SBI Alerts Customers Over YONO Phishing Arabian Post

SBI has clarified that it does not ask customers to download APK files for Aadhaar updates or account verification. Banking updates are carried out through official channels, branches, internet banking portals or verified applications downloaded from trusted app stores. Customers who receive such messages have been asked to report them to the bank's phishing reporting channel and to the national cybercrime helpline if money has been lost.

The campaign has gained attention because YONO is central to SBI's digital banking strategy. The platform has more than 8.7 crore registered customers and is used for savings accounts, fund transfers, loans, cards, insurance, investments and cash withdrawal services. SBI has also been expanding its digital infrastructure through YONO 2.0, aiming to increase mobile banking adoption and reduce dependence on branch-based transactions.

Fraudsters are exploiting that shift. As more customers move to mobile banking, attackers are increasingly using fake app updates, Know Your Customer warnings, Aadhaar-linked messages and account-freeze threats to trigger hurried responses. The technique relies less on sophisticated hacking and more on social engineering, where fear of losing access to banking services pushes victims to click first and verify later.

The use of APK files has become a particular concern. APKs are installation packages for Android apps and can bypass the protections offered by official app stores when users install them from unknown sources. Once installed, malicious software can seek permissions to read SMS messages, intercept OTPs, access contacts, overlay fake login screens or monitor device activity. This gives criminals a route to both credentials and transaction authentication codes.

Digital payment growth has widened the attack surface. More than 18,000 crore digital payment transactions were recorded during 2024-25, with UPI and mobile banking playing a central role in everyday financial activity. That expansion has improved access and convenience, but it has also made banks, payment apps and telecom-linked authentication systems attractive targets for organised fraud networks.

Banking fraud data points to the same risk environment. Card and internet-related frauds account for a large share of reported fraud cases by number, even though higher-value frauds are often linked to loans and advances. Cyber fraud complaints have also grown sharply through the national reporting system, with victims reporting losses running into tens of thousands of crore rupees across online investment scams, payment fraud, remote-access app misuse, courier impersonation and fake customer-care operations.

Regulators have responded by strengthening authentication norms, encouraging risk-based checks and pushing banks to improve fraud monitoring. The Reserve Bank of India's updated digital payment security framework gives regulated entities room to deploy additional verification where transaction risk appears high. Banks have also stepped up customer-awareness campaigns, warning users that OTPs, passwords and card details must never be shared, even with callers claiming to represent official institutions.