The Indian Cyber Crime Coordination Centre (I4C) reported over 11.31 lakh financial cyber-fraud complaints in 2024, with citizens losing ₹11,333 crore — and only about ₹1,200-1,500 crore recovered. The single biggest predictor of recovery is how fast you call 1930. After 24 hours the recovery rate falls below 10%; after 7 days it is essentially zero — both because the money has been cashed out at the receiving end and because under the RBI circular full liability shifts to you.

A UPI fraud is any unauthorised debit from your bank account through a UPI / IMPS / NEFT / RTGS rail where you did not knowingly authorise the receiving party. Common variants:

• OTP fraud — caller poses as bank / NPCI / “RBI” and tricks you into reading an OTP.
• KYC update scam — SMS or call says “your account will be blocked” and routes you to a fake link.
• Fake QR scan — instead of receiving money you scan a “collect request” QR that debits you.
• Screen-share scam — fraudster makes you install AnyDesk / TeamViewer / QuickSupport “to fix a stuck refund” and then operates your phone.
• AnyDesk / remote-access fraud — variant of the above; full account drain.
• Bank-executive impersonation — caller “from card desk” / “loan dept” extracts CVV + OTP.
• Dating / matrimonial / sextortion fraud — emotional grooming → “emergency” UPI transfer → blackmail.
• UPI auto-debit fraud / silent mandate — you approve a small mandate that quietly auto-debits later.

The core protection is the RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017 (“Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions”). The core rule:

• Reported within 3 working days of receiving the transaction alert → zero liability on the customer. Bank refunds in full within 10 working days of report.
• Reported within 4-7 working days → liability capped: ₹5,000 (BSBDA), ₹10,000 (most savings + ₹25 lakh credit cards), or ₹25,000 (high-balance / premium cards).
• Reported after 7 working days → liability per the bank's Board-approved policy — usually 100% on the customer.

Other statutes you will see cited on FIRs and notices:

• IT Act 2000 §66C — identity theft (use of someone's electronic signature / password / unique identifier).
• IT Act 2000 §66D — cheating by personation using computer resource (the standard “OTP / KYC” charge).
• BNS 2023 §316 — criminal breach of trust.
• BNS 2023 §318 — cheating (replaces old IPC §420; 7 years + fine for cheating with delivery of property).
• BNSS 2023 §173 — police's mandatory duty to register FIR for any cognisable offence (codifies Lalita Kumari v. Govt of UP, 2014 SCC 1).

Open three things at the same time — your phone for 1930, a second phone or family member's phone for the bank line, and your UPI app.

• 1930 — pickup typically inside 10 minutes. Have ready: your name, mobile, account number, transaction IDs, receiving UPI ID / account number, suspect mobile / fake caller's number. Operator registers the case on the National Cybercrime Reporting Portal (NCRP) and triggers the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS) — this is the live fund-freezing pipe to all 217+ member banks and 19 wallet partners.
• Bank fraud line — ask for an immediate debit-freeze on your account, stop-payment on cards, and a complaint reference number (note it down — you will need it for the written dispute and the Ombudsman).
• UPI app → “Help” → “Report a Fraud” → fill the in-app form → screenshot the acknowledgement.

Do not click any link the fraudster sent. Do not install anything new. Do not reset your phone — you may destroy evidence.

• Open https://cybercrime.gov.in → “File a complaint” → “Report financial fraud” → register with mobile OTP.
• Upload, in this order: bank SMS alerts (screenshots), bank statement showing the debits, transaction receipts from your UPI app, screenshots of any chat / call log with the fraudster, the fraudster's mobile number / UPI ID / website link.
• The system generates an acknowledgement number beginning with the year (e.g., 2026XXXXXXXXX). Keep it safe — it links to the 1930 case automatically.
• Within 15 days convert the online complaint to an FIR at your local cyber police station — the portal sends a copy of your complaint to the SP cyber cell; visit the PS with a printout + ID.

This is the legal trigger for the 3-day zero-liability clock under the RBI circular. The 1930 call alone is not a written dispute.

• Visit your bank's home branch (or the nearest branch). Ask for the Dispute Resolution Committee (DRC) form — sometimes called Form FRM, Form DRC, or “Unauthorised Transaction Dispute Form”.
• Fill: transaction date / time / amount / reference, what happened, what protective steps you took, the 1930 case number, the cybercrime.gov.in acknowledgement, the FIR number (if filed).
• Get a stamped acknowledgement copy with date and the receiving officer's signature. This is your single most important document.
• Email a soft copy the same day to the bank's Nodal Officer (every bank lists this on its grievance page) and CC the Principal Nodal Officer.

• Bank has 90 days to investigate and decide. In practice, simple cases close in 15-30 days.
• If the funds are still in the receiving bank's account, your bank may issue a Transaction Reversal (TR) — credit to your account, claim to be settled with the receiving bank.
• For inter-bank cases the NPCI Online Dispute Resolution (ODR) mechanism is used — your bank initiates, NPCI brokers, receiving bank responds in T+5 days.

• Free, online, fast. Open https://cms.rbi.org.in → “File a Complaint” → choose “Mobile / Electronic Banking” → fraud type.
• Eligible only if (a) bank has rejected your complaint, OR (b) bank has not replied in 30 days from your written complaint, OR © you are unsatisfied with the bank's reply.
• RBIOS has a 30-day SLA for first hearing and can award up to ₹20 lakh plus ₹1 lakh for time/effort/mental harassment.
• The Ombudsman directly applies the RBI Limited Liability Circular — most well-documented zero-liability cases are decided in your favour.

• Cyber-crime is a cognisable offence. Police must register the FIR — Lalita Kumari is binding on every SHO.
• If the SHO refuses, write to the SP / DCP under §173(4) BNSS, or move the Magistrate under §175(3) BNSS.
• If still stuck, see RTI for FIR not registered — full template.

If the fraud amount is large (typically > ₹10 lakh) and the criminal recovery is slow, a summary suit under Order 37 CPC against the receiving account-holder (whose KYC the police will have on the FIR) is sometimes used to attach their property. This needs an advocate; NALSA can give a free panel lawyer if your annual income is under ₹3 lakh.

• Change your UPI PIN on every UPI app you use.
• Change your net-banking password and m-banking MPIN.
• Disable UPI Lite, UPI AutoPay, and any standing instructions you don't recognise.
• Revoke screen-share / accessibility permissions on all installed apps.
• Run Sanchar Saathi (sancharsaathi.gov.in) → check connections issued on your name; report fake SIMs.

+-----------------------------------+--------------------------------------+
| 1930 cybercrime helpline (MoHA)   | FREE. 24x7. First-hour fund-freeze.  |
+-----------------------------------+--------------------------------------+
| cybercrime.gov.in complaint       | FREE. Acknowledgement instant.       |
|                                   | Convert to FIR within 15 days.       |
+-----------------------------------+--------------------------------------+
| Bank DRC / Dispute form           | FREE. Stamped acknowledgement is     |
|                                   | the legal trigger for RBI circular.  |
+-----------------------------------+--------------------------------------+
| RBI Limited Liability Circular    | Day 0-3 → ZERO liability             |
| 6 July 2017 — slabs               | Day 4-7 → ₹5,000 / ₹10,000 / ₹25,000 |
|                                   | Day 8+   → as per bank's policy      |
+-----------------------------------+--------------------------------------+
| Bank investigation SLA            | 90 days. Refund in 10 working days   |
|                                   | of zero-liability decision.          |
+-----------------------------------+--------------------------------------+
| Banking Ombudsman (RBIOS)         | FREE. cms.rbi.org.in. 30-day SLA.    |
|                                   | Award up to ₹20L + ₹1L compensation. |
+-----------------------------------+--------------------------------------+
| FIR registration                  | FREE. Cognisable offence — must be   |
|                                   | registered (Lalita Kumari, BNSS 173).|
+-----------------------------------+--------------------------------------+
| RTI to PIO RBI Mumbai             | ₹10 IPO / DD. BPL = free.            |
+-----------------------------------+--------------------------------------+

+-------------------------+-----------------------------+
| State Bank of India     | 1800-11-2211 / 1800-425-3800|
+-------------------------+-----------------------------+
| HDFC Bank               | 1800-258-6161               |
+-------------------------+-----------------------------+
| ICICI Bank              | 1860-120-7777               |
+-------------------------+-----------------------------+
| Axis Bank               | 1860-419-5555               |
+-------------------------+-----------------------------+
| Punjab National Bank    | 1800-180-2222               |
+-------------------------+-----------------------------+
| Bank of Baroda          | 1800-258-44-55              |
+-------------------------+-----------------------------+
| Kotak Mahindra Bank     | 1860-266-2666               |
+-------------------------+-----------------------------+
| Yes Bank                | 1800-1200                   |
+-------------------------+-----------------------------+
| IndusInd Bank           | 1860-267-7777               |
+-------------------------+-----------------------------+
| Union Bank of India     | 1800-22-2244                |
+-------------------------+-----------------------------+

• Reported after 7 working days. RBI circular shifts full liability to the customer. Even RBIOS will rarely overturn this unless you can prove genuine inability to report (hospitalised, abroad with no signal, etc.).
• Money already cashed out. Mule accounts withdraw within hours. Once the cash is out at an ATM in a different state — or has been routed onward to crypto / abroad — recovery falls below 5%.
• Bank claims “OTP shared = customer negligence”. This is a standard but often wrong defence. The RBI circular explicitly covers transactions where the customer has been deceived (social engineering). Fight it at RBIOS — they routinely overrule banks on this.
• Cybercrime cell over-burdened. Some PSs sit on cases for weeks before triggering the freeze. Always escalate via the SP cyber cell after 72 hours.
• Receiving account is in a co-operative bank or PPI wallet — slower freeze pipeline; recovery harder.
• Customer disputed at the call centre but never filed the written DRC form. Without the written form on file, the bank's position is “no formal complaint received”.
• Fraudster used your own approved auto-pay mandate (subscription scams). Banks treat these as authorised; you must revoke the mandate.
• Multi-step layering. Funds bounce through 4-5 accounts in 30 minutes. Each hop adds one bank to coordinate. Reporting at minute 15 vs minute 90 changes everything.

Every bank's website lists a Customer Service / Grievance Redressal page with a Nodal Officer (state-level) and a Principal Nodal Officer (national). Email the principal nodal officer with: 1930 case number, cybercrime.gov.in acknowledgement, DRC form, FIR number, full transaction list, and your demand (full refund under RBI 2017 circular, with interest).

The Consumer Grievance Redressal Officer (CGRO) is mandated for every public-sector bank under DFS guidelines. They have power to overrule a branch-level rejection. SLA: 30 days.

The most important escalation. Open https://cms.rbi.org.in → register → file complaint. Pre-condition: 30 days must have passed since your written complaint to the bank, OR the bank must have rejected it. Free. 30-day SLA. Award up to ₹20 lakh + ₹1 lakh compensation. Decisions are appealable to the Appellate Authority (Deputy Governor) within 30 days.

If the fraud was a fake-broker / fake-IPO / pump-and-dump that involved a registered intermediary, SAT (Mumbai, with benches in Delhi & Chennai) hears appeals from SEBI orders. Not for plain UPI fraud.

The Reserve Bank of India is a public authority under §2(h) RTI Act 2005 — confirmed by the Supreme Court in Reserve Bank of India v. Jayantilal Mistry, (2016) 3 SCC 525. Banks themselves are public authorities only if substantially government-owned (PSU banks yes; private banks no — but the RBI's regulatory file on a private bank is RTI-able from RBI).

RTI helps here when:

• The bank has missed the 90-day SLA and the RBIOS hearing is months away — RTI to PIO, RBI Mumbai (DEPR / DBS / Consumer Education and Protection Department) asking for: (a) the bank's compliance report on the Limited Liability Circular for FY 2024-25, (b) the number of zero-liability cases the bank rejected and the basis, © any RBI inspection / supervisory action arising from cyber-fraud non-compliance.
• The cyber police station has refused FIR — see RTI for FIR not registered.
• The 1930 / cybercrime.gov.in case shows “closed” without your knowing why — RTI to the SP, Cyber Cell of your district for the closure report and reasons.
• You want similar-fraud trend data (useful for class-action / advocacy / media) — RTI to RBI for fraud-trend reports under §27 of the Banking Regulation Act.

RTI does NOT help here when:

• You want your money back today. RTI gives information, not a refund. The right forum for the refund itself is your bank → CGRO → RBIOS.
• The bank has decided the case in its 90-day window and you simply disagree — file at RBIOS, not RTI.
• You want the fraudster identified — that's a police / cyber-cell job, not RTI; the police get the call records via §94 BNSS, you cannot get them via RTI (third-party personal information bar under §8(1)(j)).
• The transaction was clearly authorised by you (you typed the UPI PIN voluntarily, no impersonation involved) — RBI circular does not cover voluntary transfers.

Q. The fraudster is calling again threatening to “report me”. What do I do?
Block the number, screenshot every threat, add it to your existing cybercrime.gov.in case as a fresh upload, inform the IO. Threats from a fraudster trying to discourage your complaint are a separate offence under BNS §351 (criminal intimidation).

Q. I shared the OTP. Will I still get a refund?
Yes — if you were deceived (social engineering) and you reported within 3 working days, the RBI circular gives you zero liability irrespective of whether you “shared” the OTP. The bank's standard “OTP shared = your fault” line is not law. Fight it at RBIOS with the Hare Ram Singh and similar Ombudsman precedents.

Q. The 1930 number was busy. Is there a backup?
Yes — immediately file at https://cybercrime.gov.in (the same backend as 1930) and call your bank's fraud line. Document the busy-1930 attempts (call log screenshot) — it strengthens your “reported in time” claim.

Q. My account is with a small co-operative bank that doesn't have a 24×7 fraud line. What do I do?
Call 1930 first (still works — co-operative banks are on the NCRP rail too), then call the co-op bank's branch manager. UCBs are regulated by RBI since the 2020 amendment to the Banking Regulation Act, so the Limited Liability Circular and RBIOS both apply.

Q. I lost ₹4 lakh on a fake share-trading WhatsApp group. Is it covered?
That's investment fraud, not pure UPI fraud — but the same 1930 + cybercrime.gov.in route applies. Recovery rates here are lower because you typed the UPI PIN voluntarily; the angle is “cheating by inducement” under BNS §318 + IT Act §66D. Also report to SEBI's SCORES portal (scores.sebi.gov.in) and tag the broker (if any).

Q. Can the bank refuse the DRC form?
No. RBI's Master Circular on Customer Service makes it mandatory to accept and acknowledge any written grievance. If a branch refuses, email the Principal Nodal Officer the same day and complain to RBIOS (refusal-to-receive itself is a deficiency in service).

Q. How long after the Ombudsman award before I get my money?
The bank has 30 days from the date of the award to comply, failing which the RBI can impose a penalty. Most awards are honoured in 2-3 weeks.

Q. Is the RBI Ombudsman award final?
The bank can appeal within 30 days to the Appellate Authority (a Deputy Governor of RBI). The customer can also appeal — but you can also choose to go to Consumer Forum for parallel relief, especially if you also want compensation for mental harassment.

• How to file a cybercrime complaint — full 2026 guide
• RTI when the police refuse to register your FIR
• RTI in 12 simple steps — for first-time filers
• All Indian government helplines — one master directory
• RTI forms + state-wise fee chart

Last reviewed: 26 April 2026 by RTI Wiki editorial team. RBI circulars and bank helplines change — verify on rbi.org.in / cms.rbi.org.in / cybercrime.gov.in or write to admin@bighelpers.in if you spot a stale figure.