He lost Rs 11 lakh after an e-SIM upgrade: Why OTPs and SIM-based security are no longer safe

A new cyber scam is fooling even the most cautious users. In this week’s The Safe Side, we break down how the e-SIM upgrade scam works, and how to stay protected.

The e-SIM upgrade scam shows how easily digital identities can be hijacked with just a phone call. (Image: FreePik)

A well-known South Mumbai doctor thought he was simply upgrading to a more convenient service. Instead, the move cost him nearly Rs 11 lakh.

In the second week of September, the doctor received a call from someone claiming to represent his telecom provider. The caller offered to upgrade his physical SIM to an e-SIM, listing benefits such as convenience and flexibility. Tempted, the doctor followed the instructions and opened his telecom provider’s official app to place an e-SIM request.

Soon after, he received an OTP — which he unknowingly shared with the caller. He was told that his physical SIM would be deactivated and the e-SIM activated within 24 hours. Two days later, his email password was changed and Rs 10.5 lakh had been siphoned from his bank account to multiple destinations.

The doctor immediately registered a complaint with the cyber cell of the Mumbai Police. Investigations led to the arrest of a hospital office boy in Pune, who had allegedly rented out his bank account to channel the stolen money.

This is an ‘e-SIM upgrade scam’.

What is an e-SIM?

A Subscriber Identity Module (SIM) is your phone’s unique digital ID that connects you to the mobile network. An embedded SIM (e-SIM) is its digital version, built directly into the phone or smartwatch. It eliminates the need for a physical SIM card or tray.

What is the e-SIM upgrade scam?

Deepender Singh, cyber expert, Betul Police (Madhya Pradesh), told indianexpress.com, “In this scam, fraudsters pose as telecom staff and claim there’s an issue with the victim’s SIM. They persuade the person to share an OTP or install an app, claiming it’s for an upgrade. Once they get the OTP, they deactivate the original SIM and activate a duplicate e-SIM on their own device. With control over the victim’s number, they can easily reset email and bank passwords and access accounts within minutes.”

How to verify e-SIM request calls

Jyoti Singh, co-founder of Plus91Labs, said, “Verification should always begin with skepticism and independent validation. Avoid engaging with unsolicited calls or messages, no matter how genuine they sound. Always verify such requests directly through your service provider’s official app, website, or helpline.”

Red flags to watch out for:

Jyoti Singh listed some red flags that people should watch out for:

📌 Attackers often create a false sense of urgency, pressuring users to act quickly without proper verification.
📌 Unexpected calls or messages urging immediate action should raise suspicion.
📌 Requests for sensitive information such as PINs or OTPs via unofficial channels are a major warning sign.
📌 Digital interfaces that mimic legitimate services may contain subtle inconsistencies, such as typos in text or URLs, altered domains, and unusual design elements or layouts.

Deepender Singh said, “To stay safe, keep the spam alert on in Truecaller application and any other calling app you use, and don’t be influenced by anyone talking about SIM upgrades.”

Why this scam exposes a deeper flaw

Vijender Yadav, CEO and co-founder, Accops, warned: “The e-SIM upgrade fraud shows how vulnerable mobile numbers are as a primary security factor. Any organisation still relying on SMS-based OTPs for critical access is operating on borrowed time. When identity can be hijacked through a simple phone call, the entire security chain collapses.”

“CIOs and CISOs must treat the e-SIM scam as a wake-up call to accelerate the shift to a robust Zero Trust Access architecture. It’s time to move beyond outdated methods like passwords or swappable SIMs, and focus on immutable context. Advanced access solutions should verify identity using phishing-resistant methods such as device-bound multi-factor authentication (MFA), biometric checks, and hardware security keys. Contextual signals like geolocation and device posture must also be used to ensure the endpoint is secure. This layered approach enables adaptive, context-aware access controls that automatically block or flag suspicious activity such as mismatched locations or compromised devices. True enterprise security now depends on this shift from static credentials to continuous, intelligent defense,” Yadav added.
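
The layered checks described in the quote above can be sketched as a small policy function that treats SMS OTP as insufficient for sensitive actions and weighs device identity, posture and location. This is an added example, not code from the article or from any vendor; the factor names, action names, device IDs and the allow/flag/block outcomes are assumptions made for illustration.

```python
from dataclasses import dataclass

# Factors the quote calls phishing-resistant. SMS OTP is deliberately absent:
# it follows the phone number, so it moves with a hijacked SIM or e-SIM.
PHISHING_RESISTANT = {"device_bound_mfa", "hardware_key"}
SENSITIVE_ACTIONS = {"password_reset", "add_payee", "funds_transfer"}

@dataclass(frozen=True)
class AccessRequest:
    action: str             # what the caller wants to do
    factor: str             # how the caller authenticated
    device_id: str          # device presenting the request
    device_compliant: bool  # result of a posture check (assumed input)
    country: str            # coarse geolocation of the request

@dataclass(frozen=True)
class UserContext:
    enrolled_devices: frozenset
    usual_countries: frozenset

def decide(req: AccessRequest, ctx: UserContext) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'allow', 'flag' or 'block'."""
    reasons = []
    if not req.device_compliant:
        reasons.append("device failed posture check")
    if req.action in SENSITIVE_ACTIONS:
        if req.factor not in PHISHING_RESISTANT:
            reasons.append(f"{req.factor} is not accepted for {req.action}")
        if req.device_id not in ctx.enrolled_devices:
            reasons.append("device is not enrolled for this user")
    if reasons:
        return "block", reasons
    if req.country not in ctx.usual_countries:
        return "flag", ["location does not match the user's usual countries"]
    return "allow", []

# Constructed sample data for illustration only.
CTX = UserContext(frozenset({"phone-A"}), frozenset({"IN"}))
# The article's scenario: the number now sits on an unknown handset and the
# password reset is backed only by an SMS OTP.
HIJACK = AccessRequest("password_reset", "sms_otp", "phone-X", True, "IN")
LEGIT = AccessRequest("password_reset", "hardware_key", "phone-A", True, "IN")
TRAVEL = AccessRequest("funds_transfer", "device_bound_mfa", "phone-A", True, "SG")

if __name__ == "__main__":
    for name, req in [("hijack", HIJACK), ("legit", LEGIT), ("travel", TRAVEL)]:
        print(name, decide(req, CTX))
```
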

Best practices

To stay safe, experts advise treating every unsolicited request as a potential security risk and verifying the source through official telecom channels before taking any action. Always double-check unusual prompts or upgrade offers, and never share sensitive information such as OTPs or PINs. Developing a ‘verification-first’ mindset is key to building resilient digital behaviour.

Jyoti Singh added, “The industry must move towards secure, app-based verification models rooted in zero-trust principles — where every request is authenticated through device identity, behavioural patterns, and geolocation before approval.” Vijender Yadav further said, “CIOs and CISOs should see the e-SIM scam as a wake-up call to adopt Zero Trust Access frameworks that go beyond passwords or SIMs and focus on immutable context.”

What to do if you’ve been scammed

Call your bank immediately: Block your card or UPI account and stop further transactions.
Report on the National Cybercrime Portal: cybercrime.gov.in
Preserve all evidence: Keep screenshots, messages, and emails related to the fraud.
Call the helpline: Dial 1930 to report financial fraud.

The e-SIM upgrade scam shows how easily digital identities can be hacked with a careless click or even a call. Staying safe requires a simple rule: trust nothing, verify everything and report as soon as possible.

Ankita Deshkar is a Deputy Copy Editor and a dedicated fact-checker at The Indian Express. She leads "The Safe Side" series, where she deconstructs emerging digital threats and financial scams.