Your credit card OTP is your last line of defence. Why sharing it can empty your account

Representative image

Credit card fraud in India has become more sophisticated, but most successful scams still rely on one simple mistake: persuading the cardholder to share a one-time password, or OTP, over the phone. Despite repeated warnings from banks and regulators, cases of unauthorised transactions continue to rise because scammers know that an OTP is the final lock between them and your money.

An OTP is not a formality. It is the transaction itself When you enter an OTP, you are not “verifying” a transaction in the abstract. You are authorising it. The OTP is designed as a second factor of authentication, meaning the bank treats it as your explicit consent to debit your card. Once an OTP is entered, the transaction is considered customer-approved, which makes recovery extremely difficult.

This is why banks repeatedly state that OTPs must never be shared, even with someone who appears knowledgeable, polite, or urgent.

Most OTP frauds follow a predictable pattern. The scammer creates urgency and authority at the same time. You may be told that your card will be blocked, a suspicious transaction must be reversed, a delivery cannot be completed, or a refund is being processed. In many cases, the scammer already has partial information such as your name, phone number, or last four digits of the card, which lowers your guard.

The moment you receive an OTP, the scammer asks you to read it out “for verification.” In reality, they are initiating a transaction in parallel. Once you share the code, the money is gone.

OTP-based fraud This is the part many victims find shocking. If a transaction was completed using the correct OTP, banks often classify it as authorised, even if it was obtained through deception. While complaints can be filed and investigations may follow, reversals are not guaranteed.

From the bank’s perspective, the security system worked as designed. From the customer’s perspective, the social engineering worked better than expected. This gap is exactly why prevention matters more than post-fraud action.

One common belief is that fraud only happens if you click a suspicious link. In reality, many victims never click anything. Another myth is that scammers can “see” your OTP anyway, so sharing it does not matter. This is false. The OTP is generated specifically for your device and session. If you do not share it, the transaction usually fails.

Some people also assume that calls from numbers showing a bank name are safe. Caller ID spoofing makes this unreliable. A phone number alone proves nothing.

If someone claims to be calling from your bank, end the call. Use the official number on the back of your card or the bank’s app to check. If you receive an OTP you did not initiate, do nothing. Do not share it. Do not press any keys. Simply ignore it and alert the bank through official channels.

It also helps to keep transaction alerts active and set lower spending limits for online transactions, especially if you rarely use your card digitally.

As digital payments expand, fraudsters are shifting from technical hacks to psychological tricks. OTP scams work because they exploit trust, fear, and urgency, not technology gaps. Treating your OTP like your card PIN, private and never spoken aloud, is one of the simplest and strongest protections you have.

No. Banks do not ask for OTPs over calls, messages, or emails. Anyone who does is attempting fraud.

Immediately contact your bank, block the card, and raise a fraud complaint. Speed matters. Even then, recovery is not guaranteed, which is why prevention is critical.

No. OTPs are meant only for you to enter on a secure payment page or app. Merchants, agents, and service staff never need to know it.

If there is one rule to remember with credit cards, this is it: if you did not initiate the transaction yourself, never share the OTP, no matter who is asking or how urgent it sounds.