Cyber Fraud in India: How to File a Complaint, Report UPI Fraud, and Recover Your Money

India is among the fastest-growing digital economies in the world, with over 900 million internet users and UPI transactions crossing 100 billion annually. This explosion of digital adoption has been accompanied by an equally alarming surge in cybercrime. From UPI and OTP fraud to investment scams, fake loan apps, online job fraud, and sextortion, cybercriminals have become sophisticated, organised, and relentless. According to the Indian Cyber Crime Coordination Centre (I4C), financial cyber fraud alone costs Indian citizens thousands of crores of rupees every year, yet a significant proportion of victims never file a complaint — either because they do not know where to go, or because they assume the money is irrecoverably lost. This article explains your legal rights as a cyber fraud victim in India and provides a comprehensive, step-by-step guide to reporting cyber fraud and initiating recovery proceedings.

I. The Legal Framework Governing Cybercrime in India

Cybercrime in India is primarily governed by the following legislation:

Information Technology Act, 2000 (IT Act) — the primary legislation governing computer-related offences, data protection, and digital transactions. Key provisions relevant to cyber fraud include Section 43 (compensation for unauthorised access), Section 66 (computer-related offences), Section 66C (identity theft), Section 66D (cheating by impersonation using a computer), and Section 67 (publication of obscene material).
Bharatiya Nyaya Sanhita, 2023 (BNS) — which replaced the IPC and continues to penalise fraud, cheating, forgery, and criminal breach of trust — all of which are routinely committed in cyber crimes.
Digital Personal Data Protection Act, 2023 (DPDP Act) — India’s first comprehensive data protection law, which imposes obligations on entities processing personal data and provides for compensation to data principals in cases of data breaches.
RBI Guidelines on Unauthorised Electronic Transactions — which establish the framework for liability in cases of unauthorised bank transactions, including obligations on banks to reimburse customers in certain circumstances.
Prevention of Money Laundering Act, 2002 (PMLA) — relevant in large-scale cyber fraud cases where the proceeds of crime are laundered through shell companies and cryptocurrency.

II. Common Types of Cyber Fraud in India

Understanding the type of fraud you have suffered is important for identifying the correct legal remedy. The most prevalent categories include:

UPI/Banking Fraud: Fraudsters impersonate bank officials, RBI representatives, or customer care executives to obtain OTPs, PINs, or UPI credentials and effect unauthorised transfers.
Investment and Trading Fraud: Victims are lured into fake stock market advisory groups (often on Telegram or WhatsApp), asked to invest on fraudulent platforms, and prevented from withdrawing returns.
KYC Update Fraud: Fraudsters pose as bank or insurance company executives claiming your KYC is expired, obtain sensitive credentials, and drain your account.
Online Job and Work-From-Home Scams: Victims are offered high-paying remote jobs, asked to pay a registration or training fee, and then cut off after payment.
Fake Loan App Fraud: Predatory apps offer instant loans, demand excessive processing fees, and then engage in aggressive recovery tactics including harassment and publication of morphed images.
Sextortion: Victims are befriended online, induced to share intimate images or engage in video calls, and then blackmailed under threat of sharing the content with family members.
QR Code Fraud: Victims are told they will receive a payment by scanning a QR code — in reality, the code debits from their account rather than crediting it.
SIM Swap Fraud: Fraudsters obtain a duplicate SIM in your name through a mobile operator by submitting forged documents, gaining control of your OTPs and accessing your bank account.
Phishing and Vishing: Fraudulent emails, SMS messages, or phone calls designed to extract financial credentials or personal information.

III. Immediate Steps to Take After Cyber Fraud

Speed is absolutely critical in cyber fraud cases. The sooner you act, the higher the probability of freezing fraudulent accounts and recovering funds. Upon discovering that you have been defrauded:

Call 1930 immediately. The National Cyber Crime Reporting Portal’s dedicated helpline — 1930 — is a 24/7 financial fraud helpline operated by the Ministry of Home Affairs. Reporting here triggers a lien on the fraudulent accounts, freezing the money before it can be withdrawn by the fraudster. This is the single most time-sensitive step.
Block your debit/credit card and internet banking access by calling your bank’s 24-hour helpline immediately.
Save all evidence: Take screenshots of all transactions, messages, emails, call records, and any websites or social media profiles involved in the fraud. Do not delete any messages — they are evidence.
Collect the transaction reference numbers (UTR/IMPS/NEFT reference) from your bank statement for all fraudulent transactions.

IV. How to File a Cyber Crime Complaint: Step by Step

Option 1: Online — National Cyber Crime Reporting Portal (cybercrime.gov.in)

The National Cyber Crime Reporting Portal (NCCRP) at cybercrime.gov.in is the official government platform for reporting all forms of cybercrime online. It is operated by the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs.

Step 1: Visit cybercrime.gov.in and click “File a Complaint.” You may report anonymously for certain categories of crimes, but for financial fraud and identity theft, registration with your mobile number is advisable to track progress.
Step 2: Select the appropriate category. For financial cyber fraud, select “Financial Fraud.” For sextortion or sexual harassment online, use the “Report & Track” option.
Step 3: Fill in all details — the date, time, and amount of fraud; the fraudster’s phone number, UPI ID, bank account number, or email address; and a narrative description of what happened.
Step 4: Upload supporting documents — bank statements, screenshots of messages, transaction IDs, and any other evidence.
Step 5: Submit the complaint and note the acknowledgement number for follow-up. The complaint is forwarded to the relevant state cybercrime cell.

Option 2: File an FIR at the Police Station

In addition to the online complaint, you should file a First Information Report (FIR) at your nearest police station or cybercrime police station. Under the BNSS, the concept of Zero FIR applies — any police station must register your FIR regardless of where the offence was committed. The FIR converts your complaint into a formal criminal case, enabling the police to make arrests and initiate investigation.

The FIR should be registered under relevant sections of the BNS (cheating, fraud, criminal breach of trust) and the IT Act (Section 66C, 66D). If your bank refuses to cooperate with the investigation or freezing of accounts, the FIR enables the police to compel their cooperation.

Option 3: Complaint to the Bank’s Nodal Officer and RBI Ombudsman

Simultaneously file a formal complaint with your bank’s nodal grievance officer. If the bank does not respond within 30 days or declines to reimburse you, escalate the complaint to the RBI Integrated Ombudsman at cms.rbi.org.in. In cases of unauthorised electronic transactions, RBI guidelines impose a limited but real liability on banks, particularly where the fraud resulted from negligence on the bank’s side (e.g., failure of two-factor authentication).

V. RBI Guidelines on Liability for Unauthorised Transactions

The Reserve Bank of India’s Master Direction on Customer Protection (2017, as amended) establishes a clear framework for bank customer liability in cases of unauthorised electronic transactions. The key principles are:

Zero liability for the customer where the fraud was due to negligence on the part of the bank or a third party (not the customer).
Limited liability for the customer where the fraud is a result of a third party’s breach but the customer reported it to the bank within 3 working days (liability limited to Rs. 5,000 to Rs. 10,000 depending on account type).
Full liability for the customer where the fraud occurred due to the customer’s own negligence — for example, sharing OTPs or PINs. However, even in such cases, banks must investigate the complaint.

Banks are required to resolve complaints regarding unauthorised transactions within 10 working days of reporting. If the bank credits a provisional amount pending investigation, the credit must not be reversed until the investigation is completed.

VI. Recovery of Fraudulently Transferred Money: Legal Avenues

1. Account Freeze Orders Through Police

Once an FIR is registered, the cybercrime police can apply to the bank holding the fraudulent account for a freeze order, preventing the fraudster from withdrawing the funds. If the money is still in the fraudster’s account, the police can initiate proceedings before the court for its restitution to the victim. The NCCRP’s 1930 helpline specifically enables rapid account freezing — one of the most effective tools currently available.

2. Civil Suit for Recovery

In addition to criminal proceedings, a victim may file a civil suit for recovery of the defrauded amount before the appropriate civil court. While civil litigation is typically slower, it can be pursued concurrently with criminal proceedings and becomes particularly relevant where the identity of the fraudster is known or where the bank is involved in the dispute.

3. Compensation Under the IT Act

Section 43A of the IT Act provides for compensation by a body corporate that fails to implement reasonable security practices and thereby causes wrongful loss to a person. If your bank’s security systems were inadequate and enabled the fraud, you may have a claim under Section 43A in addition to RBI ombudsman proceedings.

4. Consumer Forum

Cyber fraud victims can also approach the Consumer Disputes Redressal Commission where the fraud involved a service deficiency — for example, where a bank failed to detect or prevent a SIM swap fraud, or where a payment platform processed an unauthorised transaction despite red flags.

VII. Special Categories: What to Do in Sextortion Cases

Sextortion — the use of intimate images or recordings to blackmail a person — is a rapidly growing crime in India. Victims are often reluctant to report due to fear of social stigma. However, the law offers strong protection:

Sextortion is punishable under Section 67A of the IT Act (publishing sexually explicit material in electronic form) and under the BNS (criminal intimidation, extortion, cheating).
Do not pay the blackmailer — payment invariably leads to escalating demands and does not guarantee removal of the content.
File a complaint on the National Cyber Crime Reporting Portal under the “Women/Child Related Crimes” category — your identity is kept confidential.
Report the account to the relevant social media platform (Instagram, WhatsApp, Facebook) and request content removal.
Contact the cybercrime police, who have dedicated investigation units for such cases.

VIII. Conclusion

Cybercrime is not a technical problem reserved for IT experts — it is a legal problem that requires a legal response. Every cyber fraud victim in India has a clear pathway to report, investigate, and recover — through the 1930 helpline, the National Cyber Crime Reporting Portal, the cybercrime FIR mechanism, the RBI Ombudsman, and the Consumer Forums. The critical elements are speed, documentation, and persistence.

At the Law Chamber of Amit K Pateria, our team regularly advises individuals and businesses affected by UPI fraud, investment scams, data breaches, online defamation, and other forms of cybercrime. If you or your business has been targeted, reach out immediately — time is of the essence.

References & Notes

Information Technology Act, 2000 (as amended), Ministry of Electronics and Information Technology.
Digital Personal Data Protection Act, 2023, No. 22 of 2023, Parliament of India.
RBI Master Direction on Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions (2017, updated 2023).
National Cyber Crime Reporting Portal: cybercrime.gov.in | Helpline: 1930.
Indian Cyber Crime Coordination Centre (I4C), Ministry of Home Affairs, Annual Report 2024.
Bharatiya Nyaya Sanhita, 2023, Sections 318 (Fraud & Cheating), 319 (Cheating by impersonation).

Disclaimer: This article is published for educational and informational purposes only and does not constitute legal advice. For advice specific to your situation, please consult a qualified legal professional.