Introduction

The Call Merger Scam is a new form of mobile fraud rapidly rising in India, where scammers exploit the call conference feature on phones to steal one-time passwords (OTPs) and bank details. In recent months, authorities like the National Payments Corporation of India (NPCI) have issued warnings on social media about this scam’s surge. Cases of unsuspecting people losing money have been reported across the country, underscoring the need for public awareness.

This introduction sets the stage for understanding how the scam works, its legal ramifications, and, most importantly, how to prevent falling victim to such mobile fraud. In this blog, we’ll explain the scam step-by-step, discuss a real-life example, outline relevant Indian laws (under the Bhartiya Nyay Sanhita, IT Act 2000, and Indian Telegraph Act), and provide practical tips on prevention and how to report cyber fraud in India.

How the Scam Works

Call Merger Scam fraudsters use social engineering and timing to trick victims. Here is a step-by-step breakdown of how these scammers execute the con using call merging:

1. Initial Contact: The victim receives an unexpected call from a stranger posing as a friend or an acquaintance. The caller often claims they got the number from a mutual friend and might offer an exclusive event invitation or urgent request to build trust. For example, the scammer might say a friend is trying to reach you urgently from another number.
2. Request to Merge Calls: During the call, the scammer asks the victim to merge another incoming call, supposedly from that mutual friend or a VIP. They insist on using the phone’s “conference” feature, which links the calls together. The victim, believing the story, agrees to the call merge.
3. Connecting to an OTP Call: In reality, the second call is not from a friend or VIP. It is actually an automated OTP verification call from the victim’s bank or a payment service. The scammer (or an accomplice) had simultaneously initiated a transaction or reset request that triggers the bank to call the victim with an OTP. Once the calls are merged, the victim is unknowingly connected to the bank’s OTP system.
4. OTP Revelation: With the call merged, the one-time password is announced by the bank’s system or heard by the scammer. In some cases, the victim might hear a voice or see a message and share the OTP aloud, not realizing the scammer is listening. Often, the victim believes this OTP is part of the legitimate process (for example, a verification for the supposed event or offer) and doesn’t suspect foul play.
5. Financial Loss: As soon as the OTP is obtained, the fraudster uses it to complete an unauthorized transaction. The victim’s bank account is drained within moments. By the time the call ends, the money is gone. The entire scam relies on precise timing and the victim’s trust, allowing criminals to bypass security without the victim directly sharing account details.

This scam is dangerous because it exploits a basic phone feature (call merging) that many people use without a second thought. Unlike typical phishing emails or texts, a phone call feels personal, and the well-timed OTP request catches even tech-savvy users off guard.

Real-Life Case Study

To illustrate the scam, consider a real-life scenario reported in India. In one case, scammers posed as media professionals inviting a journalist to cover an event. During the call, the scammer said a VIP guest would join from another number and convinced the journalist to merge the incoming call. Once merged, the “VIP” call was actually an OTP verification from the journalist’s bank, triggered by the fraudsters. The scammer silently listened in and captured the OTP, then immediately used it to siphon money from the victim’s account. The journalist, thinking the OTP was part of the event coordination, unknowingly facilitated the fraud. By the time the call ended, a significant sum had been withdrawn, leaving the victim stunned and helpless.

This case mirrors many others where victims are tricked into believing a friend, colleague, or important person is on the line. In another reported incident, a scammer pretended to be a friend who urgently needed help. He asked the victim to merge calls to speak with a “bank official,” but in fact merged in the bank’s automated OTP call. The victim heard the bank’s call and shared the OTP, allowing the fraudsters to empty his account within minutes. These examples highlight how convincing and creative scammers can be in orchestrating the Call Merger Scam India incidents.

The rising frequency of such cases prompted banks and payment authorities to alert users. NPCI’s warning on X (Twitter) came after multiple complaints of this modus operandi. It’s a stark reminder that even a seemingly harmless action—merging a phone call—can lead to major financial loss if one isn’t vigilant.

Legal Implications

Falling prey to a call merger scam is not just a personal loss; it’s a serious crime under Indian law. Both the scammers and any accomplices are liable for multiple offenses. Key legal provisions that cover the Call Merger Scam include:

Bhartiya Nyay Sanhita (Indian Penal Code replacement): The new Bharatiya Nyaya Sanhita, 2023 (which replaces the Indian Penal Code) has provisions similar to IPC for cheating and impersonation. Cheating is defined and punished under Section 420 of the IPC (now Section 318 of BNS). This applies when a person is deceived and induced to part with property or security—in this case, the victim is deceived into revealing an OTP or approving a transaction, leading to monetary loss. Cheating by personation (pretending to be someone else) is also an offense (IPC Section 419, mirrored in BNS)—here scammers impersonate a friend or official on the call. If caught, perpetrators can face imprisonment and fines. For instance, Section 420 IPC (Section 318 BNS) allows for up to 7 years imprisonment and fine for cheating and dishonestly inducing the delivery of property. Organizing such a scam could also invoke charges of criminal conspiracy under the code.

Information Technology Act, 2000: The IT Act specifically addresses cyber fraud and identity theft. Section 66D of the IT Act deals with “cheating by personation using computer resources or communication devices.” This directly covers scams conducted over phone calls or the internet. Under Section 66D, anyone who cheats by impersonating someone else through a communication device (like a mobile phone call) can be punished with up to three years imprisonment and a fine up to ₹1 lakh. This provision is often applied in phishing cases and would certainly cover call merging scams where the fraudster pretended to be a friend/bank officer. Additionally, Section 66C of the IT Act (identity theft) could apply if the scammer fraudulently uses the victim’s OTP or digital identity to authenticate a transaction. Section 66C also carries up to three years jail and fines for using another person’s unique identification (such as OTP or password) dishonestly. These sections in the IT Act bolster the conventional penal provisions and specifically target cyber crimes.

Indian Telegraph Act, 1885: Although an older law, the Indian Telegraph Act governs the use of telephone networks and can be invoked for telephone-related fraud. Notably, Section 25(b) of the Telegraph Act makes it an offense to intercept or acquaint oneself with the contents of any message or call without authority. A scammer who uses call merging to secretly listen to an OTP phone call is essentially intercepting a communication. This is punishable by up to three years imprisonment, or fine, or both under the Telegraph Act. In essence, the fraudster is misusing the telecom network to commit theft, which violates this law. While primary charges in a call merger scam case would stem from the BNS/IPC and IT Act (for fraud and impersonation), the Telegraph Act provides additional scope to penalize the technical act of call interception. Law enforcement agencies may cite this Act to emphasize the illegality of tampering with telephone communications.

In summary, Indian law has robust provisions to deal with such scams. Cheating and fraud offenses (Section 418, 419, 420 IPC / Section 318 BNS) and cyber-fraud laws (Sections 66C, 66D IT Act) can be applied together. Offenders, if convicted, could face multiple years behind bars. From a cyber crime legal advice perspective, victims should know that they have strong legal grounds to pursue action. It’s important to file a complaint so that police can invoke these laws and possibly trace and charge the culprits. The combination of traditional criminal law and cyber law ensures that a call merger scam is treated as a serious crime, with consequences ranging from imprisonment to hefty fines.

Preventive Measures

Preventing a call merger scam is largely about awareness and caution. Since this fraud preys on our trust and quick reactions, the best defense is to stay vigilant and follow good mobile fraud prevention practices. Here are some actionable steps to protect yourself from call merging scams:

1. Never Merge Calls from Unknown Numbers: Be extremely cautious if anyone you don’t personally know asks you to add or merge a call. Scammers often create a sense of urgency or curiosity (“your friend is on another line” or “urgent bank verification”) to make you use the conference feature. If you receive such a request out of the blue, it’s a red flag. Politely refuse and end the call. Remember, legitimate organizations or true friends will not insist you merge calls unexpectedly.
2. Verify Caller Identity: If someone claims to be from your bank, a company, or even a friend of a friend, verify before acting. You can ask probing questions or simply tell them you will call back. For instance, if a caller says, “I’m your friend’s colleague, please merge our call,” pause and verify by contacting your friend directly. Impersonation is a key tactic in this scam, so always double-check claims. Do not trust caller ID alone, as numbers can be spoofed.
3. Be Wary of Odd Timing for OTPs: A crucial sign of the call merge scam is receiving an OTP (via SMS or call) that you didn’t expect. If during any call (even with someone you know) you suddenly get an OTP notification for no reason, do not share it or merge the call. Banks never ask for OTPs over phone calls. An unsolicited OTP often means someone initiated a transaction in your name. Treat this as suspicious and do not divulge the OTP under any circumstances.
4. Do Not Share Personal Info on Calls: Beyond OTPs, never share sensitive data like PINs, passwords, card numbers, or account details on phone calls. Scammers may try to extract information by gaining your confidence during a merged call. Maintain the rule that any personal banking info or login credential is off-limits on calls. Legitimate authorities will not ask for full confidential details over the phone, especially not via a third-party call.
5. Keep Your Phone Secure: While the call merge scam relies on social engineering, it’s wise to keep your phone’s security tight. Use strong screen locks and do not install unknown apps that could grant remote call control. Though not directly part of this scam, malware could facilitate call interception. Regularly update your phone’s OS for security patches.
6. Educate Family and Friends: Share this knowledge. Often, scammers target those who may be less aware of new fraud techniques (elderly or less tech-savvy individuals). Explain how call merging scams work to your family, friends, or colleagues so they too can spot the signs. Spreading awareness is one of the best preventive measures – the more people know about the scam, the less effective it becomes for fraudsters.
7. Be Skeptical of Unusual Scenarios: Finally, maintain a healthy skepticism. If someone creates an elaborate scenario requiring unusual actions (like merging calls or urgently handling someone else’s bank issue), question it. Scammers often create too good to be true opportunities or urgent problems to cloud your judgment. Trust your instincts – it’s better to be overly cautious than to fall victim.

By following these measures, you can significantly reduce the risk of being duped by a call merger scam or similar phone-based fraud. In fact, NPCI and cybersecurity experts advise all users to “stay alert and protect your money” when dealing with unexpected calls. A few seconds of prudence can save you from major financial trouble.

What to Do if You Are a Victim

Despite precautions, scams can happen to anyone. If you realize that you have fallen victim to a call merger scam or suspect an attempt, it’s crucial to act quickly and follow proper reporting channels. Here’s how to report cyber fraud in India and mitigate the damage:

1. Immediately Call the Cyber Crime Helpline (1930): The Government of India operates a toll-free all-India helpline 1930 for cyber crime incidents. As soon as you discover the fraud (for example, you shared an OTP or see unauthorized transactions), dial 1930. This helpline is managed by the Cyber Crime Coordination Center and connects you to a support system that can guide you. When you call, explain that you’ve been a victim of an online financial scam and provide details. Prompt reporting can sometimes enable authorities to coordinate with banks to freeze the stolen funds before they disappear.
2. Inform Your Bank or Financial Institution: Parallel to calling 1930, contact your bank’s customer care or fraud reporting line. Most banks have 24/7 helplines for reporting unauthorized transactions. Inform them of the fraudulent transaction and ask them to block your account or card (if relevant) to prevent further misuse. They can also initiate a dispute or chargeback for the transaction if possible. Quick reporting to the bank is vital in initiating the recovery process or preventing additional losses.
3. File a Complaint on the National Cyber Crime Reporting Portal: The Ministry of Home Affairs maintains the National Cyber Crime Reporting Portal (www.cybercrime.gov.in) where victims can file online complaints. On this portal, you can lodge a detailed complaint about the scam, including the phone numbers involved, transaction details, and any evidence (screenshots, call recordings if available). Filing on the portal ensures there is an official record and your case is forwarded to the concerned state cyber police department. It is user-friendly and allows you to track the status of your complaint using the provided reference number.
4. Visit the Nearest Cyber Crime Police Station or File an FIR: In addition to the online portal, it’s often a good idea to file a formal First Information Report (FIR) at your local police station, especially if a significant amount of money is involved. Many cities have a dedicated cyber crime police station or cell. Provide them with all details: call logs, bank statements showing fraudulent debits, and the sequence of events. Under Indian law, police are required to register an FIR for cognizable offenses like fraud. Having an FIR can help in insurance claims (if any) and shows you took due legal action.
5. Preserve Evidence: Do not delete call logs, SMS, or any communication related to the scam. Take screenshots of your call history showing the time of calls, any SMS/OTP messages, and transaction alerts. These will be useful for investigators. If the scammers communicated via any messaging app or email at any point, save those as well. The more evidence you have, the easier it will be for law enforcement to trace the culprits.
6. Follow Up: After reporting, regularly follow up with the bank and police. Ask your bank for an update on the investigation or if they managed to hold the funds. Banks sometimes coordinate with the receiving bank to freeze the beneficiary account. Also, follow up on your cybercrime.gov.in complaint by checking its status online or contacting the cyber cell. Persistence can help keep your case active.
7. Legal Assistance: If needed, seek legal advice from a cyber crime attorney. They can guide you on your rights, help draft police complaints, or even approach the courts if the response is inadequate. Since the question of legal action is complex, an advocate (like those associated with Advocate Adarsh’s platform) can provide personalized guidance (cyber crime legal advice) on next steps, including sending legal notices or filing private complaints if required.

Remember, being a victim of a scam is nothing to be embarrassed about—these fraudsters are professionals at deception. What’s important is the quick action you take afterward. Indian authorities are actively encouraging victims to come forward and report. The sooner you report, the higher the chance to recover funds or catch the scammers. The government’s initiatives like the 1930 helpline and the cybercrime portal are there to assist you, so utilize them without delay.

Conclusion

The Call Merger Scam is a sophisticated and dangerous form of mobile fraud that has been rising in India. It exploits the trust and quick reactions of victims, leading to significant financial losses. By understanding how this scam works and taking preventive measures, individuals can protect themselves and their loved ones from falling prey to such deceitful tactics.

Awareness and caution are the best defenses against the Call Merger Scam. By never merging calls from unknown numbers, verifying caller identities, being wary of unexpected OTPs, not sharing personal information over the phone, keeping your phone secure, and educating others, you can significantly reduce the risk of being scammed.

If you do find yourself a victim, it is crucial to act quickly by reporting the incident to the Cyber Crime Helpline (1930), informing your bank, filing a complaint on the National Cyber Crime Reporting Portal, preserving evidence, and seeking legal assistance if necessary.

By staying vigilant and spreading awareness, we can collectively combat the threat of the Call Merger Scam and safeguard our financial well-being. Remember, a few seconds of prudence can save you from major financial trouble. Stay alert and protect your money!