← All awareness guides

SBI YONO Phishing — How Fake YONO Login Pages Trap Customers

Fake SBI YONO login pages are the #1 banking phishing scam in India. Learn how to spot the fake URLs, what SBI will never ask, and how to report to cybercrime.gov.in.

India edition · Updated 2026-07-09

SBI's YONO app has 60+ crore users — which makes it the fattest phishing target in India. Scammers clone the login page pixel-perfect, host it on lookalike domains (yono-sbi-login.in, sbi-yono-verify.co), and drive traffic through SMS and WhatsApp forwards.

How the scam actually works

  1. The victim gets a message: 'Your SBI YONO account will be deactivated. Verify now: sbi-yono-verify.co/login'.
  2. The page looks identical to the real YONO web login — same colours, same logo, same input fields.
  3. Victim types Customer ID + password. Behind the scenes, the scammer relays those to the real yonosbi.com and captures the OTP the bank sends.
  4. Within 90 seconds, the scammer is inside the real account and initiates a beneficiary transfer.

Red flags — what to look for

How to report in India

  1. Call 1930 (cybercrime helpline) and SBI's fraud line at 1800 11 1109 within 24 hours.
  2. File at https://cybercrime.gov.in with the fake URL, SMS screenshot and any transaction alerts.
  3. Report the phishing URL to SBI at report.phishing@sbi.co.in — SBI's security team takes down cloned pages via hosting providers.
  4. Reset your Customer ID password and internet-banking password from the real app immediately.

How to protect yourself going forward

Prevention is boring but works. Enable UPI transaction alerts on SMS + email (both, not just one). Set a daily UPI cap of ₹10,000 unless you actively need more — you can raise it back in 30 seconds when required. Add a separate low-balance current account for online payments and keep the salary account off UPI entirely. Lock your Aadhaar biometric at resident.uidai.gov.in — that alone stops most eKYC-based downstream fraud even if your OTP is leaked. Finally, tell one family member every time you get a suspicious message. Fraud thrives on isolation.

What actually helps recovery

Time. The single strongest recovery factor is reporting to 1930 within the first hour. RBI's Turnaround-Time framework requires banks to freeze beneficiary accounts within specific windows and the 1930 number is plugged directly into that flow. After 24 hours, freeze probability drops sharply. After 72 hours, recovery is rare. Screenshot everything: the SMS, the caller number, the UPI ID, and the debit alerts. All of these become evidence on cybercrime.gov.in.

Frequently asked questions

What's the real SBI YONO web URL?

https://retail.onlinesbi.sbi (retail internet banking) or the YONO app from the official Play Store / App Store. Anything else is a clone.

Will SBI ever ask for my OTP over a link?

No. SBI never asks for OTP, PIN, CVV or password over SMS, email, WhatsApp, phone call, or any link. The OTP is meant to be entered inside the real app only.

I entered my details on a fake page — what now?

Immediately: (1) call 1930, (2) call SBI at 1800 11 1109, (3) reset your INB password from the real app, (4) file on cybercrime.gov.in. Time matters — first 24 hours gives the best recovery odds.

Are these fake sites hosted in India?

Most are hosted on cheap offshore servers (Russia, China, some in Ukraine) with Indian-looking domains bought via GoDaddy or Namecheap. The domain often lives less than 7 days before takedown.

How do I test a suspicious SBI link before clicking?

Paste it into PhishGuard's URL scanner. The scanner runs 55+ checks including domain age, SSL certificate issuer, redirect chain and ML classification — and tells you in 3 seconds if the URL looks like a phishing clone.