Email misuse for loans, apps, deliveries: India complaint guide 2026

If your inbox started filling up overnight with welcome emails from loan apps you never installed, food-delivery accounts in a city you do not live in, OTPs at 2 a.m., or KYC links from lenders you have never heard of, somebody is using your email address as their own. This is not spam. It is identity reuse. The fix is procedural, not technical, and you can do most of it from a phone before lunch.

In Indian practice, three different things get clubbed under “someone is using my email”:

1. Signup squatting. A stranger types your address into a loan app, a delivery service, a dating site or a streaming account at signup. The platform sends you a welcome email. They never verify the address, so the account stays linked to you forever.
2. OTP harvesting. Your address is the recovery channel on an account the attacker controls. They trigger password resets to confirm the address is alive, or to scout which banks and wallets you use.
3. Identity theft. Your name, PAN, Aadhaar or phone number are being used along with the email to open a real loan, a wallet account or a UPI handle. The welcome emails are receipts of that crime.

The first two are mostly noise. The third is a §66C offence under the Information Technology Act, 2000 and an §319 offence (cheating by personation) under the Bharatiya Nyaya Sanhita, 2023. The cure for each is different, but the first 30 minutes look identical for all three, so start there.

Do these in order. Do not skip ahead.

1. Minute 0 to 5, secure the email itself. Open the account on a trusted device. Change the password to something you have never used. Turn on two-step verification with an authenticator app, not SMS. Add a recovery phone number you actually control. Sign out of every other session from the security page. On Gmail this is at myaccount.google.com/security, on Outlook it is account.microsoft.com/security, on Apple Mail it is appleid.apple.com.
2. Minute 5 to 10, audit the recovery channels. Go to “Recovery email” and “Recovery phone” inside the account settings. If you find a number or address you do not recognise, remove it. Attackers often add their own recovery details so they can lock you out later.
3. Minute 10 to 15, scan for forwarding rules. Inside Gmail go to Settings, See all settings, Forwarding and POP/IMAP. Inside Outlook go to Settings, Rules. Delete any forwarding to an address that is not yours. This is the single most common backdoor and the one most users miss.
4. Minute 15 to 20, list every misuse email. Open a notebook or a fresh document. Write one line per company that sent a misuse email in the last 30 days. Capture sender name, sender email, date, subject and account ID if visible. You will need this list for the takedowns.
5. Minute 20 to 25, screenshot with headers. For each misuse email, open it, click “Show original” or “View source”, and screenshot the full header. The header is the only thing a grievance officer or a cyber cell will accept as proof. A body screenshot alone can be forged in 30 seconds.
6. Minute 25 to 30, file a written record. Email yourself a single summary message titled “Email misuse log, [date]” with the list and a sentence saying “I did not create any of these accounts.” This timestamps your version of events before any account goes to collections.

By minute 30 the bleeding has stopped. The inbox may still fill up for another 24 hours as queued OTPs arrive, but no new account can be opened, no recovery loop can be hijacked, and you have a paper trail.

Before you write to any company, build a small evidence pack. Cyber cells and grievance officers ask for the same items in the same order. Keep them in one folder named “email-misuse-2026” on your phone or laptop.

1. Full screenshot of each misuse email, including subject, sender, date and timestamp.
2. Full email header for at least three samples. The header contains the originating IP and the message ID, which is the only legal proof a message was sent.
3. The account ID, customer ID or application number from the body of the email, if any.
4. A self-declaration in writing saying you did not create the account, signed and dated.
5. A copy of your photo ID, masked to show only the last four digits and your name. Never send a full unmasked Aadhaar in a complaint email.
6. A short timeline in plain English: “First misuse email on 12 May 2026 at 02:14. I noticed on 13 May 2026 at 09:00. I changed the password on 13 May 2026 at 09:10.”
7. If a loan account or a UPI handle is involved, the SMS log from your phone for the same window. Loan disbursals always come with an SMS to a registered mobile.
8. A copy of any reply you get from the company. File these as you receive them.

This pack is the single artefact you will reuse for every channel below. Build it once, well, and the rest is forwarding.

There are five channels, and they do different things. Use them in the order shown, not in parallel.

1. 1. The company itself, grievance officer route. Every Indian-facing platform must publish a grievance officer email under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and now under the Digital Personal Data Protection Act, 2023, §13. The address is usually at the bottom of the privacy policy. Send the takedown email there with your evidence pack attached. The company has 15 working days under Rule 3(2)(a) to act. Keep the acknowledgement.
2. 2. The Reserve Bank of India route, only for loan apps. If a digital lender opened an account in your name, the RBI Digital Lending Guidelines, 2022 require the lender to verify the borrower's identity through a video KYC or an in-person check. Where this was not done, write to the lender's nodal officer and copy the RBI complaint portal at https://cms.rbi.org.in/. The lender must close the account and report the closure to all four credit bureaus within 30 days.
3. 3. CERT-In, for phishing or fraudulent sender domains. If the misuse emails are coming from a fake sender domain that looks like a real bank or a real lender, forward the full header to [email protected]. CERT-In, under §70B of the IT Act, can issue a takedown to the hosting provider. This is the right channel when the email itself is a fraud, not when the email is a genuine account opening done in your name.
4. 4. The Data Protection Board, under the DPDP Act, 2023. Once the company's 15 working days lapse without a fix, escalate to the Data Protection Board under §27. The grounds are §6 (consent was never given) and §13 (the grievance officer failed to redress). File at the Board portal as and when it goes live, and in the meantime keep your written grievance to the company on record. The Board can levy a penalty of up to ₹250 crore on the data fiduciary.
5. 5. The cybercrime channel, for identity theft. If a loan, a wallet, a UPI handle or a SIM has been opened in your name using the email, this is now a cognisable offence. File at https://cybercrime.gov.in/ under IT Act §66C (identity theft, three years and ₹1 lakh) and §66D (cheating by personation through a computer resource, three years and ₹1 lakh), plus BNS, 2023 §319 (cheating by personation). Call 1930 first to register the financial side, then file the written NCRP complaint within 24 hours. Our 1930 helpline script walks through the call minute by minute.

Do not start at channel 5 unless real money has moved. Doing so dilutes the FIR with non-financial complaints and slows the police down on the cases that actually involve theft.

You need a written FIR, not just an NCRP complaint, when any of the following has happened.

1. A loan has been disbursed to a bank account that is not yours, but in your name. CIBIL or another bureau may already show the account.
2. Your PAN, Aadhaar or driving licence has been used along with the email to clear a KYC.
3. A SIM card has been issued in your name on the strength of the email and a forged ID.
4. A wallet, a UPI handle or a Demat account has been opened using the email as the primary contact.
5. You have received a recovery call, a legal notice or a court summons for a debt you never took.

The FIR is filed at the nearest cyber crime police station, or at a regular police station which forwards it to the cyber cell under Bharatiya Nagarik Suraksha Sanhita, 2023 §173 (registration of FIR). Carry the evidence pack, a printout of the NCRP acknowledgement, and a photo ID. If a loan account has hit your credit report, also carry the latest CIBIL report. The investigating officer will issue a §94 BNSS notice to the lender or the platform asking for KYC documents and IP logs. Those logs are usually enough to close the loop.

If the local station refuses to file the FIR, the legal remedy is a complaint to the Superintendent of Police under BNSS §173(4), and beyond that a private complaint to the Judicial Magistrate under BNSS §175(3). You should not need to go that far. Most cyber cells in metros register the FIR on the same day if the NCRP printout is in hand.

This is the template to send to a grievance officer once you have the evidence pack ready. Paste it as the body of an email, attach the evidence, and send from the misused address itself so the grievance officer can match it.

To: grievance@[company].in
Cc: [email protected] (only if loan or KYC is involved)
Subject: Takedown request, account opened without consent, email misuse, [date]

Dear Grievance Officer,

I am writing under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and Section 13 of the Digital Personal Data Protection Act, 2023. An account has been created on your platform using my email address [your email] without my consent.

Details of the misuse account, to the extent visible from your welcome email dated [date]:
  - Account or customer ID: [as shown in the email]
  - Phone number on file (if visible): [last 4 digits if shown]
  - Date of account creation: [date]
  - Welcome email subject: [subject line]

I confirm in writing that:
  - I did not create this account.
  - I have never used your platform.
  - I have not shared my email address with your platform for signup.
  - My consent under Section 6 of the DPDP Act, 2023 was never sought or given.

I request the following, within the 15 working day window under Rule 3(2)(a):
  - Closure of the account in full.
  - Erasure of all personal data associated with my email under Section 8(7) of the DPDP Act, 2023.
  - A written confirmation of closure to this email address.
  - The IP address, device fingerprint and signup timestamp of the account, to be preserved for a possible police investigation.

I have preserved full headers of your welcome email and a screenshot record. I will escalate to the Data Protection Board under Section 27 and to the cyber cell under Section 66C of the Information Technology Act, 2000 if I do not hear back within 15 working days.

Yours sincerely,
[Name]
[City, State]
[Date]

Send a copy of every reply to yourself on a second email address. Replies tend to disappear from inboxes once accounts are closed.

This deserves its own section because it is the fastest moving and the most expensive to ignore.

A welcome email from a digital lender almost always means one of three things. First, somebody completed a soft signup using your email but did not finish KYC, in which case there is no loan yet and you only need a closure email. Second, somebody finished KYC using a forged ID and your email, in which case there may be a real loan against your name. Third, the email is a phishing attempt designed to make you click a “verify” link. Treat the third possibility first.

The phishing tell is simple. A real lender will address you by your full legal name as it appears on the PAN, never as “Dear Customer”. A real lender will quote the last four digits of the disbursal bank account. A real lender will have a working grievance email at the same domain as the welcome email. A phishing email fails on at least one of these.

Once you have ruled out phishing, pull your free CIBIL report at https://www.cibil.com/freecibilscore and your CRIF, Experian and Equifax reports. If a loan shows up that you did not take, you are now in identity theft territory. The recovery path is the CIBIL dispute and wilful defaulter tag removal flow, and you should file the cyber FIR the same day. If no loan shows up across all four bureaus, the email is a signup squat and the takedown letter is enough.

Where the lender is unregistered, that is, the brand does not appear on the RBI list of NBFCs at https://www.rbi.org.in/Scripts/BS_NBFCList.aspx, write to the RBI directly. Unregistered digital lenders have been a regulatory priority since the 2022 guidelines and a fast escalation often gets the account closed inside a week.

A welcome email from a delivery platform, a food app or a quick-commerce service usually means signup squatting. The account is rarely worth money to the attacker, but it is worth a lot to you because it leaks your name and city to anyone who can see the platform's leaderboard or referral system.

The fix is short. Send the takedown email above. Most platforms close the account inside three working days because there is nothing to defend. The harder problem is that once your email is on the platform, the marketing emails do not always stop after closure. Use the unsubscribe link on each promotional email, and if that fails, write a second letter citing DPDP §8(7) (erasure on withdrawal of consent). Erasure is enforceable. Unsubscribe is not.

1. Replying to the misuse email directly. Welcome emails come from no-reply addresses that are not monitored. Always write to the published grievance officer instead.
2. Clicking “this is not me” links inside the welcome email. If the email is a phishing attempt, the link is the attack. Use the platform's official website, type the URL by hand.
3. Filing an NCRP complaint for every signup squat. This dilutes the system. Reserve NCRP for cases involving money, KYC, SIM cards, UPI handles or recovery calls.
4. Sending unmasked Aadhaar in the takedown email. Mask all but the last four digits and the name. The grievance officer does not need the rest.
5. Forgetting the header screenshot. A body screenshot alone is worthless as evidence. The header carries the IP and the message ID.
6. Closing the email account in panic. This destroys the evidence trail. Keep the account open, just secure it.
7. Believing the lender's claim that “it must have been you”. The burden of proof is on the data fiduciary under DPDP §8(5). Insist on the IP log and the device fingerprint.

In nine cases out of ten, somebody mistyped their own email at signup and put yours instead. Indian platforms almost never verify the email before sending the welcome and the first OTP, so the noise lands in your inbox. In the tenth case, somebody is deliberately using your address to mask their identity. Either way the fix is the same: change the password, turn on two-step verification, list the offending platforms, and send a takedown letter to each one.

No. The emails are your only proof that the account exists. Once you delete them, the platform can deny the signup ever happened, and you have nothing to attach to a grievance letter. Screenshot the full header for at least the first three of each kind, then archive the rest in a labelled folder.

Not with the email alone. A real loan needs a PAN, an Aadhaar or a driving licence, plus a phone OTP, plus video KYC for amounts above ₹50,000 under the RBI Master Direction on KYC, 2016 as amended. If you start seeing loan welcome emails, the chance is that somebody is also using your PAN or Aadhaar. Pull your CIBIL, CRIF, Experian and Equifax reports the same day. If nothing shows up, the email is a squat, not a theft.

NCRP is a written complaint filed at https://cybercrime.gov.in/ and routed to the relevant state's cyber cell. An FIR is filed at a police station under BNSS §173 and starts a criminal investigation. NCRP is enough for signup squats and for triggering bank freezes. An FIR is needed if a loan account, a wallet, a SIM or a Demat has been opened in your name, or if you have received a recovery call or a legal notice. File NCRP first, then walk into the cyber cell with the printout.

Under Rule 3(2)(a) of the Intermediary Guidelines, 2021 and §13 of the DPDP Act, 2023, every platform offering services in India must publish a working grievance officer email and address. A bounce is itself a violation. Save the bounce message, write to the platform's customer support with a copy of the bounce, and if still no reply within seven days, escalate directly to the Data Protection Board. The bounce becomes part of the evidence.

No. NCRP complaints are filed by the victim and recorded as such. They are not criminal records. The only thing that shows up on a routine background check is a conviction or, in some cases, a pending FIR. A complaint you filed to protect yourself does not harm your record.

You can, under §43A of the Information Technology Act, 2000 (compensation for failure to protect personal data) and under §82 of the DPDP Act, 2023 (compensation through the Board). The realistic route in 2026 is a complaint to the Data Protection Board under §27. The Board can both close the account and order compensation. A civil suit is available but slow, and most readers settle for closure and erasure rather than damages.

Three years from the last misuse email at minimum. Limitation under the Limitation Act, 1963 is three years for most personal claims. Identity theft cases under BNS §319 carry the same limitation. Keep the evidence pack on at least two devices and in one cloud folder, all named the same way for easy retrieval.

Yes. NCRP accepts complaints from any IP. The cyber cell will need an Indian point of contact, usually a family member or a lawyer, to receive notices. The grievance officer route works regardless of your location. You will need a Power of Attorney only if a police investigation goes to the FIR stage and physical statements are required.

Yes, when financial loss or identity reuse is involved. §66C of the IT Act, 2000 punishes identity theft with imprisonment up to three years and a fine up to ₹1 lakh. §66D punishes cheating by personation through a computer resource with the same range. BNS, 2023 §319 (cheating by personation) and §318 (cheating) cover the offline parts. Convictions are not common because most cases close at the lender or platform end before they reach trial. Closure plus erasure is the realistic outcome you should aim for.

The FAQ block above uses the H3 `==== Q? ====` syntax which RTI Wiki's sitewide `schema-auto.js` picks up and renders as `FAQPage` JSON-LD. Do not paste any inline `<script type=“application/ld+json”>` block into the source. DokuWiki escapes inline JSON-LD as visible text and the search engines will read the broken markup rather than the structured data.

1. The 1930 cyber fraud helpline, minute-by-minute script for the call you make when money has moved.
2. Bank freeze process after cyber fraud for the lien on a beneficiary account inside the golden hour.
3. CIBIL, NPA and wilful defaulter tag removal when a loan account opened in your name has already hit your credit report.
4. The citizen RTI playbook for the broader template of how to use RTI to recover from administrative damage.
5. Middle-class traps for the wider set of financial and identity hazards that share the same evidence playbook.

1. AI RTI Drafter for an RTI to a public-sector lender or a state cyber cell.
2. First Appeal Builder if the grievance officer ignores your closure letter.
3. AwaazRTI to dictate the takedown letter in Hindi or a regional language.
4. PIO Reply Checker for the reply you get from a public lender or a government grievance cell.

1. Information Technology Act, 2000, §43A (compensation for failure to protect data), §66C (identity theft), §66D (cheating by personation), §70B (CERT-In powers). Full text at https://www.indiacode.nic.in/.
2. Digital Personal Data Protection Act, 2023, §6 (consent), §8(5) (burden of proof on data fiduciary), §8(7) (right to erasure), §13 (grievance officer), §27 (Data Protection Board complaints), §82 (compensation). Full text at https://www.meity.gov.in/.
3. Bharatiya Nyaya Sanhita, 2023, §318 (cheating), §319 (cheating by personation).
4. Bharatiya Nagarik Suraksha Sanhita, 2023, §173 (FIR), §175(3) (private complaint to magistrate), §94 (production notice).
5. Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Rule 3(2)(a) (grievance officer 15-day window).
6. Reserve Bank of India Digital Lending Guidelines, 2022 and Master Direction on KYC, 2016 as amended. Available at https://www.rbi.org.in/.
7. National Cyber Crime Reporting Portal at https://cybercrime.gov.in/ and helpline 1930.
8. CERT-In phishing and incident reporting at https://www.cert-in.org.in/ and [email protected].
9. CIBIL free score at https://www.cibil.com/freecibilscore.
10. RBI complaint management system at https://cms.rbi.org.in/.
11. RBI list of NBFCs at https://www.rbi.org.in/Scripts/BS_NBFCList.aspx.

A clean editorial illustration in Apple-liquid-glass green and white palette, top-down view of a smartphone showing an inbox with seven unread welcome emails from generic loan and delivery apps stacked, a soft padlock icon glowing over the screen, a small notepad beside the phone with a handwritten list of timestamps, neutral wooden desk background, no faces, no logos, no Indian flags, no text on the lock icon, 1200 by 630 pixels, photographic realism, soft morning light from the left, depth of field on the padlock. Save to /home/bighelpers/wiki/data/media/social/auto/email-misuse-loans-apps-deliveries-complaint-india.png.