Dual SIM fraud exploits deactivated phone numbers to steal money from bank accounts. When a SIM card is not recharged for 90 days, TRAI rules allow telecom companies to reissue the number to a new subscriber. Cybercriminals deliberately target these deactivated numbers, knowing they are still registered with the victim’s bank account — enabling OTP interception and full account takeover.
What Is Dual SIM Fraud?
Dual SIM fraud is a form of SIM-based financial crime in which a criminal acquires a recently deactivated phone number — often using forged documentation or through collusion with SIM vendors — and uses it to bypass OTP authentication on the victim’s bank accounts, UPI apps, and email.
This fraud is closely related to SIM swapping attacks but specifically exploits the TRAI regulation that allows deactivated numbers to be reissued after three months of non-recharge.
How Does Dual SIM Fraud Work?
Step 1: Identifying the Deactivated Number
Fraudsters target old mobile numbers that have not been recharged, knowing these are commonly registered with bank accounts and UPI apps. They often obtain their targets through data leaks, inside information, or purchasing databases of numbers due for deactivation.
Step 2: Acquiring the Number
Once a number is deactivated, the criminal visits a telecom retailer and obtains the SIM using forged identity documents. In documented cases, criminals have collaborated directly with SIM card vendors to accelerate this process.
Step 3: Accessing Bank Accounts
With the number active in their hands, the criminal opens the victim’s bank’s internet banking portal and clicks “Forgot User ID”. The bank sends a verification OTP to the registered number, which is now controlled by the fraudster. They enter the OTP, retrieve the User ID, then use “Forgot Password” to generate a new password and gain full access to the account.
Step 4: Funds Transfer
Once inside the account via internet banking or UPI apps linked to the number, the criminal transfers the entire balance. The victim does not receive any alert because the SIM is no longer in their possession.
Why Is Dual SIM Fraud Increasing?
Prior to 2022, many Indian telecom companies offered lifetime validity SIM cards. A 2022 TRAI regulation ended this and mandated that SIM cards require a recharge at least once every three months to remain active. Numbers that lapse can be reissued. Many Indians who used a secondary SIM for UPI or banking forgot to recharge it, creating a significant pool of vulnerable numbers attached to live bank accounts.
How to Protect Yourself from Dual SIM Fraud?
- Recharge all SIM cards monthly — Do not allow any SIM registered with your bank or UPI apps to lapse. A minimum recharge prevents deactivation and reissue.
- Close unused SIM cards formally — If you no longer need a SIM, visit your telecom provider and formally cancel the number. Also update all linked bank accounts and financial apps to remove the deactivated number.
- Update your registered mobile number — Ensure your bank has your active, currently-used phone number for OTP delivery. Call your bank’s helpline or visit a branch to update it.
- Enable email OTP or authenticator app options — Where banks allow it, add an email address or authenticator app as a secondary verification factor, reducing dependence on SMS alone.
- Set transaction alerts on all numbers — Ensure you receive SMS and email alerts for all account transactions so any unauthorised activity is immediately visible.
How to Report Dual SIM Fraud in India?
- Call the National Cyber Crime Helpline 1930 immediately to report the fraud and request a hold on account transactions.
- File a complaint at cybercrime.gov.in with the fraudulent transaction details, your bank account information, and the telecom number involved.
- Contact your bank’s fraud department immediately to freeze the account and initiate a chargeback process.
- File a police complaint at your nearest cyber crime police station for formal investigation.
For professional guidance and digital investigation support in dual SIM fraud cases, contact cyber expert Anuraag Singh.
