SBI Warns of Smishing Campaign Targeting YONO App Users with Fake Aadhaar Update Lures
State Bank of India has issued an urgent fraud alert warning customers of a social engineering campaign that uses fake SMS, WhatsApp, and email messages claiming the YONO app will be deactivated unless victims update their Aadhaar number via a malicious link or APK file.
State Bank of India (SBI) has publicly warned customers about a widespread social engineering campaign targeting users of its YONO mobile banking app. Fraudsters are sending fake messages via SMS, WhatsApp, and email that claim the app will be deactivated unless the recipient immediately updates their Aadhaar number. The messages create a false sense of urgency and push victims to click a malicious link or download an unauthorized APK file. SBI confirmed in an official fraud alert shared with Cyber Security News that the bank never asks customers to update Aadhaar details through APK files or unofficial links.
The scam relies on a technique known as smishing—SMS-based phishing—and has been circulating widely across India. The fake messages mimic official SBI communications, using language that sounds urgent and authoritative. Once a victim clicks the link or installs the APK, the malicious app can gain full control over the device. Attackers can then intercept OTPs, monitor banking sessions, and remotely access the device to steal credentials and drain funds. The fake apps are designed to look nearly identical to the legitimate YONO interface, making detection difficult for average users.
India's Press Information Bureau fact-checking unit, PIB Fact Check, has also stepped in to formally debunk the claims. In a public advisory, PIB called the messages deliberate fraud attempts designed to steal personal and financial information. The campaign is part of a broader rise in mobile-based phishing attacks across India, where cybercriminals have grown increasingly sophisticated in mimicking legitimate banking communications. The use of Aadhaar as a lure is particularly calculated, since linking Aadhaar to bank accounts is a well-known regulatory requirement that many customers are still completing.
SBI has urged customers to only download the official YONO app from the Google Play Store or Apple App Store. The bank emphasized that customers should never download any app through a link sent via SMS, email, or WhatsApp, regardless of how official the message appears. SBI also reminded customers that the bank will never ask for passwords, PINs, CVV numbers, or OTPs over a call, SMS, or any messaging platform. Anyone who receives a suspicious message should delete it immediately and report it to the bank's official email at report.phishing@sbi.co.in.
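The link rule in SBI's advice above, written as a message-triage check that a mail or SMS filter could apply. This is an added example, not SBI's or PIB's tooling; the store hostnames, the lure terms and the sample messages are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption of this example: only these two store hosts count as official.
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
LURE_TERMS = ("aadhaar", "deactivat", "yono")  # themes named in the alert

# Constructed sample messages (example.net is a reserved documentation domain).
SAMPLES = [
    "Your YONO app will be deactivated today. Update Aadhaar: http://example.net/yono.apk",
    "Update Aadhaar now at https://play.google.com.example.net/store/apps",
    "Install YONO only from https://play.google.com/store/apps",
]


def classify_url(url):
    """Label one URL: 'official-store', 'apk-download' or 'unofficial-link'."""
    if not re.match(r"https?://", url, re.IGNORECASE):
        url = "http://" + url  # bare www. links still need a scheme to parse
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, treat as untrusted
        return "unofficial-link"
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.path.lower().endswith(".apk"):
        return "apk-download"
    # Exact host match only: a substring test would accept lookalikes such as
    # play.google.com.example.net or play.google.com@example.net.
    if parts.scheme.lower() == "https" and host in OFFICIAL_STORE_HOSTS:
        return "official-store"
    return "unofficial-link"


def triage(message):
    """Return (verdict, reasons) for one SMS, WhatsApp or email body."""
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(message)]
    labels = [classify_url(u) for u in urls]
    risky = [label for label in labels if label != "official-store"]
    lures = [t for t in LURE_TERMS if t in message.lower()]
    reasons = [f"link: {r}" for r in risky] + [f"lure: {t}" for t in lures]
    if risky and lures:
        return "report", reasons
    return ("suspicious" if risky else "no-risky-link"), reasons


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

The second sample is the case a naive "contains play.google.com" filter would let through; parsing the hostname and matching it exactly is what catches it.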
Customers can also report financial cybercrime through the National Cyber Crime Reporting Portal at www.cybercrime.gov.in or by calling the national helpline at 1930. SBI's fraud alert reached nearly one million people within hours of being posted on the bank's official social media channels. The bank continues to advise customers to stay vigilant and to run a full antivirus scan if they suspect their device may have been compromised. Changing all account passwords immediately from a separate, trusted device is also recommended.
This campaign underscores the growing threat of smishing attacks targeting Indian banking customers. As mobile banking adoption surges, cybercriminals are increasingly exploiting the trust users place in official-looking communications. The combination of social engineering, fake APK distribution, and Aadhaar-themed lures makes this a particularly dangerous threat. SBI's swift public response and coordination with PIB Fact Check highlight the importance of rapid, clear communication to help customers recognize and avoid such scams.