
OTP and phishing fraud in Nepal: how bank-account scams actually happen

How OTP and phishing scams empty Nepali bank accounts and wallets, the harsh truth that no rule forces your bank to refund you, and exactly what to do in the first hour after you're hit.

Parjanya Shakya · Asar 2083 BS · 11 min read

The call comes from a number that looks like your bank's. The person on the line knows your name and your date of birth, sounds calm and slightly bored, and tells you there has been a suspicious transaction on your account. To block it, they just need to confirm the code that was sent to your phone a moment ago. You are flustered, they are reassuring, and the code is right there in your messages.

That single moment, reading out six digits to a stranger, is how most Nepali bank-account fraud actually happens. Not hacking in the movie sense. A phone call, a fabricated emergency, and a victim who hands over the key.

How big the problem is

The numbers are no longer small. Nepal Police Cyber Bureau registered 18,926 cybercrime cases in FY 2024/25, roughly 52 a day, per the Kathmandu Post. Financial scams were 7,723 of those, about 41%, and that category jumped nearly 88% from 4,112 the year before. The total cybercrime count actually dipped slightly, but the money-stealing share climbed sharply, which tells you where the criminals are concentrating.

NRB's own Financial Information Unit gives a sharper picture in its 2024 Strategic Analysis Report. Cyber-enabled-fraud reports rose 63% in the first five months of 2024 against the same period a year earlier. About 70% of the suspects were aged 19–30, and roughly half the accounts used to receive stolen money were flagged within three months of being opened, three-quarters within nine. Mule accounts opened quickly, drained quickly, abandoned.

The anatomy of the scam

NRB's FIU lays out the playbook in plain language. Fraudsters "call or approach customers via phone or social media, posing as bankers, company executives, insurance agents, government officials," then "share a few customer details such as the customer's name or date of birth, to gain trust," and finally pressure the victim into sharing "passwords/OTP/PIN codes of cards/Card Verification Value (CVV)" by "citing an urgency/emergency such as the need to block an unauthorized transaction."

Read that back. Every step is psychology, not technology:

  1. Impersonation. They claim to be someone you already trust: your bank, your wallet, the police, a telecom.
  2. A seed of truth. A real name, a real date of birth, sometimes the last digits of a card. Enough to sound legitimate. Most of it is scraped from leaks or social media.
  3. Manufactured urgency. Your account will be blocked, your KYC has expired, a fraudulent transaction is in progress. Panic shrinks judgment.
  4. The ask. Read out the OTP. Confirm the PIN. Click this link. Install this app to "verify."

A second, nastier variant skips the OTP and takes your whole phone. The FIU describes scams using "unknown/unverified mobile apps" and "screen sharing apps and remote access," where the victim is talked into installing something that gives the fraudster "complete control of the customer's device" and the messages and OTPs arriving on it. Once a remote-access app is running, they do not need you to read anything out. They are you.

The variants Nepalis are seeing right now

The same skeleton wears different costumes. The ones documented in Nepal:

  • The fake "KYC update" SMS. A message warns your account or wallet will be suspended unless you verify, with a link. The eSewa impersonation often dangles a reward for "completing KYC," such as raising your wallet limit to Rs 1 lakh.
  • The reward or cashback bait. eSewa's own fraud advisory names fakes like an "exclusive offer reserved for our top customers" and a "Rs. 5000 cashback on your latest purchase," all designed to get you to share an OTP. It also warns that "fraudsters can mask legitimate eSewa customer care numbers as caller ID," so the number on your screen proves nothing.
  • The suspended-account link. A June 2025 Cyber Bureau advisory flagged bulk-SMS messages from shortcodes like "AT_Alert," with text such as "Your connectIPS linked accounts have been suspended... complete the self-verify process" followed by a shortened link to a fake page that harvests your login.
  • The malware in disguise. The same advisory warned of malicious apps dressed up as "loan calculators, trading apps, or security verification tools" that, once installed, hand over remote access.
  • The prize, the visa, the inheritance. The FIU lists fake lottery or iPhone gifts, fake IELTS and foreign-job offers, and even "inheritance claims from wealthy individuals whose last names resemble the victim's." Different story, same ask for money or credentials.

These are cousins of the QR-payment scams that hit shopkeepers, covered in the Fonepay fraud post; the OTP and phishing versions just target the account holder directly instead of the merchant.
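As an added illustration that is not part of the original post, here is a small Python triage scorer that flags the SMS patterns listed above; the rules, weights, thresholds and sample messages are my own constructed assumptions, not anything eSewa, the Cyber Bureau or any bank publishes.

```python
"""Scores an SMS against the red flags this post lists (KYC/suspension lure, reward
bait, request for a secret, link or app install, urgency). Hypothetical helper only."""
import re

# (flag name, weight, pattern); each row is one red flag named in the post.
FLAGS = [
    ("verification lure", 2, r"\b(kyc|verif(y|ication)|self-verify)\b"),
    ("threat of suspension", 2, r"\b(suspend(ed)?|block(ed)?|deactivat\w*|expire[ds]?)\b"),
    ("reward bait", 2, r"\b(cashback|reward|prize|won|lottery|gift|exclusive offer)\b"),
    ("urgency", 1, r"\b(immediately|urgent(ly)?|within \d+ (minutes?|hours?)|today)\b"),
    ("app install / remote access", 3, r"\b(install|download|apk|screen[ -]?shar\w*|remote access)\b"),
]
LINK_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:com|np|ly|co|xyz)/?\S*", re.I)
SHORTENER_RE = re.compile(r"\b(bit\.ly|tinyurl\.com|t\.co|cutt\.ly|rb\.gy)/", re.I)
# A secret counts only when it is *requested* (a verb precedes it); a genuine
# "never share your OTP" warning from a bank must not trigger the rule.
SECRET_REQ_RE = re.compile(
    r"\b(share|send|confirm|enter|provide|reply with|submit)\b[^.\n]{0,40}?"
    r"\b(otp|pin|cvv|password)\b", re.I)
NEGATION_RE = re.compile(r"\b(never|do not|don't|not)\s*$", re.I)

def score_sms(text: str):
    """Return (score, reasons). The sender ID is ignored on purpose: it can be spoofed."""
    score, reasons = 0, []
    for name, weight, pat in FLAGS:
        if re.search(pat, text, re.I):
            score, reasons = score + weight, reasons + [name]
    m = SECRET_REQ_RE.search(text)
    if m and not NEGATION_RE.search(text[max(0, m.start() - 12):m.start()]):
        score, reasons = score + 4, reasons + ["asks for a secret"]
    if LINK_RE.search(text):
        score, reasons = score + 2, reasons + ["link to follow"]
        if SHORTENER_RE.search(text):
            score, reasons = score + 1, reasons + ["shortened link hides destination"]
    return score, reasons

def triage(text: str) -> str:
    """Anything not clearly fine should be checked by calling the number on your card."""
    score, _ = score_sms(text)
    return "likely phishing" if score >= 6 else "suspicious" if score >= 3 else "probably fine"

# Constructed samples modelled on the patterns documented in the post (not real SMS).
SAMPLES = {
    "connectips_suspend": "Your connectIPS linked accounts have been suspended. Complete the self-verify process within 24 hours: bit.ly/cips-verify",
    "cashback_otp": "Congratulations! Rs. 5000 cashback on your latest purchase. Reply with OTP to claim today.",
    "kyc_app": "Update your KYC to raise your wallet limit to Rs 1 lakh. Download the app: tinyurl.com/abcd",
    "genuine_debit_alert": "Rs 1,500 debited from your account ending 1234. Never share your OTP or PIN with anyone.",
}
```

The negation guard is the edge case worth noting: a real debit alert that warns you never to share your OTP mentions the secret but does not request it, so it scores as fine.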

Where the stolen money goes (and why young accounts get recruited)

Once a fraudster has your money, it does not sit still. It moves through a chain of "mule" accounts, freshly opened bank or wallet accounts whose only job is to receive stolen funds and forward them before anyone can freeze them. The FIU data shows the pattern clearly: roughly half of the accounts used to receive fraud proceeds were flagged within three months of being opened, and three-quarters within nine. New accounts, drained, abandoned.

This is also why about 70% of the suspects were aged 19–30. Young people are recruited to "lend" their account or open one for a small fee, sometimes told it is for a harmless reason, sometimes knowing exactly what it is for. Either way, the law does not care about intent much: letting your account be used to launder fraud proceeds is a crime, not a favour. If someone offers you a few thousand rupees to receive money and pass it on, or to open an account in your name for them, that is a mule-account pitch, and the BOID and KYC trail leads straight back to you when the victim reports it.

The practical lesson runs both ways. Never let anyone use your account or wallet to move money you cannot explain, and treat any "easy money for using your account" offer as recruitment into a crime.

The hard truth about who pays

Here is the part people learn too late. In Nepal, if you shared the code, the money is usually gone for good.

Unlike India, which has an RBI framework giving customers near-zero liability when they report unauthorized transactions promptly, Nepal has no equivalent rule. NRB amended its online payment-system directives in March 2025 to push providers toward AI-based risk monitoring, tech audits, and settlement guarantees, and it has removed the old transaction thresholds so banks can now freeze a suspicious account of any size. But none of that creates a customer refund right, a liability cap, or a deadline by which a bank must make you whole. The directives police the providers, not the question of who eats the loss.

So the practical position is blunt: if you handed over your OTP, PIN, or password, the bank's stance is that you authorized the transaction, and there is no Nepali rule that overrides this. The contrast with a bank deposit is stark. Your balance is insured up to Rs 5 lakh against the bank failing, as the deposit insurance post explains, but nothing insures you against being tricked into sending it away yourself. That asymmetry is the whole reason this post leans so hard on prevention.

The four habits that stop nearly all of it

You do not need to understand malware to be safe. Four rules cover the overwhelming majority of cases:

  1. Never share an OTP, PIN, CVV, or password. Ever. Not with a caller, not over SMS, not on a website you reached from a link. eSewa says it "never asks for your Password/OTP," and banks say the same. An OTP's only job is to prove you are you, so sharing it is handing over your identity.
  2. A real bank never calls asking you to confirm secrets. If a call claims to be your bank and asks for any code, hang up and call the number printed on your card or the bank's official site. Caller ID can be faked, so the number you see means nothing.
  3. Never install an app or click a link sent to you. No legitimate KYC, prize, or "verification" needs you to download something from an SMS or sideload an .apk. Screen-sharing and remote-access apps installed at a stranger's request are how accounts get drained without a single OTP being read aloud.
  4. Slow down when someone creates urgency. "Your account will be blocked in ten minutes" is the tell. Real institutions do not work that way. The panic is the weapon; removing it defeats the scam.

Nepal Bank's own cyber-security advisory says the same in its list: never share online-banking passwords, OTPs, wallet PINs, or card CVV, and avoid banking on public Wi-Fi.

The first hour if you've been hit

If you realize you have been scammed, the clock is everything. The FIU notes fraudsters test whether an account is frozen by pushing through tiny transfers, as small as Re. 1, before moving the real money onward, so minutes matter.

  1. Freeze it. Call your bank or wallet helpline immediately and report the unauthorized transaction. Ask them to block the account and the destination if they can. For eSewa, that is 1660-01-02121 or csd@esewa.com.np.
  2. Report to the Cyber Bureau. File with the Nepal Police Cyber Bureau: online complaint portal at cyberbureau.nepalpolice.gov.np, toll-free 16600141516, or email cyberbureau@nepalpolice.gov.np with a copy of your citizenship, licence, or passport. The office is at Police Headquarters, Bhotahity.
  3. Lodge an NRB grievance. For complaints against a bank or payment provider, NRB runs an online grievance system at gunaso.nrb.org.np.
  4. Keep evidence. Screenshots of the messages, the caller number, transaction references, timestamps. The reversal-of-wrong-transfers post covers how disputed amounts can sometimes be held, and evidence is what makes that possible.

Recovery is possible but never promised. The Cyber Bureau has reported returning money to victims, and NRB now allows fast freezes, but funds move within minutes and mule accounts are abandoned just as fast. Reporting in the first hour gives you a real chance; reporting the next day usually does not. For the record, electronic fraud and unauthorized access are crimes under the Electronic Transactions Act 2063, carrying fines and jail terms that double on repeat offences, but a conviction does not automatically return your money.

What you actually need to know

  • The scam is social, not technical. It runs on impersonation, a seeded detail, fake urgency, and one request: your OTP, PIN, CVV, password, or an app install. Recognize the shape and you defeat almost all of it.
  • No one is coming to refund you. Nepal has no rule forcing banks to repay victims of authorized-looking fraud, so prevention is your real protection. Never share a code; a genuine bank never asks.
  • If hit, the first hour decides everything. Freeze the account, report to the Cyber Bureau and NRB immediately, and keep every screenshot. Speed, not the size of the loss, is what determines whether any of it comes back.

Got a suspicious message or call you want a second opinion on before you act? Email parjanya57@gmail.com.

This post is part of the Nepal Money Basics guide — the protect-what-you've-saved section.