He lost Rs 11 lakh after an e-SIM upgrade: Why OTPs and SIM-based security are no longer safe

A new cyber scam is fooling even the most cautious users. In this week’s The Safe Side, we break down how the e-SIM upgrade scam works, and how to stay protected.

The e-SIM upgrade scam shows how easily digital identities can be hijacked with just a phone call. (Image: FreePik)The e-SIM upgrade scam shows how easily digital identities can be hijacked with just a phone call. (Image: FreePik)

A well-known South Mumbai doctor thought he was simply upgrading to a more convenient service. Instead, the move cost him nearly Rs 11 lakh.

In the second week of September, the doctor received a call from someone claiming to represent his telecom provider. The caller offered to upgrade his physical SIM to an e-SIM, listing benefits such as convenience and flexibility. Tempted, the doctor followed the instructions and opened his telecom provider’s official app to place an e-SIM request.

Soon after, he received an OTP — which he unknowingly shared with the caller. He was told that his physical SIM would be deactivated and the e-SIM activated within 24 hours. Two days later, his email password was changed and Rs 10.5 lakh had been siphoned from his bank account to multiple destinations.

Story continues below this ad

The doctor immediately registered a complaint with the cyber cell of the Mumbai Police. Investigations led to the arrest of a hospital office boy in Pune, who had allegedly rented out his bank account to channel the stolen money.

This is an ‘e-SIM upgrade scam’.

What is an e-SIM?

A Subscriber Identity Module (SIM) is your phone’s unique digital ID that connects you to the mobile network. An embedded SIM (e-SIM) is its digital version, built directly into the phone or smartwatch. It eliminates the need for a physical SIM card or tray.

What is the e-SIM upgrade scam?

Deepender Singh, cyber expert, Betul Police (Madhya Pradesh), told indianexpress.com, “In this scam, fraudsters pose as telecom staff and claim there’s an issue with the victim’s SIM. They persuade the person to share an OTP or install an app, claiming it’s for an upgrade. Once they get the OTP, they deactivate the original SIM and activate a duplicate e-SIM on their own device. With control over the victim’s number, they can easily reset email and bank passwords and access accounts within minutes.”

How to verify e-SIM request calls

Jyoti Singh, co-founder of Plus91Labs, said, “Verification should always begin with skepticism and independent validation. Avoid engaging with unsolicited calls or messages, no matter how genuine they sound. Always verify such requests directly through your service provider’s official app, website, or helpline.”

Story continues below this ad

Red flags to watch out for:

Jyoti Singh listed some red flags that people should watch out for:

📌Attackers often create a false sense of urgency, pressuring users to act quickly without proper verification.
📌Unexpected calls or messages urging immediate action should raise suspicion.
📌
Requests for sensitive information such as PINs or OTPs via unofficial channels are a major warning sign.
📌
Digital interfaces that mimic legitimate services may contain subtle inconsistencies, such as: Typos in text or URLs, altered domains, and unusual design elements or layouts.

Deepender Singh said, “To stay safe, keep the spam alert on in Truecaller application and any other calling app you use, and don’t be influenced by anyone talking about SIM upgrades.”

Why this scam exposes a deeper flaw

Vijender Yadav, CEO and co-founder, Accops, warned: “The e-SIM upgrade fraud shows how vulnerable mobile numbers are as a primary security factor. Any organisation still relying on SMS-based OTPs for critical access is operating on borrowed time. When identity can be hijacked through a simple phone call, the entire security chain collapses.”

Story continues below this ad

“CIOs and CISOs must treat the e-SIM scam as a wake-up call to accelerate the shift to a robust Zero Trust Access architecture. It’s time to move beyond outdated methods like passwords or swappable SIMs, and focus on immutable context. Advanced access solutions should verify identity using phishing-resistant methods such as device-bound multi-factor authentication (MFA), biometric checks, and hardware security keys. Contextual signals like geolocation and device posture must also be used to ensure the endpoint is secure. This layered approach enables adaptive, context-aware access controls that automatically block or flag suspicious activity such as mismatched locations or compromised devices. True enterprise security now depends on this shift from static credentials to continuous, intelligent defense,” Yadav added.

Best practices:

To stay safe, experts advise treating every unsolicited request as a potential security risk and verifying the source through official telecom channels before taking any action. Always double-check unusual prompts or upgrade offers, and never share sensitive information such as OTPs or PINs. Developing a ‘verification-first’ mindset is key to building resilient digital behaviour.

Jyoti Singh added, “The industry must move towards secure, app-based verification models rooted in zero-trust principles — where every request is authenticated through device identity, behavioural patterns, and geolocation before approval.” Vijender Yadav further said, “CIOs and CISOs should see the e-SIM scam as a wake-up call to adopt Zero Trust Access frameworks that go beyond passwords or SIMs and focus on immutable context.”

What to do if you’ve been scammed

Call your bank immediately: Block your card or UPI account and stop further transactions.
Report on the National Cybercrime Portal: cybercrime.gov.in
Preserve all evidence: Keep screenshots, messages, and emails related to the fraud.
Call the helpline: Dial 1930 to report financial fraud.

Story continues below this ad

The e-SIM upgrade scam shows how easily digital identities can be hacked with a careless click or even a call. Staying safe requires a simple rule: trust nothing, verify everything and report as soon as possible.

Latest Comment
Post Comment
Read Comments
Advertisement
Loading Taboola...
Advertisement