrime.gov.in and keep every message, screenshot, and transaction ID.
- ! If you installed any "support", "server", "refund", or remote-access app at their request (AnyDesk, TeamViewer, Quick Support, etc.): disconnect the device from the internet now, then run the free SeraphSecure tool (https://www.seraphsecure.com) to detect and remove it.
What to do right now
- 1 Never share OTP, CVV, full card number, or PIN with anyone calling you, even if they sound official
- 2 Cut the call. Look up the bank's customer care number on the back of your card and call them directly if you want to check
- 3 Real reward redemption happens inside the bank's app or website — never over a cold call
- 4 If you shared an OTP, block the card immediately through your bank's app or by calling the back-of-card number
- 5 If you installed any "support", "server", "refund", or remote-access app at the scammer's request (AnyDesk, TeamViewer, Quick Support, etc.), run the free SeraphSecure tool (https://www.seraphsecure.com) to detect and remove it.
- 6 Report at https://cybercrime.gov.in or call 1930 (national cyber helpline).
Was remote-access software installed?
If a scammer asked you to install AnyDesk, TeamViewer, Quick Support, or any remote-access app, your device may still be compromised.
Run SeraphSecure to detect and remove it.
Red flags
- ⚠ A bank never asks for OTP, CVV, full card number, or PIN over a phone call. Ever
- ⚠ Caller knows your name and the last 4 digits of your card — easily bought from data leaks
- ⚠ Pressure: 'points expire today,' 'limited-time conversion'
- ⚠ OTP message text often says it's for a transaction or login — not for reward 'verification'
- ⚠ Call comes from a mobile number (+91 with random digits), not the bank's official contact center
The OTP-over-phone scam is one of the highest-volume card frauds in India. The trick works because banks have spent years training people to expect OTPs as legitimate verification — so people give them up without thinking.
The single rule that ends this category of scam: an OTP is never a verification code for someone else. It is always for an action you are about to authorize. If someone on the phone needs your OTP, they are about to do something to your account. Hang up.
Known variants
- SMS/link-based card harvest (June 2026): instead of a phone call, fraudsters send an SMS or WhatsApp message with a fake bank-portal link. Entering card details and the OTP on the cloned page hands over credentials. A Durg architect lost ₹4.24 lakh; the stolen card was used to buy premium smartphones online.
Last seen: 6/14/2026
Sources
- RBI — Beware of phishing for OTP
- RBI Sachet — Card-related fraud advisory
- PIB Fact Check — Bank OTP scams
- HelloBanker — Gwalior bank employee loses ₹1.26 lakh after sharing OTP on fake reward redemption call (Jan 2026)
- The420.in — Agra Cyber Fraud Bust: ₹Crores Looted via Credit Card Reward Scam, 10 Arrested (April 2026)
- Amar Ujala — Agra: 10 arrested for credit card reward points redemption scam (April 2026)
- The420.in — Durg Cyber Theft: Architect Fleeced Of ₹4.24 Lakh Via Fake Reward-Points Link (June 2026)