Pakistan’s banking system is digitizing at breakneck speed. "Raast", the State Bank of Pakistan’s (SBP) instant payment system, processed 296 million transactions worth PKR 6.4 trillion in just Q2-FY25, taking lifetime volumes past 1.14 billion. Mobile and internet banking keep setting records, and fully digital banks have begun pilot operations. That growth is great for inclusion and efficiency, but it also expands the attack surface for scammers. State Bank of Pakistan
This article breaks down how fraudsters actually operate in Pakistan’s context, the new protections regulators and banks have rolled out, and the exact steps you (and your readers) can take to stay safe.
What’s changed in Pakistan’s digital finance
- Raast everywhere (P2P, Bulk, P2M). After launching P2P and bulk payments, SBP rolled out Raast Person-to-Merchant (P2M) with QR, aliases, IBAN and Request-to-Pay. Banks and other regulated entities were told to enable P2M and push adoption across merchants. State Bank of Pakistan
- Digital banks are real now. SBP issued the Licensing & Regulatory Framework for Digital Banks in 2022 and, in February 2025, granted the first pilot digital bank license to Mashreq Bank Pakistan. More entrants are in the pipeline. State Bank of Pakistan
- Stronger consumer security rules. To fight SIM-swap/SMS interception, SBP directed banks to replace SMS OTPs with in-app PINs (TPIN/FPIN) starting Jan 1, 2025, and laid out a customer liability framework for unauthorized digital transactions. State Bank of Pakistan
How fraudsters actually steal in Pakistan
1) Impersonation + social engineering
The fraudster creates urgency (“your account will be blocked”), invokes authority (“SBP inspection”), and exploits novelty (new Raast/P2M features many users don’t fully understand) to alarm the victim.
2) SIM-swap & SMS interception
Fraudsters obtain a replacement SIM by fraud, then intercept OTP/SMS alerts to take over mobile/online banking and wallets. SBP’s move away from SMS OTP to app-bound TPIN/FPIN directly targets this risk. Separately, authorities continue crackdowns on illegally issued SIMs that enable such fraud. State Bank of Pakistan
3) Raast “Request-to-Pay” and fake confirmations
4) Remote-access apps (AnyDesk/TeamViewer) on phones
Victims are tricked into installing “support” apps; the scammer then watches/controls the device, reading OTPs and authorizing payments. FIA has flagged this pattern in recent advisories. No legitimate bank or SBP official will ever ask you to install such tools. Dawn
5) Wallet & agent-assisted fraud
Branchless wallets (BB/e-money) surged, and with them social engineering to move funds into mule wallets, plus QR code tampering at small merchants (replacing the shop’s QR with the fraudster’s). Growth is documented in SBP’s Payment Systems Reviews; risk follows adoption. State Bank of Pakistan
6) Loan-app & investment traps
SBP asked banks/PSPs/EMIs not to serve unauthorized digital lending apps. Many “investment” channels promise impossible returns, then vanish after collecting deposits or KYC data. Verify the entity’s regulatory status before engaging. State Bank of Pakistan
What SBP and banks have changed (and why it matters)
- TPIN/FPIN instead of SMS OTP. This makes the second factor device-bound and far harder to intercept via SIM-swap or SS7/SMS attacks. State Bank of Pakistan
- Customer liability & redress. SBP has set expectations for compensation on unauthorized electronic transactions when banks haven’t implemented required controls — pushing institutions to strengthen authentication, alerts, and dispute handling. State Bank of Pakistan
- Mandatory Raast P2M enablement. Banks must support QR/RTP, real-time confirmations, and user-friendly flows, reducing reliance on screenshots and manual checks that scammers exploit. State Bank of Pakistan
Playbooks: How to stay safe (The Awareness Playbook)
For consumers
- Lock down your banking app
  - Enable biometric login, app-level PIN (TPIN/FPIN), and transaction alerts.
  - Bind your device in-app if your bank offers it; avoid accessing banking from rooted/jailbroken phones.
  - Update the app from official stores only. (SBP’s move away from SMS OTP means your app is the security anchor.) State Bank of Pakistan
- Defend your number
  - Never share your OTP/TPIN and card PIN. No bank or authority will ever ask for this information.
  - If your phone loses network unexpectedly, contact your service provider’s helpline immediately; it could be a SIM-swap.
- Treat “Request-to-Pay” like a debit
  - Decline unfamiliar Raast RTP prompts. Confirm billers inside your banking app (not via screenshots/links). State Bank of Pakistan
- Never install remote-access tools for banking help
  - If a caller asks you to install AnyDesk/TeamViewer, hang up and call your bank’s official helpline. Dawn
- Verify merchant QRs
  - Check that the shop name in your app matches the merchant. If the name looks off, ask for another acceptance method. State Bank of Pakistan
If money is stolen — respond in this order
- Call your bank immediately to block the app/account/cards and dispute the transaction. (Speed matters for reversals and liability.)
- Lodge a formal complaint and note the ticket number.
- Escalate to SBP’s Consumer Protection Department if unresolved: via the Sunwai portal/app or CPD contacts (UAN 111-727-273, email cpd.helpdesk@sbp.org.pk). hbfc.com.pk, State Bank of Pakistan, Apple
- File a cybercrime report with the competent agency (FIA/NCCIA; check the latest jurisdiction). Use the online complaint channel or helpline listed by the agency at the time you report. (Authorities have been re-organizing; confirm current contact points.) Dawn
- If a scheduled bank rejects your claim unfairly, approach the Banking Mohtasib Pakistan (online complaint form available). bankingmohtasib.gov.pk
Controls Pakistani banks/fintechs have implemented
Authentication & session security
- Enforce app-based TPIN/FPIN with device binding and biometric step-up for risky actions (new payee, first-time RTP, large Raast transfers). (Aligns with SBP guidance replacing SMS OTP.) State Bank of Pakistan
- Rotate credentials automatically after SIM change or device re-provisioning; require re-verification.
Transaction risk controls
- Cooling-off periods and lower limits for first transfers to new beneficiaries and first Raast P2M payments.
- Behavioral analytics for RTP: flag “pushy” high-value requests or bursts of RTP from newly created merchant aliases.
- Real-time confirmations inside the app and clear merchant naming to defeat fake screenshots. (SBP requires instant confirmations for P2M.) State Bank of Pakistan
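One way to express the first-payment limit and RTP burst checks listed above as detection rules. This is an added example, not code from the article or from any bank's system; every threshold, field name and alias string in it is an assumption constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration only; the article specifies none.
NEW_ALIAS_AGE = timedelta(days=7)     # alias younger than this is "newly created"
BURST_WINDOW = timedelta(minutes=10)  # sliding window for counting requests
BURST_COUNT = 5                       # requests per window treated as a burst
HIGH_VALUE_PKR = 50_000               # "high-value" request threshold
FIRST_PAYMENT_CAP_PKR = 10_000        # lower limit for a first payment to a payee


def score_rtp_stream(events, known_payees):
    """Return {event_id: [reasons]} for RTP requests to hold for review.
    events: dicts sorted by 'ts' (id, ts, alias, alias_created, payer, amount).
    known_payees: set of (payer, alias) pairs with a prior completed payment.
    """
    recent = defaultdict(deque)  # alias -> request timestamps inside the window
    flagged = {}
    for ev in events:
        window = recent[ev["alias"]]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > BURST_WINDOW:  # expire old requests
            window.popleft()
        new_alias = ev["ts"] - ev["alias_created"] < NEW_ALIAS_AGE
        first_time = (ev["payer"], ev["alias"]) not in known_payees
        reasons = []
        if new_alias and len(window) >= BURST_COUNT:
            reasons.append("burst_from_new_alias")
        if new_alias and ev["amount"] >= HIGH_VALUE_PKR:
            reasons.append("high_value_from_new_alias")
        if first_time and ev["amount"] > FIRST_PAYMENT_CAP_PKR:
            reasons.append("first_payment_over_cap")
        if reasons:
            flagged[ev["id"]] = reasons
    return flagged


def sample_events():
    """Constructed RTP events; aliases and payers are placeholders, not real data."""
    t0 = datetime(2025, 1, 15, 10, 0)
    new = {"alias": "ALIAS-NEW", "alias_created": t0 - timedelta(days=1)}
    old = {"alias": "ALIAS-OLD", "alias_created": t0 - timedelta(days=400)}
    events = [{"id": f"n{i}", "ts": t0 + timedelta(minutes=i), "payer": f"cust{i}",
               "amount": 2_000, **new} for i in range(5)]
    events.append({"id": "n5", "ts": t0 + timedelta(minutes=30), "payer": "cust9",
                   "amount": 75_000, **new})
    events.append({"id": "o1", "ts": t0 + timedelta(minutes=31), "payer": "cust1",
                   "amount": 60_000, **old})
    return events, {("cust1", "ALIAS-OLD")}
```

In the constructed sample, the fifth small request from the day-old alias trips the burst rule, the later PKR 75,000 request trips both value rules, and the large request from a long-established alias to an existing payer passes.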
Customer comms
- Replace SMS with in-app, signed push for sensitive events (PIN change, new device, high-risk login).
- Plain-language warnings before a user approves RTP or installs third-party APKs.
Merchant/agent hygiene
- Verify merchants under P2M rules; audit QR placement and provide tamper-evident stands. (SBP assigns due-diligence duties to Merchant Service Providers.) State Bank of Pakistan
Fraud operations
- One-tap reporting in-app (“Report suspicious RTP” / “I didn’t do this”).
- 24/7 dispute desk tied to Raast instant refund options where applicable.
- Participate in industry data-sharing on mule accounts (subject to privacy laws).
Pakistan-specific fraud myths one should be aware of:
- “If I got a confirmation SMS, the payment is final.” Screenshots and SMS are forgeable; trust only the in-app transaction history and payee name. State Bank of Pakistan
- “Only card transactions are risky.” In Pakistan, a lot of fraud is account-to-account via Raast and app banking — protect your app, not just your card. State Bank of Pakistan
- “Banks can’t do anything after instant payments.” SBP’s liability and dispute frameworks exist; report immediately and follow the formal complaint path (bank → SBP CPD/Sunwai → Banking Mohtasib). State Bank of Pakistan, hbfc.com.pk, bankingmohtasib.gov.pk
Sources
- SBP press release on Q2-FY25 Payment Systems Review (Raast stats, digital usage). State Bank of Pakistan
- SBP PSP&OD Circular No. 04 of 2023 — Raast P2M launch & requirements. State Bank of Pakistan
- SBP PSP&OD Circular Letter No. 01 of 2024 — P2M enablement deadlines. State Bank of Pakistan
- SBP Customer Notifications & Liability (replacement of SMS OTP with TPIN/FPIN; liability framework reference). State Bank of Pakistan
- SBP Digital Bank framework (2022) and first pilot license (Feb 2025). State Bank of Pakistan
- FIA advisories on phishing/impersonation; DRF warnings on scams. Dawn
- PTA/LEA crackdowns on illegal SIM issuance. App
- Sunwai complaint portal/app and SBP CPD contacts (for redress). hbfc.com.pk, State Bank of Pakistan