Imagine losing your life savings in 30 seconds—all because of a seemingly harmless request to merge a call. All it starts with a call from someone posing as a friend or agent, asking you to merge in another caller—who is an automated bank line delivering an OTP. Once merged, the scammer hears the OTP and uses it to authorize transactions. This social-engineering scam has affected many in India and is now drawing global attention, with warnings from NPCI and international cybersecurity agencies.
How the Scam Works:
Cybercriminals use a carefully timed sequence of calls to intercept OTPs. Typical steps include:
This scam is especially dangerous because it abuses a normal phone feature—conference calling. As the scam doesn’t rely on malware or hacking but rather on manipulating human behaviour. By tricking you into merging calls, the scammer gains live access to your OTPs, effectively bypassing even strong two-factor authentication.
Even tech-savvy users can fall for it, which is why awareness is the most important defence.
Case Studies and News
-
- India: Call-Merging Scam Targeting Doctors
In early 2025, a series of call-merging scams targeted medical professionals in Gurgaon. Attackers compromised one doctor’s WhatsApp account using a merged call technique, then used that account to contact others in her network. This created a chain reaction, resulting in over 40 doctors falling victim before Diwali 2024. The scam involved merging a call between the victim and a fake OTP service or a third party, tricking them into revealing authentication codes.
Banks and payment authorities issued warnings to the public about the scam. Experts noted that scammers use the merge feature to create false credibility and extract sensitive information, particularly OTPs used for financial transactions.
Source: indianexpress.com
-
- Global: Voice-OTP Exploits via Merge Calls
Similar scams have been reported internationally, including in Southeast Asia. In Vietnam, authorities identified a fraud method involving attackers pretending to be mutual acquaintances, merging calls with victims and automated bank OTP services. Victims unknowingly gave away OTPs, believing they were part of a legitimate conversation.
Cybersecurity analysts highlight that the tactic is effective in regions where voice-based OTP delivery is common. The method’s simplicity—using call merging to eavesdrop or redirect sensitive calls—makes it adaptable to different contexts, even if it has not yet seen widespread media coverage in the West.
Source: thongtin.vietnam.vn
No major arrests for call-merging scams have been made yet. Scammers often operate from overseas or use disposable VoIP numbers, making them hard to trace. However, Indian police are cracking down on related cyberfraud rings and urge victims to report cases to aid investigations.
Identifying Red Flags & Prevention Tips
Cybersecurity experts stress the importance of caution. Here’s how to protect yourself:
-
- Never merge calls with unknown numbers. If you’re asked to merge a call unexpectedly, hang up and verify the caller through a trusted source. NPCI warns: “Never merge calls with unknown numbers.”
-
- Always verify the caller. Don’t trust caller IDs alone—scammers can spoof numbers and mimic voices. Use another method (e.g., message or official app) to confirm the caller’s identity.
-
- Don’t share OTPs or codes. If you receive an unexpected OTP, treat it as suspicious. Never read it out or share it with anyone, even if they sound official.
-
- Protect personal information. Never disclose account details, passwords, or verification codes on calls. Banks will never ask for this over the phone.
-
- Use spam filters and call blockers. Install apps like Truecaller or use your phone’s built-in spam detection to flag suspicious calls and report scam numbers.
-
- Secure your voicemail. Set a strong PIN and disable call forwarding. If unused, consider turning voicemail off to prevent OTP theft.
- Limit financial exposure. Keep daily bank and UPI limits low. Use separate phone numbers for banking and social media to reduce risk.
What To Do If You’ve Been Scammed
Quick action after a suspected scam can improve your chances of recovery. Experts recommend:
-
- Contact your bank immediately. Ask them to block or freeze any transactions and payment instruments. Change all relevant passwords and PINs right away (bank PIN, UPI PIN, internet-banking passwords, etc.) to secure your accounts. Under RBI guidelines, if you notify the bank of an unauthorized UPI or banking transaction within 3 days, you may be eligible for a refund.
-
- Report to cybercrime authorities. In India, dial the national cyber helpline 1930 or file a complaint at cybercrime.gov.in. Provide all details: the time of the call, phone numbers involved, and amounts stolen. You can also lodge an FIR with your local police cyber cell. Internationally, report to your country’s cyber or financial crime unit. Prompt reporting helps law enforcement track scam patterns and possibly trace the criminals.
-
- Document everything. Save call logs, SMS/WhatsApp messages, and any screenshots of transactions or OTPs. Keep records of bank statements showing the fraud. These will assist both the bank’s fraud team and investigators.
-
- Monitor your accounts. Over the next few weeks, watch for any further unauthorized activity. Notify the bank immediately of any new suspicious debits. Some victims also review their credit reports in case personal data was exposed.
-
- Warn your contacts. If the scam involved takeover of an account (e.g. WhatsApp or email), inform your friends and family so they aren’t targeted through you.
Staying calm and methodical is key. As advised, do not ignore the incident – act swiftly by calling the bank and cyber helpline, and then monitor your finances closely. Remember, under Indian law the scammer could face prosecution (e.g. up to three years imprisonment under the IT Act for fraud) once caught. Every report helps authorities build cases against these fraudsters.
Conclusion
The “merge call” scam is a reminder that even simple telecom features can be weaponized by clever criminals. The good news is that it relies entirely on social engineering – no advanced hacking is needed – so awareness is an effective defence. Spread the word to loved ones and employees: banks and officials will never ask you to merge calls or read out OTPs. By staying informed, verifying callers, and following the safety steps above, you can keep your accounts and identity secure against this emerging threat.
