Consider a typical case. A parent receives a WhatsApp message from what appears to be her child's school administrator, demanding around ₹18,500 as an urgent examination fee within two hours. The profile picture matches the school logo, the group name reads like the real parents' group, and two or three other “parents” have already confirmed payment. She transfers the amount. Minutes later, the real school principal calls to warn parents about a cloned WhatsApp group in which fraudsters are impersonating teachers and extracting money. This pattern—seen across many cities in 2025–2026—is what this guide helps you prevent, report, and recover from.
Citizen Crisis Response Network — If you or a parent in your child's school WhatsApp group has been defrauded, lost money to fake fee demands, or encountered impersonators spreading panic rumours, this guide provides step-by-step FIR filing, statutory remedies under BNS 2024, evidence preservation for WhatsApp chat exports, and technical safeguards to prevent cloning and phishing in school communication channels.
https://righttoinformation.wiki/citizen-crisis-response-network
School WhatsApp group fraud in India (2026) involves criminals cloning group names, impersonating teachers or administrators, and demanding fake fees or spreading kidnapping rumours. (1) File FIR under BNS section 318(4) (cheating and dishonestly inducing delivery of property), BNS section 319 (cheating by personation) and section 66D of the IT Act 2000 (cheating by personation using a computer resource). (2) Export WhatsApp chat (three-dot menu > More > Export chat). (3) Notify your school principal immediately. (4) Report to cybercrime.gov.in portal. (5) Enable two-step verification on WhatsApp. (6) Verify group admin phone numbers independently. (7) Never share OTPs or payment screenshots in groups; confirm fees via official school portal or physical notice only.
Fraudsters exploit the trust architecture of parent-teacher WhatsApp groups. The attack vector follows a repeatable pattern: reconnaissance, impersonation, urgency engineering, and payment extraction. Complaints involving impersonation and fee fraud through messaging apps can be reported to the National Cyber Crime Reporting Portal (cybercrime.gov.in) and the cyber-fraud helpline 1930.
Stage one: reconnaissance. Criminals harvest phone numbers from publicly visible school websites, alumni directories, or compromised parent databases. In some cases, a single parent's phone is compromised via phishing, granting access to the legitimate school group's participant list.
Stage two: cloning. The fraudster creates a new WhatsApp group with a near-identical name—often a single character difference or extra space (“St. Xavier's Parents Grade 7” vs. “St. Xavier's Parents—Grade 7”). The group display picture is copied from the legitimate group. Between 15 and 40 parent phone numbers are added in batches to avoid detection.
Stage three: impersonation. One member changes their WhatsApp profile name to “Principal Mrs. Sharma” or “Admin Office.” The profile picture is cloned from the school website or legitimate group. A message is posted: “Urgent: Board exam registration fee ₹18,500 due by 5 PM today. Payment details below. Reply PAID once done.”
Stage four: social proof. Accomplices or fake numbers post: “Paid, transaction ID 4729381.” “Done, thanks.” This triggers herd behaviour. Parents, fearing their child will miss registration, transfer money without independent verification.
Most citizens miss this — WhatsApp does not verify group names or admin credentials. A group named “CBSE Official” or “School Principal” carries zero platform authentication. Always verify via a second channel—phone call to a known school number or physical notice.
The following are illustrative scenarios drawn from the common patterns reported in school WhatsApp fraud. They are composite examples, not specific documented incidents.
The fake fee demand. A parent is added to a cloned group that closely mimics the real “Parents—Grade 7” group. The display picture is the school logo, and one member's profile name reads “Principal Mrs. Sharma.” A message demands an urgent examination fee, payable within hours to a UPI ID. Two or three “parents” post “Paid, thanks” to create social proof. Several families transfer money before the school clarifies that no such fee was demanded. Such frauds are charged under BNS section 318(4), BNS section 319 and section 66D of the IT Act 2000; UPI funds are typically routed through mule accounts, which is why an immediate complaint matters.
The panic rumour. Parents in a cloned group receive a message claiming a kidnapping attempt near the school gate and that the school is closed. Panic spreads, parents rush to withdraw children mid-day, and only later does the school issue a clarification that no incident occurred. Spreading such false alarms is an offence under BNS section 353 (statements conducing to public mischief) read with section 66D of the IT Act 2000.
The fake “sports kit” collection. A fraudster posing as a “Vice Principal” demands a moderate amount for an “annual sports kit.” Several parents pay before the school's official communication clarifies that no such fee exists. Funds withdrawn through a payment gateway in a shell entity's name are hard to recover once dispersed—reinforcing why fees should only be paid after independent verification.
Warning — Schools in tier-2 and tier-3 cities are often more vulnerable. Many lack dedicated IT administrators, and parent digital literacy is uneven. Fraudsters tend to target mid-tier private schools where fee amounts are moderate (₹10,000–₹25,000 range) and parents are less likely to verify independently.
The Bharatiya Nyaya Sanhita 2023 (BNS), which replaced the Indian Penal Code 1860 with effect from 1 July 2024, consolidates and modernises fraud provisions.
BNS section 318: Cheating. Section 318 defines cheating. Simple cheating under section 318(2) is punishable with imprisonment up to three years, or fine, or both. Section 318(4)—cheating and thereby dishonestly inducing the deceived person to deliver property (the successor to section 420 IPC)—is punishable with imprisonment up to seven years and fine. This is the core charge in a school fee fraud, because the parent was induced to transfer money.
BNS section 319: Cheating by personation. Whoever cheats by pretending to be some other person is punished with imprisonment up to five years, or fine, or both. This directly fits WhatsApp group impersonation, where the fraudster pretends to be a school official.
BNS section 353: Statements conducing to public mischief. Whoever makes, publishes, or circulates any statement, false information, rumour or report—including through electronic means—with intent to cause, or likely to cause, fear or alarm to the public is punishable with imprisonment up to three years, or fine, or both. Applicable to fake kidnapping or bomb-threat rumours in school groups.
IT Act 2000, section 66D: Punishment for cheating by personation by using computer resource. Imprisonment up to three years and fine up to ₹1,00,000. This section continues in force alongside BNS 2024 and is often charged concurrently.
IT Act 2000, section 66C: Punishment for identity theft. Imprisonment up to three years and fine up to ₹1,00,000. Applies when a fraudster uses another person's electronic signature, password, or unique identification (e.g., cloning a teacher's WhatsApp profile).
WhatsApp chat logs, when exported with metadata intact and corroborated by subscriber identity records from the telecom operator, are treated as admissible electronic evidence under section 63 of the Bharatiya Sakshya Adhiniyam 2023 (which replaced the Indian Evidence Act 1872), subject to the certificate requirements of that section.
Tip — Cite the specific sections (BNS 318(4) and 319, IT Act 66C and 66D) clearly in your complaint, and ask that the matter be handled by the cyber crime unit. A clearly framed complaint helps the investigating officer act faster.
Step 1: Preserve evidence immediately. Export the WhatsApp chat. Open the fraudulent group > three-dot menu > More > Export chat > Without media (or With media if images/videos are evidentiary). Email the .txt file to yourself and save to cloud storage. Take screenshots showing group name, participant list, admin details, and fraudulent messages. Note exact timestamps.
Step 2: File online complaint. Visit https://cybercrime.gov.in (National Cyber Crime Reporting Portal, operated by Ministry of Home Affairs). Click “Report cybercrime” > “Women/Child related crime” (if applicable) or “Financial fraud.” Fill form with: school name, fraudulent group name, phone numbers of fraudster(s), transaction details (UPI ID, account number), amount lost, timeline. Upload exported chat .txt file and screenshots. You will receive an acknowledgement number.
Step 3: File FIR at local cyber police station. Visit your city's dedicated Cyber Crime Police Station or the jurisdictional police station. Carry: cybercrime.gov.in acknowledgement printout, WhatsApp chat export (printed and on USB drive), bank transaction statements, school communication (legitimate notice if available), identity proof, and address proof. Insist on FIR registration under BNS section 318(4), BNS section 319, IT Act section 66D, and IT Act section 66C. Refuse to accept a Non-Cognizable Report (NCR) or General Diary (GD) entry—these do not trigger investigation.
Step 4: Obtain FIR copy. You are entitled to a free copy of the FIR under section 173(2) of the BNSS 2023, which must be given forthwith, free of cost, to the informant or victim. The FIR number is critical for all follow-up correspondence.
Step 5: Inform your bank and call 1930. If the fraud involved UPI, IMPS, or NEFT, immediately call your bank's fraud helpline (typically on the back of your debit card) and the national cyber-fraud helpline 1930, then file a written complaint at the branch. Ask the bank to flag and attempt to freeze the beneficiary account so the funds are not dispersed further. Reporting within the first hours gives the best chance of stopping the money before it moves through mule accounts.
Step 6: Follow up regularly. Under section 193(3)(ii) of the BNSS 2023, the police are required to inform the informant or victim of the progress of the investigation within ninety days, including by electronic means. Send a written application (or email to the investigating officer) requesting status updates. Mention your FIR number and attach a copy of your original FIR.
Do this immediately — If you have transferred money in the last few hours, call your bank's 24×7 helpline and the cyber-fraud helpline 1930 at once and ask for the transaction to be held or recalled. The sooner you report, the higher the chance of stopping the funds before they are withdrawn.
WhatsApp chat exports are admissible under section 63 of the Bharatiya Sakshya Adhiniyam 2023 (BSA, which replaced the Indian Evidence Act 1872 with effect from 1 July 2024). Section 63 treats computer output (information stored or copied in electronic form) as a document admissible in evidence, subject to the conditions and certificate prescribed in that section.
Metadata preservation. When you export a chat, WhatsApp generates a .txt file embedding timestamps, sender identifiers, and message sequence. Do NOT edit this file. Courts accept unaltered exports corroborated by subscriber identity records (obtained by police through a summons to produce documents under section 94 of the BNSS 2023 to the telecom operator).
Chain of custody. To strengthen admissibility, create a contemporaneous note: “On [date], at [time], I exported WhatsApp group '[name]' from my phone [IMEI number]. The export file SHA-256 hash is [calculate using an online tool]. I emailed this file to [your email] and uploaded to [Google Drive/Dropbox] at [timestamp].” Sign and date this note; attach a printed copy to your FIR application.
Certificate under Section 63(4) BSA 2023. If your case goes to trial, the Investigating Officer will file a certificate identifying the computer/device that produced the electronic record, describing the manner of production, and providing particulars of the device. This satisfies the statutory presumption of authenticity under Section 63(4).
Photographs and videos. If the fraudulent group contained images (e.g., fake fee payment QR codes, forged school letterheads), export the chat “With media.” Each image file carries EXIF metadata (date, time, device model). Use a tool like ExifTool or Metadata Viewer (free Android/iOS apps) to extract and document metadata before submitting to police.
Citizen tip — Police often lack training in digital evidence. Print the exported .txt file with line numbers, highlight key fraudulent messages in yellow, and annotate margins with “Fraudulent demand,” “Fake admin name,” etc. Hand this annotated printout to the investigating officer—it dramatically accelerates case preparation.
Schools and parent committees must implement these eight controls immediately.
1. Official group creation. Only the school's designated IT coordinator or principal should create parent WhatsApp groups. The group description must include the school's official website URL, email, and landline number for verification.
2. Admin-only messaging. In group settings > Group settings > Send messages, select “Only admins.” This prevents any parent or infiltrator from posting messages. Critical announcements are admin-only; parents respond via private message to the school office number.
3. Participant approval. In group settings > Group settings > Edit group info, select “Only admins.” In Add participants, select “Admins must approve.” Every join request is manually verified against the school's enrolment database.
4. Anti-cloning vigilance. Periodically search your phone's chat list for groups with similar names. Educate parents: if you are suddenly added to a group you did not knowingly join, exit immediately and report to the school.
5. Two-step verification. Every parent should enable WhatsApp Settings > Account > Two-step verification. This requires a 6-digit PIN in addition to SMS OTP, preventing account takeover even if SMS is intercepted via SIM swap fraud.
6. Verified Business Account. Schools should register a WhatsApp Business API account (via an approved Business Solution Provider) and obtain the green verified badge. This badge cannot be spoofed. Educate parents: “Official school messages will only come from the number with the green tick.”
7. Out-of-band verification. Any fee demand, schedule change, or emergency alert posted in WhatsApp must be simultaneously communicated via SMS to all parents, email, and posted on the school's parent portal or website. Parents are instructed: “If you see a message in WhatsApp but no corresponding SMS/email, ignore and report.”
8. Incident response protocol. Schools must have a written policy: “If any parent reports a suspicious message, the school will immediately broadcast a warning in the official group, post an alert on the website, and send an SMS to all parents within 30 minutes.” Most of the fee-fraud cases above would have been mitigated if such a protocol existed.
Most citizens miss this — Enabling “disappearing messages” in school groups destroys evidence. Schools must disable this feature: Group info > Disappearing messages > Off. Critical communications should be permanent and exportable.
Schools owe a duty of care to students and parents not only for physical safety but also for safeguarding personal data and communication integrity.
Consumer Protection Act 2019 (CPA). Whether schooling counts as a “service” under the CPA is unsettled: consumer forums (for example, the NCDRC in *Manu Solanki v. Vinayaka Mission University*) have held that core educational activity is not a “service”, while the Supreme Court has allowed consumer claims in some narrow situations involving specific promises or misrepresentation. So a consumer complaint before the District Consumer Disputes Redressal Commission under section 35 CPA 2019 (for deficiency in service in handling parent data or communications) is worth attempting, but the school may raise a threshold objection that education is outside the CPA. Treat this route as arguable, not guaranteed.
Digital Personal Data Protection Act 2023 (DPDP). Once the DPDP Rules are fully notified and in force, schools that collect parent phone numbers will be “Data Fiduciaries.” Section 8 of the DPDP Act requires a Data Fiduciary to put in place reasonable security safeguards and to intimate the Data Protection Board and affected persons in the event of a personal data breach. The Act's Schedule provides for a penalty of up to ₹250 crore for failure to take reasonable security safeguards to prevent a breach.
Negligence and vicarious liability. If a school employee (teacher, clerk, IT admin) is complicit in leaking parent data or in creating a fraudulent group, the school may be exposed to vicarious liability under ordinary principles of the law of tort, under which an employer can be answerable for wrongful acts committed by an employee in the course of employment. Parents may consider a civil suit for damages in addition to the criminal complaint.
Contractual duty. Most school admission forms include a clause: “The school will protect the confidentiality of contact information.” Breach of this clause is actionable in civil court under section 73 of the Indian Contract Act 1872 (compensation for loss or damage caused by breach).
Warning — If your school refuses to acknowledge the fraud incident, send a legal notice (template below) asserting deficiency in service and threatening CPA 2019 complaint. Most schools settle to avoid publicity and regulatory scrutiny.
| Myth | Reality |
|---|---|
| “WhatsApp groups with school logo are official.” | Anyone can set a group name and display picture to match the school logo. WhatsApp does not verify group authenticity. Only a verified Business Account (green badge) offers platform assurance. |
| “If other parents confirm payment, it must be real.” | Fraudsters post fake “payment done” messages using accomplice numbers or bots. Social proof is weaponised. Always verify independently via phone call or school portal. |
| “Police cannot do anything in cybercrime cases.” | Cheating and personation are cognizable offences under BNS sections 318(4) and 319 and IT Act sections 66C and 66D; police are obliged to register an FIR and investigate. Most cities have dedicated cyber crime cells, and the national helpline 1930 and cybercrime.gov.in portal route financial-fraud complaints for quick action. |
| “WhatsApp chats are not legal evidence.” | Bharatiya Sakshya Adhiniyam 2023 section 63 recognises electronic records. Exported chats with metadata, corroborated by telecom subscriber records, are admissible. Courts regularly rely on WhatsApp evidence in fraud trials. |
| “Schools are not responsible for private parent groups.” | Schools that create or endorse WhatsApp groups for official communication take on a duty of care over those channels and over the parent data they hold. Whether a consumer complaint lies is arguable, but negligence and data-protection obligations can still be raised. |
| “Two-step verification is optional and inconvenient.” | Two-step verification adds a PIN on top of the SMS OTP, which sharply reduces the risk of account takeover. Without it, a SIM-swap or phishing attack can compromise your account quickly and give fraudsters access to all your groups. |
To, The Station House Officer, Cyber Crime Police Station, [City Name] Subject: FIR under BNS Sections 318(4) and 319, IT Act Sections 66C and 66D — School WhatsApp Group Fraud Respected Sir/Madam, I, [Your Full Name], aged [Age], resident of [Full Address], parent of [Child Name], student of [School Name, Class/Grade], hereby lodge a complaint regarding a cybercrime fraud committed via WhatsApp. FACTS: 1. On [Date], at approximately [Time], I was added to a WhatsApp group named "[Fraudulent Group Name]" which appeared identical to the official parent group of my child's school. 2. The group display picture was the school logo. One participant's profile name read "[Fake Admin Name, e.g., Principal Mrs. Sharma]". 3. At [Time], a message was posted in the group: "[Exact text of fraudulent message, e.g., Urgent board exam fee ₹18,500 due by 5 PM. Pay to UPI ID fraudster@bank. Reply PAID.]" 4. Believing this to be an official communication, I transferred ₹[Amount] via [UPI/NEFT/IMPS] from my [Bank Name] account [Account Number] to [Fraudster's UPI ID / Account Number] at [Time] on [Date]. Transaction ID: [ID]. 5. At [Time], I received a call from the school's official number [School Phone] informing me that no such fee demand was issued and that the WhatsApp group was fake. 6. I immediately realised I had been defrauded. I contacted my bank's fraud helpline at [Time] and filed a written complaint at [Branch Name] on [Date]. 7. I have also filed an online complaint on https://cybercrime.gov.in on [Date], acknowledgement number [Number]. EVIDENCE: I am submitting the following: a) Exported WhatsApp chat (.txt file) from the fraudulent group (Annexure A). b) Screenshots of the fraudulent group, messages, and participant list (Annexure B). c) Bank transaction statement showing the fraudulent transfer (Annexure C). d) Copy of cybercrime.gov.in acknowledgement (Annexure D). e) Official communication from [School Name] clarifying no such fee was demanded (Annexure E). ACCUSED: The fraudster(s) operated the WhatsApp number +91-[Number] and used the profile name "[Fake Name]". The UPI ID [ID] or bank account [Number] is linked to the fraud. OFFENCES COMMITTED: 1. BNS Section 318(4): Cheating and dishonestly inducing delivery of property. 2. BNS Section 319: Cheating by personation. 3. IT Act 2000 Section 66D: Cheating by personation using a computer resource. 4. IT Act 2000 Section 66C: Identity theft. I request you to: 1. Register an FIR under the above sections. 2. Provide me a copy of the FIR as per Section 173(2) of the BNSS 2023. 3. Requisition subscriber identity details of the fraudster's phone number and bank account details from the telecom operator and bank under Section 94 of the BNSS 2023. 4. Freeze the beneficiary account to prevent further withdrawal. 5. Arrest and prosecute the accused. I am available at [Phone], [Email] for further inquiry. Date: [Date] Place: [City] Signature: _______________ Name: [Your Full Name]
Do this immediately — Carry two printed and signed copies of this FIR text, all annexures, and a USB drive with digital copies. Hand one set to the police; retain one set with you along with a signed acknowledgement receipt from the police station.
Recovery is possible but depends almost entirely on speed. If you act within the first hours—before the money is dispersed across mule accounts—your bank, prompted by the cyber-fraud helpline 1930 and the police, can attempt to flag and freeze the beneficiary account. Once funds are withdrawn or layered across multiple accounts, recovery becomes difficult. File the FIR immediately, inform your bank in writing, and ask the police to seize the suspect account under section 106 of the BNSS 2023 (power of a police officer to seize property connected with an offence). Report on cybercrime.gov.in and call 1930 the moment you realise the fraud.
Schools often fear reputational damage and may delay cooperation. Send a legal notice (template below) citing deficiency in service under CPA 2019 and threatening a consumer complaint. Simultaneously, file a complaint with the District Education Officer or State Education Department demanding an inquiry into data protection lapses. Under the Right to Information Act 2005, you may file an RTI application to the school (if government-aided) or the Education Department asking: “How many cyber fraud incidents involving parent data have been reported to this school in the last 12 months? What safeguards are in place?” This creates a documented trail and often prompts the school to cooperate.
Use the RTI drafter at https://righttoinformation.wiki/tools/rti-assistant to generate a precise RTI application. Check replies using the PIO Reply Checker at https://righttoinformation.wiki/tools/pio-reply-checker.
(1) Check for the green verified badge (WhatsApp Business API account). (2) Independently call the school's official landline or known mobile number listed on the school website—do NOT call any number provided in the suspicious group. (3) Check the group creation date: tap group name > scroll to “Created [date].” If it was created recently while the school year is mid-way, suspect fraud. (4) Check participant count: official groups typically have 40–200 parents; cloned groups often have 10–30. (5) Ask the group admin to send a verification photo holding today's newspaper and school ID card (fraudsters rarely comply). (6) Cross-check announcements with the school website, SMS, or parent portal.
Parent-created groups lack institutional accountability. Criminals can easily infiltrate. If no official group exists, suggest the school create one following the technical safeguards outlined above. If you join an informal parent group, apply these rules: (a) Never share OTPs, personal documents, or payment confirmations. (b) Verify every fee demand via direct school contact. © Disable auto-download of media (WhatsApp Settings > Storage and data > Media auto-download > uncheck all). (d) Exit immediately if the group culture becomes gossip-driven or if unverified “urgent alerts” appear.
Possibly, where the school's negligence (for example, leaking parent data, failing to warn of a known cloning attack, or not securing official communication channels) caused or contributed to your loss. You can attempt a consumer complaint under section 35 CPA 2019 before the District Consumer Disputes Redressal Commission, ordinarily within two years of the cause of action (section 69 CPA 2019), claiming (a) refund of the amount lost, (b) compensation for mental agony, and © litigation costs. Note that the school may argue education is outside the CPA, so this route is arguable rather than certain; a civil suit for negligence is the alternative. Attach the FIR copy, bank statements, the school admission agreement, and any correspondence showing the school's negligence.
File an FIR under BNS section 353 (statements conducing to public mischief) read with section 66D of the IT Act 2000. Rumour-mongering can trigger mass panic, traffic jams, and even stampedes. Inform the school principal immediately and ask the school to issue a public clarification via SMS, website, and notice as quickly as possible. Police can trace the originator of a forwarded message through WhatsApp metadata and the telecom subscriber records requisitioned under section 94 of the BNSS 2023.
(1) School website alumni directories. (2) Social media (Facebook parent groups, school event photo tags). (3) Data breaches: schools often store parent data in unsecured Excel files or cloud folders; disgruntled employees or contractors may leak. (4) SIM swap or phishing attacks on a single parent's phone, giving access to legitimate group participant lists. (5) Admission form data sold by coaching classes, tuition centres, or education consultants. Schools must comply with DPDP Act 2023 (once rules are notified) and implement access controls, encryption, and audit trails for all parent data.
WhatsApp is an intermediary under IT Act 2000 section 79 and enjoys safe harbour—it is not liable for third-party content. However, under IT Rules 2021 (Intermediary Guidelines), WhatsApp must enable grievance redressal. You may report the abuse and contact WhatsApp's Grievance Officer for India through the official contact page at https://www.whatsapp.com/contact/ (the current Grievance Officer's name and contact details are published in WhatsApp's in-app and website grievance section, as required by the IT Rules 2021). WhatsApp generally disables accounts used for fraud once a valid complaint is processed. For legal recourse, your claim is against the fraudster and potentially the school (if negligent), not WhatsApp. In rare cases where WhatsApp's negligence in processing a fraud report leads to harm, you may file a civil suit; however, no successful precedent exists in India as of 2026.
LEGAL NOTICE UNDER CONSUMER PROTECTION ACT 2019 To, The Principal / Management, [School Full Name], [School Address] [Date] Subject: Deficiency in Service — Failure to Prevent WhatsApp Group Fraud — Demand for Compensation Dear Sir/Madam, NOTICE ON BEHALF OF: [Your Name], parent of [Child Name], Class [X], Admission No. [Number] 1. My client enrolled their child in your institution on [Date] and has been paying fees and trusting your administration for the child's safety and welfare. 2. On [Date], my client was defrauded of ₹[Amount] via a cloned WhatsApp group impersonating your school's official parent communication channel. (Details in FIR No. [Number], [Police Station], dated [Date], copy enclosed.) 3. Your institution's negligence contributed to this fraud: a) Parent phone numbers were not adequately protected. b) No official WhatsApp security protocol was communicated to parents. c) Despite the fraud being reported to your office at [Time] on [Date], no timely warning was broadcast to other parents, causing further victims. d) No incident response plan was in place. 4. To the extent the Consumer Protection Act 2019 applies, your failure to safeguard parent data and the integrity of official communication channels constitutes "deficiency in service" within the meaning of Section 2(11). My client also reserves the right to pursue a civil claim in negligence. 5. Under Section 8 of the Digital Personal Data Protection Act 2023 (once operative), you are a Data Fiduciary and must implement reasonable security safeguards. Your breach exposes you to penalties and civil liability. 6. My client has suffered: a) Financial loss: ₹[Amount] b) Mental agony, distress, and loss of trust c) Time and expense in filing police complaints and pursuing recovery DEMAND: Within 15 days of receipt of this notice: 1. Refund ₹[Amount] to my client's bank account [Account Number]. 2. Pay ₹[Amount, e.g., ₹50,000] as compensation for mental agony and deficiency in service. 3. Issue a written apology and commit to implementing the WhatsApp security safeguards outlined in this notice (attached). FAILING WHICH: My client will file a complaint under Section 35 of the Consumer Protection Act 2019 before the District Consumer Disputes Redressal Commission, [District], claiming the above amounts plus litigation costs and further relief as deemed fit. This notice is issued under Section 35(1)(a) CPA 2019 as a pre-condition to filing the complaint. Yours faithfully, [Your Name] [Address] [Phone] [Email] Enclosures: 1. Copy of FIR No. [Number], [Police Station], dated [Date] 2. Bank transaction statement showing the fraudulent transfer 3. Copy of the cybercrime.gov.in acknowledgement 4. Copy of the school admission agreement 5. Recommended WhatsApp security safeguards (annexed)
School WhatsApp group fraud works because it hijacks trust, not technology. No platform badge or group name proves who is really on the other side. Treat every urgent money demand as suspect until you have confirmed it through a second, independent channel—a phone call to a number you already know, the school's official portal, or a physical notice. Enable two-step verification, insist that your school run official groups on admin-only settings, and never pay a fee on the strength of a WhatsApp message alone.
If you are defrauded, act fast: preserve the chat export, call 1930 and report on cybercrime.gov.in, inform your bank in writing, and file an FIR under BNS sections 318(4) and 319 with IT Act sections 66C and 66D. Speed is what decides whether the money can be stopped.
For more help, see the Citizen Crisis Response Network, draft a school or department RTI with the RTI drafter, and check any reply you receive with the PIO Reply Checker.