SBI Phishing Guide — Real vs Fake SBI Emails, SMS and Websites
How to spot SBI phishing: real vs fake SBI domains, sender IDs, common 'KYC' and 'debit-card block' traps, and how to report to SBI + cybercrime.gov.in.
Official SBI (State Bank of India) channels
- Retail net banking: https://retail.onlinesbi.sbi
- YONO: only from Play Store / App Store — the app publisher must be 'State Bank of India'
- Fraud helpline: 1800 11 1109 (24×7, toll-free)
- Report phishing URLs: report.phishing@sbi.co.in
- Cybercrime helpline: 1930
Phishing red flags specific to SBI (State Bank of India)
- URL is anything other than *.onlinesbi.sbi or *.sbi.co.in — lookalikes like sbi-yono.co.in, onlinesbi-verify.in, sbi-kyc.co are all fake.
- SMS sender ID isn't a 6-character TRAI-registered ID starting with your area's code (e.g. AX-SBIINB, JD-SBIYNO). Random IDs = scam.
- Email is from anything other than @sbi.co.in — check the actual sender, not just the display name.
- Any message asking for your INB password, ATM PIN, CVV, OTP, or Aadhaar OTP. SBI never asks.
- 'Debit card will be blocked in 24 hours' / 'PAN not linked, account frozen' — classic urgency traps.
How to verify a message is real
- For every 'SBI' link: paste into PhishGuard's URL scanner. It flags lookalike domains, checks the SSL issuer (real SBI uses DigiCert), and shows the domain age (fakes are almost always <30 days old).
- For SMS: check if the sender ID matches SBI's registered TRAI IDs. Unknown IDs get forwarded to 1909.
- For calls: hang up and dial 1800 11 1109 yourself. Real SBI officers are happy for you to call back on the official line.
Why SBI (State Bank of India) is a top phishing target in India
SBI (State Bank of India) has one of the largest digital-banking footprints in India. Every additional million users adds proportional phishing volume — attackers automate template generation, register hundreds of lookalike domains per week, and rotate them faster than the takedown process can keep up. The bank's official channels are stable and well-documented; the fake ones aren't. This guide focuses on the difference so you can decide in under 30 seconds whether a message deserves your PIN.
What to do in the first 60 seconds of a suspicious message
Stop. Don't click. Read the sender ID, the domain in the URL, and the ask. If any of the red flags below apply, screenshot the message and delete it. If money already moved, call 1930 immediately and file at cybercrime.gov.in within 24 hours — that is the RBI-mandated window where beneficiary accounts can still be frozen. Every hour after that reduces recovery odds sharply.
Frequently asked questions
What is the real SBI online banking URL?
https://retail.onlinesbi.sbi for retail customers, https://corp.onlinesbi.sbi for corporates. Nothing else is real, no matter how convincing the page looks.
Will SBI ever email me a link to reset my password?
No. Password reset always starts inside the app or the real onlinesbi.sbi portal — SBI does not send password-reset links by email or SMS.
How do I report an SBI phishing SMS?
Forward it to 1909 (TRAI spam) and email a screenshot to report.phishing@sbi.co.in. If you lost money, also call 1930 within 24 hours.
Are SBI YONO WhatsApp helpline messages real?
SBI does not offer support over WhatsApp. Any 'YONO helpline' WhatsApp number is a scam — always use 1800 11 1109 or the in-app help.
How can I test a suspicious SBI link before clicking?
Paste it into PhishGuard's scanner. 55+ checks including domain age, SSL certificate, redirect chain and ML classification return a verdict in under 3 seconds — no login needed.