Digital wallet scam: Rs 2.4 million disappeared after victim fell for the Rs 9K 'bonus' trap
KATHMANDU: In the last week of February 2025, Solukhumbu-5 (symbolic name) received a phone call: “Hello! I am calling from the eSewa Service Center.”
Solukhumbu-5 replied, “Yes! How can I help you? Please tell me.”
The caller explained, “You have won a reward of Rs 9,000!”
Solukhumbu-5 asked with a tone mixed with curiosity, “Oh, really?”
The voice from the phone came again, “You will receive an OTP (One Time Password) number on your mobile. Send it to me. The money will be deposited instantly.”
Solukhumbu-5 quickly said, “Okay, I will send it right away.”
True enough, an OTP arrived on his mobile within 10 seconds. He sent it without any thought. After a while, a call came again from the same number: “Sir, the reward amount needs to be transferred to your bank account. Please provide the bank account number.”
He immediately provided the account number.
The caller suggested, “You will receive an OTP code. Please tell me what it is!”
Sure enough, the OTP code arrived. He relayed it as well.
The caller had said that an OTP code would come one more time. He gave that one too.
After that, neither did an OTP arrive, nor did the phone ring. He was relieved, thinking he had won a reward. He kept checking eSewa from time to time. He refreshed it many times. The reward money didn’t arrive. Instead, a message arrived shortly after, which left him utterly shocked.
The message read, “Rs 2.4 million has just been withdrawn from your bank account.” He immediately checked his bank account. It was confirmed that Rs 2.4 million had vanished.
That same day, he went to the Nepal Police Cyber Bureau in Bhotahity to file a complaint about the lost money.
“It appears that Solukhumbu-5 was delighted without properly verifying whether the incoming number belonged to the eSewa Service Center. Why would any company send a reward without a reason? This incident occurred because such a simple thing was ignored. We are investigating,” says Superintendent of Police Deepak Raj Awasthi, spokesperson for the Nepal Police Cyber Bureau.
The last OTP code requested from Solukhumbu-5 turned out to be for Connect IPS. The OTP enabled the fraudster to gain access to the bank account, allowing them to easily transfer the funds.
The police have not yet been able to figure out who withdrew the Rs 2.4 million from eSewa and where it was routed. The investigation has shown that the money was withdrawn in stages through many accounts, but the whereabouts of the person who initially withdrew the money from the account remain unknown.
The sudden loss of millions has disrupted Solukhumbu-5’s business. He is under immense stress.
He has shared the fact that he was defrauded only with a few close individuals and the police investigation officers. When Nepal News tried to inquire about the incident, he did not want to reveal much. “I was defrauded of money. What can I say?” was all he said, clearly uncomfortable.
The role of ‘Truecaller’ as a fraud assistant
Surprisingly, the story of an employee of Nepal Rastra Bank (NRB), located in Baluwatar, which regulates all banks and financial institutions in the country, is similar to that of Solukhumbu-5. In digital wallet transactions, the pattern is the same: a phone call, OTP sharing, and ultimately, fraud.
The victim himself is someone who understands banking and financial transactions well. Yet, he was excited as soon as he heard the word “reward.” By sharing the OTP, he lost Rs 150,000 from his bank account. Even with this complaint, the police have not been able to arrest anyone yet.
“I trusted them when they said I won a reward. It turned out to be a call from a scammer,” he wrote in his complaint.
All wallets, including eSewa, require an OTP to be entered during transactions. This step is there to make transactions secure. The increase in fraud is due to people telling others the main key to opening the security door: the OTP.
Based on the complaints filed with the police, it is evident that among those perpetrating wallet fraud, many set their mobile number’s Truecaller ID as “eSewa Service Center.”
Truecaller is a smartphone application that provides services including caller ID. It is popular among Nepali smartphone users.
Many instances have been found where Truecaller does not show the genuine identity of the person or company making the call. A Truecaller ID can be created by setting any name as the mobile number holder; there is no compulsion to use the real name.
For example, let’s say a person with the actual name ‘A’ and mobile number 9851…7 uses the Truecaller app. They can set their public Truecaller ID to something misleading, like ‘B’ (e.g., ‘eSewa Service Center’). When this person calls a victim (‘C’), the victim’s phone displays the false ID ‘B,’ not the caller’s real name ‘A.’
This deception is highly effective because most people do not have a fraudster’s number saved in their contacts; if they did, the saved name would override the fake Truecaller ID, but for an unknown caller, the fake name is displayed, establishing false trust.
When a call comes from a smartphone with a changed name on Truecaller, and the receiving mobile shows “Khalti Service Center” or “eSewa Service Center,” how can one be suspicious? Many people are being defrauded because fraud planners create a fake Truecaller ID to call, and those who receive such calls, driven by temptation, share their OTP.
“Firstly, there is a tendency for people to share their password due to the greed for a reward. This is about temptation. Complaints also come in about fraud occurring because people do not take the necessary precautions while using a wallet,” says Cyber Bureau Spokesperson SP Awasthi.
According to him, the number of people coming in with complaints of wallet fraud is increasing daily. Complainants have registered reports of fraud ranging from Rs 150,000, 200,000, and 300,000 to Rs 2.4 million.
Since the last fiscal year, 223 complaints related to OTP misuse have been filed at the Bureau. The reported amount of fraud in these cases is Rs 5.50 billion.
Currently, 27 digital wallets are in use in Nepal. This is the number of companies licensed by the Nepal Rastra Bank (NRB) until 2080 B.S. Among these, eSewa, Khalti, IME Pay, and Prabhu Pay are actively used. The majority of fraud incidents are also seen involving these wallets.
To make digital wallets secure, NRB has recently set transaction limits. One can only transact Rs 200,000 daily and Rs 1 million monthly from a bank to a wallet. From a wallet to a bank (via QR), the maximum is Rs 200,000 daily and Rs 1 million monthly. From one wallet to another, the maximum is Rs 50,000 daily and Rs 500,000 monthly. A maximum balance of Rs 50,000 can be kept in a wallet.
According to NRB Spokesperson Ramu Paudel, there are consolidated directives and circulars to make digital banking transactions transparent. The central bank periodically inspects whether these are being followed. “If non-compliance with the directives is found, the concerned companies fall under risk classification. Action is taken according to the Payment System and Nepal Rastra Bank Act,” he says. “Complaints about fraud through wallets have increased.”
Currently, KYC (Know Your Customer) verification is mandatory for digital wallets. Following the strict enforcement by NRB, accounts without KYC verification have been recently frozen. Such accounts only become operational again after completing the KYC process.
The KYC process is an essential measure to verify the identity of digital wallet users. It helps prevent the misuse of wallets for criminal activities such as money laundering, online fraud, crypto mining, and online betting. The police conclude that the main reasons for fraud are weaknesses in cybersecurity and the use of weak passwords, excessive use of technology but a lack of caution, and the tendency to easily trust strangers on social media. Digital fraud can decrease if users understand the risks of the internet and take precautions.
Public awareness is the challenge
Subash Sharma
Rapid changes in information technology are normal. India is a world leader in IT, but comparatively, a larger percentage of the population in Nepal engages in digital transactions than in India.
Products from F1Soft hold a large share of transactions. The higher number of users has led to more incidents of fraud using eSewa. The challenge of how to work safely by keeping up with rapidly changing technology is the same for us as it is for Google Pay in America and Paytm in India. As transactions increase, eSewa has now introduced provisions for filling out KYC and updating accounts. The provision for Face ID has also been added to strengthen security.
Individuals or companies can operate an eSewa account by fulfilling KYC, app updates, Face ID, and other standards. The responsibility for the cybersecurity of the products is ours. If users adopt security precautions for their accounts, the incidents of fraud currently being seen will significantly decrease. Users must not share their OTP and password.
Public awareness is the main challenge in digital transactions. Lately, we are working on how to increase public awareness. We are also increasing posts related to this on social media.
(Sharma is the Chief Executive Officer of F1Soft, the operating company of eSewa.)