That Customer Support Number You Googled Might Be the Scam
Your food order is late. Your bank app is frozen. Your gas booking did not go through. You do what anyone would do: type the company name plus "customer care number" into Google and pick the first result. Forty minutes later, ₹80,000 is gone and the polite man on the call has hung up. The number was never the company's.
This is one of the oldest tricks on the Indian internet and one of the most under-reported, because losing money to a number you found yourself feels embarrassing in a way that getting deepfaked does not. Cybercrime units in Mumbai, Bengaluru and Delhi have been flagging it for years. The Reserve Bank of India put out a fresh advisory on it again this year. The numbers keep going up.
The premise is simple. You search for a helpline. The result that shows up is not the helpline. Whoever answers knows enough about the company to sound right, and within ten minutes they have you installing something, sharing an OTP, or scanning a QR code that quietly authorises a payment out of your account.
The one rule that fixes most of this: never get a customer care number from a search engine, a comment section, a Justdial listing, or a WhatsApp forward. Go to the company's own app or its official website typed by hand. If the number is not there, it is not the number.
How the fake number ends up on top of your search
Scammers do not need to hack Google. They use the rest of the web. A planted Quora answer. A blog post on a free WordPress domain titled "Swiggy refund helpline 24x7". A pinned YouTube comment. A Facebook page with the brand's logo and a customer care number in the bio. A business listing on a low-trust local directory. By the time you search at 11pm with a cold dinner in your hand, four of the top ten results carry the same fake number and your brain treats the repetition as proof.
The companies most often impersonated are the ones people get genuinely stressed about: banks, UPI apps, food delivery, airline and hotel cancellations, LPG gas booking, electricity boards, courier tracking, and crypto exchanges. Anything where you are already mildly anxious and want a human voice fast.
What happens on the call
The voice on the other end is calm, courteous, often more polished than a real support agent. They ask for your registered mobile number, then your order ID or account last four digits, and they read it back to you correctly. That is the moment your guard drops. From here, one of three things tends to happen.
First, they tell you they need to "verify" the refund and ask you to install AnyDesk, TeamViewer, or "RustDesk Quick Support" so they can guide you through it. The moment that app is running, they can see your screen, your SMS, and any banking app you open. An OTP shows up, they read it off your screen, and the money moves. Second, they ask you to scan a QR code "to receive the refund." Every UPI QR code authorises a payment out of your account, never into it. Third, they ask you to make a tiny test payment of ₹1 or ₹5 "to verify the account", which on a manipulated payment page becomes ₹50,000 once you enter your UPI PIN. The PIN authorises the actual amount on the page, not the figure they spoke out loud.
The signals are pretty consistent
A real support agent will never ask you to install a remote-access app. A real support agent will never ask for your UPI PIN, your card CVV, your full card number, your net-banking password, or an OTP, ever. A real support agent will not need you to scan a QR code to get a refund credited. A real support agent will not push you to do everything in one call before "the system times out." If any of these show up, the call is the fraud. It does not matter how legitimate the helpline number looked when you found it.
Where to actually find the right number
For your bank, open the bank's own app and look under Help or Contact Us. The number printed on the back of your debit card is also fine. For UPI apps like PhonePe, Google Pay, or Paytm, the support flow lives inside the app itself, usually attached to the specific transaction. For Swiggy, Zomato, Blinkit, Zepto, Amazon, Flipkart, IRCTC and similar, every order has a Help button. Use that. For airlines and hotels, go to the booking confirmation email and use the number printed there. None of these require a Google search.
If you must use a search engine, type the brand's own domain by hand and look for a /contact or /help page on it. Ignore everything that is not the company's own site, even if it looks helpful.
If you have already been hit
Speed is the only thing that helps. Call 1930, the national cyber helpline, and file at cybercrime.gov.in immediately. There is a short window, sometimes only an hour, in which the receiving bank can hold or reverse the transfer. Uninstall any remote-access app the scammer made you install, then change every password you used on that phone, especially banking and email. Report the fake number on Sanchar Saathi Chakshu so the telecom side has a record. Keep the call log, the chat history, and the UPI references safe.
Why this matters for FakeOut
There is no AI in this scam. No deepfake, no cloned voice, nothing for a media detector to catch. The whole con is built out of a Google result, a confident voice, and a moment of stress. That is exactly the kind of situation a regular person needs a second opinion on before they act.
That is the direction FakeOut keeps moving in. The detection side keeps improving, but the bigger goal is to be the app you open before you dial, click, or pay. A phone number forwarded on WhatsApp. A "customer care" link from a Google result. A QR code a stranger on a call asked you to scan. Drop it in. If it is clean, you are back to your day in thirty seconds. If it is not, you have just saved yourself a very bad evening.