Raast Payment Fraud via SIM Swap in Pakistan — How to Protect and Recover Your Money (2026)

Raast Payment Fraud via SIM Swap in Pakistan — How to Protect and Recover Your Money (2026)

by

Last Verified: May 2026 | By SimOwner.net.pk Editorial Team — Pakistan’s SIM fraud documentation specialists since 2015

Raast is Pakistan’s fastest-growing payment infrastructure — a real-time, interoperable digital payment system launched by the State Bank of Pakistan (SBP) in 2021 and now integrated into virtually every Pakistani bank’s mobile app, including HBL, MCB, UBL, Meezan, Bank Alfalah, Allied Bank, and dozens of others. As of 2025, Raast processes billions of rupees in daily transactions.

And it is being actively targeted by SIM swap fraudsters.

The mechanism is straightforward and devastating: your Raast ID is your phone number. When a criminal swaps your SIM and gains control of your number, they can initiate Raast transfers from your bank account using OTP authentication — or receive fraudulent transfers in your name. The speed that makes Raast valuable also makes fraud recovery extremely difficult: Raast transactions settle instantly and irreversibly in most cases.

This guide covers exactly how Raast fraud works, what specific vulnerabilities SIM swap creates for Raast users, how to protect your Raast ID before an attack, and what recovery options exist if fraud has already occurred. Your first action should be verifying that your SIM is still correctly registered at SimOwner.net.pk — because a fraudulent SIM swap is the gateway to Raast fraud in most documented cases.

What Is Raast and Why It Is Uniquely Vulnerable to SIM Fraud

How Raast Works

Raast (meaning “direct” in Urdu) is SBP’s Instant Payment System (IPS) — Pakistan’s first real-time retail payment system enabling instant fund transfers between any two bank accounts in Pakistan, 24/7, 365 days a year.

The key feature that creates fraud vulnerability: your Raast ID is your mobile phone number or CNIC number. Anyone who knows your phone number can send money to your Raast ID — and anyone who controls your phone number can receive money sent to that ID.

How Raast registration works:

  1. You open your bank’s mobile app
  2. You register your phone number as your Raast ID
  3. SBP’s Raast infrastructure links your phone number to your bank account
  4. Anyone with your phone number can now send you money instantly

How OTP authentication works in Raast transfers: For outgoing transfers (sending money), your bank sends an OTP to your registered phone number for authorization. You enter the OTP, the transfer executes instantly, and the funds leave your account in real time.

The fraud vector: If a criminal controls your phone number (via SIM swap), they:

  1. Receive any OTPs sent to your number
  2. Can authorize outgoing transfers from your bank account if they also have your banking app login credentials
  3. Can receive incoming Raast transfers sent to your number/Raast ID

How Raast SIM Swap Fraud Happens — Three Attack Patterns

Attack Pattern 1 — Complete Account Takeover

What is required: Your banking app login credentials + control of your phone number (via SIM swap)

How it executes:

  1. Criminal obtains your bank app username/password via phishing or credential breach
  2. Criminal executes SIM swap — your number is now on their device
  3. Criminal logs into your bank app from their device using your credentials
  4. Bank sends OTP to “your number” — which is now the criminal’s device
  5. Criminal enters OTP, authorizes large Raast transfer to their own account
  6. Transfer executes instantly — funds are gone within seconds

This is the most damaging pattern — complete account takeover with instant, irreversible transfer.

Attack Pattern 2 — Raast ID Misdirection

What is required: Only control of your phone number (SIM swap) — bank credentials not needed

How it executes:

  1. Criminal executes SIM swap
  2. Criminal contacts people who regularly send you money — family abroad sending remittances, business clients, customers — impersonating you
  3. They instruct senders to send money to your Raast ID (your phone number, which is now theirs)
  4. Senders transfer funds to what they believe is your account — it goes to the criminal’s account linked to that number

This pattern exploits the fact that Raast ID (phone number) is the same as the phone number criminals gain from SIM swap — no bank credential access required.

Attack Pattern 3 — CNIC-Based Raast ID Fraud

What is required: Your CNIC number + ability to register a new bank account

Some banks allow CNIC number as a Raast ID alternative to phone number. Criminals who have your CNIC number may attempt to open a fraudulent account (at a weaker KYC bank or fintech) and register your CNIC as a Raast ID — creating a duplicate Raast ID that receives transfers intended for you.

This is less common but increasingly documented as Raast adoption grows.

The Instant Settlement Problem — Why Recovery Is Harder Than JazzCash

JazzCash and Easypaisa transactions, while fast, operate within closed-loop systems where the operator has more direct control and can sometimes freeze or reverse transactions at platform level. Raast operates differently:

Raast settlement is final: Once a Raast transfer is settled (which happens in seconds), the transaction is completed in SBP’s central infrastructure. The sending bank’s obligation is fulfilled. The receiving bank has received the funds.

Recovery requires recipient bank cooperation: To recover Raast fraud funds, the victim’s bank must contact the receiving bank (where the criminal received the funds), request a freeze on those funds, and initiate a formal reversal process. This requires:

  • Documented fraud complaint
  • FIA complaint reference number
  • Court order in some cases
  • Receiving bank’s cooperation (which is not always forthcoming if the account holder denies fraud)

Time sensitivity is extreme: Criminals who receive Raast funds withdraw or transfer them further within minutes to hours. The window for freezing usable funds is very short — often closed before the victim even discovers the fraud.

This is why prevention is vastly more important for Raast than for traditional banking channels — recovery is genuinely difficult.

How to Protect Your Raast Account From SIM Swap Fraud

Protection 1 — Protect Your SIM First

All Raast SIM fraud begins with SIM compromise. The most effective Raast protection is SIM protection:

Protection 2 — Enable Additional Authentication in Your Bank App

Beyond OTP, most Pakistani bank apps offer additional security layers:

Transaction PIN: A separate PIN specifically for authorizing transactions — different from your app login PIN. Enable this if your bank offers it. Even if a criminal has your OTP, they need this separate PIN.

Biometric authorization: Many bank apps now support fingerprint or face recognition for transaction authorization — impossible to bypass remotely.

Login notification alerts: Enable notifications for every login to your banking app. If a criminal logs in from their device, you receive an alert — before they can execute a transaction.

Unusual transaction alerts: Set up alerts for any transaction above a certain amount (e.g., Rs. 5,000). You are notified instantly when a transfer occurs.

Protection 3 — Register a CNIC-Based Raast ID (Not Just Phone Number)

If your bank offers CNIC as a Raast ID option alongside phone number, register both. This does not eliminate phone-number-based risk but gives your senders an alternative way to reach your account that is not compromised if your SIM is swapped.

Protection 4 — Inform Regular Senders of Your Raast Verification Process

Establish a verbal verification protocol with people who regularly send you money via Raast — family abroad, business contacts. Example: “Before sending any large Raast payment to my number, call me on [a secondary contact] first to confirm.” This prevents Attack Pattern 2 (Raast ID misdirection) entirely.

Protection 5 — Set Transaction Limits

Most Pakistani banking apps allow you to set daily Raast transfer limits. Set your limit to the maximum amount you actually transfer in a day. A lower limit reduces the maximum loss even if fraud occurs.

To find your bank’s limit settings: Banking app → Settings → Transaction Limits (or Security Settings) → Raast/IBFT daily limit.

Protection 6 — Know How NADRA MBVS Protects You

Understanding how biometric verification protects your SIM — and where it can fail — helps you understand your overall risk. Our NADRA MBVS complete guide explains the biometric system that is your first line of defense against SIM swap — and what its limitations are.

If Raast Fraud Has Already Occurred — Recovery Steps

Act in this exact order — time is critical.

Minute 0–10: Freeze Everything

Call your bank’s 24/7 fraud line immediately:

BankFraud Helpline
HBL111-111-425
MCB111-000-622
UBL111-825-888
Meezan Bank111-331-331
Bank Alfalah111-777-786
Allied Bank111-225-225
NBP111-627-627

Tell the agent: “My SIM was fraudulently swapped and an unauthorized Raast transfer was made from my account. I need my account frozen immediately and a fraud investigation opened. The transaction reference is [number if visible in app].”

Request the agent to:

  1. Freeze your account for further transactions
  2. Note the unauthorized Raast transaction details
  3. Initiate a “transaction freeze request” to the receiving bank through SBP’s interbank channels
  4. Give you a fraud complaint reference number

Simultaneously — freeze your SIM. Call your network operator’s fraud line and report the SIM swap. Get the fraudulent SIM deactivated. This stops any further OTP interception.

Minute 10–30: Document Everything

Screenshot (on a different device if your phone has no service):

  • Your bank app showing the unauthorized transaction
  • Transaction reference number, amount, time, and recipient identifier
  • Your account balance before and after
  • Any SMS notifications received about the transaction

These screenshots are your evidence for every subsequent step.

Within 2 Hours: File FIA Complaint

File at complaint.fia.gov.pk with:

  • Your CNIC
  • Your bank name and account number
  • The unauthorized transaction reference and amount
  • Recipient Raast ID if visible
  • SIM swap details (your network, when service was lost)

FIA’s financial cybercrime team has authority to issue preservation orders to the receiving bank — freezing the criminal’s account before funds are withdrawn. This is most effective within the first few hours.

Within 24 Hours: Formal Bank Complaint

Visit your bank branch in person with:

  • Your original CNIC
  • FIA complaint reference number
  • Unauthorized transaction documentation
  • A written complaint requesting formal investigation and reversal

SBP’s consumer protection guidelines require banks to:

  • Acknowledge written fraud complaints within 3 working days
  • Investigate and provide initial response within 7 working days
  • Complete investigation within 45 working days

SBP Complaint: If your bank is unresponsive, file a complaint with SBP directly at sbp.org.pk/complaints — the Banking Mohtasib Pakistan (BMP) handles consumer banking complaints.

Within 48 Hours: File Police FIR

File an FIR at your local police station citing:

  • PECA 2016 Section 14 (unauthorized access)
  • PECA 2016 Section 16 (identity fraud)
  • PECA 2016 Section 21 (electronic fraud)

The FIR is required for formal bank reversal requests and gives FIA investigators additional legal tools.

SBP’s Consumer Protection Framework for Raast Fraud

SBP has established specific consumer protection provisions for digital payment fraud under its Payment Systems Operator (PSO/PSP) Regulations and the Consumer Protection Framework for Digital Financial Services:

Bank liability: Banks are liable for unauthorized Raast transactions when:

  • The unauthorized transaction resulted from the bank’s security failure
  • The consumer reported the fraud promptly
  • The consumer did not share credentials negligently

Consumer responsibility: Your liability may be increased if:

  • You shared OTP codes with the fraudster
  • You shared banking app credentials
  • You delayed reporting the fraud

The clean fraud scenario: If a criminal executed Raast fraud purely through SIM swap (without you sharing any credentials or OTPs), the bank’s liability position is stronger — because the SIM swap was an infrastructure failure (network operator) rather than consumer error.

Document your non-involvement: Make clear in all complaint documents that you did not share any OTP, PIN, or credentials — the fraud was executed entirely through SIM swap without your cooperation. This positions your claim most favorably under SBP’s framework.

Raast Fraud Prevention for Businesses

Pakistani businesses using Raast for collections (receiving payments from customers) face an additional risk: customers may send payments to a fraudulently redirected Raast ID, believing they are paying the legitimate business.

Business protection measures:

  1. Display your Raast QR code (not just your phone number) on invoices and at point of sale — QR codes cannot be as easily impersonated as phone numbers
  2. Confirm large payments via phone call — call the sender after receiving a large Raast payment to confirm it was intentional
  3. Use business account Raast ID registered to the company NTN rather than owner’s personal phone — separates personal SIM fraud risk from business collections
  4. Monitor daily Raast inflows — anomalies in payment patterns may indicate customers are being misdirected

Frequently Asked Questions

Q: Can Raast transactions be reversed after they settle? A: Raast transactions are designed to be final upon settlement. Reversal is not a standard system feature — it requires the receiving bank to voluntarily return funds or a court order compelling them to do so. This is why fraud prevention is critical: recovery is difficult and uncertain. In cases where FIA acts quickly and the receiving account is frozen before withdrawal, recovery is possible. After withdrawal, recovery becomes very unlikely.

Q: My bank says Raast fraud is not their responsibility because I should have protected my SIM. Is this correct? A: This is a disputed position. Under SBP’s consumer protection framework, banks share responsibility for ensuring their authentication systems are secure. A SIM swap that enabled fraud involves both network operator failure (verification breach) and potentially bank authentication design (sole reliance on SMS OTP). File a formal written complaint with your bank and escalate to SBP’s Banking Mohtasib if the bank refuses to investigate. Do not accept verbal rejection.

Q: Can a criminal use my Raast ID to register a fake account and intercept incoming transfers? A: In theory, the Raast ID system should prevent duplicate registration of the same phone number. However, if a criminal performs a SIM swap and re-registers a bank account using your now-controlled number, SBP’s system may link that new account to your Raast ID. This is a known risk that SBP’s Raast infrastructure is designed to prevent through bank-level KYC — but it represents an edge case that has been raised in fintech security discussions.

Q: Is Raast safer than JazzCash for large amounts? A: Both are vulnerable to SIM swap fraud. Raast operates across regulated banks with SBP oversight — the complaint and recovery framework is more structured than JazzCash’s. For large amounts, Raast through a bank with strong authentication (biometric transaction approval) is generally preferred over mobile wallet platforms. However, the speed and finality of Raast settlement means fraud recovery is if anything harder than JazzCash, which operates within a single operator’s controllable system.

Q: Does my bank’s Raast have a cooling period for new payees? A: Some Pakistani banks have implemented a “cooling period” for first-time Raast transfers to new recipients — where large transfers to a new payee are delayed by 4–24 hours. This is an excellent fraud prevention feature. Check if your bank offers this and enable it in your security settings. This cooling period gives you time to detect SIM swap before a fraudulent transfer completes.

Q: I received a Raast transfer I didn’t send. What does this mean? A: An unexpected incoming Raast transfer could indicate: (a) a legitimate sender made an error, (b) someone is testing your account, or (c) part of a fraud setup (some fraud schemes “warm up” target accounts with small incoming transfers before the actual fraud). Do not spend unexpected funds immediately. Contact your bank to understand the source.

Q: Can I deactivate my Raast ID temporarily? A: Raast ID management is handled through your bank’s app or branch. Some banks allow temporary deactivation — check your app’s security settings or contact your bank. If you are traveling internationally and not expecting any Raast activity, temporarily deactivating your Raast ID reduces your attack surface.

Summary: Raast Fraud Protection Priority List

Before any fraud (do today):

  • Enable biometric transaction authorization in your bank app
  • Set daily Raast transfer limit to your actual maximum
  • Enable all transaction notifications (every transaction, not just large ones)
  • Add fraud flag to your network account — operator customer service
  • Check SIMs on CNIC via 668 — monthly
  • Establish verbal verification protocol with regular senders

If fraud occurs — act in this order:

  • Call bank fraud line — account freeze (Minutes 0–10)
  • Call network fraud line — SIM deactivation (Minutes 0–15)
  • Screenshot all transaction evidence (Minutes 10–20)
  • File FIA complaint — complaint.fia.gov.pk (Within 2 hours)
  • Visit bank branch — written formal complaint (Within 24 hours)
  • File police FIR — PECA Sections 14, 16, 21 (Within 48 hours)
  • Escalate to SBP if bank unresponsive (After 7 working days)

Raast has transformed Pakistan’s payment infrastructure — enabling instant, 24/7 transfers that were impossible a decade ago. But every payment innovation creates new fraud vectors, and SIM swap is currently the primary gateway to Raast fraud. The same monthly SIM monitoring habit that protects your WhatsApp and bank accounts also protects your Raast ID.

For Pakistan’s most comprehensive SIM verification and fraud prevention resources, visit Sim Owner Details — independently tracking Pakistan’s telecom fraud landscape since 2015.

Raast operational details based on SBP public documentation and bank implementation guides as of May 2026. PECA 2016 references current. SimOwner.net.pk is not affiliated with SBP, PTA, NADRA, or any bank or network operator.

Related Guides on SimOwner.net.pk:

Leave a Comment