OTP / Bank-Call Scam: Recover Your Money 2026

Reviewed on: 2026-06-19.

The call sounded legitimate. The caller knew your name, last four card digits, and even your recent transaction. They said your account was flagged for fraud and that you needed to “verify” your identity by sharing an OTP sent to your phone. You shared it. Within seconds, money left your account.

This is a vishing attack (voice phishing) built around OTP capture. The criminal had already obtained your card details, possibly from a data breach or a phishing SMS, and needed only the one-time password to push through a transaction. Sharing the OTP is the trigger, but the RBI's limited-liability rules still offer you a path to recovery, provided you act fast.

This page focuses on the OTP/vishing modus and the steps to freeze your account and file a claim. For the broader process of disputing fraudulent transactions across any channel, see how to get your money refunded after cyber fraud. If the scammer also ported your SIM to steal OTPs going forward, read SIM swap fraud: what to do next.

Do not read the rest of this article first. Open your banking app or call your bank's 24-hour helpline and do all of the following:

1. Say the words “unauthorised transaction” and ask the agent to block your card and account immediately.
2. Ask them to note the exact time of your call. This timestamp is evidence for your RBI liability claim.
3. Request a complaint or service request number and note it down.
4. Ask the agent to “raise a chargeback” or “dispute the debit” right then. Do not wait for a separate visit to a branch.

Most private and public sector banks have 24-hour helplines accessible from the number on the back of your card or on their official website. If you cannot reach your bank, walk to the nearest ATM and block your card yourself using the ATM menu.

The National Cybercrime Helpline 1930 is operated by the Ministry of Home Affairs. When you call, you report a financial fraud. The operator logs your complaint and can coordinate with banks to flag the account where the money landed, making it harder for the fraudster to withdraw it.

You must also file a written complaint at cybercrime.gov.in:

1. Select the option to register a complaint and choose the financial fraud category.
2. You can report with or without creating an account; registering lets you track your cybercrime complaint status later.
3. Fill in your name, mobile number, bank account details, the amount lost, the date and time of the fraud, and a factual description of how the call proceeded.
4. Note the complaint acknowledgement number the portal gives you.

File this complaint on the same day. The earlier the complaint reaches the portal, the sooner law enforcement can coordinate a freeze on the destination account through the Citizen Financial Cyber Fraud Reporting and Management System.

On the next working day, visit your branch and submit a written complaint. Bring:

1. A printout or copy of your cybercrime portal complaint with the acknowledgement number.
2. Your bank statement showing the unauthorised debit.
3. Any SMS or call records from the time of the fraud.

Ask the branch to mark the complaint as an “unauthorised electronic transaction” under the RBI circular dated 6 July 2017 (reference: DBR.No.Leg.BC.78/09.07.005/2017-18). Use that exact phrase. It triggers the bank's obligation to handle the complaint under a defined timeline.

The Reserve Bank of India circular of 6 July 2017 sets out when a bank must refund you and how much.

Zero liability (full refund): You owe nothing and must be refunded in full if:

• The bank itself was negligent or there was a deficiency in their system, OR
• A third party broke in without any negligence on your part AND you reported the transaction within three working days of the bank sending you an alert (SMS, email, or app notification).

Critical point on OTP sharing: The circular classifies OTP sharing as customer negligence because you shared a credential. However, this does not end your claim entirely. Post-reporting liability shifts to the bank. That means any debit that happens after the moment you notified your bank is the bank's responsibility, not yours. The bank must also prove that the fraud was your fault; the burden of proof lies with the bank, not with you.

Limited liability (partial refund) for delayed reporting:

Bank's obligation after you report:

• The bank must credit the disputed amount to your account (as a shadow reversal) within 10 working days of your complaint.
• The bank must close the complaint and determine final liability within 90 days.
• If the bank fails to resolve within 90 days, it must compensate you separately for the delay.

If the bank rejects your claim without a satisfactory explanation, or does not respond to your written complaint within a reasonable period (verify the current eligibility window on cms.rbi.org.in), escalate to the RBI Integrated Ombudsman:

1. File online at cms.rbi.org.in (the RBI Complaint Management System).
2. Select your bank and describe the grievance. Attach your bank complaint reference number and the cybercrime portal acknowledgement.
3. The Ombudsman can direct the bank to refund the loss amount and award additional compensation for harassment or mental agony; verify the current award limits on cms.rbi.org.in.
4. The service is free for complainants.

You can also contact how to report cyber fraud via 1930 for guidance on escalating your cybercrime complaint to the state police cyber cell.

A genuine bank security call will ask you to visit a branch or use the official app. It will never ask for a one-time password, full card number, PIN, or internet banking password.

Possibly yes, in part. Sharing the OTP counts as negligence under the RBI circular, so you may not get a zero-liability refund. However, any debit after you report to the bank is the bank's responsibility. File your complaint immediately and let the bank determine liability. If you disagree with their decision, escalate to the RBI Ombudsman. Do not assume you have no claim.

Within three working days of the bank's alert SMS or email. Reporting sooner, ideally within hours, also helps law enforcement freeze the destination account before the fraudster withdraws the money.

If the bank failed to send an SMS or email alert (which they are required to do), that counts as negligence on the bank's side. Mention this explicitly in your written complaint and to the Ombudsman.

An authenticated transaction is not the same as an authorised transaction. You were deceived into sharing the OTP. File your complaint using the RBI circular reference (DBR.No.Leg.BC.78/09.07.005/2017-18) and escalate to the Ombudsman if the bank refuses to process your claim.

Yes. A cybercrime portal complaint and an FIR are separate. Visit your local police station or state cyber cell and file an FIR under relevant provisions of the IT Act 2000 and BNS 2023. The FIR strengthens your case if the bank disputes your claim or if you pursue the matter in court.

Raise a dispute directly in the UPI app (Google Pay, PhonePe, Paytm) under “Help” or “Dispute.” Also report to your bank, as the bank linked to your UPI handle processes the dispute. Timelines and chargeback procedures vary by bank; verify the current process on npci.org.in or with your bank's customer care.

The RBI Integrated Ombudsman can direct the bank to refund the amount lost and award additional compensation for harassment or deficiency in service. There is no filing fee. Check the current award limits on cms.rbi.org.in before filing.

File an RTI to: Reserve Bank of India (the public authority that regulates bank fraud reporting obligations and runs the Ombudsman scheme)

Use an RTI application under Section 6(1) of the RTI Act 2005 addressed to the Central Public Information Officer, Reserve Bank of India, to ask:

• What are the prescribed timelines under the July 2017 circular for banks to resolve unauthorised-transaction complaints, and what action does RBI take when banks breach those timelines?
• How many complaints were received by the RBI Integrated Ombudsman in the last financial year relating to unauthorised electronic transactions, and what was the resolution rate?
• What oversight does RBI exercise over banks' 24/7 fraud-reporting helplines, and how are non-compliant banks penalised?
• What is the procedure for a customer to access the record of their own complaint filed under the Ombudsman scheme?
• How does RBI verify that banks correctly apply the zero-liability and limited-liability rules when adjudicating customer claims?

→ Use our free AI RTI Drafter to generate a complete Section 6(1) application.

Helpline: Cybercrime National Helpline 1930 (24 hours). RBI Complaint Management System: cms.rbi.org.in.

• RBI Master Circular on Customer Protection, 6 July 2017 (RBI/2017-18/15, DBR.No.Leg.BC.78/09.07.005/2017-18): rbi.org.in
• National Cyber Crime Reporting Portal: cybercrime.gov.in
• RBI Complaint Management System (Integrated Ombudsman): cms.rbi.org.in
• NPCI UPI dispute information: npci.org.in

By Dr. Shrawan Kumar Pathak