OTP and banking fraud: protect your eSewa, Khalti and bank account
OTP and PIN theft is the fastest way fraudsters empty Nepali accounts. Learn exactly how these scams work, the one rule that stops them, and what to do in the first minutes if you have shared a code.
An OTP (One-Time Password) is the temporary code sent to your phone to approve a payment, login or money transfer. It is the last lock on your money — and the entire goal of a huge share of scams in Nepal is to trick you into handing that lock over yourself.
The reason is simple: if a fraudster has your card number or mobile-banking login but not the OTP, they usually cannot complete a transaction. So instead of hacking, they call, message or pressure you into reading the code aloud or typing it into a fake page. The moment you do, your money can be gone.
This guide focuses on the most common money-theft methods in Nepal — fake bank or wallet calls, KYC and 'account blocked' scams, reward and refund tricks, and QR/payment-request fraud — and the simple, unbreakable rules that defeat all of them.
The one rule that stops almost all banking fraud
Memorise this and you have closed the biggest door: no genuine bank, no eSewa, no Khalti, no ConnectIPS, no IME Pay, no telecom (NTC/Ncell) and no government office will ever ask you for your OTP, MPIN, mobile-banking password, card PIN or card CVV — by call, SMS, email or chat. Ever.
These codes are secret by design. Staff at your own bank do not need them and cannot ask for them. So the instant anyone asks for one — however official they sound, whatever ID they quote — you know with certainty it is a scam. There are no exceptions to this rule.
How the common scams work
Knowing the script makes the trick obvious. Most banking fraud in Nepal follows one of these patterns:
- 'KYC expired / account will be blocked' — a call or SMS says you must update KYC or reactivate your account immediately, then asks for an OTP or a link to 'verify'.
- Fake reward, cashback or refund — 'You won a Dashain bonus / cashback; share the code to claim it' or 'we sent a refund by mistake, return it.'
- Reverse-payment trick — the scammer sends a 'collect' or 'payment request' (not a payment) on a wallet and tells you to approve it or enter your PIN to 'receive' money; approving actually sends money out.
- Fake customer-support number — you search for a helpline online, call a scammer's number ranked high in results, and they walk you into sharing codes or installing remote-access apps.
- Card-detail phishing — a fake shopping or 'prize' site asks for your full card number, expiry, CVV and then the OTP to 'confirm'.
- SIM-swap / number issues — fraudsters try to take control of your number to receive your OTPs; protect your SIM PIN and report a sudden loss of signal.
Lock down your accounts (do this today)
A few minutes of setup makes you far harder to target. Work through this list now rather than after an incident.
- Set a strong, unique MPIN/password for each wallet and mobile bank — never your birth year, '1234' or your phone number.
- Turn on transaction alerts (SMS/app notifications) so you see any debit instantly.
- Keep daily transaction and transfer limits as low as you realistically need.
- Lock your SIM with a SIM PIN and use a screen lock on your phone.
- Save the real helpline numbers from your card and the official app — so you never have to search for them in a panic.
- Keep your wallet/bank app updated and download apps only from the official Play Store or App Store.
- Use a different password for your email, because your email can reset everything else.
Spotting a fake call, SMS or link
Fraudsters spoof names, numbers and message templates very convincingly, so judge the request, not the appearance. A real notification informs you; a scam pressures you to act and to share something secret.
Be especially wary of links. Open your banking or wallet app directly rather than tapping a link in a message, and check website addresses carefully for look-alikes (extra letters, wrong domain endings, or '.xyz'-style addresses pretending to be a bank). When a 'helpline' tells you to install AnyDesk, TeamViewer or any screen-sharing app, stop immediately — that lets them watch and control your phone.
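The look-alike check described above can be made mechanical. The following Python checker is an added example, not code from this guide or from any bank or wallet: it takes a web address, pulls out the hostname, and compares it against a short allow-list of official hostnames. The allow-list entries (`esewa.com.np`, `khalti.com`) are assumed for illustration and every sample address is constructed; confirm the real address from the back of your card or the official app before relying on the list. It flags three of the patterns the text mentions: a brand name embedded in an unrelated domain, a one- or two-letter misspelling of the brand, and a raw IP address standing in for a name.

```python
"""Flag look-alike web addresses against a short allow-list of official hosts.

Added example (not the guide's own code). The allow-list and sample addresses
are constructed for illustration; verify official hostnames yourself.
"""
import ipaddress
from urllib.parse import urlparse

# Assumed official hostnames (constructed allow-list for this example).
TRUSTED_HOSTS = ("esewa.com.np", "khalti.com")


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname; tolerate addresses typed without a scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is 'trusted', 'lookalike' or 'unknown'."""
    host = hostname_of(url)
    if not host:
        return "unknown", "no hostname in address"

    # A bare IP address in place of a bank or wallet name is a classic phishing tell.
    try:
        ipaddress.ip_address(host)
        return "lookalike", "raw IP address in place of a bank or wallet name"
    except ValueError:
        pass

    labels = host.split(".")
    for trusted in TRUSTED_HOSTS:
        brand = trusted.split(".")[0]  # e.g. 'esewa'
        # Exact match or a real subdomain (login.esewa.com.np) of the official host.
        if host == trusted or host.endswith("." + trusted):
            return "trusted", f"host is {trusted} or a subdomain of it"
        # Brand string present, but the registrable domain is something else:
        # esewa.com.np.verify-kyc.xyz, esewa-kyc.xyz, esewa.xyz
        if brand in host:
            return "lookalike", f"'{brand}' embedded in an unrelated domain ({host})"
        # Misspelled brand label such as esewe.com.np or khaltl.com.
        for label in labels:
            if len(label) >= 4 and label != brand and edit_distance(label, brand) <= 2:
                return "lookalike", f"label '{label}' is within 2 edits of '{brand}'"

    return "unknown", "not on the allow-list; open the official app instead"


if __name__ == "__main__":
    # Constructed sample addresses for demonstration only.
    for sample in (
        "https://esewa.com.np/login",
        "login.khalti.com",
        "http://esewa.com.np.verify-kyc.xyz/",
        "https://esewe.com.np",
        "http://103.1.2.3/esewa",
        "https://example.com",
    ):
        verdict, reason = classify_url(sample)
        print(f"{verdict:9} {sample:40} {reason}")
```

An "unknown" verdict is deliberately not treated as safe: the rule in the text is to open the official app directly, so anything that is not on the allow-list should be ignored rather than trusted.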
Key takeaways
- ✓ No bank, eSewa, Khalti, ConnectIPS, telecom or office will ever ask for your OTP, PIN, MPIN or CVV.
- ✓ An OTP is the final lock on your money — sharing it is like handing over the key.
- ✓ Open your official app directly; never act on links sent in messages or calls.
- ✓ Never install screen-sharing apps (AnyDesk/TeamViewer) on a stranger's instruction.
- ✓ If you are tricked, call your bank/wallet helpline within minutes and report to the Cyber Bureau.
OTP & Banking Fraud in Nepal — FAQ
The caller said they are from my bank's head office and even read my account number. Should I trust them?
No. Account numbers and personal details are often leaked or guessed, and caller ID is easily faked. The fact that they then ask for an OTP or PIN proves it is a scam, because real bank staff never need those. Hang up and call the number printed on your own card.
Someone sent me a 'payment request' on a wallet to give me money. Is that safe?
Be very careful. To receive money you do not approve anything or enter your PIN. A request that asks you to confirm or enter your PIN is usually a 'collect' request that sends money out of your account. Only approve PIN prompts for payments you are deliberately making.
Is mobile banking and eSewa/Khalti safe to use at all?
Yes, when used correctly they are safe and convenient. The weak point is almost never the app itself — it is the user being tricked into sharing a secret code. Follow the lockdown steps, never share OTP/PIN, and you remove the main risk.
I clicked a suspicious link but did not enter anything. Am I at risk?
Likely low risk if you entered nothing and did not install anything, but to be safe: close the page, do not enter any details, run a scan if it tried to download a file, and change your passwords as a precaution. Watch your account for any unusual activity.