Is This SBI or HDFC KYC SMS Real or Fake?

· Anuranjan Vikas · 5 min read
bankingkycphishingscams

If a bank KYC SMS tells you to click a link urgently, assume it is unsafe until proven otherwise. Do not tap the link, do not enter your net banking password, do not share OTPs, and do not install any app from the message. Open your bank app manually or call the bank using the official number from its website.

Fake SBI, HDFC, ICICI, Axis, and Kotak KYC messages all follow a similar script. The bank name changes. The pressure tactic stays the same.

Your account will be blocked today. Complete KYC immediately.

That sentence is built to make you move before you think.

What a fake KYC SMS usually looks like

Common versions include:

  • “Your SBI account has been suspended due to incomplete KYC”
  • “HDFC KYC expired. Update now to avoid account block”
  • “Dear customer, PAN not linked. Complete bank verification”
  • “Your net banking will be disabled in 2 hours”
  • “Download this app for video KYC”

The message may include a link that looks close to the real bank name:

  • sbi-kyc-update.in
  • hdfcverify.net
  • sbionline-secure.com
  • hdfc-bank-kyc.co

Those are not official bank domains. A scammer only needs the domain to look familiar at a glance.

The simple rule

Real KYC updates should be checked through the official bank app, website, branch, or customer care number.

Do not trust:

  • Links inside SMS messages
  • WhatsApp links claiming to be from a bank
  • APK files for “KYC update”
  • Screen sharing requests
  • Calls asking for OTP or PIN
  • Forms asking for card number, CVV, net banking password, or UPI PIN

The Reserve Bank of India has warned the public about KYC fraud. RBI says these scams often use unsolicited calls, SMS, or emails, create false urgency, and push people to reveal login details, card information, PINs, OTPs, or install unverified apps. RBI also says people should contact their bank directly through official sources.

How to check the message safely

Do this before touching the link.

1. Read the sender name carefully

Scam sender IDs can look official. A sender name like SBIKYC, HDFCBK, or BANKKYC is not proof. Sender IDs can be abused or made to look convincing.

Use the sender as a clue, not proof.

On many phones, you can long press or preview the link to see the real domain. You are looking for the root domain, not just the words around it.

For example:

  • onlinesbi.sbi is very different from onlinesbi-safety.com
  • hdfcbank.com is very different from hdfc-bank-verification.in

If you are not sure, do not open it.

3. Open the bank app manually

Open the bank app from your phone. Do not use the SMS link.

Check:

  • App notifications
  • Profile or KYC section
  • Secure inbox
  • Account status

If the bank really needs something, it should show up there.

4. Call the bank from the official source

Get the number from:

  • The back of your debit or credit card
  • The bank’s official website
  • The bank’s official mobile app
  • A branch

Never call the number in the suspicious SMS.

5. Send it to Kaval

Forward the SMS or screenshot to Kaval on WhatsApp. Kaval can check the wording, link, domain, redirects, and risk signals, then tell you what to do next.

What Kaval might say

If the SMS is fake, a useful answer should be direct.

Unsafe. Do not tap this link. The domain is not owned by SBI and the page is asking for net banking details. Open the SBI app manually or call the number on your card.

If it cannot confirm:

I cannot verify this as official. Do not use the link. Check inside your bank app or call the bank from its official website.

That is better than a long explanation when the user is worried.

What if you already entered details?

Move quickly.

If you entered only your phone number or name

The risk is mostly follow-up scams. Expect more calls and messages.

Do this:

  • Do not answer unknown “bank support” calls
  • Do not share OTPs
  • Save the message as evidence
  • Report and block the sender

If you entered net banking password, card details, OTP, UPI PIN, or CVV

Treat it as financial fraud risk.

Do this:

  • Call your bank immediately
  • Ask them to block net banking or card access if needed
  • Change your password from the official app or website
  • Check recent transactions
  • Report on cybercrime.gov.in or call 1930

If you installed an app

Uninstall it. Then check permissions.

Look for:

  • Accessibility access
  • SMS access
  • Notification access
  • Screen recording
  • Device admin access

If you granted these permissions, use a clean device to change passwords and call the bank.

What not to do

  • Do not reply “STOP”
  • Do not call the number in the SMS
  • Do not forward the link to family without warning
  • Do not enter fake data to “test” the page
  • Do not assume it is safe because the bank name is spelled correctly

Scam pages are often built from real bank logos and copied layouts. Visual design alone means very little.

Final answer

If an SBI, HDFC, or other bank KYC SMS contains a link and threatens account blocking, treat it as suspicious. Check from the official app or bank website. If you entered sensitive details, call your bank and report financial cyber fraud through 1930 or cybercrime.gov.in.

When in doubt, forward the message to Kaval before anyone in the family taps it.