Courier Delivery OTP Scam India — Recovery (2026)

A common version of this fraud: a victim receives a call from a “courier customer care” line claiming a parcel in their name has been intercepted by customs; the caller — posing as a police or CBI officer — pressures the victim into sharing a bank OTP, and money is siphoned from the savings account within minutes.

Citizen Crisis Response Network
If you shared an OTP with a courier or customs “officer” recently, call the 1930 cyber-crime helpline and your bank's 24×7 fraud desk immediately, lodge a complaint on cybercrime.gov.in, and preserve call recordings and SMS screenshots — early reporting is the single biggest factor in recovery.

Courier delivery OTP scams use impersonation of logistics firms, customs officials, or police to extract one-time passwords and drain bank accounts. (1) Call the national cyber-crime helpline 1930 within minutes. (2) File a complaint on cybercrime.gov.in with transaction screenshots. (3) Request an immediate account freeze via your bank's 24×7 fraud desk. (4) Submit a written dispute to your bank under the applicable RBI and NPCI grievance-redressal rules. (5) In your complaint, cite Bharatiya Nyaya Sanhita 2023 section 318 (cheating) and sections 66C (identity theft) and 66D (cheating by personation using a computer resource) of the IT Act 2000. (6) Escalate to the RBI Ombudsman if the bank delays or denies relief. (7) Track your complaint reference number on the National Cyber Crime Reporting Portal.

• How the courier delivery OTP scam works in 2026
• Immediate recovery checklist (first 24 hours)
• Filing a complaint under BNS 2023 and IT Act 2000
• Bank dispute and NPCI dispute resolution
• Role of cybercrime.gov.in and police investigation
• Consumer Protection Act 2019 recourse against courier firms
• What the courts and regulators say
• Sample complaint text for courier OTP scam
• Sample legal notice to bank for negligence
• Sample RTI application to cyber cell
• Frequently asked questions
• Myth vs reality table

The fraud typically unfolds in stages. Stage 1: A pre-recorded robocall or live agent claims a parcel bearing your name has been seized by customs for containing contraband (narcotics, fake documents, or foreign currency). Stage 2: The call is “transferred” to a fake police, Crime Branch, or Narcotics Control Bureau officer, often with a spoofed caller ID showing a genuine-looking police number. Stage 3: The fraudster threatens arrest under laws such as the Narcotic Drugs and Psychotropic Substances Act 1985 or money-laundering charges, then offers a “verification process” to prove innocence. Stage 4: The victim is instructed to download remote-access software (such as AnyDesk, TeamViewer, or QuickSupport) to “secure” their bank account, or simply asked to read out an OTP “for KYC update.” Stage 5: Once the OTP is shared, funds are transferred to mule accounts, often layered across several banks within minutes.

Courier-parcel and “digital arrest” frauds have grown sharply in recent years, with the Indian Cyber Crime Coordination Centre (I4C) and the Ministry of Home Affairs repeatedly flagging large aggregate losses. Victims are commonly working adults who are trusting of official-sounding titles. Scammers leverage social engineering — fear of legal action, urgency, and authority bias — to suppress rational judgment.

Warning — No legitimate courier company, customs authority, or police force will ever ask you to share an OTP, install remote-access software, or transfer money to “clear your name.” Courts have repeatedly observed that voluntarily sharing an OTP or clicking a fraudulent link, despite bank warnings, can reduce the bank's liability in fraud recovery.

Minute 0–5: Call your bank's 24×7 customer care and say clearly: “Fraudulent transaction, please freeze my account immediately.” Do not hang up until you receive a Service Request (SR) number. If your bank offers SMS blocking, also send the prescribed BLOCK keyword to your bank's SMS banking number.

Minute 6–15: Dial 1930 (the national cyber-crime helpline coordinated by the Ministry of Home Affairs). The call is handled through the Indian Cyber Crime Coordination Centre framework. Provide your mobile number, bank name, transaction amount, and approximate time. You will be given a complaint acknowledgement number.

Hour 1: Log on to https://cybercrime.gov.in and file a detailed complaint under “Report Other Cyber Crime” → “Online Financial Fraud” → “Fraud Call / Vishing.” Upload: (a) call recording (if available), (b) SMS screenshot of the OTP request, © bank transaction alert, (d) screenshots of any remote-access app installation. The portal routes complaints to the jurisdictional Cyber Police Station for action.

Hour 2–6: Visit your bank branch with two copies of a written application titled “Complaint regarding unauthorised electronic banking transaction.” Demand a signed acknowledgment. If the branch refuses, note that deficiency in service is actionable under the Consumer Protection Act 2019.

Hour 12–24: Email the nodal officer listed on your bank's website (banks are required to publish grievance-redressal contact details under RBI customer-service norms). CC the RBI Ombudsman mechanism. Subject line: “Urgent: Fraudulent Transaction — OTP Compromise — Account [Your Account Number].”

Do this immediately — Screenshot every SMS, call log entry, and bank notification. If you installed a remote-access app, do NOT uninstall it yet — forensic teams may need the app's connection log and metadata for investigation.

Your complaint can invoke the following statutory provisions to support proper registration and investigation:

Bharatiya Nyaya Sanhita 2023 (which replaced the Indian Penal Code):

• Section 318 (Cheating): Cheating that dishonestly induces delivery of property is punishable, with the punishment increasing where the cheating involves delivery of property or valuable security. Courier scams typically satisfy the ingredients of cheating: deception, dishonest inducement, and wrongful loss.
• Personation of a public servant: Where the fraudster impersonates a police officer, customs official, or other public servant, the conduct also attracts the BNS provisions on personating a public servant (BNS section 204) and on wearing the garb or carrying a token of a public servant with fraudulent intent (BNS section 205).
• Forgery (BNS section 336): If the scammer used forged letterheads, fake identity cards, or spoofed documents, the forgery provisions of the BNS may also apply.

Information Technology Act 2000:

• Section 66C (Identity theft): Fraudulent or dishonest use of another person's electronic signature, password, or unique identification feature. Punishable with imprisonment up to three years and fine up to ₹1 lakh.
• Section 66D (Cheating by personation using computer resource): Punishable with imprisonment up to three years and fine up to ₹1 lakh.

When you file your complaint on cybercrime.gov.in, describe the facts clearly so that the appropriate sections are applied. If you file at a physical police station and the officer attempts to register it only as a non-cognizable “lost property” report, insist on registration of an FIR: under the BNSS, information disclosing a cognizable offence must be recorded, and an FIR can be registered irrespective of where the offence appears to have originated.

Most citizens miss this — Police sometimes cite “jurisdiction issues” when the fraudster used an out-of-state phone number. Under the BNSS, information about a cognizable offence can be recorded at any police station and forwarded to the station with jurisdiction (a “zero FIR”), so you can begin the process at your local police station regardless of where the accused is located.

India's payment ecosystem offers parallel recovery tracks: chargeback (for card transactions) and dispute resolution (for UPI/IMPS/NEFT/RTGS).

Chargeback (Visa/Mastercard/RuPay debit/credit cards): Raise a chargeback dispute with your bank promptly, within the time limit prescribed by the card network and your bank's terms. File online via your bank's net-banking portal under “Dispute a transaction,” or in writing at the branch. If the beneficiary's bank cannot establish that the transaction was authorised, the reversal may become permanent.

UPI/IMPS/NEFT dispute: The National Payments Corporation of India (NPCI) provides a dispute-redressal mechanism for UPI transactions. Raise the dispute through your bank or the UPI app, and submit:

• the complaint copy from cybercrime.gov.in
• a bank statement highlighting the fraudulent debit
• a written account explaining that the OTP was obtained through fraud (not voluntarily disclosed for a genuine purchase)

When the originating bank flags a fraudulent transfer, the beneficiary bank can act on the beneficiary account. However, if the mule-account holder has already withdrawn cash or layered funds across multiple accounts, recovery becomes harder — which is why reporting within the first hour matters so much.

Citizen tip — If your bank credits the disputed amount provisionally, do NOT withdraw or spend it. Final settlement can take several weeks, and premature withdrawal complicates the bank's inquiry.

The National Cyber Crime Reporting Portal (cybercrime.gov.in), operated under the Indian Cyber Crime Coordination Centre (I4C) framework of the Ministry of Home Affairs, is the single-window channel for online fraud complaints. On filing, your complaint receives a unique reference number and is routed to:

1. Jurisdictional Cyber Police Station: the station having territorial jurisdiction over your residence, which takes the complaint forward for investigation.

2. Cyber-crime analytics: analysis of the fraudster's digital footprint — phone numbers, IP addresses, beneficiary account details — shared with state police.

3. Financial intelligence: suspicious transactions can be cross-checked against money-laundering databases; large or layered transfers may trigger reporting under the Prevention of Money Laundering Act 2002.

Investigation challenges: many scam operations are run from outside India (with reported hubs in South-East Asia and neighbouring countries) using Indian SIM cards obtained through fraudulent KYC. Voice-over-IP services mask the true caller location. Mule accounts are often opened by economically vulnerable individuals lured with “work-from-home” offers, complicating the chain of culpability.

You can track your complaint status on cybercrime.gov.in using your reference number. If the status shows no progress for a long time, you can file an RTI application under section 6 of the Right to Information Act 2005 to the Public Information Officer of the Cyber Crime Police Station, asking for: (a) the current investigation status, (b) whether the beneficiary account was frozen, and © the reasons for any delay.

Trust signal — The cyber-crime reporting and banking systems are increasingly integrated, so that a flagged beneficiary account can be acted on across member banks to prevent the mule account from being reused.

If the scammer impersonated a specific courier company (for example FedEx, DHL, Blue Dart, or DTDC), you may consider a complaint of deficiency in service under the Consumer Protection Act 2019 — but note that liability of the genuine courier firm is far from automatic, because the firm did not itself defraud you.

A consumer complaint is filed before the District Consumer Disputes Redressal Commission (within its pecuniary limit) generally within two years of the cause of action. If you pursue this route, attach:

• evidence of the misuse of the firm's brand name (such as a call recording)
• proof that you attempted to verify the call through the courier's official website or customer care

Courts and consumer commissions generally do not hold a bank or courier liable where the victim voluntarily disclosed an OTP without any attempt at independent verification. Treat the courier-firm route as secondary to the cyber-crime complaint and the bank dispute.

OTP sharing and bank liability: Indian courts have, in several cases, held that where a customer voluntarily shares an OTP or clicks a fraudulent link despite bank warnings, the bank's liability for the resulting loss may be reduced or excluded. This is why establishing that you were *deceived* — for example through a recorded call — matters for your claim.

RBI framework on unauthorised transactions: The RBI's framework on limiting customer liability for unauthorised electronic banking transactions provides that prompt reporting strengthens your claim, and that a customer's liability can be limited where the loss is due to deficiency on the bank's part or to a third-party breach, provided the customer reports promptly. Check the current RBI circular and your bank's policy for the exact reporting windows and liability bands.

RBI Ombudsman: The RBI's integrated Ombudsman scheme covers grievances including those relating to unauthorised electronic banking transactions, and complaints can be filed free of charge online at https://cms.rbi.org.in.

Warning — Reporting delay can weaken your claim under the principle of mitigating your own loss. Report to the bank and on 1930 / cybercrime.gov.in as early as possible, and keep the timestamps.

CYBER-CRIME COMPLAINT
[To be filed on cybercrime.gov.in under "Report Other Cyber Crime"]

COMPLAINANT DETAILS:
Name: [Your Full Name]
Address: [Complete Address with PIN]
Mobile: [10-digit number]
Email: [Your Email]

INCIDENT DETAILS:
Date and Time of Fraud: [DD-MM-YYYY, HH:MM AM/PM]
Amount Lost: ₹[Exact Amount]
Bank Name and Account Number: [Details]
Transaction Reference Number / UTR: [From SMS alert]

NARRATIVE:
On [Date], at approximately [Time], I received a call from mobile number [Caller Number] claiming to be from [Courier Company Name]. The caller stated that a parcel in my name containing [contraband description] had been seized by customs at [City] and that I was under investigation.

The call was then "transferred" to a person identifying himself as a police/CBI officer named [Fake Name], with badge number [Fake Number]. This person displayed detailed knowledge of my personal and bank details, creating an impression of legitimacy.

Under threat of immediate arrest and asset seizure, I was instructed to verify my bank account by sharing an OTP that would arrive on my mobile. I received an SMS from [Bank Name] with OTP [XXXXXX] at [Time], which I read aloud to the caller believing it was part of an official verification process.

Within minutes, I received a debit alert showing withdrawal of ₹[Amount] to account number [Beneficiary Account Number], [Beneficiary Bank Name], IFSC [Code]. I immediately called my bank at [Time] and reported the fraud.

OFFENCES APPLICABLE:
1. Section 318, Bharatiya Nyaya Sanhita 2023 (Cheating)
2. Section 204 / 205, BNS 2023 (Personating a public servant)
3. Section 66C, Information Technology Act 2000 (Identity theft)
4. Section 66D, IT Act 2000 (Cheating by personation using computer resource)

EVIDENCE ATTACHED:
1. Bank statement showing the fraudulent debit
2. SMS screenshot of the OTP and transaction alert
3. Call log screenshot
4. Audio recording of the fraud call (if available)

RELIEF SOUGHT:
1. Registration of an FIR under the above sections
2. Directions to the beneficiary bank to freeze account [Beneficiary Account Number]
3. Expeditious investigation
4. Recovery of the defrauded amount and return to the complainant

I declare that the above information is true to the best of my knowledge and belief.

Date: [DD-MM-YYYY]
Place: [City]

[Your Signature]
[Your Name]

LEGAL NOTICE UNDER THE CONSUMER PROTECTION ACT 2019

To,
The Branch Manager
[Bank Name and Branch]
[Address]

CC: The Nodal Officer (Customer Grievances)
    The RBI Ombudsman (via https://cms.rbi.org.in)

Date: [DD-MM-YYYY]

Subject: Deficiency in Service — Failure to Prevent Unauthorised Transaction and Delay in Freezing Account

Dear Sir/Madam,

1. I, [Your Name], hold savings account number [Account Number] at your [Branch Name] branch since [Year]. I am a consumer as defined under the Consumer Protection Act 2019.

2. On [Date] at [Time], I was defrauded of ₹[Amount] through a courier delivery OTP scam. I immediately contacted your customer care at [Time, same day] and requested an account freeze. Despite providing Service Request Number [SR Number], my account was NOT frozen until [Time/Date], resulting in further unauthorised debits of ₹[Additional Amount if applicable].

3. Your bank has, in my submission, failed to act in accordance with the applicable RBI directions on customer service and on limiting customer liability for unauthorised electronic banking transactions, and with its implied duty of care.

4. Your conduct constitutes "deficiency in service" under the Consumer Protection Act 2019. I have suffered:
   - Direct financial loss: ₹[Amount]
   - Mental agony and harassment
   - Loss of time and litigation costs

5. I hereby demand:
   a. Reversal of ₹[Amount] to my account within 15 days.
   b. Written confirmation of the steps taken to freeze the beneficiary account.
   c. Reasonable compensation for mental agony and deficiency in service.
   d. A written undertaking to comply with RBI guidelines.

6. If you FAIL to comply within 15 days from receipt of this notice, I shall:
   - File a complaint before the District Consumer Commission under the Consumer Protection Act 2019.
   - File a complaint with the RBI Ombudsman.
   - Pursue all available criminal and civil remedies.

This notice is issued without prejudice to all legal rights and remedies available.

Yours faithfully,

[Your Signature]
[Your Full Name]
[Address]
[Mobile Number]
[Email]

Most citizens miss this — Banks often respond with templated replies citing “customer negligence.” If you are not satisfied, escalate to the RBI Ombudsman. The integrated Ombudsman scheme is free, can be used without a lawyer, and can direct the bank to pay compensation in deserving cases.

APPLICATION UNDER SECTION 6(1), RIGHT TO INFORMATION ACT 2005

To,
The Public Information Officer
Cyber Crime Police Station, [District]
[State] Police Department
[Address]

Date: [DD-MM-YYYY]

Subject: Information Regarding Investigation Status of Cyber-crime Complaint

Respected Sir/Madam,

I, [Your Name], son/daughter/spouse of [Father's/Spouse's Name], resident of [Full Address], hereby request the following information under Section 6(1) of the Right to Information Act 2005:

BACKGROUND:
I filed a cyber-crime complaint on [Date] via the National Cyber Crime Reporting Portal (cybercrime.gov.in) regarding a courier delivery OTP fraud. Details:
- Complaint Reference Number: [Your Reference Number]
- Date of Incident: [Date]
- Amount Involved: ₹[Amount]
- Beneficiary Account: [Account Number], [Bank Name], IFSC [Code]

INFORMATION SOUGHT:

1. Has an FIR been registered against the above complaint? If yes, provide the FIR number, date, and sections applied.

2. The current status of the investigation as on [Today's Date].

3. Whether the beneficiary bank account [Account Number] has been frozen? If yes, the date and amount. If no, the reasons.

4. Details of any accused identified or arrested in this case.

5. Whether a charge-sheet has been filed. If the investigation is pending, the reasons recorded.

6. The name, designation, and contact details of the Investigating Officer assigned to this case.

7. Copies of correspondence between your office and the beneficiary bank regarding freezing or refund (subject to the exemptions in the RTI Act).

I undertake to pay any prescribed fee. Please provide the information within 30 days as mandated under Section 7(1) of the RTI Act 2005.

Yours faithfully,

[Your Signature]
[Your Full Name]
[Mobile Number]
[Email]

ENCLOSURES:
1. Self-attested copy of identity proof
2. Copy of the cybercrime.gov.in complaint acknowledgment
3. Prescribed RTI fee (₹10) by the permitted mode

Reporting promptly is the most important thing you can do. Under the RBI's framework on customer liability for unauthorised electronic banking transactions, prompt reporting limits or removes the customer's liability in many situations, especially where the loss results from deficiency on the bank's part or a third-party breach. Your immediate call also creates a time-stamped trail that improves recovery chances. Check the exact reporting windows in the current RBI circular and your bank's policy.

Possibly. Your right to pursue a bank dispute and RBI Ombudsman relief does not depend on a criminal conviction — these are civil and quasi-judicial remedies. If you establish that the transaction was unauthorised and that you reported it promptly, the bank may have to compensate you. The police investigation runs in parallel, and is not a prerequisite.

No. Caller-ID spoofing is easy to do with VoIP services. No police force in India will call you about a parcel investigation and demand an OTP or money. Genuine legal process involves a written summons or notice delivered through proper channels. Any telephonic “arrest threat” demanding payment or an OTP is fraudulent.

Escalate. File a written complaint to your bank's nodal officer, and if you are not satisfied, approach the RBI Ombudsman at https://cms.rbi.org.in. Stress that you were deceived (not merely careless) and attach any call recording or SMS that shows the deception. Whether OTP disclosure amounts to “gross negligence” depends on the facts, and being actively defrauded is different from carelessly revealing a credential.

It varies widely. If the beneficiary account is frozen quickly and the funds are still there, a provisional credit or refund may follow within a few weeks, subject to the bank's inquiry. If the funds have been withdrawn or layered, recovery can take much longer and may require court orders. Early reporting is the single largest factor in recovery speed.

Telecom operators have regulatory obligations to curb fraudulent and spoofed calling patterns, and TRAI has been rolling out caller-name presentation (CNAP) to display the registered name behind a call. The most practical route for an individual is to report the number and complaint to your operator and to TRAI (https://www.trai.gov.in), rather than to litigate against the operator, which is slow and uncertain.

Do NOT uninstall the app immediately. First, enable airplane mode to cut off any remote access. Then screenshot the app's connection log (which can contain the remote device ID and IP address — useful forensic evidence). After preserving that, uninstall the app, run a full antivirus scan, and change all banking passwords and PINs. File a supplementary note with the cyber cell attaching the connection log.

It can reduce a courier firm's exposure, but the position depends on the facts. Your primary remedies are the cyber-crime complaint and the bank dispute. Pursue the courier firm only as a secondary route, and only where you can show specific misuse of its identity.

Citizen tip — In your bank dispute, consumer complaint, and legal notice, describe the deception and the harm clearly, including “mental agony and harassment,” as these are relevant to compensation under the Consumer Protection Act 2019.

Citizen Crisis Response Network Resources:

• Citizen Crisis Response Network Homepage: https://righttoinformation.wiki/citizen-crisis-response-network
• AI RTI Drafter (auto-generate RTI applications for cyber-crime delays): https://righttoinformation.wiki/tools/rti-assistant
• PIO Reply Checker (analyse police responses for statutory compliance): https://righttoinformation.wiki/tools/pio-reply-checker
• RTI Act 2005 Complete Guide (master reference for transparency requests): https://righttoinformation.wiki/rti-act-2005-complete-guide

Related Scam Intelligence Articles:

• Digital Arrest Scam India 2026: https://righttoinformation.wiki/digital-arrest-scam-india

Government Portals (verify all contacts before use):

• National Cyber Crime Reporting Portal: https://cybercrime.gov.in
• Indian Cyber Crime Coordination Centre (I4C): https://www.mha.gov.in/divisions/cyber-and-information-security
• RBI Ombudsman Complaint Portal: https://cms.rbi.org.in
• NPCI Dispute Resolution: https://www.npci.org.in/what-we-do/upi/dispute-redressal-mechanism
• Telecom Regulatory Authority of India (TRAI): https://www.trai.gov.in

The courier delivery OTP scam exploits the most human of instincts — fear of authority and the urge to protect one's reputation — but statutory law, banking regulations, and judicial practice all favour diligent victims who act quickly. Call 1930 and your bank, file on cybercrime.gov.in, preserve your evidence, and escalate to the RBI Ombudsman if your bank delays. Your best protection is to report within the first hour.