How I Almost Called a Scammer
So last month my credit card statement had a charge I did not recognize. Rs 4,700 to some merchant name I had never seen before. I was sitting at my desk after dinner, scrolling through the Axis Bank app statement, and there it was between a Swiggy order and a petrol fill-up. My first reaction was irritation, then a quick flush of worry. Rs 4,700 is not a life-changing amount, but a charge you do not recognize is a charge you want explained, and you want it explained right now, not after a 48-hour email exchange.
I should have known better. I write about scams and digital safety. I have published articles warning people about exactly what I was about to do. But I was annoyed and impatient and I wanted a human being at the bank to tell me what was going on. So I picked up my phone, opened Google, and typed “Axis Bank credit card customer care number.”
The first result was a website. It was not axisbank.com. It was something like axis-bank-helpline.in, and it had the bank’s logo plastered across the top, the correct blue-and-maroon colour scheme, and a phone number displayed in large bold text with a “Call Now” button underneath. The layout was clean. The number looked real. I was one tap away from calling it.
Something stopped me. I cannot tell you it was expertise or training. It was just a flicker of doubt about the URL. I had typed axisbank.com enough times to know that the bank’s domain does not have hyphens in it, and this site had three. I closed the browser, opened the Axis Mobile app, tapped the “Contact Us” section at the bottom, found the official helpline number there, and called that instead. The charge turned out to be an annual subscription I had signed up for months ago and completely forgotten about. Mystery solved. No fraud. But if I had called the Google result, I would have been speaking to a scammer who would have walked me through “verifying my identity” by sharing an OTP, which would have authorized a transaction from my account to theirs.
I should have known better. I genuinely mean that, without any false modesty. I have warned my parents about this exact scenario. I have told friends to never Google a customer care number. And I nearly fell for it myself because I was mildly stressed about money and wanted a quick answer. That is all it takes. The scam does not need you to be ignorant or careless. It needs you to be in a hurry, and everyone is in a hurry when they think their bank account might have a problem.
The frustrating part is how preventable my near-miss was. If I had saved the bank’s number in my phone contacts months ago, I would never have opened Google. If the Axis Bank app had the helpline number on the main dashboard instead of buried in a submenu, I would have found it faster. If Google did not serve up scam websites as the first result for banking queries, none of this would be an issue. But none of those things were true, so there I was, one tap away from a scam call, and I write about this stuff for a living.
That evening, after the relief settled and the embarrassment kicked in, I decided to dig into how the scam actually works from the other side. Not just the “be careful what you Google” advice that everyone already knows and nobody follows when they are stressed. The actual mechanics. How do fake numbers end up on Google? What happens when you call one? Why is it still so easy to pull off in 2025? The answers made me angrier than the near-miss itself.
How Fake Numbers End Up on Google
The simplest method is a website. Scammers register a domain that looks like it belongs to a real company. SBI-customer-support.in. HDFC-helpline-number.com. PhonePe-care-India.in. These domains cost Rs 100 to Rs 500 per year. They build a one-page site, paste the company’s logo on it (downloaded from a Google image search in about four seconds), add a fake phone number in large font, and stuff the page with keywords: “SBI customer care toll free number,” “SBI helpline 24x7,” “SBI credit card complaint number.” Google’s crawler indexes the page. Within days, sometimes hours, it shows up in search results. If the scammer has done even basic search engine optimisation, it can land on the first page.
Some of them pay for Google Ads. This is the part that makes me genuinely angry. A scammer can buy a search ad targeting the keyword “HDFC bank customer care number,” and when someone searches for it, the scam website appears at the very top of the page with a small “Sponsored” label. Most people do not look at the “Sponsored” tag. They see the first result, they see a phone number, they call it. Google profits from every click. The scammer profits from every victim. And Google’s ad review process, which they claim catches fraudulent ads, clearly does not catch enough of them. I have personally reported fake customer care ads to Google on three separate occasions. Two of them were still running a week later when I checked.
Google Maps is another entry point, and in some ways a more dangerous one. Anyone can create a Google Business Profile. You fill in a business name (“State Bank of India Customer Care Centre”), add a phone number, pick a location on the map, and submit. Google sends a verification code to the address or phone number, but the verification process has gaps. Scammers use temporary addresses and disposable phones. Once verified, the fake listing appears in Google Maps results and in the Knowledge Panel that shows up on the right side of search results. That Knowledge Panel carries an implicit stamp of credibility. People trust it because it looks like Google has vetted the information. Google has not. They have only verified that someone with access to the listed address or phone number confirmed the listing, which is a very different thing from confirming it is legitimate.
I found fake Google Business listings for SBI, HDFC, ICICI, Flipkart, Amazon, and PhonePe within thirty minutes of looking. Some had reviews, including five-star reviews posted by the scammers themselves or their associates. One fake SBI listing had twenty-three reviews and a 4.2-star rating. It looked more legitimate than some actual bank branches on Maps.
Justdial and Sulekha are older platforms, but they are still a vector. Scammers create business listings on these directories with fraudulent contact numbers for real companies. Because Justdial and Sulekha allow businesses to pay for prominence, a scammer with a credit card can push their fake listing above the real one. These platforms show up in Google results too, so someone searching for “Flipkart customer care Bangalore” might click a Justdial link thinking it is reliable and find a scam number.
Social media is the fastest-moving channel. Whenever someone posts a complaint about a company on Twitter or Instagram, fake support accounts reply within minutes. I have watched this happen in real time. A friend tweeted about a failed Google Pay transaction. Within four minutes, three separate accounts responded. Two of them were fake. They had Google Pay logos as profile pictures, professional-sounding usernames like @GooglePay_Cares and @GPay_HelpDesk, and they asked him to DM his registered phone number so they could “check the transaction status.” The real Google Pay support account replied forty-five minutes later. By then, if he had engaged with the fakes, the damage would already have been done.
I tracked fake support accounts across Twitter for two weeks, covering ten major Indian companies: SBI, HDFC, ICICI, Paytm, PhonePe, Google Pay, Amazon, Flipkart, Swiggy, and Zomato. For every company, there were at least five active fake support accounts at any given time. Some used automated bots that scanned for mentions of the company name and replied with a template message within seconds. The speed is the weapon. When you are frustrated and someone responds immediately with a professional tone, you do not stop to verify the account. You just engage.
The frustrating part is that none of these methods are new. Scammers have been using every single one of these techniques for years. Google, Twitter, Justdial, and the other platforms are aware of it. They take down individual listings and accounts when they are reported, but the speed of removal does not match the speed of creation. A new fake listing or account replaces the old one within hours. It is a game of whack-a-mole, and the platforms do not have enough hammers, or do not want to invest in enough hammers, to win it.
After You Call: The Scam Playbook
I have spoken to eleven people who called a fake customer care number. Some lost money. Some caught on before the damage was done. What struck me was how similar their experiences were. The scammers follow a script, and the script barely changes from one victim to the next.
The call starts friendly. Professional. The person on the other end speaks Hindi or English fluently and with a call-centre cadence that sounds authentic. They greet you politely. If you have posted your complaint on social media and included your name, they greet you by name. “Hello Mr Sharma, thank you for calling. I can see your complaint in our system. Let me pull up your account.” These are phrases that real customer care agents use, and hearing them puts you at ease. You feel like you have reached the right person.
Then urgency enters the conversation. Something is wrong with your account. A suspicious transaction is pending. Your card will be blocked if you do not act immediately. Your KYC is expiring. A refund is being processed but requires verification. The specific trigger varies, but the intent is always the same: get you panicked, get you compliant, get you acting before you have time to think. A calm person asks questions. A panicked person follows instructions. The scammer needs you panicked.
What happens next follows one of a few scripts, and sometimes a combination of them.
The OTP script: They ask you to confirm the OTP that just arrived on your phone. They say it is for identity verification, or to confirm the complaint, or to process the refund. What has actually happened is that they have already initiated a transaction from your account, and the OTP is the authorization code for that transaction. When you read it out, the money moves. This takes about sixty seconds. Sometimes they ask for multiple OTPs in rapid succession, each one authorizing a separate transaction. One woman I spoke to in Pune read out four OTPs in under three minutes before she realized something was wrong. She lost Rs 72,000 across four transactions to four different accounts.
The remote access script: They tell you they need to “check your app settings” or “fix the error from their end” and ask you to download AnyDesk or TeamViewer. Once you install the app and share the access code, they can see your phone screen in real time. They open your banking app, initiate a transfer, and when the OTP arrives, they can see it on their screen before you even notice it. Some victims I spoke to said the scammer asked them to keep the phone face-down or not to look at the screen for a few minutes “while the system processes.” During those minutes, multiple transfers are executed.
The UPI reverse-request script: The scammer tells you a refund is incoming and asks you to “accept” it by entering your UPI PIN. What they have actually sent is a payment request disguised in the notification as a refund. When you enter your PIN to “accept,” you are authorizing a debit, not receiving a credit. This one catches even tech-literate people because the UPI notification can look ambiguous if you are not reading it carefully, and the scammer is deliberately rushing you.
The speed after the theft is what makes recovery so difficult. Once the scammer has your OTP or remote access, the money moves through multiple accounts and digital wallets within minutes. They use a chain of mule accounts to make the trail hard to follow. Rs 72,000 might land in one account, get split into three wallets, and be withdrawn from ATMs in three different cities before the victim has finished the phone call. Banks can freeze accounts if they are alerted quickly enough, but “quickly enough” often means within the first hour, and most victims do not realize they have been scammed that fast.
There is also a legal grey area that works against the victim. Because you gave the scammer your OTP or entered your UPI PIN yourself, the bank’s system recorded an “authorized” transaction. The bank did not fail you. The bank’s authentication worked exactly as designed. The scammer tricked you into authorizing the transaction, and that distinction matters when you ask the bank for a reversal. Under RBI circular guidelines, if you report unauthorized transactions within three working days, your liability is limited. But if the bank classifies the transaction as “authorized” because you shared the credentials yourself, the three-day rule gets murkier. Some banks push back. Some victims never get the money back.
Finding Real Customer Care Numbers (It Should Not Be This Hard)
After my near-miss, I sat down one evening and saved every customer care number I might ever need into my phone contacts. Took about twenty minutes. That twenty minutes might be the most valuable time I have ever spent on my phone.
The process was tedious but simple. For each bank, I opened the official app and went to the “Help” or “Contact Us” section. Axis Bank from the Axis Mobile app. SBI from YONO. HDFC from the HDFC Bank app. ICICI from iMobile. I cross-checked each number against the one printed on the back of my physical bank card. If both matched, I saved it. For credit card issues specifically, most cards have a separate helpline number printed below the card number on the back. That number is not on any website. It is physically embossed on a card that only you possess. It is probably the most trustworthy source of a customer care number that exists.
For PhonePe, Google Pay, and Paytm, I went to the help sections within each app and noted the support contact methods. PhonePe and Google Pay have shifted heavily toward in-app chat and callback requests rather than published phone numbers, which is actually safer because the entire interaction happens within an authenticated environment. You cannot accidentally end up talking to a scammer through an in-app support chat. Paytm still has a published helpline number and it is inside the app under Profile > Help & Support.
For Amazon and Flipkart, there is no published helpline number at all for general customers, and that is by design. Both companies route support through their apps and websites. You go to the order, tap “Get Help,” and the app connects you with a chat agent or schedules a callback. Any phone number you find on Google claiming to be Amazon or Flipkart customer care is almost certainly fake. The companies do not publish one. If you see one, it is a scam.
Swiggy and Zomato work the same way. Support is entirely in-app. You tap on the order, report an issue, and the app handles the communication. There is no Swiggy customer care phone number. There is no Zomato helpline. Scammers know that people expect a phone number and go looking for one, so they create fake listings to catch that search traffic. The correct answer is that these companies do not have publicly listed phone support. If you cannot resolve something through the app, you email them using the address listed in the app’s help section.
I wrote all of this down on a Google Doc and shared it with my parents, my in-laws, and two friends who I thought would find it useful. My father, who is 63 and relies on Google for everything, was surprised that half the companies on the list do not even have phone support. He had been Googling “Swiggy customer care number” every time he had a delivery issue. Every single time, he was one tap away from calling a scammer. He just happened to get lucky.
If you have already been scammed, speed is everything. Call your bank using the number on the back of your card or walk into the nearest branch. Tell them the transactions were fraudulent and request an immediate freeze on your account and any linked cards. Under RBI guidelines, reporting fraud within three working days limits your liability. File a complaint on cybercrime.gov.in, which is the government’s central portal for cybercrime reporting. Call 1930, which is the national financial fraud helpline. It operates around the clock and the operators can initiate the process of freezing the recipient accounts where your money was sent. The faster you call 1930, the higher the chance that the money can be intercepted before it gets withdrawn or moved further. File an FIR at your nearest police station. Bring screenshots of every transaction, every chat with the scammer, and the phone number you called.
If the scammer had you install AnyDesk, TeamViewer, or any remote access app, uninstall it immediately. Then change every password you have, but do it from a different device. If the scammer had access to your phone, they may have installed other monitoring tools or changed settings you are not aware of. Use a laptop or a family member’s phone to reset your email password, banking passwords, UPI PIN, and social media logins. Enable two-factor authentication on everything that supports it. If you are not sure whether your phone has been compromised, a factory reset is the safest path, but back up your photos and contacts first.
I keep coming back to the same frustration. Why is this still so easy for scammers to pull off? Google has the resources to verify business listings. Banks could publish their numbers more prominently. TRAI could crack down on the spoofed caller IDs. None of them do enough. So we are stuck Googling carefully and hoping we pick the right number. That should not be acceptable in 2025.
Comments (0)