One call could let hackers hijack your life: How call merging scams work | Technology News

A few days ago, a man answered an unexpected call from an unknown number. The urgent, familiar voice on the line caught him off guard. Before he could react, the caller urged him to merge the call, claiming it was for a verification process.Trusting but confused, the man complied. Moments later, an OTP was requested—and his Gmail account was breached. What ensued was a digital nightmare. The hacker accessed everything––emails, saved passwords, photos, even location hory. In one swift strike, his entire digital footprint was laid bare.
This wasn’t a lone case.
Before Diwali, a wave of similar scams hit Gurgaon, targeting doctors. It started with one victim, but soon, the scam spread like wildfire. The modus operandi was the same: a call merge trick that granted hackers access to WhatsApp accounts. Once one doctor fell for it, the attackers used their compromised account to target others in their contact l.
Story continues below this ad

Over 40 doctors reached out to cybercrime expert Amit Dubey before Diwali, all sharing the same horrifying experience. Their WhatsApp accounts were compromised, jeopardising personal and professional data. The scale of the attacks exposed the chilling sophication of modern cybercriminals.
The lesson? A single phone call can open the doors to a digital disaster. In an age where our lives are connected to our phones, one wrong move can cost us everything.
How call merging scams work
Cybercriminals are always finding new ways to trick people, and the call merging scam is one of the latest threats. Fraudsters manipulate phone calls to intercept voice OTPs, allowing them to hijack accounts and even gain control of devices. This tactic has been used to hack Gmail and WhatsApp accounts, exposing sensitive personal information like passwords, locations, and stored media.
The National Payments Corporation of India (NPCI) has also issued warnings to UPI users, urging them to be cautious of unknown callers requesting call merges.Story continues below this ad
The step–step process
Gaining trust: Scammers introduce themselves using a familiar name or a credible reference. They may claim to offer an exciting opportunity or an exclusive event invitation, making the target feel at ease.
The call merge trick: The scammer then asks the victim to merge a call, saying that a trusted person is also on the line and wants to join the conversation. This makes the request seem legitimate.
Stealing the OTP: Once the call is merged, an OTP (one-time password) is generated and played aloud. Since the scammer is already on the call, they hear the OTP in real-time and use it to gain access to the victim’s account.
Locking the victim out: In cases of WhatsApp hacking, fraudsters immediately enable two-factor authentication, locking the victim out of their account for at least seven days. During this time, they misuse the hijacked identity to carry out further scams, tricking more people in the victim’s name.Story continues below this ad
Dubey warned that high-ranking officials, professionals, and those holding positions of power are particularly at risk. “The common link among recent victims is that they are individuals in influential roles. That makes this scam even more dangerous,” he said.
How to stay safe
Avoid merging calls: No matter how familiar the caller ID looks, scammers can spoof numbers to appear trustworthy. If someone asks you to merge a call, be cautious. If a caller inss on merging another person into the conversation, offer to call both contacts yourself but separately.
Watch out for fake calls: Scammers can mimic phone numbers and even use AI to copy voices. If something feels off, hang up and verify independently.
Secure your voicemail: Fraudsters can redirect OTPs to voicemail and retrieve them later. Set a strong voicemail PIN to prevent unauthorised access.Story continues below this ad
Keep OTPs private: Use a separate phone number for social media and banking OTPs. This reduces the risk of exposure if one account is compromised.
Limit financial transactions: Set transaction limits on UPI, international transfers, and withdrawals to minimise potential financial loss in case of fraud.
Here’s what to do in case you are scammed 
Act fast: Call 1930 and report the incident to the cyber fraud helpline. Do this within hours to increase chances of recovery.
Alert your bank: Per RBI rules, notifying within three days boosts refund chances. Freeze suspicious transactions.Story continues below this ad
Pursue legal action: Under Section 66 of the IT Act, scammers face up to three years in jail. Additional charges may apply for financial loss or dress.
Dubey noted that middle-aged users often miss these advanced tricks. “Younger folks are tech-savvy, but many overlook voicemail or e-SIM risks,” he said. Telecom operators are bolstering security, but awareness is key. Simple safety habits and vigilance can slash your risk. Call merging scams are an emerging menace. Though victim numbers are low now, their potential looms large.
The Safe Side: As the world evolves, the digital landscape does too, bringing new opportunities—and new risks. Scammers are becoming more sophicated, exploiting vulnerabilities to their advantage. In our special feature series, we delve into the latest cybercrime trends and provide practical tips to help you stay informed, secure, and vigilant online.