What the scam looks like in WhatsApp

The typical message arrives as a forward from a contact - sometimes a relative, sometimes a colleague, sometimes a "broadcast" from an unknown number that has been added to a WhatsApp group. The format is consistent across variants. An eye-catching banner image sits at the top, usually featuring the TRAI logo or the logo of a major telecom operator (Jio, Airtel, VI). The text underneath claims a "Government of India approved free recharge scheme" with specific numbers attached - "3 months unlimited 5G calls + 200GB high-speed data for all Indian users." A festival or occasion is named to justify the giveaway - Navratri, Diwali, Independence Day, the anniversary of the TRAI advisory itself in a recursive twist. A countdown adds urgency: "Limited slots - claim before midnight today." At the bottom is a link, usually shortened or hosted on a domain like trai-recharge[.]in or jio-free-offer[.]xyz.

The visual presentation is good enough to fool casual readers. The TRAI emblem is copied at high resolution. The Devanagari script is correct. The grammar reads as "official Indian English" - the kind of slightly stilted phrasing actual government circulars use. The forward chain itself adds social proof: if your uncle who works in IT forwarded it, it must be legitimate.

It is not. TRAI - the Telecom Regulatory Authority of India - is a regulator. It writes telecom policy and adjudicates disputes. It does not own spectrum, does not operate a network, does not sell plans, and does not give away recharges. The public TRAI advisory issued in 2024 and re-circulated in 2026 says exactly this: "TRAI does not authorise any recharge offers. Beware of fraudsters sending fake messages using the TRAI name and logo."

The 6 variants in active rotation

The exact image, link, and headline numbers change. The underlying templates do not. If your incoming WhatsApp message matches one of these, treat it as a scam by default.

Variant 1: Festival-themed free recharge

The most common version. "Navratri Special - Free Recharge from Government of India." Diwali, Holi, Eid, Independence Day, Republic Day, Janmashtami, and Onam all rotate through the same template. Festival-themed offers exploit the cultural moment - real telecom operators do run festival promotions, so a "Diwali bonus" message lands in a context where the user already half-expects something from their carrier. The link goes to a phishing page that asks for the user's mobile number and then routes them through an OTP step.

Variant 2: Operator-specific impersonation

"Jio Free Recharge - 3 months unlimited" or "Airtel Diwali Bonus - 200GB free" or "VI Mahabachat - 90 days free 5G." The message drops the TRAI angle and impersonates a specific operator directly. The branding is precise - Jio blue, Airtel red, VI red-and-yellow. Some variants use exact screenshots of real MyJio or Airtel Thanks app banners with a fake CTA overlaid. The destination domain typically contains the operator name on a non-official TLD: jio-bonus[.]xyz, airtel-diwali[.]in, vi-recharge[.]top.

Variant 3: TRAI government scheme

"Telecom Regulatory Authority of India announces free recharge for all citizens under Digital India initiative." This variant is the boldest - it directly invokes the regulator. Sometimes it cites a fake "TRAI Notification No. 2026-XX" with a realistic-looking format. Some versions claim the scheme is funded by "spectrum auction surplus" or "USOF (Universal Service Obligation Fund) refunds." None of this exists. TRAI does not run consumer benefit programs and does not distribute money or telecom services directly to citizens.

Variant 4: 5G migration / upgrade offer

"Upgrade to 5G free - government-mandated migration. Claim your free 5G SIM and 3 months data here." Plays on the legitimate India-wide 5G rollout that Jio and Airtel completed in 2023-2024. The phishing site mimics an operator portal, asks for the existing SIM number, then triggers a "verification OTP" that is actually a bank or UPI OTP the attacker is initiating elsewhere. Some variants also ship a fake "5G activation APK" that, once installed, requests SMS permission and intercepts every banking OTP that arrives.

Variant 5: Lockdown / emergency relief recharge

"PM CARES Relief - Free Recharge for affected families." Recycled directly from the COVID-19 era and still in circulation in 2026. Newer versions retheme it around floods (Himachal, Assam, Chennai), heatwaves, or "economic relief" packages. The emotional framing is the lever: families that genuinely need help are most likely to click. The destination page often asks for Aadhaar number alongside mobile number, which is identity-theft gold combined with the bank OTP that follows.

Variant 6: Lottery winner / lucky draw recharge

"Congratulations! Your mobile number was selected in the TRAI lucky draw. Claim your free unlimited recharge." Uses the long-standing "you have won" template. Sometimes pairs with a fake video of a "winner" receiving the prize. The page may add a "small processing fee" (Rs 1, Rs 5, Rs 10) collected via UPI - which is the actual hook. The Rs 10 collection page is a real UPI request, often using a fake VPA (trai-payout@upi, jio-bonus@ybl), and approving it sends money out of the victim's account rather than into it.

What the destination page actually does

Every variant ends at a landing page that mimics a real telecom or government portal. The branding is exact - TRAI emblem rendered at full resolution, Jio or Airtel theme colors, Hindi and English bilingual labels, official-looking footer with privacy and terms links that go nowhere. The visual mimicry passes a 5-second eye test for almost everyone, especially on a phone screen.

The page asks the user to enter, in sequence:

  1. Mobile number and operator selection (Jio, Airtel, VI, BSNL). This populates the attacker's database with phone-to-operator mapping for later targeting.
  2. Plan selection from a list of fake "approved" plans - this step exists purely to build commitment. The user invests three taps choosing the "best" plan and feels less inclined to back out.
  3. "Verification OTP" prompt. This is the heart of the scam. The user is asked to "enter the OTP sent to your mobile to verify and activate the recharge." What is actually happening: while the user sits on the phishing page, the attacker has initiated a transaction on the user's bank or UPI account elsewhere - a fund transfer, a UPI payment, or a new account setup. The OTP the bank sends is the authentication for that transaction. When the user types it into the phishing page, the attacker captures it and completes the transfer.
  4. Optional Aadhaar / PAN field in some variants. Pure identity-theft harvest.
  5. Optional UPI processing fee in lucky-draw variants. The Rs 10 fee is a live UPI request, which sometimes auto-approves if the user has UPI Lite enabled.

The most dangerous variants do not stop at OTP harvest. They also serve an Android APK file labeled "Recharge App" or "TRAI Verification App." Sideloading the APK installs an application that requests READ_SMS and RECEIVE_SMS permissions. Once granted, the app forwards every incoming SMS - including all subsequent banking OTPs - to an attacker-controlled server. This converts a one-time OTP theft into persistent access to every OTP the victim's phone receives. Banking, UPI, e-commerce, Aadhaar - all SMS-based authentication is compromised until the user factory-resets the device.

Why the URLs look almost convincing

The destination URLs follow a few predictable patterns. Recognizing the patterns is half the battle.

Pattern 1: TRAI / Jio / Airtel keyword on a non-official TLD

Real TRAI is at trai.gov.in. Real Jio is at jio.com and myjio.com. Real Airtel is at airtel.in. Real VI is at myvi.in. Any URL that carries these brand keywords on a different domain or TLD is a scam. Examples in active rotation:

  • trai-recharge[.]in
  • trai-india-gov[.]in
  • jio-free-offer[.]xyz
  • jio-bonus-2026[.]com
  • airtel-diwali[.]in
  • vi-mahabachat[.]top

The hyphen-keyword construction is the easiest visual tell. Real telecom subdomains are www.jio.com, care.airtel.in, my.vi.in - the brand name is always the second-level domain, never appended with hyphens or stitched into compound names.

Pattern 2: Subdomain on free hosting

Examples:

  • trai-bonus[.]vercel[.]app
  • jio-free[.]netlify[.]app
  • airtel-offer[.]pages[.]dev
  • trai-india[.]github[.]io

Free hosting platforms like Vercel, Netlify, Cloudflare Pages, and GitHub Pages take minutes to set up and provide automatic HTTPS. Attackers spin up a fresh subdomain, push the fake page, and start sending WhatsApp blasts. The hosting providers shut down reported phishing within hours - but the attack happens in those hours.

Pattern 3: URL shortener hiding the destination

Examples:

  • bit.ly/trai-bonus
  • tinyurl.com/jio-free-recharge
  • cutt.ly/airtel-diwali-2026
  • rebrand.ly/trai-verify

Shorteners are appealing to scammers because the user cannot tell from the WhatsApp message where the link actually leads. WhatsApp's link preview does not always unwrap shorteners. The destination is hidden until you tap.

Pattern 4: Lookalike with Devanagari or extra letters

Examples:

  • jiio-recharge[.]com (double "i")
  • airtell-india[.]com (double "l")
  • traii-gov[.]in (double "i")
  • jio-comm[.]in (extra "m")
  • trai[.]gov-india[.]in (deceptive subdomain - real second-level is gov-india[.]in)

Some variants also use Devanagari characters that resemble Latin letters in WhatsApp's default font, similar to the Cyrillic homograph trick used in Western phishing. Mobile fonts make these substitutions almost impossible to spot at a glance.

How real TRAI / telecom communications work

The simplest defense is knowing what a real telecom communication looks like. Memorize these facts:

  • TRAI never offers recharges. TRAI is a regulator. It writes tariff orders, adjudicates spectrum disputes, and runs the National Do Not Call registry. It does not sell, gift, subsidise, or distribute telecom services. Any message from "TRAI" offering a recharge is a forgery.
  • Real Jio / Airtel / VI offers come through their official apps. MyJio, Airtel Thanks, and the VI App are the only sources of authentic promotional offers from those carriers. The carriers also send promotional SMS from their registered short codes (JM-JIOOFR, AX-AIRTEL, VK-VFCARE pattern), but real promotional SMS does not ask for OTP or send links to non-official domains.
  • No telecom operator asks for OTP for "verification" or "activation." OTPs are bank-side authentication. They authorize money movement, account changes, and high-risk operations. A telecom plan activation does not require a bank OTP - ever. If a "recharge page" asks for an OTP, the OTP belongs to a transaction the attacker just started.
  • Sharing an OTP equals losing money. Indian banking regulation has hammered this point for a decade, but the OTP-culture habit of typing six-digit codes throughout the day defeats the warning. The rule is absolute: an OTP you did not initiate, going to a party you did not contact, equals immediate fund loss.
  • Real government schemes are announced through PIB (Press Information Bureau) and reputable news outlets. They are never first surfaced through a WhatsApp forward. If a "government scheme" is too good to verify in a one-second news search, it does not exist.

The 10-second check that catches every variant

You do not need to memorize every URL pattern. Use this short routine instead:

  1. Do not tap the link in the forwarded message. If a WhatsApp message claims a free recharge, the first action is to not tap. The link is the entire attack.
  2. Open your operator's official app. MyJio, Airtel Thanks, or VI App. If a real offer exists for your number, it will appear on the home screen of that app. If the app shows nothing, no offer exists.
  3. Remember: TRAI does not run promotional schemes. Anything claiming to be a "TRAI free recharge" is a scam by definition. No verification needed.
  4. Forward suspicious messages to 1909 (TRAI's complaint number for unsolicited and fraudulent communication) and report on sancharsaathi.gov.in, the Department of Telecommunications fraud reporting portal. Block the sender on WhatsApp - long press the message, tap "Report" - which both blocks the sender and forwards the message to WhatsApp's spam team.
  5. Tell the contact who forwarded it to stop forwarding. The message keeps spreading because every family WhatsApp group adds another thousand recipients. Breaking the chain at your family group does measurable damage to the attacker's distribution.

If you want a second opinion on a specific link, paste it into the SafeBrowz URL checker. The checker unwraps URL shorteners, checks domain age (most recharge scam domains are less than 30 days old), runs the URL through community blacklists, and returns a verdict in a few seconds. No login required.

What to do if you already clicked or entered information

Speed matters. The fraud window between OTP entry and chargeback closure is often less than 30 minutes. Move through these steps in order:

  • If you only entered your phone number: block the sender, report the message on WhatsApp, and forward to 1909. Watch for follow-up phishing calls over the next few weeks.
  • If you entered an OTP: call your bank's 24/7 fraud helpline immediately. Every major Indian bank (SBI, HDFC, ICICI, Axis, Kotak, PNB) has a dedicated fraud line printed on the back of the debit card and in the bank's mobile app. Tell them an OTP was disclosed in a phishing attack. Most banks have a 30-minute to few-hour window during which they can reverse the transaction before the receiving account drains the funds. Speed is the only thing that matters here.
  • File a complaint at cybercrime.gov.in, India's national cybercrime reporting portal. The portal handles financial fraud, social media fraud, and online harassment. You will need a screenshot of the WhatsApp message, the URL clicked, and the transaction reference if money was lost.
  • Call 1930, the Indian government's dedicated cyber-financial-fraud helpline. 1930 operators can initiate a "transaction freeze request" to the receiving bank within minutes - often faster than waiting on your own bank's queue.
  • Freeze the affected account via your bank's mobile app. Most apps now have a "Block debit card" and "Disable UPI" toggle accessible without a call. Pull both. Reactivate after the fraud team confirms no further attempts are pending.
  • If you installed an APK from the phishing page: the device is compromised. Factory reset the phone (Settings -> System -> Reset). Before reset, change passwords from a different trusted device for: primary email, banking apps, UPI PIN, social media. After reset, do not restore from a Google Drive backup made while the APK was installed - reinstall apps fresh from Play Store. Re-enable banking apps last, after verifying with the bank that no rogue UPI handles have been added to your number.

Why this scam keeps working in India

The scam works because of three specific psychological and cultural levers, not because the victims are uneducated.

Lever 1: India has the world's cheapest mobile data, and offers are real and frequent. A user in the US sees a "free 200GB" claim and immediately discounts it. A user in India sees it and thinks "Jio did exactly that in 2016 with the free 4G launch, and Airtel matched it. A bonus drop during a festival is plausible." The base rate of telecom promotions in India is high enough that "too good to be true" is not the right filter. The right filter is "is this coming through the official app or a WhatsApp forward."

Lever 2: WhatsApp forwards inside family groups carry implicit trust. A forwarded message from "uncle who knows tech" feels safer than the same message arriving from a random number. Family group culture in India treats forwards as low-stakes information sharing - the same channel that delivers good-morning images, recipes, and election news also delivers phishing. The user does not switch into a critical reading mode just because the topic changes to telecom. Even when the original sender is unknown, every forward through a trusted contact launders the source.

Lever 3: OTP culture has trained Indians to type six-digit codes many times every day. Logging into Aadhaar, paying via UPI, ordering groceries, booking trains, signing into Google, confirming a Zomato order - all OTP-driven. The cognitive cost of evaluating each OTP request individually is too high, so the habit is "if a code arrived, type it in." The recharge scam exploits exactly this habit. The OTP request feels routine because OTP requests are routine. The defense - "never type an OTP into a page I did not initiate" - is a habit that has to be installed deliberately because the default has been trained the other way.

How SafeBrowz catches the destination page

SafeBrowz runs as a browser extension on Chrome, Firefox, and Edge. The moment a recharge scam link is opened in the browser, the three-layer detection model kicks in.

Layer 1 - Local checks (offline, instant). Bundled rules running inside the extension. They look for known recharge-scam URL patterns (trai, jio, airtel, vi, vodafone as keywords on non-official TLDs), suspicious TLDs (.xyz, .top, .live, .click, plus .in when not paired with a known government or telecom prefix), free-hosting destinations (*.vercel.app, *.netlify.app, *.pages.dev, *.github.io), and hyphen-stitched lookalikes (trai-recharge, jio-free-offer, airtel-diwali). The check completes in milliseconds without any network call.

Layer 2 - API checks (community + shortener unwrap + domain age). If the URL slips past local checks, SafeBrowz queries Google Safe Browsing, a community-reported scam URL list, and a domain age lookup. URL shorteners (bit.ly, tinyurl.com, cutt.ly, rebrand.ly, and any path-pattern-detected shortener) are unwrapped server-side so the verdict runs against the real destination instead of the shortener interstitial. Domain age under 30 days, registration through a privacy-shielded registrar, or a Google Safe Browsing hit pushes the verdict toward danger.

Layer 3 - AI deep scan (content + brand impersonation in 100+ languages). The fetched page content is analyzed by a content-aware model that detects brand impersonation across more than 100 languages, including Hindi, English, and Hindi-English code-mixed copy. If the page renders the TRAI emblem, the Jio "J" logomark, the Airtel red wordmark, or the VI red-and-yellow palette on a domain that is not trai.gov.in, jio.com, airtel.in, or myvi.in, the page is flagged as brand impersonation. The AI layer also catches the linguistic fingerprints of recharge scams - "Government of India approved," "free unlimited 5G," "claim before midnight," "verification OTP" phrasing - in both Hindi and English. APK download prompts on a non-Play-Store domain raise the verdict further.

For users who do not want to install an extension, the same engine is exposed at the free public URL checker. Paste any link from a suspicious WhatsApp forward, get a verdict in seconds, no login. For wallet and security apps that want to integrate, the same detection is available as an API at api.safebrowz.com/v1/detect at $0.001 USDC per call.
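
The four URL patterns listed earlier and the Layer 1 local checks can be sketched as one small offline classifier. This is an added example, not SafeBrowz's code: the lists are copied from this page, and the function names (classify, triage), verdict names and reason strings are assumptions made for illustration.

```javascript
// Added example: local triage for the URL patterns this page lists.
// Lists are copied from the page's text; this is not SafeBrowz's rule set.
const OFFICIAL = ["trai.gov.in", "jio.com", "myjio.com", "airtel.in", "myvi.in"];
const BRANDS = ["trai", "jio", "airtel", "vi"]; // matched as whole host tokens only
const FREE_HOSTS = ["vercel.app", "netlify.app", "pages.dev", "github.io"];
const SHORTENERS = ["bit.ly", "tinyurl.com", "cutt.ly", "rebrand.ly"];
const RISKY_TLDS = ["xyz", "top", "live", "click"]; // from the Layer 1 description

// Reports defang links as trai-recharge[.]in; undo that before parsing.
const refang = (s) => s.trim().toLowerCase().replace(/\[\.\]/g, ".");
const isOrUnder = (host, d) => host === d || host.endsWith("." + d);
// Collapse repeated letters so "jiio" -> "jio" and "airtell" -> "airtel".
const squeeze = (t) => t.replace(/(.)\1+/g, "$1");

function classify(input) {
  let host;
  try {
    const s = refang(input);
    host = new URL(/^[a-z][a-z0-9+.-]*:\/\//.test(s) ? s : "http://" + s).hostname;
  } catch {
    return { host: null, verdict: "unparseable", reasons: [] };
  }
  // An official domain, or a subdomain of one (care.airtel.in), ends the check.
  if (OFFICIAL.some((d) => isOrUnder(host, d))) {
    return { host, verdict: "official", reasons: [] };
  }
  const reasons = [];
  const labels = host.split(".");
  // Pattern 3: the real destination is unknown until the shortener is unwrapped.
  if (SHORTENERS.some((d) => isOrUnder(host, d))) reasons.push("shortener");
  // Pattern 2: attacker-chosen subdomain on a free hosting platform.
  if (FREE_HOSTS.some((d) => host.endsWith("." + d))) reasons.push("free-hosting");
  if (RISKY_TLDS.includes(labels[labels.length - 1])) reasons.push("risky-tld");
  // Pattern 4, script lookalikes: URL() turns non-ASCII labels into xn-- form.
  if (labels.some((l) => l.startsWith("xn--"))) reasons.push("idn-label");
  // Patterns 1 and 4: a brand token, or a doubled-letter variant of one.
  let brandHit = false;
  for (const t of host.split(/[.-]/)) {
    const base = BRANDS.includes(t) ? t : squeeze(t);
    if (!BRANDS.includes(base)) continue;
    brandHit = true;
    reasons.push((base === t ? "brand:" : "lookalike:") + base);
  }
  const verdict = brandHit ? "likely-scam" : reasons.length ? "suspicious" : "no-local-match";
  return { host, verdict, reasons };
}

// Constructed sample input: defanged links taken from the page's own lists.
const SAMPLES = [
  "care.airtel.in",
  "trai-recharge[.]in",
  "jio-free[.]netlify[.]app",
  "airtell-india[.]com",
  "trai[.]gov-india[.]in",
  "https://bit.ly/trai-bonus",
];

function triage(urls) {
  return urls.map((u) => {
    const r = classify(u);
    return `${r.verdict}\t${u}\t${r.reasons.join(",")}`;
  });
}

console.log(triage(SAMPLES).join("\n"));
```

A "suspicious" or "no-local-match" result only means the local rules could not decide; the link still has to be unwrapped and checked against reputation data, as Layer 2 describes.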

For carriers and operators: how to protect your customers

If you operate Jio, Airtel, VI, BSNL, or a smaller regional carrier, the recharge scam is your problem because your customers receive forgeries of your messages and lose money believing the forgeries came from you. Mitigations you control:

  • Publish your real promotional channels prominently. "Real offers appear only inside the MyJio / Airtel Thanks / VI App. We never send recharge offers through WhatsApp forwards. We never ask for OTP to activate a plan." A short, repeated public message displaces the scammer's narrative.
  • Use your official SMS sender IDs consistently. Frequently changing or unfamiliar sender IDs train customers to accept random senders as legitimate. Keep promotional SMS on the registered DLT short codes and reinforce in customer onboarding what the real sender ID looks like.
  • Set DMARC, DKIM, and SPF on your sending domains. Email auth limits the attacker's ability to spoof your real email address, pushing them toward lookalike domains that customers can spot more easily.
  • Run customer education campaigns proactively. A one-paragraph reminder appended to every recharge confirmation SMS ("Your real recharges are confirmed inside the MyJio app. Ignore WhatsApp forwards offering bonus recharge - these are scams.") costs nothing and saves customer support volume.
  • Train your customer service team on the most common scam patterns. Customers calling in after losing money to a recharge scam need a clear playbook (1930 helpline, bank fraud line, sancharsaathi.gov.in), not boilerplate "check your account."

The bigger picture

TRAI recharge scams are one specific case of a broader WhatsApp phishing surge in India. The same delivery channel - forwarded messages inside family groups - carries fake KYC update demands from banks ("your account will be frozen unless you re-KYC at this link"), fake government scheme links ("PM Kisan Yojana refund pending - claim here"), fake delivery notifications for Amazon and Flipkart ("your package could not be delivered - reschedule here"), and fake job offers ("Reliance is hiring at home - register here"). The visual and operational template is identical across all of these. The brand and pretext change. The damage shape - OTP harvest, identity theft, UPI fund drain - stays the same.

WhatsApp does run anti-spam infrastructure, but the same end-to-end encryption that protects user privacy also prevents centralized message filtering. Carrier-level SMS authentication (DLT registration) covers SMS but not WhatsApp. Until messaging platforms implement universal sender authentication and link-reputation checks at delivery time - which has been discussed for years and remains incomplete - the defense burden falls on individuals, family-group elders who can break the forward chain early, and on the third-party tools users install. The 10-second check (do not tap, open the official app, verify there) is reliable but only if used every single time. Tools like the SafeBrowz extension and URL checker exist because human discipline is not actually consistent enough to defend against a daily, year-round, multi-billion-message attack volume.

Block recharge scam destinations automatically

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that detects TRAI, Jio, Airtel, VI, and other telecom phishing destinations the moment they load. The core protection is free forever. Premium adds drainer JavaScript detection and unlimited daily AI scans for $14.99 per year - or hold 10 million $SAFEBROWZ tokens on Base for unlimited Premium access. No install required to check a single link - the free public URL checker handles one-off cases.
