If you’re seeing SMS like “Pending toll fee—pay now to avoid penalty” or “Your parcel is on hold—verify address”, you’re staring at one of India’s most common smishing (SMS phishing) tricks. Attackers impersonate FASTag/NHAI, couriers (India Post, Blue Dart, Delhivery, etc.), or even banks to make you tap a link, enter UPI/card details, or share OTPs. This guide shows you how to spot, verify, and stop these scams—and exactly what to do if you already clicked.
What is smishing?
Smishing is phishing via SMS/WhatsApp. In India, it often exploits:
- FASTag/Highway toll anxiety: “tag blocked”, “KYC expired”.
- Courier delivery urgency: “address mismatch”, “pay small fee to release parcel”.
- Banking/UPI alerts: “account locked”, “update KYC now”.
The hook is urgency + authority. The goal is to push you from the message to a look-alike website or a call they control, where they harvest credentials, OTPs, UPI PINs, or card details.
Why toll & delivery texts work so well here
- Relevance: Most drivers use FASTag; most shoppers use e-commerce.
- Micro-payments: ₹10–₹50 “verification fees” feel harmless but test your card/UPI and can trigger OTP sharing.
- Mobile-first: Everything—text → link → fake page → OTP—happens on your phone, where you react quickly.
Red flags to spot in seconds
- Links that don’t match the real domain (e.g., odd hyphens, random subdomains, link shorteners).
- Generic greetings (“Dear customer”) and poor spelling/formatting.
- Unusual ask: tiny fees (₹23.50/₹49), KYC via a non-official page, QR codes sent in SMS.
- Demands for sensitive data: UPI PIN, OTP, CVV, full card number—legitimate entities never ask these on SMS/WhatsApp.
- Pressure language: “complete in 5 minutes” / “avoid penalty now”.
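The red flags above can be turned into a simple rule-based check, for example in an SMS filter or a family help-desk script. The following is an added example, not part of the original guide; the official domains are placeholders, and the shortener list and the ₹50 fee threshold (taken from the ₹10–₹50 range mentioned earlier) are assumptions to adjust.

```python
import re
from urllib.parse import urlparse

# Assumptions for this example: placeholder official domains, a short list of
# well-known link shorteners, and the article's Rs 10-50 "tiny fee" range.
OFFICIAL_DOMAINS = {"fastag-issuer.example", "courier.example", "bank.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
TINY_FEE_MAX = 50

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
FEE_RE = re.compile(r"(?:₹|\b(?:rs\.?|inr))\s*(\d+(?:\.\d+)?)", re.I)
SENSITIVE_RE = re.compile(r"\b(?:upi pin|otp|cvv|card number)\b", re.I)
PRESSURE_RE = re.compile(r"\b(?:pay now|avoid penalty|in \d+ minutes)\b", re.I)
GENERIC_RE = re.compile(r"\bdear (?:customer|user)\b", re.I)

def is_official(host):
    """True only for an official domain or a true subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def red_flags(sms):
    """Return the red flags from the list above that appear in one message."""
    flags = []
    for url in URL_RE.findall(sms):
        # SMS links often omit the scheme; add one so urlparse finds the host.
        full = url if "://" in url else "http://" + url
        host = (urlparse(full).hostname or "").lower()
        if host in SHORTENERS:
            flags.append("link shortener")
        elif not is_official(host):
            flags.append("link does not match official domain")
    if GENERIC_RE.search(sms):
        flags.append("generic greeting")
    if any(float(a) <= TINY_FEE_MAX for a in FEE_RE.findall(sms)):
        flags.append("tiny fee")
    if SENSITIVE_RE.search(sms):
        flags.append("asks for sensitive data")
    if PRESSURE_RE.search(sms):
        flags.append("pressure language")
    return flags

# Constructed sample messages (not real SMS).
SAMPLES = [
    "Dear customer, your FASTag is blocked. Pay Rs.49 in 5 minutes: "
    "https://fastag-issuer.example.kyc-update.invalid/pay",
    "Your parcel is on hold. Share OTP to verify address at bit.ly/constructed-sample",
    "FASTag debited Rs.85 at toll plaza. History: https://fastag-issuer.example/history",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(red_flags(sms) or ["no red flags matched"], "<-", sms)
```

The first sample shows why the check compares the end of the hostname: the official name appears at the start of the link, but the domain that actually receives the traffic is the last part. A message that matches no rule is not proven safe; verify it through the official app or site as described next.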
Verify safely (without touching the scam link)
- Do not tap the SMS link.
- Go direct: open the official app/website of your FASTag issuer, bank, or courier from your own bookmark or a fresh Google result—not from the message.
- Check activity: FASTag balance/history, courier tracking in the official app, and recent bank/UPI transactions.
- Call only official numbers listed inside the app/site—not the number in the SMS.
- Search the exact SMS text in quotes; known scams show up quickly.
- Look up the domain: a brand-new or look-alike domain is a red flag.
If you clicked or shared info—do this in the first 60 minutes
Minute 0–10
- Close the page; don’t enter more details or OTPs.
- If you installed any APK from a link, switch to airplane mode and uninstall it immediately.
- Take screenshots of the SMS, URL, and any pages (evidence for your bank/police).
Minute 10–30
- If you entered card/UPI details: Block the card in your banking app or call your bank; request a replacement card. Lower UPI limits and turn on SMS/app alerts for every transaction.
- If you typed a password: Change it on the real site/app and enable 2-step verification. Log out of other devices/sessions inside the app’s security settings.
Minute 30–60
- Scan your phone with a reputable mobile security app; check for unknown apps and risky permissions.
- Review transactions in all banking/UPI apps and report anything suspicious.
- Report the fraud (see next section). Fast action helps banks try to trace/hold funds.
How to report in India (official routes)
- Call 1930 immediately (the national cyber-fraud helpline).
- File a complaint at cybercrime.gov.in (National Cyber Crime Reporting Portal).
- Inform your bank’s official support via numbers/email listed in-app or on the bank site.
- If malware was installed, get your device professionally cleaned; back up, factory reset if necessary, and restore only trusted apps.
Prevention checklist for Indian users (10-minute hardening)
- Use a password manager and strong passphrases (unique for each site).
- Enable 2-Step Verification on email, banking, and shopping apps (Authenticator app preferred over SMS where possible).
- Lock down your phone: strong screen lock, Find My Device/iPhone enabled, OS & app updates automatic.
- Review app permissions; remove what you don’t use.
- Set UPI/card limits and instant alerts (SMS + app notifications).
- Disable international transactions on cards until needed.
- Never side-load APKs; stick to official app stores.
- Bookmark official sites of banks, FASTag issuer, and top couriers—use these, not links from messages.
- Teach family a simple rule: Never pay from a link/text; always open the official app/site yourself.
Real Indian examples (and why they’re fake)
- “FASTag blocked—complete KYC now”: KYC updates are handled through your issuer’s official app/portal, not via random links.
- “Pay ₹29 to release parcel”: Couriers collect dues at delivery or inside the official app; tiny “verification” fees are classic scam bait.
- “Account locked—verify UPI”: Banks/UPI apps never ask for UPI PIN/OTP by SMS/WhatsApp.
FAQs (India)
Q1: I paid a small “verification fee”. Am I safe now?
Not guaranteed. Small payments often test your card/UPI and set up bigger fraud. Call your bank, block/reissue the card if needed, lower limits, and monitor closely.
Q2: The site looked identical to my bank. How do I avoid this next time?
Ignore links in messages. Type the bank URL yourself or use the official app. Check the domain carefully (no extra hyphens/words).
Q3: I shared an OTP on a phone call. What should I do?
Call your bank immediately to freeze/secure accounts, then report via 1930 and cybercrime.gov.in. Change passwords and enable 2-step verification.
Q4: Are QR codes in SMS safe to scan?
Treat them like links—don’t scan codes sent by SMS/WhatsApp. If you must pay, open your UPI app and pay to a verified beneficiary from inside the app.
Q5: Should I install antivirus on my phone?
A reputable mobile security app can catch known malware and risky links. It helps—but won’t replace good habits (no side-loading, careful permissions, regular updates).
Call to action
- Turn on 2-Step Verification for your email and banking apps.
- Set transaction alerts and daily UPI/card limits.
- Save 1930 and cybercrime.gov.in to your contacts.