If you just lost money to an online payment scam in India, the next 3 days decide whether the bank pays you back or whether you eat the loss. The legal framework is unusually friendly to the victim, but only if you follow a specific written sequence. This 2026 playbook walks you through it step by step, in the order that actually works.
Direct answer. Call 1930 and file at cybercrime.gov.in (NCRP) within 24 hours. Send a written email to your bank inside 3 working days quoting the RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017 (Limiting Liability of Customers in Unauthorised Electronic Banking Transactions) - this caps your liability at zero if you reported within 3 working days and were not negligent. File an FIR. Preserve every screenshot. Wait 30 days, then escalate to the RBI CMS Ombudsman. Do NOT keep using the compromised account, and do NOT pay any “release fee” to a “recovery agent”.
Indian victims of online payment fraud have a strong right to a zero-liability refund under the RBI Customer Liability Framework 2017 if they report the fraud to their bank within 3 working days in writing. In parallel, file a National Cybercrime Reporting Portal (NCRP) complaint at cybercrime.gov.in or call 1930 within 24 hours so the cyber cell can freeze the recipient account. After 30 days, escalate to the RBI Integrated Ombudsman if the bank refuses.
Time is the single biggest factor in fraud recovery. The RBI's customer-liability circular ties your refund right to how fast you reported, in three buckets:
Within the first 24 hours, you also have the cybercrime side: a complaint at NCRP or call to 1930 lets the cyber cell push freeze instructions to the recipient bank before the money is laundered to a mule chain. After about 12 hours, the money typically has been moved across 3 to 5 mule accounts and is far harder to recover.
So the rule is brutally simple: report inside 24 hours to NCRP, write to your bank within 3 working days, and keep evidence of both timestamps.
The Indian Cybercrime Coordination Centre (I4C) runs the 1930 helpline on top of the National Cybercrime Reporting Portal. When you call, the operator opens a “ticket” linked to your bank account and pushes a near-real-time hold request to the recipient bank's nodal officer.
What to keep ready before calling:
If 1930 is busy, file the complaint directly at cybercrime.gov.in - the portal opens a ticket in the same I4C system. Save the acknowledgement number; that number is your proof of reporting time.
Warning: do not pay any “recovery agent”. Within hours of a fraud, scammers may message you on Telegram or WhatsApp claiming to be “ex-cyber officers” who can recover your money for a fee. They are recovery scammers - the second wave of the same network. Real recovery never asks you to pay anything. The only legitimate channels are 1930, your bank, NCRP, and the RBI Ombudsman.
Phone calls do not count for the 3-working-day rule. The RBI customer-liability circular protects you only if your report is “in writing”, and the burden of proving you were negligent falls on the bank, not you. Email or written letter both qualify.
Send your email to:
To: branch-manager@[bank].com; nodaloffice@[bank].com CC: your own backup email Subject: Unauthorised electronic transaction - account [last 4 digits] - reporting within 3 working days under RBI customer-liability circular dated 6 July 2017
Dear Sir/Madam,
I, [Name], hold savings account number ending [XXXX] at your [branch] branch. I am writing to formally report an unauthorised electronic banking transaction on my account.
On [date] at approximately [time], an amount of ₹[amount] was debited from my account vide [UPI ID / RRN / transaction reference], to beneficiary [recipient UPI / name / account]. I did not authorise this transaction. I did not share my OTP, PIN, password, CVV, or UPI PIN with any party.
This communication is sent within 3 working days of the bank alert (alert dated [date], time [time]), within the meaning of the RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017 on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions. Therefore my liability is zero and I request a full reversal of ₹[amount] within 10 working days as required by paragraph 8 of the said circular.
I have also filed:
Please:
1. Reverse the disputed amount to my account on a "shadow credit" or provisional basis as required by the circular. 2. Issue a written acknowledgement with a complaint reference number within 24 hours. 3. Block my debit card and reset internet banking and UPI credentials. 4. Coordinate with the recipient bank's nodal officer to freeze the receiving account. 5. Provide me with the dispute resolution timeline.
Failing satisfactory resolution within 30 days, I will escalate to the Reserve Bank of India - Integrated Ombudsman under the RBI - Integrated Ombudsman Scheme 2021.
Attachments: SMS / email alert screenshot, NCRP acknowledgement, FIR copy (if available), bank statement extract.
Regards, [Name] [Phone] | [Email] | [Address] Account: [number] | [Branch]
Send this from the email registered on your bank account. Do not delete the sent copy.
For amounts above ₹2 lakh, an FIR is mandatory under most state cybercrime SOPs. For smaller amounts, an “NCRP complaint” is treated equivalent to an FIR for many banking purposes, but a proper FIR is still useful for chargebacks and ombudsman cases.
You can file:
Cite the right offences in your FIR:
The FIR copy is mandatory for the bank's chargeback to a credit-card network and useful for the District Commission consumer complaint if the bank stalls.
Most fraud refunds fail not because the law is weak but because the victim deleted the SMSes during cleanup. Within 30 minutes of the fraud, do the following:
Evidence preservation checklist:
If you reset your phone, change your SIM, or wipe the messaging app, you may lose admissible evidence. Save first, clean later.
If the loss was on a credit or debit card, your bank can raise a “chargeback” with the Visa, Mastercard, Rupay, or Amex network. Chargebacks have strict timelines under each network:
Ask your bank in writing to “raise a chargeback under the relevant fraud reason code”. Ask for the chargeback reference number and expected timeline.
For UPI, the dispute resolution mechanism is operated by NPCI under the UPI dispute resolution framework. The first port of call is your bank or payment app's grievance officer (GPay, PhonePe, Paytm, BHIM all have one). If the issue is not resolved in 30 days, NPCI's UDIR (UPI Dispute Resolution) and the RBI Ombudsman take over. Cite the NPCI dispute mechanism in your bank email.
If your bank does not refund within 30 days of your written complaint, file at cms.rbi.org.in under the RBI - Integrated Ombudsman Scheme 2021. The RBI Ombudsman is free, online, and binding on the bank up to ₹30 lakh in compensation (above the disputed amount, the Ombudsman can also award up to ₹1 lakh for mental harassment).
You need:
The Ombudsman process is paper-based, with hearings only when needed. Most fraud cases close in 30 to 90 days at this stage.
| Channel | When to use | Cost | Typical time | What you get |
|---|---|---|---|---|
| 1930 helpline | Within hours of fraud | Free | Real-time | Account freeze attempt |
| NCRP cybercrime.gov.in | Within 24 hours | Free | 24 hours ack | Cybercrime ticket / e-FIR in some states |
| Bank written email | Within 3 working days | Free | 10 working days for shadow credit | Refund per RBI circular |
| Police FIR | Within 7 days, mandatory above ₹2 lakh | Free | Variable | Investigation + chargeback proof |
| Card chargeback | Within 60-120 days (network rule) | Free | 30-90 days | Reversal via Visa / MC / Rupay |
| NPCI UDIR (UPI) | After bank refuses | Free | 30-60 days | UPI-side reversal |
| RBI Ombudsman (CMS) | After 30 days bank delay | Free | 30-90 days | Binding order, up to ₹30 lakh + ₹1 lakh harassment |
| Consumer Commission (e-Daakhil) | If bank refuses despite Ombudsman | ₹100-₹500 | 3-9 months | Refund + compensation |
| Civil court | Large amounts, complex evidence | Higher | 1-3 years | Refund + damages |
Do NOT do any of these - each one wrecks your case:
If the recipient handle ends in @paytm, @ybl, @okaxis, @ibl, or another payment-app suffix, NPCI's mule-account framework allows the receiving payment service provider (PSP) to freeze and reverse if reported within the dispute window. Mention specifically in your NCRP complaint and bank email: “Recipient UPI handle [handle] - request immediate beneficiary freeze under NPCI mule-account guidelines”.
If your card was used on an offshore website (often a gaming, dating, or crypto site as cover), this is a “card not present” fraud. RBI rules from 1 January 2021 require all CNP transactions on international cards to use AFA (Additional Factor of Authentication) - if your card was charged without OTP or 3D Secure, that is a clean liability shift to the bank. Cite the RBI circular DPSS.CO.PD.No.116/02.14.003/2020-21 in your email.
If money was withdrawn from your account using an Aadhaar-enabled Payment System (AePS) device at a “BC” point, you have a separate playbook. The biometric was likely cloned. See our dedicated guide: AePS / Aadhaar-enabled payment fraud recovery. The 3-working-day RBI rule still applies, plus you can lock your Aadhaar biometrics on UIDAI's portal.
Some frauds target the corporate-salary-account window of large IT services and BPO employees, where salary credits arrive on a fixed day. The fraud often takes the form of a fake “HR” email asking you to “verify” your account. The recovery sequence is the same as above, plus your employer's CISO and the bank's corporate-banking team get looped in.
A subset of frauds happens because your SIM was cloned or “swapped” by a fraudster who tricked the telecom company. If your phone suddenly shows “no signal” for hours and then payments leave your account, this is a SIM-swap scam. Recovery steps:
This is the bank's standard first defence. The legal position is more nuanced. The RBI customer-liability circular puts the burden of proving customer negligence on the bank, not you. Sharing OTP under social-engineering pressure (impersonation of bank / RBI / police) has been treated by multiple ombudsman orders as “fraud-induced sharing”, not negligence. Your reply email to the bank should specifically rebut: “I was induced by impersonation of [bank / RBI / police / family]; the disclosure was extracted by deception, which under the customer-liability circular and consistent ombudsman orders is fraud-induced and not negligence on my part.”
The bank's burden of proof is real. Hold the line.
The 3-day rule is the customer-protection lever inside the RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017. If you report an unauthorised electronic transaction to your bank in writing within 3 working days of the bank's transaction alert, and you did not contribute to the fraud through gross negligence (such as writing your PIN on the card), your liability is zero and the bank must credit the disputed amount within 10 working days. It is not “automatic” in the sense that the bank pays without process, but the burden of proving that you were grossly negligent shifts to the bank. Many ombudsman orders since 2018 have ruled in favour of victims who reported within the 3-day window.
Both. Calling 1930 opens an immediate ticket and triggers a freeze attempt at the recipient bank, but the call alone does not create a permanent paper-trail you can attach to the bank email or ombudsman case. Filing at cybercrime.gov.in immediately afterwards generates a written NCRP acknowledgement number, which is the document you actually need. Do both: call 1930 first for speed, file at cybercrime.gov.in within the same hour for paper.
Yes. Section 173 of the BNSS 2024 (which replaced CrPC 154) makes it mandatory for any police station to register an FIR for a cognisable offence, regardless of jurisdiction. Online fraud above ₹1 lakh in most states is treated as a “zero-FIR” matter - any station must take it and forward to the right cyber cell. If a station refuses, write to the SP / DCP and copy the State Human Rights Commission and the State CID's cyber wing. The NCRP filing is itself treated as an FIR-equivalent in many states for losses above their threshold.
Harder, but not impossible. Voluntary transfers under deception (someone claiming to be a relative in trouble, an HR department, a delivery courier) still constitute “cheating by personation” under BNS Section 319 and 318. The bank will likely argue this falls outside the RBI customer-liability circular's “unauthorised” definition. But you can still attempt: (a) NCRP freeze if the recipient account is still active, (b) chargeback if it was on a card, © civil suit for recovery, (d) ombudsman complaint citing inadequate fraud monitoring. Recovery rates here are lower (15 to 30 percent within first 24 hours; near zero after a week) but action is still worthwhile.
The RBI circular at paragraph 8 mandates a “shadow credit” within 10 working days of the customer's written report, while the bank investigates. Many banks delay this, especially if they want to argue customer negligence. A clear written email citing the specific circular paragraph and copying the nodal officer pushes most banks to give the shadow credit. If they still refuse, that refusal itself becomes a deficiency under the Consumer Protection Act 2019 and a separate ground in your RBI Ombudsman complaint. Some ombudsman orders specifically award compensation for delayed shadow credit.
Generally, no - not immediately. Closing the account ends the dispute trail with that bank and complicates the refund. Instead, lock everything that can be locked: debit card, internet banking, UPI, mobile banking. Open a fresh, clean account at another bank for new transactions and salary credits, but keep the compromised account open with zero balance and active monitoring until the dispute closes. Move SIPs and auto-debits to the new account in writing. Once the refund is credited and the dispute fully closes, you can then reassess whether to close the old account.
The RBI - Integrated Ombudsman Scheme 2021 is a free, paper-based, online dispute-resolution mechanism for banking, NBFC, and payment-system grievances. You file at cms.rbi.org.in after waiting 30 days from your written complaint to the bank. The Ombudsman is binding on the bank up to ₹30 lakh on the disputed amount and can award an additional ₹1 lakh for mental harassment. It is faster than civil court (typically 30 to 90 days) and has no lawyer requirement. Banks comply with ombudsman orders almost always - failure to comply triggers RBI supervisory action. For most online payment fraud cases up to ₹30 lakh, the Ombudsman is the correct forum after the bank refuses.
Yes. Banking is a “service” under Section 2(42) of the Consumer Protection Act 2019, and a wrongful debit or refusal to refund is a “deficiency in service” under Section 2(11). You can file at e-Daakhil (edaakhil.nic.in) at the District Commission for amounts up to ₹50 lakh. Many victims combine the RBI Ombudsman path with a parallel consumer complaint. The ombudsman is faster but the consumer commission can award higher compensation in some cases. See our how to file a consumer court case guide.
International cyber fraud is harder but not hopeless. The Mutual Legal Assistance Treaty (MLAT) network and Interpol Red Notices apply for large amounts. For a citizen, the practical route is: (a) NCRP forwards to I4C, which liaises with international agencies; (b) FIR with the cyber cell; © bank chargeback if it was a card transaction (chargebacks work even for offshore merchants); (d) RBI Ombudsman against your bank for any failure of monitoring. Recovery rates depend heavily on which jurisdiction the recipient sits in. Money routed through Indian mule accounts is recoverable; money already converted to crypto and offshore is mostly not.
No. The “recovery agent” market is dominated by the same fraud networks. Real recovery is free - 1930, NCRP, your bank, RBI Ombudsman, and the consumer commission. Anyone asking for a “registration fee”, “GST”, “release charge”, “tax clearance”, or “advance commission” is a recovery scammer. Some pose as “ex-cyber officers”, “law firms”, or “specialised recovery experts” with fake testimonial videos. They will eventually ask for your remaining bank credentials. The single most reliable signal: if they want money upfront, they are scamming you. Do not engage.
Online payment fraud recovery is a paperwork race against a 3-day clock. Call 1930 in the first hour, write to your bank inside 3 working days, file the FIR, and preserve every screenshot. The RBI customer-liability circular and the BNS / IT Act are written for you, not the bank. Most victims who follow this sequence in writing get a full refund within 30 to 90 days. Most victims who only call and never write, get nothing. If this guide saved someone you know an SMS-deletion mistake, share it - that one screenshot they would have lost is the difference between zero liability and full loss.