Bank customers across India, particularly those with accounts at the State Bank of India (SBI), have been cautioned about a recurring cyber fraud that exploits unsuspecting users through deceptive messages and malicious app files. The scam, which continues to circulate on messaging platforms such as SMS and WhatsApp, involves fraudsters impersonating SBI and urging recipients to click on links or download Android Package Kit (APK) files to redeem non-existent rewards or update supposed account details.
Authorities and SBI officials have highlighted a worrying trend: cybercriminals are using fake notifications promising “reward points” or urgent account actions to lure customers into installing harmful software. These deceptive messages often claim that the customer’s “reward points will expire today” and instruct them to download an app to claim the benefits. In reality, the bank has made it clear that it never sends such links or APK files via SMS or WhatsApp under any legitimate scheme.

Once an unsuspecting user clicks on the link or installs the fraudulent APK, their device can become vulnerable to malware. These malicious applications are designed to harvest sensitive information such as banking credentials, One-Time Passwords (OTPs), personal identification details, and other financial data. The consequences can include unauthorized access to bank accounts and significant monetary loss, as observed in multiple reported incidents across different regions.
Cybersecurity experts describe this scam as a classic example of social engineering, where psychological manipulation is used to trick individuals into making security mistakes. By invoking the fear of losing reward points or facing account issues, fraudsters put pressure on victims to act quickly without verifying the authenticity of the message. Once malware is installed, it can give hackers remote access to the victim’s smartphone, enabling them to read messages, intercept OTPs, and initiate unauthorized transactions.
Authorities have emphasised that SBI’s official communication channels will never ask customers to download apps from third-party links, and will never send app files outside trusted app stores like Google Play or the Apple App Store. Customers are urged to avoid clicking on unsolicited links, decline any installation requests for unknown APK files, and immediately report suspicious messages to the bank or relevant cybercrime units.
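A message-triage heuristic built from the indicators described above (SBI branding, a reward-points or account-update lure, urgency, and a link or APK that does not point at Google Play or the Apple App Store), shown as an added example that is not from the bank or any advisory. The signal names, phrase patterns, verdict labels and sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# The two stores the article names as trusted (their public hostnames).
TRUSTED_STORE_HOSTS = {"play.google.com", "apps.apple.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
APK_NAME_RE = re.compile(r"\b[\w-]+\.apk\b", re.I)
# Phrase patterns are assumptions drawn from the article's wording.
TEXT_SIGNALS = {
    "claims_sbi": re.compile(r"\b(?:sbi|state bank of india)\b", re.I),
    "reward_or_update_lure": re.compile(
        r"reward\s+points?|redeem|update\s+(?:your\s+)?account", re.I),
    "urgency": re.compile(r"expir\w*\s+today|urgent|immediately", re.I),
}


def triage(message: str) -> dict:
    """Score one inbound SMS/WhatsApp text against the lure described above."""
    signals = {name for name, rx in TEXT_SIGNALS.items() if rx.search(message)}
    for raw in URL_RE.findall(message):
        try:
            url = urlparse(raw.rstrip(".,;)"))
        except ValueError:  # malformed URL: never treat it as a store link
            signals.add("link_outside_store")
            continue
        if url.path.lower().endswith(".apk"):
            signals.add("apk_link")  # direct sideload download
        elif (url.hostname or "") not in TRUSTED_STORE_HOSTS:
            signals.add("link_outside_store")
    if APK_NAME_RE.search(message):
        signals.add("apk_reference")  # attachment name or ?file=x.apk
    brand = "claims_sbi" in signals
    has_apk = bool(signals & {"apk_link", "apk_reference"})
    has_link = has_apk or "link_outside_store" in signals
    pressure = bool(signals & {"reward_or_update_lure", "urgency"})
    # The bank says it never sends links or APK files over SMS/WhatsApp, so a
    # message that claims the brand and carries either is treated as hostile.
    if brand and (has_apk or (has_link and pressure)):
        verdict = "block"
    elif has_apk or (brand and has_link):
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "signals": sorted(signals)}


# Constructed sample; .example is a reserved, non-routable domain.
SAMPLE = ("Dear SBI customer, your reward points will expire today. Download "
          "the app to redeem: http://sbi-rewards.example/SBI_Rewards.apk")
print(triage(SAMPLE))
```

A brand-only text with no link (an ordinary OTP message, for instance) comes back as `allow`, so the rule keys on the combination of signals rather than on the bank's name alone.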
The rise in cyber fraud incidents has prompted increased advisories from financial institutions, law enforcement agencies, and cybersecurity bodies. These advisories recommend that users regularly update their devices and banking applications, enable two-factor authentication where possible, and promptly report any suspicious communication. In addition, experts suggest that users verify any urgent account notifications directly with the bank via official customer service channels before taking action.
As digital banking becomes even more widespread in India, with millions relying on mobile apps and online transactions, the frequency and sophistication of such scams are expected to grow. Customers are advised to stay vigilant and to treat any unsolicited digital communication, especially any involving financial incentives or urgent warnings, with scepticism and caution.

