PRIMER

Hacking is not breaking the lock. It is tricking you into opening the door.

Most hacking never touches your computer. The thief does not break the lock. He convinces you, and you open the door yourself. OTP fraud, digital arrest, the UPI trap. One rule.

01 · Cold Open

11:43 AM. Phone buzzes.

An older woman's hand, wearing thin gold bangles, holds a smartphone. On the screen is a single scam SMS: your KYC is about to expire, share the OTP. The word OTP is visible.
11:43 AM. Phone buzzes. No narration, no music. Just the screen.

A phone in an older woman's hand. One SMS on the screen. The name is correct. The bank logo is correct.

SMS on the screen

"SBI ALERT: Your KYC will expire in 2 hours. Share the OTP sent to your number to keep your account active."

02 · Hook & Reframe

When you hear the word hacking, what do you picture?

Kani, the Tamil baby robot, in register 6 (explaining), wide round eyes, points at a phone with one finger and holds a filter coffee tumbler in the other hand.
Kani points at the phone. The hack already happened, right there.

Black hoodie. Green code. Someone typing fast in a dark room. Is that what comes to mind?

"If I got hacked, it means some skilled person cracked my password and broke into my account." That is what most people picture. Getting hacked means someone broke through your defences.

The truth? Most hacking does not touch your computer at all. That SMS that reached your mother, the one about KYC expiring, that is the hack. It already happened.

This is the centre of the article

The thief did not break the lock. He rang the bell. He wore a uniform. You opened the door yourself.

"By the time this episode ends, you and everyone in your home need to know just one rule." Once you know it, you will never forget it.

03 · The Anchor

The thief who rang the bell

An apartment door, lock unbroken. Outside stands a figure in a delivery uniform holding a parcel, ringing the bell. The lock is intact and secure.
He did not break anything. He needed one thing only, your trust.

Your apartment has a good door. A strong lock. A watchman downstairs. A thief has only two ways in.

Way 1: Break the lock, force the door, push inside. Hard. Takes time. Makes noise. The watchman will see him.

Way 2: Put on a delivery uniform, ring the bell, say "Parcel delivery, sir, please sign here." You open the door yourself.

He did not break anything. He needed one thing only. Your trust. Your panic.

There is a name for that second way

Social Engineering. "Social" = it works through people. "Engineering" = it was deliberately designed.

Someone sat down, thought it through, and built a system to make you trust them. That is social engineering. They hack the human, not the machine.

04 · Scam 1

OTP Fraud

A Tamil home kitchen with steel vessels and a mixer. On the counter a phone is on speaker, the screen labelled Bank. A worried person leans toward it.
This scam has run for years. Because it still works.

The phone rings. A calm, professional voice.

"Naan State Bank of India-la irunthu pesaren. Ungal account-oda KYC update pending. Inniki 6 PM-ku account freeze aagidum." I am calling from State Bank of India. Your account's KYC is pending. Your account will freeze by 6 PM today.

"It will freeze." Just hearing those words, what happens in our heads? Panic. Salary will not come, bills will not clear, no cash from the ATM.

Now the voice says: "Don't worry. I will update it for you right now. Just tell me the OTP that comes to your phone." The OTP arrives. Because the bank system really did send it. That part is true.

On screen

The OTP arrived. It really came from the bank. But the person asking for it is not from the bank.

Say this to the whole family

A real bank will never ask for your OTP. Not now. Not ever.

The OTP is the lock. The bank already has the key. They do not need to ask you for it. If anyone asks for an OTP, the call is over. Put the phone down. No explanation needed.

Kani in register 4 (skeptical), narrowed eyes, arms folded, watching the uniformed figure. No panic, just calm suspicion. A filter coffee tumbler in hand.
Kani does not panic. Kani watches. This is what you should become.

05 · Scam 2

Digital Arrest

A video call on a laptop. On screen, a figure in a khaki shirt (face blurred), an official-looking background, files. Cold blue light. At the desk, a person watches in fear.
Hours. Sometimes days. The victim sits in front of the camera, terrified.

In 2024 a new scam spread across India. "Digital arrest."

A WhatsApp or Skype video call. A khaki shirt on the screen. A police-station-style background. Documents on the desk.

"You are involved in a money laundering case. Your Aadhaar was used in an illegal transaction. The CBI is investigating. You are now under digital arrest. Keep the camera on. Do not move." A fake officer, a fake case, a real victim frozen in fear.

Rs 1,935 crore: Lost in India to digital arrest and related scams in 2024 (MHA + I4C)
0: Real arrests the police make over a video call

The one truth that kills this scam

Real police never arrest anyone over a video call. Not the CBI. Not the ED. No one.

If the police need to take you somewhere, they come to your door. With a warrant. In person. "Cut the call. Block the number. Call 1930."

06 · Mid-Recap

Is that all? No.

Here comes the important part.

We saw two scams. Both use the same weapon. Panic.

Make someone feel that something terrible will happen in the next five minutes, and the brain stops asking questions. Let us look at one more scam. Then we will build your defence.

07 · Scam 3

The Jumped Deposit (UPI trap)

A hand holds a smartphone showing a green UPI credit notification: Rs 5,000 credited to your account. Below it a second pop-up starts to appear: Authorize payment request.
This one is new. The TN Cyber Crime Wing flagged it in December 2024.

This one is clever. Because the scammer starts by giving you money.

Rs 5,000 lands in your account. Unexpected. You did not sell anything. Nobody said they were sending money. Curiosity kicks in. You open your UPI app to check the balance.

Here is what actually happened. The scammer sent you Rs 5,000. At the same time, he sent you a payment request asking you to approve Rs 48,000 back to him. When you enter your PIN to check the balance, UPI processes that pending request. You approved it without even reading it.

TN Police say: if you see an unexpected deposit, wait 15 to 30 minutes. The UPI request will expire. Or report it to the bank. The deposit is bait. The real move is the request riding behind it.

Kani in register 2 (confused), wobbly eyes, scratching its head with one hand, looking at the deposit notification on the phone. The coffee tumbler in the other hand, held away from the phone.
Bait was curiosity, not fear. But the same principle.

08 · Scam 4

The Call Forwarding Trap. Very few people know about this one.

This one is smarter than the other three. Because this time they do not ask for your OTP at all. You open the door for them yourself, without knowing it.

The phone rings. A calm, helpful-sounding voice.

"Sir, ungal SIM-la oru technical problem. Inniki raathiri ungal number permanent-ah deactivate aagidum. Fix panna romba easy. Naan sollra code-ah mattum dial pannunga. Star, four, zero, one, star, then a number." Sir, there is a technical problem with your SIM. Tonight your number will be permanently deactivated. Fixing it is very easy. Just dial the code I give you. Star, four, zero, one, star, then a number.

Who would not be scared of their number getting deactivated? You dial the code they gave you. A small beep. The call cuts. On the surface, nothing seems to have happened.

What happened in that one second

That code (star 401 star, then their number) silently turned on call forwarding on your phone. From now on, every call that comes to your phone goes straight to the scammer.

Why is this so dangerous? Not every OTP comes by SMS. Some come as a call. The bank calls to verify your account. They call for account recovery. None of those calls ring on your phone. They ring on his. Even with the phone in your hand, your number is already in his.

DoT + I4C: The Department of Telecommunications and the Indian Cyber Crime Coordination Centre have both issued public warnings about this call forwarding scam.
##002#: If you suspect forwarding is already on, dial this code. It cancels all forwarding.

Say this to the whole family

If anyone on a call says "dial this code," that itself is the scam.
Neither the bank nor the SIM company will ever ask you to dial a code, at any time.
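
For readers who work in IT, here is a small checker for dial codes, added as an example and not part of the original article. It reads a code as typed or as spoken on a call and reports what it would do to call forwarding, without dialing anything. It goes beyond the two codes named above by also recognising the standard GSM forwarding codes; the function names and the sample number are made up for illustration.

```python
import re

# Forwarding service codes. 401 is the code quoted in this article; the rest
# are the standard GSM call-forwarding codes (3GPP TS 22.030), added here.
FORWARDING_CODES = {
    "401": "call forwarding (code quoted in the article)",
    "21": "forward all calls",
    "61": "forward when not answered",
    "62": "forward when not reachable",
    "67": "forward when busy",
    "002": "all call forwarding",
    "004": "all conditional call forwarding",
}
SPOKEN = dict(zip("zero one two three four five six seven eight nine".split(),
                  "0123456789"), star="*", hash="#", pound="#")
# prefix, service code, optional "*<number>", optional trailing "#"
MMI = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})(?:\*(\+?\d+))?#?$")


def normalize(text):
    """Turn typed or spoken input ("star four zero one star ...") into a dial string."""
    tokens = re.split(r"[\s,\-]+", text.strip().lower())
    return "".join(SPOKEN.get(tok, tok) for tok in tokens)


def classify(text):
    """Say what a dial string would do to call forwarding, without dialing it."""
    dial = normalize(text)
    m = MMI.match(dial)
    if not m or m.group(2) not in FORWARDING_CODES:
        return {"dial": dial, "verdict": "not-forwarding", "target": None}
    prefix, code, target = m.groups()
    if prefix in ("*", "**") and target:
        verdict = "turns-forwarding-on"      # calls would ring on `target`
    elif prefix in ("#", "##"):
        verdict = "turns-forwarding-off"
    elif prefix == "*#":
        verdict = "status-check"
    else:
        verdict = "forwarding-related"
    return {"dial": dial, "verdict": verdict, "target": target}


if __name__ == "__main__":
    # Constructed samples; 9876543210 is a made-up number.
    for said in ["star four zero one star 9876543210", "##002#", "*#21#", "*123#"]:
        print(classify(said))
```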

09 · The Defence

The one rule you must never forget

Kani in register 3 (realization), star-bright eyes, both hands raised. A pause symbol glows faintly inside its eyes. The coffee tumbler set down on the ground.
Panic is the scammer's only tool. That feeling is not a signal to act. It is a signal to stop.

Four scams. Four different emotions. But one foundation.

Fear of an account freeze. Fear of arrest. Curiosity about unexpected money. Fear of the SIM being deactivated. Each one manufactures an emergency, to push you into a hurried action. But the defence is the same for all of them.

Say this to the whole family

When panic comes, do not trust it.
If it is real, put the phone down.
Call back the official number yourself.
Never dial a code anyone tells you to dial.

Put the phone down. Find the official number yourself. The SBI number is on the back of your ATM card. The cyber crime helpline is 1930. You call them. Not the number the scammer gave you.

The SBI scam spread through WhatsApp groups, hijacked accounts of people your family already trusts. Your brother's WhatsApp sent that link. He had no idea. His phone was already compromised.

This is the centre of this episode

In a family, it is not enough for one person to know. Everyone has to know.

10 · The Mental Model

One single mental model

Every social engineering attack has the same structure.

What is the defence? Stop step 2. Slow down. That is the difference between a trained engineer and a first-time victim. Not intelligence. Not technology. Just one habit.

This one habit

When something feels urgent and high-stakes, slow down precisely because it feels urgent.

A real emergency, your actual bank, the EB, the government, will still be there in the 10 minutes it takes you to call back. A scam cannot survive a 10-minute pause.

11 · Why this goes beyond family

This is for anyone who works in IT too

On screen

India lost over Rs 11,000 crore to online fraud in 2024. Most of it. Not weak passwords. Someone panicked.

This matters for anyone who thinks they are careful and security-aware.

Your mother is not less intelligent than you. This scam attacks emotion. Not IQ. The most senior security engineer at any company can get this same call on a bad day and feel that same panic.

This is the reason

Not a technology problem. A human problem. That is why we call it social engineering. The machine is fine. The target is the human.

12 · Author + Close

Let me talk to you for a minute

Avinash Srinivasan, the author of this article, standing at the entrance of a Tamil temple in a veshti and shirt.
Avinash. The one who wrote all of this, talking to you.

I am Avinash. I work in cloud infrastructure and security.

For years I have built systems to protect data for companies. And I have watched those same companies get social-engineered. Because we do not train people the way we train machines.

I started Unnal Mudiyum because most tech content either talks down to you, or goes over your head. This channel does neither.

Channel mission

Cloud, AI, security, leadership, the real stuff of working in IT. Explained for a ten-year-old, useful for a senior engineer.

If this episode makes one thing click for you, and you share it with your father or mother, that is the whole reason this channel exists. Subscribe.

Which scene was unclear? What surprised you?

Next episode

The other half of hacking, the technical side. How does software actually get broken?

Same burglar-at-the-door frame. But now we open the door and look at the machine inside.