© IE Online Media Services Pvt Ltd
The new SIM-binding rule leaves several questions unanswered. (Image: Unsplash)
Days after the Department of Telecommunications (DoT) issued a new directive requiring online messaging apps such as WhatsApp and Telegram to link SIM cards and user accounts, security and policy experts have warned that the measure, aimed at curbing rising digital fraud, is practically unfeasible and impossible to implement.
The telecom department said that it sent notices to WhatsApp, Telegram, Snapchat, Arattai, Sharechat, Josh, Jiochat, and Signal on November 28, requiring them to ensure that a user’s SIM card is “continuously” linked to their accounts, effectively preventing the user from accessing these apps on devices that do not contain the active SIM linked to their profiles.
Additionally, users of companion web instances (such as WhatsApp Web) will be logged out every six hours and made to re-link their accounts using QR codes. These requirements will have to be implemented within three months, and the platforms will have to submit compliance reports in 120 days. For users travelling abroad, the DoT has clarified that the new rule will not affect “cases where the SIM is present in the handset and the user is on roaming.”
But this is only one of the issues that have been flagged. The new SIM-binding rule leaves several questions unanswered, including whether SIM upgrades or replacements could lock users out of their accounts, whether the rule affects API customers, and how to use desktop or tablet apps that have no SIM slots.
Beyond these points of friction, will tying user accounts on messaging apps to SIM cards meaningfully tackle and curb the kind of scams driving this policy? Let’s take a closer look.
Currently, WhatsApp verifies a user by sending an OTP to their phone number at the time of creating or signing into their account. Users who want to use their existing number on a new phone need to re-register, after which they will be logged out of their old phone. In this way, the platform ensures device-binding in a limited way.
However, being able to use online messaging apps like WhatsApp on devices with no SIM card has allowed scammers to commit fraud and avoid detection, especially in cross-border and impersonation scams, according to the DoT. One of the ways in which scammers hijack WhatsApp accounts is through ads on Meta’s platforms.
In October this year, the Indian Cybercrime Coordination Centre (I4C), under the Ministry of Home Affairs, said it has identified a transnational crime trend in which scammers use ads on Facebook and Instagram to trick victims into linking their WhatsApp accounts with the scammers’ platform.
The modus operandi of such scams is as follows:
– Users see ads promising easy money on Facebook and Instagram.
– After clicking on it, they are redirected to fake websites or prompted to install malicious APKs [Android Package Kits].
– Victims are instructed to scan a QR code displayed in-app via WhatsApp.
– Once scanned, the scammers gain linked-device access to the victim’s WhatsApp account.
– These “mule WhatsApp accounts” are then used for other fraudulent activity such as phishing, payment fraud, dissemination of malicious content, and recruitment for further mule services.
However, the exact scale of the WhatsApp web-account renting scam is not known. In response to a parliamentary question dated February 4, 2025, the Home Ministry said that the I4C proactively identified and blocked 77,195 WhatsApp accounts used in digital arrest scams. But it is unclear if these were compromised accounts or scammers’ own profiles. WhatsApp has declined to comment.
Scam advertisers routinely use sophisticated techniques such as geo-blocking, URL switching, and fine-grained targeting to avoid being tracked, according to Suman Kar, the CEO of cybersecurity consulting firm Banbreach.
“They [ad-based scams] proliferate thanks to a combination of Meta’s algorithmic ad platform, multitude of affiliate ad platforms, and Meta’s lax scrutiny of advertisers, and no regulatory requirement on sharing ad views data (as EU, UK does),” Kar told The Indian Express.
The DoT has said that the tracing and takedown of such fraud networks has been complicated by long-lived web and desktop sessions of victims’ accounts on messaging apps, which are hijacked by scammers operating from distinct locations. “A session can currently be authenticated once on a device in India and then continue to operate from abroad, letting criminals run scams using Indian numbers without any fresh verification,” it added.
To follow the DoT’s directive, messaging apps will have to start accessing the IMSI of users’ SIM cards. IMSI (International Mobile Subscriber Identity) is a unique number that identifies every mobile subscriber globally. It is stored on the SIM card, and is different from IMEI (International Mobile Equipment Identity) which identifies the physical mobile device itself.
State Bank of India (SBI) launched a SIM-binding feature for its mobile app users in 2021, and most banking apps in India now have SIM-binding enabled. The Securities and Exchange Board of India (SEBI) proposed to mandate a similar feature to rein in fraudulent trading earlier this year.
Based on its “multiple discussions” with messaging app providers, the DoT said, “Mandatory continuous SIM–device binding and periodic logout ensure that every active account and web session is anchored to a live, KYC‑verified SIM, restoring traceability of numbers used in phishing, investment, digital arrest and loan scams.”
Backing the move, telecom industry body COAI said, “Such continuous linkage ensures complete accountability and traceability for any activity undertaken by the SIM card and its associated Communication App, thereby closing long-persistent gaps that have enabled anonymity and misuse.”
While its proponents claim that it makes traceability of scammers easier for the government and its agencies, experts have pointed out that SIM-binding could run into several technical hurdles in implementation.
True SIM-binding is not possible because mobile operating system providers (like Apple iOS and Google Android) do not share IMEI and IMSI identifiers with third-party apps such as WhatsApp as a privacy measure. This is also aligned with GSMA and 3GPP global standards.
Banking and UPI apps, which have enforced SIM-binding for years, actually send a silent, automated SMS string from the user’s phone number to serve as a “proxy IMSI”, according to Anand Venkatanarayanan, co-founder of cybersecurity consultancy firm DeepStrat. This is triggered once during setup or re-installation.
Despite SIM or device-binding, fraudulent transactions still take place via banking and UPI apps.
“SIM binding essentially reinforces KYC. In UPI, there are three levels of KYC: There is KYC when you get a bank account, KYC when you get your mobile number, and KYC is done when connecting the phone number stored with your bank to your phone [pseudo SIM-binding]. These three levels of KYC together have not prevented scams in the UPI ecosystem, how is it going to prevent scams when it comes to Telegram and WhatsApp?” Pranesh Prakash, co-founder of the Centre for Internet and Society, told The Indian Express.
Banbreach’s Suman Kar further highlighted that SIM-binding does not prevent scammers from switching to an MNO (mobile network operator) of a different country. Additionally, news reports suggest that several ‘digital arrest’ scams take place over video communication services like Zoom, which do not require SIM-based registration and may not currently fall in the directive’s scope.
Prakash argued that the DoT’s SIM-binding directive does not carry any concomitant benefits, noting that platforms like WhatsApp already have strong incentives to curb spam and scams. “So, there is no misalignment of incentives that needs to be corrected through government regulation,” he said.
In 2023, WhatsApp rolled out security features such as Account Protect, which asks users to verify if they want to switch their WhatsApp account to a new device, along with Device Verification and Automatic Security Codes. More recently, it upgraded the app to provide additional context on messages from unknown numbers, silence unknown callers, and give users the option to manage who adds them to groups. It also uses AI/ML tools to proactively identify fake accounts and fraudulent activity.
“No system can prevent fraud/crime entirely, so prevention is only one part of a holistic solution. It is worth talking about what happens once fraud has happened. In my experience working with victims, I see the same patterns of institutional apathy replayed over and over again,” Kar said.