New Delhi, July 17 -- It started like any regular post-delivery routine.

Abhishek Walia had just received his new credit card when he got a call from someone claiming to be from the card issuer. The voice was calm, courteous, and well-spoken. "Sir, we're helping customers activate their cards quickly to avoid deactivation," the caller said.

What followed was a script that felt disturbingly legitimate.

The caller confirmed Abhishek's name, his bank, and the last four digits of the credit card-details that would make anyone believe the call was real. Slowly, the caller asked for the card expiry date, the CVV, and eventually, an OTP that had just landed on Abhishek's phone.

Something didn't feel right.

"I asked why they needed my OTP fo...