Earlier this week, one of my old friends Chaitanya sent me a video on WhatsApp. Before I could even watch it, he bombarded me with calls full of panic and questions. He was worried that fraudsters could drain his bank account just by merging phone calls on his device. I reassured him that this is not how digital fraud works—just merging calls would not be enough to steal money. For any digital transaction, you need basic details, not just an OTP (one-time passcode). After our conversation, he finally calmed down.
But then, more messages started pouring in. Other friends and family had seen the same video, asking the same question: "Can my money really disappear just because of a merged phone call?" Some people understood it right away, while others are still too scared to even join conference calls with loved ones.
"Scammers are using call merging to trick you into revealing OTPs. Don't fall for it! Stay alert and protect your money."
It described a scam where fraudsters, pretending to be a friend, tricked you into merging a call at the exact moment your bank sends you an OTP. The goal? To steal your money. (BTW… you don't need an OTP for UPI transactions of up to Rs1 lakh!)
Sounds scary, right? But let us break it down.
Understanding the reality behind the hype
The video and social media posts focus on one part of a transaction—receiving an OTP over a (merged) call instead of an SMS. But here is what they don't tell you: an OTP is just the final step in a chain of security measures before the transaction is made. Without knowing key details like your card number, card verification value (CVV), or UPI personal identification number (PIN), a fraudster cannot complete a transaction—even if they get your OTP.
In fact, the Reserve Bank of India (RBI) has strict security measures in place. Since 2021, banks and payment providers have been mandated to use multi-factor authentication (MFA) for electronic transactions. This includes using OTPs, mobile device verification, biometrics, or even hardware security tokens to keep your money safe.
How digital transactions actually work
Every digital transaction typically requires two or three security steps:
• Something you have: Your login credentials, card number, or UPI ID.
• Something you know: Your password, CVV, or PIN.
• Something dynamic and unique: An OTP, biometric verification, or device authentication.
For most online banking and card transactions, all three factors are required. However, no OTP is needed for UPI transactions of up to Rs1 lakh—just your UPI ID and PIN.
Can a fraudster really steal your money by merging a call?
Short answer: No.
Long answer: Unless a scammer already has your card number, CVV, or UPI PIN, they cannot trigger an OTP request in the first place. Even if they somehow get access to your OTP, banks and payment apps often use device binding, meaning transactions can only be authorised from your registered phone. (I am not talking about net banking here.)
For example, if you use an iPhone with a registered mobile number, your bank links that device to your account. If you switch to a new phone or insert the SIM in another device, you will have to re-register on the app. This extra security layer prevents fraudsters from completing unauthorised transactions.
Fearmongering is dangerous
No doubt, in today's digital age, cybersecurity has become a pressing concern for individuals, businesses and governments alike. With the increasing number of cyber threats, from phishing scams to ransomware attacks, there is a growing demand for cybersecurity experts who can guide people in safeguarding their digital assets. But half-truths, exaggerations, or outright false information about cyber scams can be harmful, such as:
• Anxiety and stress—People stop trusting online banking and digital payments out of fear.
• Wasted time and resources—Users take unnecessary actions like constantly changing passwords or avoiding digital transactions.
• Misplaced focus—People worry about low-risk threats while ignoring real cybersecurity risks like weak passwords and phishing scams.
• Desensitisation—When people hear too many exaggerated warnings, they may start ignoring real threats.
Remember, a legitimate cybersecurity warning should be backed by concrete evidence. If an article or social media post makes alarming claims, check whether it references credible sources such as peer-reviewed research, industry reports, or official advisories.
How to avoid falling for cybersecurity misinformation
Educate yourself: Knowing about the fundamental cybersecurity principles can help you recognise when claims are exaggerated. Basic knowledge of topics like password security, phishing prevention and software updates allows you to assess whether a cybersecurity warning is reasonable or overblown.
Verify the source: Check if the information comes from a trusted source like RBI, CERT-In, or established cybersecurity experts. Avoid unquestioningly trusting social media forwards or viral videos.
Look for context: A real cybersecurity warning should explain how an attack works and what you can do to stay safe.
Cross-check claims: If only one obscure source is spreading the claim, be sceptical. Look for multiple reputable reports confirming the information.
Be wary of absolute statements: If someone says, "No one is safe!" or "This attack is unstoppable!", they are likely exaggerating.
Avoid taking rushed, drastic steps: Not every cyber threat requires drastic action. If an advisory suggests that you must immediately change all your passwords, stop using certain websites, or invest in expensive software, take a step back and assess whether the response is proportionate to the risk.
Merging phone calls cannot drain your bank account. Digital fraud happens when users unknowingly share sensitive information. Rather than fearing every scam warning, focus on practising smart security habits—using strong passwords, enabling multi-factor authentication, and staying cautious of suspicious calls and messages.
Cyber threats are real, but so is misinformation. Stay informed, think critically, and don't fall for unnecessary panic.
Stay Alert, Stay Safe!
