Fake Loan App Harassment: Stop & Report 2026

Reviewed on: 2026-06-19.

It is 6 a.m. when the first message arrives. Not to you. To your boss. Your sister. A neighbour you called twice in your life. The message carries a morphed photograph and a caption that says you are a defaulter, a criminal, a fraud. Within the hour, two dozen people in your contact list have received the same message.

You borrowed five thousand rupees ten days ago from an app you downloaded from a link in a WhatsApp group. The app promised instant disbursal, no questions. It delivered. It also, silently, uploaded every name and number in your phone. Now it is using that list as a weapon.

This is the standard playbook of an unauthorised loan app. The harassment is not incidental. It is the product. Understanding that changes how you fight back.

The Reserve Bank of India issued the Digital Lending Directions in 2022 (updated in 2025), which bind every Regulated Entity (RE) and Lending Service Provider (LSP) operating in India. These directions are enforceable law, not advisories.

What an app is prohibited from doing:

• Accessing your contacts, call logs, or media files without your explicit consent. Even with consent, the app may use device data only for the stated purpose during onboarding and KYC. It cannot store or share contact data beyond operational need.
• Charging any fee that was not disclosed in the Key Fact Statement (KFS) before you accepted the loan.
• Disbursing money through any account other than the borrower's own bank account. If the app sent money via a wallet or third-party app and you never saw a proper sanction letter, this is a red flag for an unauthorised operator.
• Using recovery agents who resort to harassment, abuse, or public shaming. Lenders must communicate recovery agent details to borrowers at loan sanction. An agent who never identified themselves lawfully is not operating under any legitimate authorisation.

What you are legally entitled to:

• A Key Fact Statement before signing, which must include the Annual Percentage Rate (APR), all fees, and a cooling-off period.
• A cooling-off period of at least 3 days for loans longer than 7 days, during which you can repay only the principal plus proportionate APR and exit without any penalty.
• A nodal grievance officer at the lender's end, reachable by name and contact. If no grievance officer was ever disclosed to you, the entity is either non-compliant or unauthorised.
• Escalation to the RBI Ombudsman if your complaint is not resolved within 30 days.

If the app did not give you a KFS, disbursed to a wallet rather than a bank account, or cannot name a grievance officer, it is almost certainly not a Regulated Entity under RBI. It may be operating entirely outside the law.

Harassment escalates when victims make small payments to make the calls stop. Each payment confirms that the tactic works, and the demand grows. Do not transfer money to an app demanding a “settlement fee,” “processing charge,” or “legal fee” that was not part of your original loan agreement.

If you genuinely borrowed money and owe a lawful amount, that obligation does not disappear. But the obligation is only to the amount stated in the agreement, not to extortion-layer fees invented by an unlicensed operator.

Before you block anything, document everything:

1. Screenshot every threatening message, call log entry, and social media post targeting you.
2. Record the full name of the app, the version, the Google Play or App Store URL if it is still live, and the screenshots of its permissions screen.
3. Note the phone numbers from which calls were made. Many use VoIP numbers that still carry metadata useful for investigation.
4. Download a copy of the loan agreement if the app emailed you one. If it never sent a signed agreement, document that absence.

Evidence gathered before blocking is admissible. Evidence gathered afterwards is harder to reconstruct.

The National Cyber Crime Helpline 1930 is the fastest first response. Call it and report the harassment. The operator will log your complaint and may initiate a hold on further fraudulent transactions if financial fraud is involved alongside the harassment.

After calling, file a written complaint on cybercrime.gov.in:

1. Select “Financial Fraud” as the complaint category.
2. Use “Register and Track” so you receive a complaint reference number. This number is essential for follow-up.
3. Attach your screenshots, the app name, and the phone numbers used for harassment.

Your complaint on cybercrime.gov.in routes to the State Cyber Crime Cell for investigation. You will receive an acknowledgement, and the complaint is trackable. You can check progress via your cybercrime complaint status.

If you have already lost money to the app, also read the complete guide to reporting cyber fraud via 1930 for steps to freeze fraudulent transactions.

For every loan app that is either unauthorised by RBI or violating the Digital Lending Directions, report directly on sachet.rbi.org.in. Sachet is RBI's platform for complaints about entities operating in the financial sector without proper authorisation or in breach of RBI norms.

File a complaint on Sachet for:

• An app disbursing loans without being an RBI Regulated Entity or an NBFC licensed under RBI.
• An app accessing your contact list or sending messages to third parties.
• An app charging fees not disclosed in any agreement.
• Recovery agents using threats or public shaming.

Keep your Sachet complaint reference number. If RBI takes action against the entity, your complaint becomes part of the regulatory record.

Online complaints do not replace a formal First Information Report. Visit your nearest police station or the State Cyber Crime Cell and:

1. Present the screenshots and your cybercrime.gov.in reference number.
2. Ask for an FIR under the Information Technology Act (especially Section 66C for identity theft and Section 67 for transmitting obscene material if morphed images were used).
3. Ask for an FIR under Indian Penal Code / Bharatiya Nyaya Sanhita for criminal intimidation if explicit threats were made.

A registered FIR enables the police to request data from the platform or telecom operator under lawful process, which is the primary tool for unmasking anonymous harassment numbers.

If the app also tricked you with false promises about loan terms, the digital arrest scam playbook may overlap. Read the guide on digital arrest scams for additional protection steps.

Some loan apps request access to your banking app, UPI PIN, or OTP as a “verification step.” If you shared any such credentials:

• Call your bank's 24×7 helpline immediately and report a suspected compromise.
• Request a temporary block on your account or UPI handle until the risk is assessed.
• File a complaint with the Banking Ombudsman if your bank is unresponsive or a fraudulent transaction has occurred and is not being reversed.

The RBI Ombudsman can order restitution for fraudulent transactions where the bank failed to act promptly after being notified.

Before borrowing from any digital lending app, verify:

1. The app must name an RBI-Regulated Entity (bank or NBFC) that is the actual lender. Check that the NBFC is registered on the RBI website at rbi.org.in under “List of NBFCs.”
2. The app must provide a physical address and a grievance officer's name and contact in-app or in the agreement.
3. The loan must be disbursed to your bank account, not a wallet, not cash.
4. The app must provide a signed loan agreement and KFS before disbursing.

If any of these are missing, do not proceed. Report the app on sachet.rbi.org.in even if you have not borrowed from it yet. Reporting prevents others from being trapped.

No. Under RBI's Digital Lending Directions, a lending app cannot access your contact list, call logs, or media without your explicit consent. Even where you did grant consent during installation, the app can only use device data for the stated purpose such as KYC onboarding. Using your contact list to send harassment messages to third parties is both a breach of RBI rules and potentially an offence under the Information Technology Act.

Payments made under coercion or fraud are recoverable in law, but recovery depends on tracing the operator. File a complaint with 1930 and on cybercrime.gov.in with full transaction details. The bank may be able to initiate a dispute or freeze if the payment was made recently to an identifiable account. The RBI Ombudsman can also be approached via Banking Ombudsman if your bank does not cooperate with a reversal request.

Threats of legal action from an unauthorised lender carry no legal force. A genuine creditor files a civil suit or approaches a tribunal. They do not threaten borrowers on WhatsApp at 2 a.m. using borrowed photographs. If the entity is not a licensed NBFC or bank partner, it cannot initiate court proceedings in its own name as a lender. Report the threat as criminal intimidation in your FIR.

They can file their own complaint on cybercrime.gov.in for receiving unsolicited, defamatory, or threatening messages. Their complaints strengthen the aggregate case against the operator. If morphed images were sent, Section 67 of the Information Technology Act makes the transmission itself an offence regardless of whether the target has an existing loan relationship with the app.

Yes. Report the app on Google Play or Apple App Store using the “Flag as inappropriate” or “Report app” function. Also report the app URL to the Ministry of Electronics and Information Technology through the Cybercrime portal. MEITY has the power to direct Google and Apple to take down apps that violate Indian law. Your cybercrime.gov.in complaint triggers this channel.

Verify independently. Search the NBFC list on rbi.org.in using the entity name. Authorised digital lenders are also required to display their RE partner's name and CIN in their app and in the loan agreement. A claim of RBI registration without a verifiable NBFC name is a fabrication. Report via Sachet.

Not always instantly. The police or Cyber Cell investigation takes time. However, several things happen quickly: 1930 may be able to coordinate a hold on transactions; the lender's harassment is itself evidence in a criminal complaint which increases risk for them; and RBI action on Sachet can trigger suspension of the entity's operations. Block the numbers, restrict social media sharing, and notify your contacts not to respond to messages from the app.

File an RTI to: the State Cyber Cell and RBI (Sachet portal) for the lending entity

Ask:

• What is the current status of my cybercrime complaint bearing reference number [number] filed on [date] against loan app [name]?
• Is the entity named [name] registered as an NBFC or partner of any RBI Regulated Entity for digital lending as of [date]?
• How many complaints have been received against the digital lending app [name] or its associated NBFC on the Sachet portal in the last 12 months?
• What action has been taken by the State Cyber Crime Cell against loan apps operating without RBI authorisation in [state] in the current financial year?
• What is the timeline prescribed for investigating and resolving a harassment complaint filed against an unregistered digital lending entity?

→ Use our free AI RTI Drafter to generate a complete Section 6(1) application.

Also consider escalating your grievance via CPGRAMS to the Ministry of Home Affairs (for cybercrime response) or the Ministry of Finance (for RBI enforcement).

• National Cyber Crime Reporting Portal - cybercrime.gov.in (Helpline 1930 confirmed on portal; complaint categories: Financial Fraud, Other Cyber Crime; updated 05/06/2026)
• RBI Sachet Portal - sachet.rbi.org.in (File a Complaint and Track Complaint functions confirmed live; covers RBI-regulated entities including NBFCs)
• RBI Circular on Digital Lending Guidelines - RBI/2022-23/111, dated 02 September 2022 (Key Fact Statement, cooling-off period, contact access prohibition, fund disbursal rules, grievance officer requirement, 30-day escalation window; note: subsequently superseded by RBI Digital Lending Directions, May 2025)
• Reserve Bank of India - rbi.org.in (NBFC list for verification of authorised digital lenders)

By Dr. Shrawan Kumar Pathak