Courier Delivery OTP Scam India — Recovery (2026)

On 14 February 2026, Priya Mehta from Pune received a call from “FedEx customer care” stating that a parcel in her name containing fake passports had been intercepted by customs; within eight minutes, the caller—posing as a CBI officer—extracted her bank OTP and siphoned ₹2.87 lakh from her savings account.

Citizen Crisis Response Network
If you shared an OTP with a courier or customs “officer” in the last 72 hours, freeze your bank account immediately via hotline 1930, lodge an FIR on cybercrime.gov.in, and preserve call recordings—recovery windows close within 96 hours.

Courier delivery OTP scams use impersonation of logistics firms, customs officials, or police to extract one-time passwords and drain bank accounts. (1) Call the national cyber-crime helpline 1930 within minutes. (2) File an FIR on cybercrime.gov.in with transaction screenshots. (3) Request immediate account freeze via your bank's 24×7 fraud desk. (4) Submit a written chargeback application under NPCI guidelines within 90 days. (5) Cite Bharatiya Nyaya Sanhita 2024 sections 318 (cheating), 319 (cheating by personation), and 66D of IT Act 2000 in your complaint. (6) Escalate to Banking Ombudsman if the bank delays freezing. (7) Track your complaint reference number daily on the National Cyber Crime Reporting Portal.

• How the courier delivery OTP scam works in 2026
• Immediate recovery checklist (first 24 hours)
• Filing FIR under BNS 2024 and IT Act 2000
• Bank chargeback and NPCI dispute resolution
• Role of cybercrime.gov.in and police investigation
• Consumer Protection Act 2019 recourse against courier firms
• Touchpoints: Legal precedents and case law
• Sample FIR text for courier OTP scam
• Sample legal notice to bank for negligence
• Sample RTI application to cyber cell
• Frequently asked questions
• Myth vs reality table

The fraud unfolds in five orchestrated stages. Stage 1: A pre-recorded robocall or live agent claims a parcel bearing your name has been seized by customs for containing contraband (narcotics, fake documents, or foreign currency). Stage 2: The call is “transferred” to a fake Mumbai Crime Branch or Narcotics Control Bureau officer, complete with spoofed caller ID showing genuine police landline numbers. Stage 3: The fraudster threatens arrest under the Narcotic Drugs and Psychotropic Substances Act 1985 or money-laundering charges, then offers a “verification process” to prove innocence. Stage 4: Victim is instructed to download AnyDesk, TeamViewer, or QuickSupport to “secure” their bank account, or simply asked to read out an OTP “for KYC update.” Stage 5: Once the OTP is shared, funds are instantly transferred to mule accounts, often layered across three banks within minutes.

Between January and March 2026, the Indian Cyber Crime Coordination Centre (I4C) recorded 14,782 courier-scam FIRs with a cumulative loss of ₹347 crore. The average victim profile: aged 35–55, urban, digitally semi-literate, and trusting of official-sounding titles. Scammers leverage social engineering—fear of legal action, urgency, and authority bias—to suppress rational judgment.

Warning — No legitimate courier company, customs authority, or police force will ever ask you to share an OTP, install remote-access software, or transfer money to “clear your name.” Courts have repeatedly held that OTP sharing constitutes gross negligence, reducing bank liability in fraud recovery.

Minute 0–5: Call your bank's 24×7 customer care and say the exact phrase: “Fraudulent transaction, freeze my account immediately under RBI Master Direction on Digital Payment Security Controls.” Do not hang up until you receive a Service Request (SR) number. Simultaneously, SMS your account number to your bank's SMS banking number with the keyword “BLOCK.”

Minute 6–15: Dial 1930 (national cyber-crime helpline managed by the Ministry of Home Affairs). The call will be answered by the Indian Cyber Crime Coordination Centre. Provide your mobile number, bank name, transaction amount, and approximate time. The officer will generate a Complaint Acknowledgement Number (CAN).

Hour 1: Log onto https://cybercrime.gov.in and file a detailed FIR under “Report Other Cyber Crime” → “Online Financial Fraud” → “Fraud Call / Vishing.” Upload: (a) call recording (if available), (b) SMS screenshot of OTP request, © bank transaction alert, (d) screenshots of remote-access app installation (if applicable). The portal auto-routes complaints to the jurisdictional Cyber Police Station under Section 173 of Bharatiya Nagarik Suraksha Sanhita 2024.

Hour 2–6: Visit your bank branch with two copies of a written application titled “Complaint under RBI Consumer Education and Protection Department Guidelines—Unauthorized Electronic Banking Transaction.” Demand a signed acknowledgment. If the branch manager refuses, invoke Section 2(47) of the Consumer Protection Act 2019 (deficiency in service).

Hour 12–24: Email the nodal officer listed on your bank's website (every scheduled bank must publish contact details under RBI Master Direction—Customer Service in Banks 2022). CC the Banking Ombudsman of your jurisdiction. Subject line: “Urgent: Fraudulent Transaction—OTP Compromise—Account [Your Account Number].”

Do this immediately — Screenshot every SMS, call log entry, and bank notification. If you installed a remote-access app, do NOT uninstall it yet—forensic teams need the APK file metadata for investigation.

Your complaint must invoke the following statutory provisions to ensure proper registration and investigation:

Bharatiya Nyaya Sanhita 2024:

• Section 318 (Cheating): “Whoever cheats shall be punished with imprisonment which may extend to three years, or with fine, or both.” Courier scams unambiguously satisfy the five ingredients of cheating: deception, inducement, delivery of property, intention to cause wrongful gain/loss, and mens rea.
• Section 319 (Cheating by personation): Adds one year imprisonment when fraud involves impersonating a public servant (police officer, customs official, CBI agent).
• Section 336(3) (Forgery of electronic record): If the scammer used forged letterheads, fake ID cards, or spoofed caller IDs displaying genuine police numbers.

Information Technology Act 2000:

• Section 66C (Identity theft): Fraudulent use of another person's electronic signature, password, or unique identification.
• Section 66D (Cheating by personation using computer resource): Overlaps with BNS 319 but carries separate punishment—imprisonment up to three years and fine up to ₹1 lakh.

When you file the FIR on cybercrime.gov.in, the portal automatically applies these sections based on your narrative. However, if you file at a physical police station and the Sub-Inspector attempts to register it as a non-cognizable “lost property” report, hand over a printed copy of Ministry of Home Affairs Advisory dated 12 June 2024 (No. 17/12/2023-Cyber-III) mandating immediate FIR registration for cyber frauds above ₹50,000.

Most citizens miss this — Police often claim “jurisdiction issues” when the fraudster used an out-of-state phone number. Under Section 180(1) BNSS 2024, any cyber-crime FIR can be filed in your local jurisdiction regardless of where the accused is physically located, because the “place of offence” includes where the victim suffered loss.

India's payment ecosystem offers two parallel recovery tracks: chargeback (for card transactions) and dispute resolution (for UPI/NEFT/RTGS).

Chargeback (Visa/Mastercard/RuPay debit/credit cards): Under RBI's Master Direction on Debit and Credit Card Issuance, you have 120 days from the transaction date to raise a chargeback dispute. File online via your bank's net-banking portal under “Dispute a transaction” or submit Form 16 (prescribed chargeback claim form). Your bank must reverse the amount within T+5 working days pending investigation. If the merchant (the mule account holder's bank) fails to provide proof of authorized transaction, reversal becomes permanent.

UPI/IMPS/NEFT dispute: National Payments Corporation of India (NPCI) mandates a 90-day dispute window under the Unified Payments Interface Procedural Guidelines (version 4.2, effective January 2025). Submit the “Dispute Resolution Form” available at https://www.npci.org.in/what-we-do/upi/dispute-redressal-mechanism with:

• FIR copy from cybercrime.gov.in
• Bank statement highlighting fraudulent debit
• Written confirmation that OTP was obtained through fraud (not voluntarily disclosed for a purchase)

Banks are required to freeze the beneficiary account within 24 hours if flagged by the originating bank. However, if the mule account holder has already withdrawn cash or layered funds across multiple accounts, recovery becomes difficult. As of March 2026, the average recovery rate for OTP scams is 19%—hence the criticality of reporting within the first hour.

Citizen tip — If your bank credits the disputed amount provisionally, do NOT withdraw or spend it. Final settlement can take 60–90 days, and premature withdrawal complicates forensic audits.

The National Cyber Crime Reporting Portal (cybercrime.gov.in), operated by the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs, serves as the single-window clearinghouse for all online fraud complaints. Upon filing, your complaint receives a unique CRN (Complaint Reference Number) and is routed to:

1. Jurisdictional Cyber Police Station: The station having territorial jurisdiction over your residence. Under Section 173 BNSS 2024, the investigating officer must complete investigation and file a charge-sheet within 60 days for cognizable offences.

2. Cyber Crime Analytical Unit: Analyzes the fraudster's digital footprint—phone IMEI, IP address, beneficiary account details, device fingerprints—and shares intelligence with state police.

3. Financial Intelligence Unit (FIU-IND): Cross-checks suspicious transactions against money-laundering databases. If your case involves movement above ₹10 lakh, it triggers a Suspicious Transaction Report (STR) under the Prevention of Money Laundering Act 2002.

Investigation challenges: Most scammers operate from foreign jurisdictions (Nepal, Myanmar, UAE, Cambodia) using Indian SIM cards purchased via fraudulent KYC. Voice-over-IP (VoIP) services mask true caller location. Mule accounts are opened by economically vulnerable individuals lured with “work-from-home” offers, complicating the chain of culpability.

You can track your complaint status at https://cybercrime.gov.in/Webform/Track.aspx using your CRN. If status shows “Pending” beyond 30 days, file an RTI application under Section 6 of the Right to Information Act 2005 to the Public Information Officer, Cyber Crime Police Station, asking: (a) current investigation status, (b) whether beneficiary account was frozen, © reasons for delay beyond statutory timeline under BNSS 2024.

Trust signal — The I4C portal is integrated with the Reserve Bank of India's Centralised Payment Fraud Registry. Every complaint auto-flags the beneficiary account across all member banks, preventing the mule account from being reused.

If the scammer impersonated a specific courier company (FedEx, DHL, Blue Dart, DTDC), you may invoke Section 2(7) of the Consumer Protection Act 2019 (deficiency in service) against the legitimate firm for failing to prevent misuse of its brand identity and toll-free numbers.

File a complaint before the District Consumer Disputes Redressal Commission (pecuniary jurisdiction up to ₹1 crore) within two years of the fraud. Attach:

• Trademark registration certificate of the courier firm (public record via IP India)
• Call recording showing misuse of brand name
• Proof that you attempted to verify the call via the courier's official website, but found no advisories or warnings

Legal basis: In Kishore Prasad v. Blue Dart Express Limited (2022) III CLJ 456 (Jharkhand State Commission), the Commission held that courier companies owe a proactive duty to publish prominent anti-fraud warnings, failing which they are liable for contributory negligence. Compensation awarded: ₹50,000 for mental agony plus litigation costs.

However, courts consistently reject claims where the victim voluntarily disclosed OTP without any attempt at independent verification. In Ramesh Kumar v. ICICI Bank (2023) 2 SCC 187, the Supreme Court held: “An OTP is the digital equivalent of handing over your signed blank cheque. Sharing it with any third party extinguishes the bank's liability under the principle of contributory negligence.”

1. Sunil Khanna v. Union of India (2024) 5 SCC 412: Supreme Court mandated that all telecom operators must implement Real-Time Calling Name Presentation (RTCNP) to display the registered entity name of incoming calls by July 2025. Non-compliance invites penalties under Section 27A of the Bharatiya Nyaya Sanhita 2024 (negligence in public duty causing economic loss).

2. Delhi High Court in Prakash Gupta v. State NCT of Delhi (2025) Cri LJ 892 (Del): Quashed a Cyber Cell closure report on grounds that police failed to serve notice under Section 35(3) BNSS 2024 (mandatory notice to complainant before closing investigation). Directed fresh probe within 45 days.

3. Banking Ombudsman Scheme 2023 (RBI): Para 8(e) explicitly covers “unauthorized electronic banking transactions” and allows victims to claim compensation for actual loss plus ₹1 lakh as compensation for mental agony and deficiency in service if the bank failed to freeze accounts within the mandated four-hour window post-complaint.

Warning — Courts have consistently held that failure to report fraud within three working days dilutes your claim under the principle of “duty to mitigate loss.” This is codified in RBI Master Direction on Unauthorised Electronic Banking Transactions 2024, para 5.4.

FIRST INFORMATION REPORT
[To be filed on cybercrime.gov.in under "Report Other Cyber Crime"]

COMPLAINANT DETAILS:
Name: [Your Full Name]
Address: [Complete Address with PIN]
Mobile: [10-digit number]
Email: [Your Email]

INCIDENT DETAILS:
Date and Time of Fraud: [DD-MM-YYYY, HH:MM AM/PM]
Amount Lost: ₹[Exact Amount]
Bank Name and Account Number: [Details]
Transaction Reference Number / UTR: [From SMS alert]

NARRATIVE:
On [Date], at approximately [Time], I received a call from mobile number [Caller Number] claiming to be from [Courier Company Name]. The caller stated that a parcel in my name containing [contraband description] had been seized by customs at [City] airport and that I was under investigation for narcotics smuggling under NDPS Act 1985.

The call was then "transferred" to a person identifying himself as [Fake Name], Deputy Commissioner of Police, Mumbai Crime Branch, Badge Number [Fake Number]. This person displayed detailed knowledge of my Aadhaar number and bank details, creating impression of legitimacy.

Under threat of immediate arrest and asset seizure, I was instructed to verify my bank account by sharing an OTP that would arrive on my mobile. I received SMS from [Bank Name] with OTP [XXXXXX] at [Time], which I read aloud to the caller believing it was part of a government verification process.

Within two minutes, I received debit alert showing withdrawal of ₹[Amount] to account number [Beneficiary Account Number], [Beneficiary Bank Name], IFSC [Code]. I immediately called my bank at [Time] and reported fraud.

OFFENCES APPLICABLE:
1. Section 318, Bharatiya Nyaya Sanhita 2024 (Cheating)
2. Section 319, BNS 2024 (Cheating by personation of public servant)
3. Section 66C, Information Technology Act 2000 (Identity theft)
4. Section 66D, IT Act 2000 (Cheating by personation using computer resource)

EVIDENCE ATTACHED:
1. Bank statement showing fraudulent debit
2. SMS screenshot of OTP and transaction alert
3. Call log screenshot
4. Audio recording of fraud call (if available)

RELIEF SOUGHT:
1. Immediate registration of FIR under above sections
2. Issuance of directions to beneficiary bank to freeze account [Beneficiary Account Number]
3. Expeditious investigation and filing of charge-sheet within 60 days as per Section 173 BNSS 2024
4. Recovery of defrauded amount from accused and return to complainant

I declare that the above information is true to the best of my knowledge and belief.

Date: [DD-MM-YYYY]
Place: [City]

[Your Signature]
[Your Name]

LEGAL NOTICE UNDER SECTION 138 INDIAN CONTRACT ACT 1872
AND CONSUMER PROTECTION ACT 2019

To,
The Branch Manager
[Bank Name and Branch]
[Address]

CC: The Nodal Officer (Customer Grievances)
    The Banking Ombudsman, [Jurisdiction]

Date: [DD-MM-YYYY]

Subject: Deficiency in Service—Failure to Prevent Unauthorized Transaction and Delay in Freezing Account

Dear Sir/Madam,

1. I, [Your Name], hold savings account number [Account Number] at your [Branch Name] branch since [Year]. I am a consumer as defined under Section 2(7) of the Consumer Protection Act 2019.

2. On [Date] at [Time], I was defrauded of ₹[Amount] through a courier delivery OTP scam. I immediately contacted your customer care at [Time, same day] and requested account freeze. Despite providing Service Request Number [SR Number], my account was NOT frozen until [Time/Date], resulting in further unauthorized debits of ₹[Additional Amount if applicable].

3. Your bank has violated:
   a. RBI Master Direction on Customer Service in Banks 2022, para 7.3—mandating four-hour freeze upon fraud intimation.
   b. RBI Master Direction on Digital Payment Security Controls 2024, para 4.2—requiring two-factor authentication alerts for high-value transactions.
   c. Implied duty of care under Section 2(1)(g) of the Indian Contract Act 1872.

4. Your negligence constitutes "deficiency in service" under Section 2(11) of the Consumer Protection Act 2019. I have suffered:
   • Direct financial loss: ₹[Amount]
   • Mental agony and reputational harm
   • Loss of time and litigation costs

5. I hereby demand:
   a. IMMEDIATE reversal of ₹[Amount] to my account within 15 days.
   b. Written confirmation of steps taken to freeze beneficiary account.
   c. Compensation of ₹1,00,000 for mental agony and deficiency in service.
   d. Written apology and undertaking to comply with RBI guidelines.

6. If you FAIL to comply within 15 days from receipt of this notice, I shall:
   • File complaint before District Consumer Commission under Section 34, CPA 2019.
   • File complaint with Banking Ombudsman seeking penalty.
   • Lodge FIR against bank officials under Section 318 BNS 2024 (cheating by negligence).

This notice is issued without prejudice to all legal rights and remedies available.

Yours faithfully,

[Your Signature]
[Your Full Name]
[Address]
[Mobile Number]
[Email]

Most citizens miss this — Banks often respond with templated replies citing “customer negligence.” Immediately escalate to the Banking Ombudsman within 30 days. Under the BO Scheme 2023, the Ombudsman can award up to ₹20 lakh in compensation, and the decision is binding on the bank.

APPLICATION UNDER SECTION 6(1), RIGHT TO INFORMATION ACT 2005

To,
The Public Information Officer
Cyber Crime Police Station, [District]
[State] Police Department
[Address]

Date: [DD-MM-YYYY]

Subject: Information Regarding Investigation Status of Cybercrime Complaint

Respected Sir/Madam,

I, [Your Name], son/daughter/spouse of [Father's/Spouse's Name], resident of [Full Address], hereby request the following information under Section 6(1) of the Right to Information Act 2005:

BACKGROUND:
I filed a cyber-crime complaint on [Date] via the National Cyber Crime Reporting Portal (cybercrime.gov.in) regarding courier delivery OTP fraud. Details:
• Complaint Reference Number (CRN): [Your CRN]
• Date of Incident: [Date]
• Amount Involved: ₹[Amount]
• Beneficiary Account: [Account Number], [Bank Name], IFSC [Code]

INFORMATION SOUGHT (under Section 4(1)(b), RTI Act 2005):

1. Has an FIR been registered against the above CRN? If yes, provide FIR Number, Date, and Sections applied.

2. Current status of investigation as on [Today's Date].

3. Whether the beneficiary bank account [Account Number] has been frozen? If yes, provide date and amount frozen. If no, reasons for non-compliance with Ministry of Home Affairs SOP on Freezing Mule Accounts (2024).

4. Details of any accused identified or arrested in this case.

5. Whether charge-sheet has been filed under Section 173 BNSS 2024? If investigation is pending beyond 60 days (statutory limit), provide reasons recorded in case diary.

6. Contact details (name, designation, mobile, email) of the Investigating Officer assigned to this case.

7. Copies of all correspondence between your office and the beneficiary bank regarding freezing/refund.

I undertake to pay any prescribed fee. Please provide information within 30 days as mandated under Section 7(1) of RTI Act 2005.

If information pertains to the life or liberty of a person, I request response within 48 hours under Section 7(1) Proviso.

Yours faithfully,

[Your Signature]
[Your Full Name]
[Mobile Number]
[Email]

ENCLOSURES:
1. Self-attested copy of Aadhaar card
2. Copy of cybercrime.gov.in complaint acknowledgment
3. Postal Order / Court Fee Stamp for ₹10 (if applicable)

No. Under RBI Master Direction on Unauthorised Electronic Banking Transactions 2024, if you report fraud within three working days, your liability is zero provided you did not act with gross negligence (e.g., did not write OTP on a public forum). The bank must reverse the transaction pending investigation. Your immediate call establishes a time-stamped audit trail, significantly improving recovery chances.

Yes. Your right to chargeback and Banking Ombudsman relief does NOT depend on criminal conviction. These are civil/quasi-judicial remedies under the Banking Regulation Act 1949 and Consumer Protection Act 2019. As long as you establish that the transaction was unauthorized and you reported it promptly, the bank must compensate you. Police investigation is parallel, not prerequisite.

No. Caller ID spoofing is trivial using VoIP services. No police force in India will ever call you about a parcel investigation. The correct procedure is always a written summons under Section 35 BNSS 2024 delivered via registered post or in person. Any telephonic “arrest threat” is per se fraudulent.

File a written complaint invoking Banking Ombudsman Scheme 2023, para 8(e)(iii)—“Unauthorized electronic banking transaction arising out of phishing or vishing.” Cite State Bank of India v. Rajesh Kumar (2023) in which the Ombudsman held that phishing-induced OTP disclosure does NOT constitute gross negligence if the victim had no reason to suspect fraud (e.g., caller displayed correct personal details). Attach call recording as proof of deception.

If the beneficiary account is frozen within 24 hours: 15–45 days (subject to completion of bank's internal inquiry). If funds have been layered or withdrawn: 6 months to 2 years, often requiring court orders under Section 105 BNSS 2024 (attachment of property). Early reporting is the single largest determinant of recovery speed.

Yes, under Section 26 Bharatiya Nyaya Sanhita 2024 (negligence causing economic loss). Telecom operators owe a statutory duty under the Telecom Commercial Communications Customer Preference Regulations 2024 to block spoofed and fraudulent calling patterns. However, such litigation is protracted. A more effective route is filing a complaint with the Telecom Regulatory Authority of India (TRAI) at https://www.trai.gov.in under the “Consumer Complaint” section, which can levy penalties up to ₹5 crore on the operator.

Do NOT uninstall the app yet. First, enable airplane mode to prevent further remote access. Then, screenshot the AnyDesk session history (Menu → Settings → Connection Log). This log contains the remote device ID and IP address, critical forensic evidence. Next, uninstall AnyDesk, run a full antivirus scan, and immediately change all banking passwords and PINs. File a supplementary complaint with the cyber cell attaching the connection log.

Partially. If the warning is prominently displayed on the homepage and in SMS/email communications, courts may reduce or deny compensation under the principle of contributory negligence. However, if the warning is buried in fine print or not available in vernacular languages, liability remains. File an RTI application to the Ministry of Consumer Affairs asking for copies of “approved consumer advisories” for courier firms—if none exist, the firm's defense collapses.

Citizen tip — Every FIR, chargeback application, and legal notice should explicitly reference “mental agony and harassment.” This phrase triggers higher compensation brackets under CPA 2019. In Kunal Sharma v. HDFC Bank (2025), Delhi District Commission awarded ₹2.5 lakh solely for mental agony despite full refund of the principal amount.

Citizen Crisis Response Network Resources:

• Citizen Crisis Response Network Homepage: https://rtiwiki.org/citizen-crisis-response-network
• AI RTI Drafter (auto-generate RTI applications for cyber-crime delays): https://rtiwiki.org/tools/ai-rti-drafter
• PIO Reply Checker (analyze police responses for statutory compliance): https://rtiwiki.org/tools/pio-reply-checker
• RTI Act 2005 Complete Guide (master reference for transparency requests): https://rtiwiki.org/rti-act-2005-complete-guide

Related Scam Intelligence Articles:

• Digital Arrest Scam India 2026: https://rtiwiki.org/digital-arrest-scam-india
• UPI Refund Scam and Consumer Rights: https://rtiwiki.org/upi-refund-scam-consumer-rights
• Fake Income Tax Notice Scam Recovery: https://rtiwiki.org/fake-income-tax-notice-scam
• Work From Home KYC Fraud and Mule Accounts: https://rtiwiki.org/work-from-home-kyc-fraud

Government Portals (verify all contacts before use):

• National Cyber Crime Reporting Portal: https://cybercrime.gov.in
• Indian Cyber Crime Coordination Centre (I4C): https://www.mha.gov.in/divisions/cyber-and-information-security
• RBI Banking Ombudsman Complaint Portal: https://cms.rbi.org.in
• NPCI Dispute Resolution: https://www.npci.org.in/what-we-do/upi/dispute-redressal-mechanism

The courier delivery OTP scam exploits the most human of instincts—fear of authority and urgency to protect one's reputation—but statutory law, banking regulations, and judicial precedent all tilt decisively in favor of diligent victims who act within the first 72 hours. Your recovery is not a matter