AEPS Fraud: Lock Your Aadhaar Biometrics Before It's Too Late

Imagine checking your bank balance and finding a few thousand rupees gone — no OTP arrived, no payment was approved, no card was swiped. For a growing number of Indians, this is exactly how AEPS fraud works: a silent withdrawal authorised by a fingerprint they never gave. The good news is that a free, two-minute setting on your phone can shut this attack down completely. This guide explains how the scam works and how to lock your Aadhaar biometrics before someone else uses them.

What AEPS Is — and Why It's a Soft Target

AEPS stands for Aadhaar Enabled Payment System, run on the rails of the National Payments Corporation of India (NPCI). It was built for financial inclusion: a villager with no smartphone, card or even a remembered PIN can walk up to a banking agent, place a thumb on a small scanner, and withdraw cash from a government-linked account.

The convenience is also the weakness. To authorise an AEPS withdrawal, the system essentially needs only three things — your Aadhaar number, your bank's name, and a matching fingerprint. There is no one-time password, no UPI PIN, and no notification you must approve. If a criminal can supply those three inputs at a micro-ATM or through a corrupt agent, the money moves and you find out later.

This is what makes AEPS fundamentally different from the UPI scams most people fear. With UPI, you usually have to tap "approve" or type a PIN — a moment where an alert user can stop. With AEPS, the victim is entirely passive. That single design gap is why security researchers treat it as one of India's most underrated fraud surfaces.

How Criminals Get Your Fingerprint

The obvious question: how does a stranger get your thumbprint? The unsettling answer is that you may have handed it over years ago without knowing the risk.

• Property and land records. Sale deeds, registry documents and Encumbrance Certificates often carry thumb impressions and were, for years, downloadable in high resolution from state registration portals. Fraudsters scrape these, clean up the image, and print or mould a fingerprint clone on silicone, glue or butter paper.
• Old paperwork. Pension forms, ration records, employment and KYC documents that captured biometrics or inked thumb impressions.
• Skimming hardware. Tampered or rogue biometric scanners at agent points that quietly store the prints they read.

Once a usable clone exists, the criminal pairs it with your Aadhaar number — itself widely leaked through years of careless data handling — and visits an agent point in a different district. Because AEPS does not push you an alert, the theft can repeat across multiple small withdrawals before anyone notices.

The One Setting That Stops It: Locking Your Biometrics

Here is the part worth bookmarking. The Unique Identification Authority of India (UIDAI) lets every resident lock their biometrics so that fingerprints and iris data simply cannot be used for authentication — by anyone, including a fraudster with a perfect clone. When locked, the AEPS scanner returns a failure no matter how good the fake print is.

Locking is free, reversible, and does not touch your bank account, debit card, UPI or net banking, none of which rely on your biometrics. Think of it as keeping a door bolted and only sliding the bolt open in the rare moments you actually need fingerprint authentication.

There are two ways to do it:

1. The mAadhaar app. Download the official mAadhaar app, register your Aadhaar profile, open the services menu and choose to lock biometrics. It takes under two minutes.
2. The myAadhaar website. Go to UIDAI's myAadhaar portal, log in with your Aadhaar number and an OTP, and use the "Lock/Unlock Biometrics" option.

When you genuinely need biometric authentication — say, for a one-off Aadhaar-based verification — you simply unlock it temporarily; it locks itself again after a short window. For the overwhelming majority of people who never use AEPS, there is no reason to ever leave biometrics unlocked.

Use a Virtual ID Instead of Your Aadhaar Number

Locking biometrics removes the fingerprint half of the attack. You can also harden the other half — your Aadhaar number — by simply not handing it out.

UIDAI offers a Virtual ID (VID): a temporary, revocable 16-digit number you can generate on the mAadhaar app or myAadhaar portal. It works for verification wherever it's accepted but reveals nothing about your real Aadhaar number, and you can regenerate a fresh one anytime. Pair this with masked Aadhaar — a downloadable version that hides the first eight digits — when sharing copies for hotel check-ins, gas connections or rentals. The less your full number circulates, the harder it is for anyone to assemble a working AEPS attack.

A Quick Personal-Security Checklist

Do these once and you'll have closed most of the gap:

• Lock your Aadhaar biometrics today via mAadhaar or myAadhaar, and keep them locked by default.
• Generate a VID and use it instead of your real Aadhaar number wherever a portal or vendor will accept it.
• Share only masked Aadhaar copies, and always write the purpose and date across the photocopy.
• Turn on transaction alerts — SMS and email — for every bank account so a silent withdrawal isn't silent for long.
• Check your AEPS activity. Some banks let you disable or set limits on AEPS through net banking or by request; if you never use it, ask your bank to switch it off.
• Review where your prints already live. If you've registered property recently, assume that thumb impression may be retrievable, and treat the biometric lock as non-optional.

If Money Has Already Vanished

Speed matters, because the Reserve Bank of India's rules on unauthorised electronic transactions reward fast reporting. If you spot a withdrawal you didn't make:

1. Inform your bank immediately, ideally within three working days, in writing. Reporting promptly strengthens your claim to a refund of the unauthorised amount.
2. File a complaint on the national cybercrime helpline 1930 or the cybercrime reporting portal, and keep the acknowledgement number.
3. Freeze or flag the account and ask the bank to block further AEPS transactions on it.
4. Preserve evidence — SMS alerts, statements and timestamps — which the bank and police will need.

AEPS was a genuinely powerful idea for bringing banking to people the formal system had ignored. But a payment method that authorises cash withdrawals on a fingerprint alone demands that you treat your biometrics like a password — something to keep locked away and reveal only when you must. The lock is free, the VID is free, and the two minutes you spend now are far cheaper than the afternoon you'd otherwise spend at a bank counter trying to explain money that walked out the door on its own.