SIM Swap Fraud in India: When Telecom Says "Not Our Fault" (2026)

On 4 March 2026, Anand Kulkarni, a 41-year-old chartered accountant in Pune, lost ₹6,42,300 in 38 minutes. His phone went “No Service” at 11:14 am while he was in a client meeting. He thought it was a network drop. By 11:52 am, his ICICI savings, his wife's HDFC account, and his Paytm wallet were all empty. The retailer in Hadapsar had issued a duplicate SIM to a stranger that morning, without any video verification, against the rules. The telecom company's reply, three weeks later, was one line: “Customer is responsible for safeguarding OTP.”

This article is a Citizen Intelligence guide. It tells you how the SIM-swap workflow actually plays out inside telecom call-centres, what they hide, and where to push when the standard customer-care script (“we have escalated, sir”) starts looping. For the bank-side recovery angle, also read SIM swap fraud recovery. For lost / stolen SIM blocking, see how to block a lost SIM.

SIM swap fraud is the unauthorised issuing of a duplicate SIM card for your mobile number to a fraudster. The fraudster walks into a telecom retailer with fake ID or social-engineers a bribe-friendly distributor. The retailer activates a new SIM tied to your number. Your SIM goes dead. Every OTP from that minute onwards goes to the fraudster's hand. Banks, UPI apps, email, cloud, even WhatsApp - all use the mobile OTP as the second factor. Once the SIM is theirs, your digital life is theirs.

Telecom retailers in India earn commission per SIM activation. Distributors get volume bonuses. The Department of Telecommunications has issued instructions on biometric / video re-verification before any duplicate SIM is handed over. On paper, the retailer must:

1. Check government-issued photo ID of the person asking for the duplicate SIM
2. Re-verify against the original KYC record (Aadhaar / passport / voter ID)
3. Call the registered number where possible (it is dead, so this step is skipped)
4. Get a fresh photograph + signature on the Customer Acquisition Form (CAF)
5. Submit the CAF to the operator's distributor within 24 hours

In practice, smaller retailers and franchise outlets skip steps 2, 3 and 5. A photocopy of any “looks similar” ID is enough. The CAF is filled in later. The auditing is patchy. The fraudster walks out with an active SIM in 20 minutes.

When you complain, the operator's first-level call-centre is not authorised to confirm a compliance failure. They are trained to repeat: “Customer must have shared OTP / PIN with someone.” This is the script. It buys the company time. By the time you climb to the Appellate Authority, 30 days have passed and your bank's chargeback clock has expired.

A duplicate-SIM request inside a telecom company moves through four layers:

The retailer level is where the fraud succeeds. The nodal level is where the truth sits (the CAF copy, the retailer ID, the activation timestamp). Most citizens never reach the nodal level because step 2 keeps them in a loop of “we will revert”.

1. Retail social-engineering. Walk into a low-footfall retailer with a Photoshop-edited ID matching the victim's name.
2. MNP port-out scam. Send the victim a fake “you are eligible for a free upgrade” SMS. Trick them into sharing the UPC (Unique Porting Code). Port the number to another operator's SIM in their possession.
3. Distributor insider. A bribed distributor pushes a duplicate SIM through the operator's system with a backdated CAF.
4. Lost phone exploitation. Phone snatched at a metro station - thief immediately walks to the nearest retailer with the victim's wallet (containing ID).
5. International call mask. Calls show an Indian number but originate over internet. The Sanchar Saathi “report incoming international call with Indian number” feature catches these.
6. Multiple SIMs on one ID. Fraud rings issue 9+ SIMs against a single Aadhaar (legal limit varies, currently capped). Sanchar Saathi's “Know Your Mobile Connections” lets you see all SIMs issued against your Aadhaar.

• They have a Customer Acquisition Form (CAF) on file for every SIM. You can ask for it. They will resist.
• They have a CCTV recording at the retailer for at least 30 days, often 90. You can ask the police to seize it.
• The retailer's Point of Sale (PoS) ID is logged against every activation. The operator knows exactly which retailer activated the fraud SIM.
• The Appellate Authority's decision is binding on the operator under the TRAI Telecom Consumers Complaint Redressal Regulations 2012.
• Under IT Rules 2021, every “intermediary” (and telecoms are intermediaries for messaging) must have a Grievance Officer with a published name + email, and reply within 15 days.
• They settle silently when you cite Section 66C / 66D of the IT Act 2000 (identity theft + cheating by personation) + Sections 318 / 319 of the Bharatiya Nyaya Sanhita 2023 (cheating + cheating by personation, replacing IPC 420 / 419) in your legal notice.

Tweet your complaint with screenshots at @Airtel_Presence / @JioCare / @VodafoneIN. Within 30 minutes, an “Online Care” handle replies: *“Hi Anand, sorry to hear that. Please DM your number and we'll look into it.”* This is not customer care. This is reputation management. The DM goes to a separate desk that handles social-media optics, not compliance. Read Why companies ask you to DM after a public complaint for the full playbook.

Do not move to DM. Keep the thread public. Reply with: *“Please reply on this thread. As per IT Rules 2021, your Grievance Officer must respond in writing within 15 days. Kindly share the Grievance Officer's name and email here.”*

Telecom complaint processes are designed to outlast the citizen's patience. The pattern:

1. Week 1: “Ticket raised, sir. 48 hours.” Nothing happens.
2. Week 2: “Escalated to backend team. Please give 7 more working days.”
3. Week 3: “We need a copy of FIR + ID + last 6 months bank statement + affidavit on ₹100 stamp paper.”
4. Week 4: “We are still investigating. The retailer is being questioned.”
5. Week 6: “As per our investigation, the duplicate SIM was issued after due verification. Hence, no compensation can be paid.”

By Week 6, you have made 14 calls, written 5 emails, lost two working days, and your bank's chargeback window is closed. Most people give up here. The system relies on this.

• SMS log - the last SMS from the operator before “No Service”. Photo it from another device.
• Call log - all incoming / outgoing calls that day. Screenshot before the phone is reset.
• Bank SMS / push notifications with exact timestamps.
• UPI app transaction history - download statement PDF from the app.
• Email login alerts - Google / Microsoft both send “new device login” alerts.
• WhatsApp “you registered on a new device” notification if it triggered.
• CCTV of the retailer at the activation time - request seizure via police u/s 94 BNSS 2023 (formerly 91 CrPC).
• CAF copy - ask the operator for the Customer Acquisition Form used for the duplicate SIM. RTI helps if it is BSNL / MTNL; for private operators use a TRAI complaint + IT Rules 2021 grievance officer route.

For RTI on a public-sector telecom (BSNL / MTNL), see RTI for telecom bill dispute which uses the same routing.

Walk into the nearest operator's own store (not a franchise retailer). Show ID. Ask them to deactivate the fraud SIM and re-issue your SIM with biometric re-verification on the spot. Insist on a paper receipt with the POS ID printed.

Dial 1930. Then file on cybercrime.gov.in. Print the acknowledgement. Walk into the nearest police station (cyber cell if available) and demand an FIR under Sections 66C, 66D IT Act + 318, 319 BNS 2023. See cyber crime portal vs police station for which route is binding.

Email the bank's [email protected] address plus the branch manager. Subject line: *“Unauthorised electronic transactions on (account no) - SIM swap fraud - claim of zero liability under RBI Master Circular dated 6 July 2017.”* Attach the FIR acknowledgement, the 1930 reference, and the operator's deactivation receipt. This is the cut-off for account freeze + zero-liability protection.

Call 121 / 198 or use the operator app. Get a complaint docket number. Note that the TRAI Telecom Consumers Complaint Redressal Regulations 2012 require resolution within 7 working days for service issues, 24 hours for service activation issues.

Each operator publishes a state-wise Nodal Officer contact at /complaints or /contact-us. Send a written email + speed post. Use the sample below. Cite the unresolved docket number from Step 4.

The Appellate Authority is internal but independent of customer-care chain. Decision is binding on operator. Filing fee: nil. Reply due in 90 days. Read how to file a TRAI telecom complaint for the full Appellate template.

1. Go to sancharsaathi.gov.in > “Citizen Centric Services” > “Know Your Mobile Connections” - check every SIM issued against your Aadhaar. Flag the fraud one.
2. Report the suspicious communication on chakshu.sancharsaathi.gov.in. This is the DoT's direct fraud-reporting channel that feeds into operator action + LEA referrals.

File at e-Daakhil under the Consumer Protection Act 2019. Claim: refund + compensation for mental agony + cost of litigation. Pecuniary jurisdiction: District (up to ₹50 lakh), State (₹50 lakh - ₹2 crore), National (above ₹2 crore).

File at cms.rbi.org.in if the bank refuses zero-liability. See Banking Ombudsman complaint guide.

Call 1915 or file at consumerhelpline.gov.in. NCH conciliates between you and the operator. Useful pressure even though decisions are not binding.

RTI Act 2005 applies to public authorities. BSNL and MTNL are covered. Airtel, Jio, Vi are not. But:

1. You can RTI the DoT (LSA - Licensed Service Area) asking how many duplicate-SIM compliance audits were done on Operator X in your circle in the last 12 months, with audit findings.
2. You can RTI the District Police Cyber Cell asking the number of SIM-swap FIRs filed against Retailer ID (POS code) - this exposes repeat-offender retailers.
3. You can RTI the State Consumer Disputes Redressal Commission asking for the disposal time of SIM-swap cases against Operator X.

Use the 🪄 AI RTI Drafter to draft these in under 2 minutes. For appeal templates use the 📝 First Appeal Builder. To verify a Public Information Officer's reply, use the 🔍 PIO Reply Checker.

Run TRAI + RBI in parallel. Then Consumer Commission. Criminal FIR runs alongside throughout. None of these block the others.

1. Chakshu portal + Sanchar Saathi “Know Your Connections” in the same hour. Operators respond fastest to DoT-routed complaints.
2. A legal notice citing Section 66C / 66D + BNS 318 / 319 + IT Rules 2021 Rule 3(2) sent by speed post + email to the Grievance Officer and CC the Appellate Authority. Most settlements happen at this stage.
3. Public Twitter / X post tagging @DoT_India + @TRAI + the operator's official handle (not @Brand_Cares). Refuse DM. Keep it public.
4. RBI written email under the 3-day window with FIR + 1930 ack attached. Zero-liability becomes hard for the bank to refuse.
5. Visiting the operator's Circle Office in person with a printed file. Citizens who walk in get answers same day. Citizens who only call wait 6 weeks.

1. Sharing OTP “to verify” with anyone calling as bank / telecom staff. No genuine staff ever asks. (See WhatsApp OTP fraud.)
2. Giving up after the first-level “we have escalated” reply. That is not an answer.
3. Moving to DM on social media. Kills the public pressure.
4. Missing the 3-working-day bank deadline. Zero-liability lapses.
5. Filing FIR without listing all sections (66C, 66D + BNS 318, 319, 336). Police list whatever they want; you must insist on the right sections.
6. Not asking for the CAF copy. This is the single piece of paper that proves operator negligence.
7. Not preserving CCTV deadline. 30-90 days at most. Apply to police u/s 94 BNSS within 2 weeks.
8. Accepting partial refund + NDA. Companies offer “goodwill” amounts in exchange for silence. Read the fine print before signing.

To,
The Nodal Officer,
[Operator Name], [Circle - e.g. Maharashtra]
[Published address from operator website]

Subject: Unauthorised issuance of duplicate SIM for my mobile number
[XXXXXXXXXX] on [date] - claim for compensation + investigation
of retailer POS ID

Sir / Madam,

1. I am the registered subscriber of mobile number [XXXXXXXXXX]
   (KYC: Aadhaar / Passport / Voter ID No. [XXXX]) on [Operator Name]
   since [date of original activation].

2. On [date], at approximately [HH:MM], my SIM went "No Service"
   without notice from your end. On enquiry at your store at
   [address], I learnt that a duplicate SIM had been issued to an
   unknown person at [retailer name + POS ID] at [HH:MM] on the
   same day.

3. Within [38] minutes of my SIM going dead, an unauthorised
   transaction of ₹[XX,XXX] was carried out on my [bank name]
   account. FIR No. [XXX] dated [date] has been filed at
   [police station] under Sections 66C, 66D of the IT Act 2000
   and Sections 318, 319, 336 of the Bharatiya Nyaya Sanhita 2023.
   1930 acknowledgement: [number]. NCRP reference: [number].

4. The duplicate SIM was issued without the re-verification
   prescribed by DoT instructions. The retailer did not match my
   KYC photograph, did not call my registered number, and did
   not file a fresh Customer Acquisition Form within 24 hours.
   This is a direct compliance failure on the part of your
   distribution chain.

5. Under the TRAI Telecom Consumers Complaint Redressal
   Regulations 2012 (Reg. 25) and IT Rules 2021 Rule 3(2),
   I request:
   (a) Immediate written confirmation of deactivation of the
       fraudulent SIM (POS ID, retailer name, activation time).
   (b) Copy of the Customer Acquisition Form (CAF) used for the
       duplicate SIM issuance.
   (c) Compensation of ₹[amount] being the direct loss caused
       by your compliance failure.
   (d) Confirmation that the said retailer's licence has been
       suspended pending audit.

6. If a written response is not received within 15 days, I will
   approach (i) the Appellate Authority of [Operator Name],
   (ii) the DoT via the Chakshu / Sanchar Saathi portal,
   (iii) the District Consumer Disputes Redressal Commission
   under the Consumer Protection Act 2019, and
   (iv) the RBI Banking Ombudsman against my bank.

Yours faithfully,
[Name]
[Address]
[Email] | [Alternate mobile]
Date: [DD MMM 2026]
Encl: 1. Copy of FIR + 1930 acknowledgement
      2. Copy of original SIM KYC
      3. Bank statement showing unauthorised debits
      4. Photograph / receipt of fraudulent SIM deactivation

Print this table. Stick it on your wall.

Yes, partially. Issuing a duplicate SIM without DoT-mandated re-verification is the operator's compliance failure. Liability is established once you show the retailer skipped video / photo / KYC re-verification. The Appellate Authority can order operator compensation.

If you report unauthorised electronic banking transactions to your bank in writing within 3 working days, your liability is zero (RBI Master Circular dated 6 July 2017). Day 4-7: liability capped at ₹5,000-₹25,000 depending on account type. After 7 days: bank's board-approved policy governs.

No. RTI Act applies to public authorities only. But you can RTI the DoT LSA office asking for the operator's duplicate-SIM audit report in your circle, and you can RTI the police for the number of SIM-swap FIRs against a specific retailer POS ID.

A DoT portal at sancharsaathi.gov.in that shows every mobile number issued against your Aadhaar across all operators. You can flag and request disconnection of any number you do not recognise.

Chakshu (chakshu.sancharsaathi.gov.in) is the DoT's reporting channel for suspected fraud calls / SMS / WhatsApp messages. It feeds into operator action, LEA referrals and number blacklisting. Faster than 1930 for non-financial-loss reporting.

Yes. The attempted SIM swap itself is an offence under Section 66C + 66D IT Act. File FIR even without financial loss. It creates a record if money is stolen later, and it forces the operator's compliance audit on the retailer.

Yes, in the District Consumer Commission. The retailer is the operator's agent; both are jointly liable. File against retailer + operator together at e-Daakhil.

SIM swap = a fresh duplicate SIM issued by the operator to a fraudster. Original SIM goes dead. SIM cloning = a technical attack copying the IMSI / Ki from your SIM onto another. Both SIMs work in parallel. Cloning is rare in India today; SIM swap is the standard fraud.

Both. §66C covers identity theft (using your mobile number / Aadhaar / electronic signature). §66D covers cheating by personation (using a computer resource to cheat). SIM-swap frauds use both. Insist police list both in the FIR.

Yes, under IT Rules 2021 Rule 3(2) (data-fiduciary disclosure) and TRAI regulations. Most operators resist. The Appellate Authority + consumer commission can compel disclosure. Police u/s 94 BNSS can seize.

Yes. The MNP port-out can be reversed if you complain to your original operator within 24 hours and the new operator's Nodal Officer within 7 days. File with TRAI under Reg. 25 of the Complaint Redressal Regulations.

Escalate to the bank's Internal Ombudsman (mandatory under RBI guidelines), then the RBI Integrated Ombudsman at cms.rbi.org.in. See Banking Ombudsman guide. Most banks settle once the Ombudsman issues a hearing notice.

Realistic: 3-6 months for full recovery. The bank side (RBI zero-liability) clears in 30-60 days if you reported on time. The telecom side (Appellate Authority + compensation for operator negligence) takes 90-180 days. Criminal FIR runs longer (1-3 years).

Yes, temporarily. File a dispute with the credit bureau (CIBIL, Experian, Equifax) attaching the FIR. The lender must mark the loan as “disputed” under RBI guidelines. Once the FIR investigation concludes, the entry is removed.

For the FIR, complaint to Nodal / Appellate Authority, Chakshu, Sanchar Saathi, RBI Ombudsman, and Consumer Commission - no. All can be done by the citizen directly. For criminal prosecution and recovery suit, a lawyer helps.

No single window yet. The closest is Sanchar Saathi + 1930 + cybercrime.gov.in triad. Run all three simultaneously in the first 24 hours.

Yes, this is a documented attack. Set your number to roaming-restricted or call-divert to a trusted number before travelling. Sanchar Saathi has a “Report incoming international call with Indian number” feature you should monitor.

Yes, and arguably riskier because the swap happens digitally without a physical store visit. Same DoT re-verification rules apply. Check Sanchar Saathi for every e-SIM activation against your KYC.

Not directly. The police u/s 94 BNSS 2023 (formerly §91 CrPC) can seize it. Push the Investigating Officer in writing within 14 days of FIR. CCTV is usually retained 30-90 days only.

Sometimes. Operators are reluctant to suspend franchise retailers because revenue depends on them. The Appellate Authority can order suspension. Repeat-offender retailers are the open secret of the industry.

You can ask the bank + operator to allow a registered authorised representative for all communications. The RBI Charter of Customer Rights protects disabled / senior account holders specifically.

Some cyber-insurance policies do, with sub-limits (₹50,000 to ₹5 lakh). Check the wording of “fraudulent electronic transactions” + “SIM swap” cover. Do not assume; ask the insurer in writing.

File the cybercrime.gov.in complaint first (NCRP acknowledgement is your shield). Approach the Superintendent of Police in writing u/s 173(3) BNSS 2023 (replaces §154(3) CrPC). If still refused, file a private complaint u/s 223 BNSS (replaces §200 CrPC) before the Magistrate. See cyber-crime complaint India.

Banking Ombudsman orders the bank to refund. TRAI Appellate Authority orders the operator to compensate for negligence in issuing the duplicate SIM. Two different limbs of the same fraud - run both.

• Scenario A: Reported within 1 hour, FIR same day, bank email within 24 hours. Outcome: full recovery in 45 days under RBI zero-liability.
• Scenario B: Reported on day 4. Bank says liability is yours (missed the 3-day window). Outcome: Banking Ombudsman intervention, partial recovery (50-80%) in 4-6 months.
• Scenario C: Reported on day 12 with no FIR. Most banks reject. Outcome: Consumer Commission case, recovery in 12-18 months if you can prove operator compliance failure.
• Scenario D: Port-out fraud caught within 6 hours; number recovered, no money stolen. Outcome: operator compensation ₹10,000-₹25,000 via Appellate Authority for service disruption.

1. Move banking OTP to a “burner” number that is not your public mobile.
2. Enable Aadhaar lock at uidai.gov.in - blocks misuse of your Aadhaar for new SIM activations.
3. Check Sanchar Saathi every 90 days for unknown SIMs against your Aadhaar.
4. Use UPI PIN-only mode (disable SMS-OTP-only fallback where possible).
5. Keep two banks - one operational, one savings with no UPI / netbanking. Move surplus to the second account every Friday.
6. Photograph your CAF + Aadhaar receipt at the time of every new SIM activation - this is your proof of original KYC.
7. Avoid public Wi-Fi for banking. Use mobile data only.
8. Register every adult's mobile in Sanchar Saathi DND + Chakshu.

For UPI-specific recovery, read recover money from UPI fraud. For debit-card fraud, see debit card fraud recovery. For Aadhaar-enabled payment system (AePS) frauds, see AEPS Aadhaar fraud recovery. For broader cybercrime, see file a cybercrime complaint 2026.

• DoT Sanchar Saathi - sancharsaathi.gov.in
• DoT Chakshu - chakshu.sancharsaathi.gov.in
• National Cyber Crime Reporting Portal - cybercrime.gov.in (helpline 1930)
• TRAI - trai.gov.in
• RBI Integrated Ombudsman - cms.rbi.org.in
• National Consumer Helpline - consumerhelpline.gov.in (helpline 1915)
• e-Daakhil Consumer Commission - edaakhil.nic.in

• Citizen Intelligence hub - how systems really work
• SIM swap fraud recovery (bank-side workflow)
• Block a lost / stolen SIM card
• File a TRAI telecom complaint 2026
• RTI for a telecom bill dispute
• Cyber-crime complaint in India
• Cyber-crime portal vs police station
• WhatsApp OTP fraud explained
• Banking Ombudsman complaint guide
• Freeze account after fraud - bank process
• Why companies ask you to DM after a public complaint
• Recover money from a UPI fraud
• Debit card fraud recovery
• AEPS / Aadhaar fraud recovery
• File a cybercrime complaint 2026

Use the 🪄 AI RTI Drafter to draft any RTI in this article in 2 minutes, the 📝 First Appeal Builder for appeals, and the 🔍 PIO Reply Checker to audit any reply you receive.

Reviewed on: 13 May 2026.

• Mobile Number Validation MNV and SIM fraud