Cyber Insurance Claim Rejected After Online Fraud? Here Is How to Fight It

Who this guide is for

This guide is for an individual policyholder who bought a personal cyber insurance cover — sometimes sold as cyber fraud protection, online fraud insurance, or an add-on to a bank account or card — and who has suffered a loss from online fraud and had a claim rejected or stalled. It applies if you faced:

• A phishing or smishing attack where you clicked a fake link or shared details on a spoofed page, and money left your account.
• A UPI, net banking, or debit/credit card fraud, including a fake "refund", "KYC update", or "electricity bill" call that ended in an unauthorised transfer.
• Identity theft where someone used your stolen details to open accounts, take loans, or transact in your name.

It is most useful if the insurer has sent a written rejection or a "claim closed" message and you want to challenge it with evidence rather than give up.

Who this guide is NOT for

This guide does not cover corporate or business cyber insurance, where the policy terms, sums insured, and dispute routes are different and usually involve a broker and forensic vendors. It also does not cover situations where there was no insurance at all — if you only want to recover the money from the fraudster or the bank, the route is the cybercrime portal, the bank dispute, and the banking ombudsman, not an insurance claim. Finally, this is general information, not legal advice: where the loss is large or the facts are contested, consult a qualified lawyer or insurance adviser before signing anything or accepting a final repudiation.

What you can do this weekend

Friday evening

Open the rejection letter or email and read it slowly. Underline the exact words the insurer used — for example an exclusion name, the phrase "reasonable care", or a reference to "voluntary disclosure of credentials" or "delay in intimation". Then open your policy document and find the matching clause. Write down, in one line, the precise ground you have to defeat. Next, pull together everything you already have: screenshots of the phishing message or fake call, your bank statement showing the disputed entry, the cybercrime portal acknowledgement, and any emails with the insurer. Save them all in one folder named by date.

Saturday

Build your fraud timeline. On a single page, list in date-and-time order: when the fraud message or call reached you, what you did, the exact moment money left your account, when you discovered the loss, and every report you then made — to the bank, to 1930 or cybercrime.gov.in, and to the insurer. Be honest and specific. This timeline is the backbone of your whole appeal because it shows you acted promptly and did not knowingly authorise the loss. If any report is missing — for example you never formally complained to the bank in writing — fix that today by sending a written complaint and noting the reference number.

Sunday

Draft your appeal to the insurer using the template further down this page. Answer each rejection ground point by point. Attach the timeline, the cybercrime acknowledgement, the bank dispute reference, and the screenshots. Ask the insurer's Grievance Redressal Officer for the exact clause relied on and for a written, reasoned decision. Keep a copy of everything. From the date the insurer receives your grievance, a clock starts — if you do not get a satisfactory reply within the time the insurer's grievance policy states, you can take the matter to IRDAI on Bima Bharosa and then to the Insurance Ombudsman.

Documents and evidence checklist

Step-by-step action plan

Step 1 — Read the rejection letter and match it to your policy

Every successful appeal starts with knowing the exact ground used against you. Find the clause in the rejection letter — it may be an exclusion, the "reasonable care" or "duty of care" condition, a "voluntary disclosure of credentials" carve-out, a "known scam" exclusion, or a "delay in intimation" condition. Open your policy schedule and full wording and locate the same clause. Note the precise language and any time limits. If the insurer did not state a clear reason, write and ask for the specific clause in writing. You cannot rebut a ground you have not pinned down.

Step 2 — Build a clean, dated fraud timeline

Write a single page listing, in order with dates and times: how the fraud reached you, what you did at each step, the exact moment money left, when you realised it was fraud, and each report you made. A clear timeline does two things at once — it shows you reported quickly and it shows you did not knowingly authorise the loss. Attach the screenshots and statements that back up each line. Keep it factual; do not exaggerate or guess. This document is what the insurer's grievance officer, IRDAI, and the Ombudsman will read first.

Step 3 — Lock in the cybercrime complaint and the bank complaint

These two complaints are both your remedy and your evidence. Report the fraud on the National Cyber Crime Reporting Portal at cybercrime.gov.in or call the helpline 1930 as early as possible — fast reporting also improves the chance of a transaction freeze and partial recovery. Separately, send a written complaint to your bank disputing the transaction and keep the reference number and reply. Most personal cyber policies require both, so make sure each one is in writing with an acknowledgement. If you also have an FIR, keep it. For the bank side, our guide on escalating a UPI fraud complaint closed without a refund explains how to push the bank and NPCI route.

Step 4 — Rebut the exact ground in writing to the insurer

Write to the insurer's Grievance Redressal Officer, quoting the policy number and claim number. Take each rejection ground in turn and answer it. If they cite "reasonable care", show the security steps you took and that you were deceived by a convincing impersonation. If they cite "voluntary disclosure", show you were tricked, not careless. If they cite delay, explain the reason and attach proof of when you discovered the fraud. Attach the timeline, the cybercrime acknowledgement, the bank dispute, and the screenshots. Ask for a written, reasoned decision within the time their grievance policy states. Use the template below.

Step 5 — Escalate to IRDAI through Bima Bharosa

If the insurer does not resolve your grievance within the stated time, or gives a reply you are not satisfied with, register the grievance with IRDAI on the Bima Bharosa portal. Upload the rejection letter, your appeal, the insurer's reply, and your evidence. Bima Bharosa creates a formal regulatory record and routes the complaint to the insurer for a fresh look. It does not pass a binding award itself, but it often makes the insurer review the file again, and it is a useful step before the Ombudsman.

Step 6 — Approach the Insurance Ombudsman

If the dispute is still unresolved, you can file — free of cost — with the Insurance Ombudsman for your area. The Ombudsman hears personal-lines complaints, including cyber and miscellaneous insurance, where you have already complained to the insurer and either got no reply within the prescribed period or got an unsatisfactory one. The Ombudsman can pass a binding award up to the limit prescribed under the scheme. File within the time limit set by the scheme, attach all your documents, and keep the complaint factual. Where the amount or facts are serious, consider professional advice before this stage.

Escalation ladder

Copy-paste appeal template

Replace the text in square brackets with your own details before sending.

When RTI can help

The RTI Act, 2005 applies to public authorities. Your private insurance company is not a public authority, so RTI cannot be used to get its claim file. But online fraud almost always involves a public authority too — the police and the cyber cell. Once you have filed a complaint on the cybercrime portal or an FIR at a police station, those records are held by a public authority. You can file an RTI with the relevant police Public Information Officer to:

• Confirm that your complaint or FIR was registered and ask about the current status and action taken.
• Ask whether any request to freeze or recover the defrauded amount was sent to the beneficiary bank.
• Ask which officer or unit is handling the matter and the steps taken so far.

This information is useful because an action-taken reply, or proof that your complaint exists, strengthens your insurance appeal and your Ombudsman case. Note one limit: where an investigation or prosecution is ongoing, the police may decline to share details that could impede it, so frame your questions around status and action taken rather than investigation strategy. Read our full guide on how to file an RTI online, and if the police PIO does not reply in time, see how to file a first appeal under Section 19. For combining a government grievance with RTI, our CPGRAMS and RTI guide is helpful.

When RTI will not help

Against the insurer: A private insurance company, a third-party administrator, an app, a payment platform, or a private bank cannot be made to answer an RTI application, because none of them is a public authority. For these bodies, your route is the policy documents, the insurer's grievance officer, the IRDAI grievance route on Bima Bharosa, the Insurance Ombudsman, and, if needed, the consumer commission. RTI is not part of that chain.

To overturn the rejection: Even where RTI applies — against the police or cyber cell — it only gives you information. It does not order the insurer to pay, and it does not order the police to recover your money. Use the information it produces as evidence in your insurer appeal, your IRDAI grievance, and your Ombudsman complaint, which are the routes that can actually direct a payment.

For the bank dispute: If your bank is a private bank, you cannot RTI it. Use the bank's grievance process and the banking ombudsman. Only a public sector bank is a public authority that can be asked under RTI, and even then RTI gives information, not an order to refund.

Common mistakes to avoid

• Giving up after the first rejection. A rejection letter is the start of the appeal process, not the end. Insurers must give a reasoned decision, and many rejections are reversed at the grievance, IRDAI, or Ombudsman stage when you answer the exact ground with evidence.
• Not finding the precise clause used to reject. Arguing in general terms rarely works. Pin down the exact exclusion or condition in the rejection letter and your policy, then rebut that specific clause.
• Skipping the cybercrime or bank complaint. Most cyber policies require both. Without the cybercrime acknowledgement and the written bank dispute, the insurer has an easy reason to reject and the Ombudsman has less to work with.
• Deleting evidence. People often delete the phishing SMS, the fake caller's number, or the spoofed email out of frustration. Save every screenshot and message first — they are what defeat the "you authorised it" argument.
• Reporting late and not explaining why. Delay is one of the strongest grounds insurers use. Report fast, and if you were late for a genuine reason, explain it in writing with proof and ask for the delay to be condoned.
• Trying to RTI the private insurer. It is not a public authority. This wastes time. Use the insurer grievance, IRDAI, and Ombudsman routes, and reserve RTI for the police or cyber cell on action taken.
• Accepting a verbal "no". Always insist on the rejection in writing with the clause cited. A written, reasoned decision is what you need to escalate to IRDAI and the Ombudsman.