Right to Information Wiki

How to recover money lost to UPI fraud — complete 2026 guide

India's working reference for the RTI Act, 2005 — current, sourced, and free.

Draft an RTI now Build a first appeal
no way to compare when less than two revisions

Differences

This shows you the differences between two versions of the page.


recover-money-upi-fraud-2026 [2026/04/26 09:25] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +{{htmlmetatags>metatag-keywords=(recover money UPI fraud,UPI fraud refund,1930 cybercrime helpline,cybercrime.gov.in complaint,RBI Limited Liability Circular 2017,zero liability fraud,OTP fraud recovery,KYC scam refund,fake QR code scam,AnyDesk fraud,screen-share scam,NPCI chargeback ODR,Banking Ombudsman RBIOS,IT Act 66D,BNS 316 318,FIR for cyber fraud)&metatag-description=(Step-by-step 2026 guide to recovering money lost to UPI fraud — call 1930 within the first hour, freeze your bank, file at cybercrime.gov.in within 24 hrs, claim zero liability under the RBI Limited Liability Circular dated 6 July 2017. With Banking Ombudsman escalation and the honest line on when RTI helps and when it doesn't.)}}
 +
 +====== How to recover money lost to UPI fraud — complete 2026 guide ======
 +
 +{{ :social:auto:recover-money-upi-fraud-2026.png?direct&1200 |How to recover money lost to UPI fraud 2026 — RTI Wiki citizen guide}}
 +
 +{{page>snippets:dpdp-banner}}
 +
 +<WRAP info>
 +**Quick answer.** The first 60 minutes decide everything. Do these three things **in parallel**, not one after the other:
 +  - **Call 1930** — the national cybercrime helpline (24x7, MoHA). Operator coordinates an immediate fund-freeze with the receiving bank.
 +  - **Call your bank's 24x7 fraud line** (SBI 1800-11-2211, HDFC 1800-258-6161, ICICI 1860-120-7777, Axis 1860-419-5555) — ask for an instant debit-freeze on your account.
 +  - **Open the UPI app** (PhonePe / GPay / Paytm) → "Help" → "Report fraud / unauthorised transaction" → submit the transaction ref.
 +
 +Within **24 hours**, file a detailed complaint at **cybercrime.gov.in**. Within **3 working days**, file a written dispute with your bank using their DRC (Dispute Resolution Committee) form. Under the **RBI Limited Liability Circular dated 6 July 2017**, if you report within 3 working days you are entitled to **zero liability** — the bank refunds you in full and recovers from the fraudster's bank later.
 +</WRAP>
 +
 +===== Sushil's story — "₹2.4 lakh gone in one OTP, ₹2.1 lakh recovered in 75 days" =====
 +
 +<WRAP center round box 80%>
 +//Sushil Deshpande, 39, IT manager at a manufacturing firm in Pune. Got a call on 14 March 2025 at 11:42 am from a number that displayed "HDFC KYC" on Truecaller.//
 +
 +> "The voice was calm, professional, even bored. He said my account would be deactivated in two hours if I didn't complete a 'pending KYC verification'. He read out my last four PAN digits — correctly. He asked me to read out an SMS code 'to confirm I'm the rightful holder'. I read it. Within four seconds, ₹2.4 lakh was debited from my SB account in three transactions to a Yes Bank current account in someone's name I'd never heard. I knew immediately what had happened. I called 1930. Total wait time on the helpline that morning — 9 minutes. The operator was sharp. She took the transaction IDs, my account number, the receiving account number from my SMS alerts, and within 35 minutes she had registered the case on NCRP. Parallelly I called HDFC's fraud line. By 1:15 pm — about 90 minutes from the fraud — HDFC confirmed they had flagged the receiving Yes Bank account; ₹1.6 lakh was already frozen there. By evening I had filed the full complaint at cybercrime.gov.in with 12 screenshots, the call recording, my bank statement, and the suspect mobile number. The Pune Cyber Police Station registered an FIR in 8 days under BNS 2023 §316/§318 plus IT Act §66D. HDFC's internal investigation took 71 days. The Banking Ombudsman award came on the 75th day — ₹1.6 lakh refunded to me from frozen funds, ₹50,000 paid by HDFC under the partial-liability slab (because by the bank's reckoning my report at 90 minutes counted as Day 1 — but the dispute form at the branch was signed Day 4, and they tried to use that), and ₹30,000 written off as unrecoverable. **One OTP cost me ₹30,000 net. Without 1930 within the first hour, it would have been the full ₹2.4 lakh.**"
 +
 +—Sushil, June 2025
 +</WRAP>
 +
 +The Indian Cyber Crime Coordination Centre (I4C) reported **over 11.31 lakh financial cyber-fraud complaints in 2024**, with citizens losing **₹11,333 crore** — and only about **₹1,200-1,500 crore recovered**. The single biggest predictor of recovery is **how fast you call 1930**. After 24 hours the recovery rate falls below 10%; after 7 days it is essentially zero — both because the money has been cashed out at the receiving end and because under the RBI circular full liability shifts to you.
 +
 +===== What this is — and the law that protects you =====
 +
 +A **UPI fraud** is any unauthorised debit from your bank account through a UPI / IMPS / NEFT / RTGS rail where you did not knowingly authorise the receiving party. Common variants:
 +
 +  * **OTP fraud** — caller poses as bank / NPCI / "RBI" and tricks you into reading an OTP.
 +  * **KYC update scam** — SMS or call says "your account will be blocked" and routes you to a fake link.
 +  * **Fake QR scan** — instead of receiving money you scan a "collect request" QR that debits you.
 +  * **Screen-share scam** — fraudster makes you install AnyDesk / TeamViewer / QuickSupport "to fix a stuck refund" and then operates your phone.
 +  * **AnyDesk / remote-access fraud** — variant of the above; full account drain.
 +  * **Bank-executive impersonation** — caller "from card desk" / "loan dept" extracts CVV + OTP.
 +  * **Dating / matrimonial / sextortion fraud** — emotional grooming → "emergency" UPI transfer → blackmail.
 +  * **UPI auto-debit fraud / silent mandate** — you approve a small mandate that quietly auto-debits later.
 +
 +The core protection is the **RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017** ("Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions"). The core rule:
 +
 +  * **Reported within 3 working days** of receiving the transaction alert → **zero liability** on the customer. Bank refunds in full within **10 working days** of report.
 +  * **Reported within 4-7 working days** → liability capped: ₹5,000 (BSBDA), ₹10,000 (most savings + ₹25 lakh credit cards), or ₹25,000 (high-balance / premium cards).
 +  * **Reported after 7 working days** → liability per the bank's Board-approved policy — usually 100% on the customer.
 +
 +Other statutes you will see cited on FIRs and notices:
 +
 +  * **IT Act 2000 §66C** — identity theft (use of someone's electronic signature / password / unique identifier).
 +  * **IT Act 2000 §66D** — cheating by personation using computer resource (the standard "OTP / KYC" charge).
 +  * **BNS 2023 §316** — criminal breach of trust.
 +  * **BNS 2023 §318** — cheating (replaces old IPC §420; 7 years + fine for cheating with delivery of property).
 +  * **BNSS 2023 §173** — police's mandatory duty to register FIR for any cognisable offence (codifies //Lalita Kumari v. Govt of UP, 2014 SCC 1//).
 +
 +===== Step-by-step process — three parallel tracks =====
 +
 +==== Step 1 — Within the first hour: 1930 + bank fraud line + freeze ====
 +
 +Open three things at the same time — your phone for 1930, a second phone or family member's phone for the bank line, and your UPI app.
 +
 +  * **1930** — pickup typically inside 10 minutes. Have ready: your name, mobile, account number, transaction IDs, receiving UPI ID / account number, suspect mobile / fake caller's number. Operator registers the case on the **National Cybercrime Reporting Portal (NCRP)** and triggers the **Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS)** — this is the live fund-freezing pipe to all 217+ member banks and 19 wallet partners.
 +  * **Bank fraud line** — ask for an immediate **debit-freeze** on your account, **stop-payment** on cards, and a **complaint reference number** (note it down — you will need it for the written dispute and the Ombudsman).
 +  * **UPI app** → "Help" → "Report a Fraud" → fill the in-app form → screenshot the acknowledgement.
 +
 +Do **not** click any link the fraudster sent. Do **not** install anything new. Do **not** reset your phone — you may destroy evidence.
 +
 +==== Step 2 — Within 24 hours: file at cybercrime.gov.in ====
 +
 +  * Open https://cybercrime.gov.in → "File a complaint" → "Report financial fraud" → register with mobile OTP.
 +  * Upload, in this order: bank SMS alerts (screenshots), bank statement showing the debits, transaction receipts from your UPI app, screenshots of any chat / call log with the fraudster, the fraudster's mobile number / UPI ID / website link.
 +  * The system generates an **acknowledgement number** beginning with the year (e.g., 2026XXXXXXXXX). Keep it safe — it links to the 1930 case automatically.
 +  * Within **15 days** convert the online complaint to an **FIR** at your local cyber police station — the portal sends a copy of your complaint to the SP cyber cell; visit the PS with a printout + ID.
 +
 +==== Step 3 — Within 3 working days: written dispute to the bank ====
 +
 +This is the legal trigger for the **3-day zero-liability** clock under the RBI circular. The 1930 call alone is **not** a written dispute.
 +
 +  * Visit your bank's home branch (or the nearest branch). Ask for the **Dispute Resolution Committee (DRC) form** — sometimes called Form FRM, Form DRC, or "Unauthorised Transaction Dispute Form".
 +  * Fill: transaction date / time / amount / reference, what happened, what protective steps you took, the 1930 case number, the cybercrime.gov.in acknowledgement, the FIR number (if filed).
 +  * Get a **stamped acknowledgement copy** with date and the receiving officer's signature. This is your single most important document.
 +  * Email a soft copy the same day to the bank's **Nodal Officer** (every bank lists this on its grievance page) and CC the **Principal Nodal Officer**.
 +
 +==== Step 4 — Bank investigation + transaction reversal ====
 +
 +  * Bank has **90 days** to investigate and decide. In practice, simple cases close in 15-30 days.
 +  * If the funds are still in the receiving bank's account, your bank may issue a **Transaction Reversal (TR)** — credit to your account, claim to be settled with the receiving bank.
 +  * For inter-bank cases the **NPCI Online Dispute Resolution (ODR)** mechanism is used — your bank initiates, NPCI brokers, receiving bank responds in T+5 days.
 +
 +==== Step 5 — If unresolved at 90 days: Banking Ombudsman (RBIOS) ====
 +
 +  * Free, online, fast. Open https://cms.rbi.org.in → "File a Complaint" → choose "Mobile / Electronic Banking" → fraud type.
 +  * Eligible only if (a) bank has rejected your complaint, OR (b) bank has not replied in 30 days from your written complaint, OR (c) you are unsatisfied with the bank's reply.
 +  * RBIOS has a **30-day SLA** for first hearing and can award up to **₹20 lakh** plus **₹1 lakh** for time/effort/mental harassment.
 +  * The Ombudsman directly applies the RBI Limited Liability Circular — most well-documented zero-liability cases are decided in your favour.
 +
 +==== Step 6 — In parallel: the FIR ====
 +
 +  * Cyber-crime is a **cognisable offence**. Police **must** register the FIR — //Lalita Kumari// is binding on every SHO.
 +  * If the SHO refuses, write to the **SP / DCP** under §173(4) BNSS, or move the **Magistrate** under §175(3) BNSS.
 +  * If still stuck, see [[:rti-for-fir-not-registered|RTI for FIR not registered — full template]].
 +
 +==== Step 7 — Civil suit for residual recovery (only for large amounts) ====
 +
 +If the fraud amount is large (typically > ₹10 lakh) and the criminal recovery is slow, a **summary suit** under Order 37 CPC against the receiving account-holder (whose KYC the police will have on the FIR) is sometimes used to attach their property. This needs an advocate; NALSA can give a free panel lawyer if your annual income is under ₹3 lakh.
 +
 +==== Step 8 — Hardening: what to do the same evening ====
 +
 +  * Change your **UPI PIN** on every UPI app you use.
 +  * Change your **net-banking password** and **m-banking MPIN**.
 +  * Disable **UPI Lite**, **UPI AutoPay**, and any **standing instructions** you don't recognise.
 +  * Revoke screen-share / accessibility permissions on all installed apps.
 +  * Run **Sanchar Saathi** (sancharsaathi.gov.in) → check connections issued on your name; report fake SIMs.
 +
 +===== Sample helpline + fee + SLA table =====
 +
 +<code>
 ++-----------------------------------+--------------------------------------+
 +| 1930 cybercrime helpline (MoHA)   | FREE. 24x7. First-hour fund-freeze.  |
 ++-----------------------------------+--------------------------------------+
 +| cybercrime.gov.in complaint       | FREE. Acknowledgement instant.       |
 +|                                   | Convert to FIR within 15 days.       |
 ++-----------------------------------+--------------------------------------+
 +| Bank DRC / Dispute form           | FREE. Stamped acknowledgement is     |
 +|                                   | the legal trigger for RBI circular.  |
 ++-----------------------------------+--------------------------------------+
 +| RBI Limited Liability Circular    | Day 0-3 → ZERO liability             |
 +| 6 July 2017 — slabs               | Day 4-7 → ₹5,000 / ₹10,000 / ₹25,000 |
 +|                                   | Day 8+   → as per bank's policy      |
 ++-----------------------------------+--------------------------------------+
 +| Bank investigation SLA            | 90 days. Refund in 10 working days   |
 +|                                   | of zero-liability decision.          |
 ++-----------------------------------+--------------------------------------+
 +| Banking Ombudsman (RBIOS)         | FREE. cms.rbi.org.in. 30-day SLA.    |
 +|                                   | Award up to ₹20L + ₹1L compensation. |
 ++-----------------------------------+--------------------------------------+
 +| FIR registration                  | FREE. Cognisable offence — must be   |
 +|                                   | registered (Lalita Kumari, BNSS 173).|
 ++-----------------------------------+--------------------------------------+
 +| RTI to PIO RBI Mumbai             | ₹10 IPO / DD. BPL = free.            |
 ++-----------------------------------+--------------------------------------+
 +</code>
 +
 +===== Bank fraud helplines — quick reference =====
 +
 +<code>
 ++-------------------------+-----------------------------+
 +| State Bank of India     | 1800-11-2211 / 1800-425-3800|
 ++-------------------------+-----------------------------+
 +| HDFC Bank               | 1800-258-6161               |
 ++-------------------------+-----------------------------+
 +| ICICI Bank              | 1860-120-7777               |
 ++-------------------------+-----------------------------+
 +| Axis Bank               | 1860-419-5555               |
 ++-------------------------+-----------------------------+
 +| Punjab National Bank    | 1800-180-2222               |
 ++-------------------------+-----------------------------+
 +| Bank of Baroda          | 1800-258-44-55              |
 ++-------------------------+-----------------------------+
 +| Kotak Mahindra Bank     | 1860-266-2666               |
 ++-------------------------+-----------------------------+
 +| Yes Bank                | 1800-1200                   |
 ++-------------------------+-----------------------------+
 +| IndusInd Bank           | 1860-267-7777               |
 ++-------------------------+-----------------------------+
 +| Union Bank of India     | 1800-22-2244                |
 ++-------------------------+-----------------------------+
 +</code>
 +
 +===== Common reasons recovery fails =====
 +
 +  * **Reported after 7 working days.** RBI circular shifts full liability to the customer. Even RBIOS will rarely overturn this unless you can prove genuine inability to report (hospitalised, abroad with no signal, etc.).
 +  * **Money already cashed out.** Mule accounts withdraw within hours. Once the cash is out at an ATM in a different state — or has been routed onward to crypto / abroad — recovery falls below 5%.
 +  * **Bank claims "OTP shared = customer negligence".** This is a **standard but often wrong** defence. The RBI circular explicitly covers transactions where the customer has been deceived (social engineering). Fight it at RBIOS — they routinely overrule banks on this.
 +  * **Cybercrime cell over-burdened.** Some PSs sit on cases for weeks before triggering the freeze. Always escalate via the SP cyber cell after 72 hours.
 +  * **Receiving account is in a co-operative bank or PPI wallet** — slower freeze pipeline; recovery harder.
 +  * **Customer disputed at the call centre but never filed the written DRC form.** Without the written form on file, the bank's position is "no formal complaint received".
 +  * **Fraudster used your own approved auto-pay mandate** (subscription scams). Banks treat these as authorised; you must revoke the mandate.
 +  * **Multi-step layering.** Funds bounce through 4-5 accounts in 30 minutes. Each hop adds one bank to coordinate. Reporting at minute 15 vs minute 90 changes everything.
 +
 +===== If stuck — the escalation ladder =====
 +
 +==== Rung 1 — Bank's nodal grievance officer ====
 +
 +Every bank's website lists a Customer Service / Grievance Redressal page with a **Nodal Officer** (state-level) and a **Principal Nodal Officer** (national). Email the principal nodal officer with: 1930 case number, cybercrime.gov.in acknowledgement, DRC form, FIR number, full transaction list, and your demand (full refund under RBI 2017 circular, with interest).
 +
 +==== Rung 2 — CGRO at the bank's regional office ====
 +
 +The **Consumer Grievance Redressal Officer (CGRO)** is mandated for every public-sector bank under DFS guidelines. They have power to overrule a branch-level rejection. SLA: 30 days.
 +
 +==== Rung 3 — Banking Ombudsman (RBIOS) ====
 +
 +The most important escalation. Open https://cms.rbi.org.in → register → file complaint. **Pre-condition:** 30 days must have passed since your written complaint to the bank, OR the bank must have rejected it. Free. 30-day SLA. Award up to ₹20 lakh + ₹1 lakh compensation. Decisions are appealable to the **Appellate Authority** (Deputy Governor) within 30 days.
 +
 +==== Rung 4 — Securities Appellate Tribunal (only for investment fraud) ====
 +
 +If the fraud was a fake-broker / fake-IPO / pump-and-dump that involved a registered intermediary, SAT (Mumbai, with benches in Delhi & Chennai) hears appeals from SEBI orders. Not for plain UPI fraud.
 +
 +==== Rung 5 — Right to Information (RTI) ====
 +
 +The Reserve Bank of India is a **public authority** under §2(h) RTI Act 2005 — confirmed by the Supreme Court in //Reserve Bank of India v. Jayantilal Mistry, (2016) 3 SCC 525//. Banks themselves are public authorities only if substantially government-owned (PSU banks yes; private banks no — but the RBI's regulatory file on a private bank is RTI-able from RBI).
 +
 +**RTI helps here when:**
 +
 +  * The bank has missed the 90-day SLA and the RBIOS hearing is months away — RTI to **PIO, RBI Mumbai (DEPR / DBS / Consumer Education and Protection Department)** asking for: (a) the bank's compliance report on the Limited Liability Circular for FY 2024-25, (b) the number of zero-liability cases the bank rejected and the basis, (c) any RBI inspection / supervisory action arising from cyber-fraud non-compliance.
 +  * The cyber police station has refused FIR — see [[:rti-for-fir-not-registered|RTI for FIR not registered]].
 +  * The 1930 / cybercrime.gov.in case shows "closed" without your knowing why — RTI to the **SP, Cyber Cell** of your district for the closure report and reasons.
 +  * You want similar-fraud trend data (useful for class-action / advocacy / media) — RTI to RBI for fraud-trend reports under §27 of the Banking Regulation Act.
 +
 +**RTI does NOT help here when:**
 +
 +  * You want your money back **today**. RTI gives information, not a refund. The right forum for the refund itself is your bank → CGRO → **RBIOS**.
 +  * The bank has decided the case in its 90-day window and you simply disagree — file at RBIOS, not RTI.
 +  * You want the fraudster identified — that's a police / cyber-cell job, not RTI; the police get the call records via §94 BNSS, you cannot get them via RTI (third-party personal information bar under §8(1)(j)).
 +  * The transaction was clearly authorised by you (you typed the UPI PIN voluntarily, no impersonation involved) — RBI circular does not cover voluntary transfers.
 +
 +===== FAQs =====
 +
 +**Q. The fraudster is calling again threatening to "report me". What do I do?**\\
 +Block the number, screenshot every threat, add it to your existing cybercrime.gov.in case as a fresh upload, inform the IO. Threats from a fraudster trying to discourage your complaint are a separate offence under BNS §351 (criminal intimidation).
 +
 +**Q. I shared the OTP. Will I still get a refund?**\\
 +Yes — if you were deceived (social engineering) and you reported within 3 working days, the RBI circular gives you zero liability irrespective of whether you "shared" the OTP. The bank's standard "OTP shared = your fault" line is not law. Fight it at RBIOS with the //Hare Ram Singh// and similar Ombudsman precedents.
 +
 +**Q. The 1930 number was busy. Is there a backup?**\\
 +Yes — immediately file at https://cybercrime.gov.in (the same backend as 1930) and call your bank's fraud line. Document the busy-1930 attempts (call log screenshot) — it strengthens your "reported in time" claim.
 +
 +**Q. My account is with a small co-operative bank that doesn't have a 24x7 fraud line. What do I do?**\\
 +Call 1930 first (still works — co-operative banks are on the NCRP rail too), then call the co-op bank's branch manager. UCBs are regulated by RBI since the 2020 amendment to the Banking Regulation Act, so the Limited Liability Circular and RBIOS both apply.
 +
 +**Q. I lost ₹4 lakh on a fake share-trading WhatsApp group. Is it covered?**\\
 +That's investment fraud, not pure UPI fraud — but the same 1930 + cybercrime.gov.in route applies. Recovery rates here are lower because you typed the UPI PIN voluntarily; the angle is "cheating by inducement" under BNS §318 + IT Act §66D. Also report to **SEBI's SCORES** portal (scores.sebi.gov.in) and tag the broker (if any).
 +
 +**Q. Can the bank refuse the DRC form?**\\
 +No. RBI's Master Circular on Customer Service makes it mandatory to accept and acknowledge any written grievance. If a branch refuses, email the Principal Nodal Officer the same day and complain to RBIOS (refusal-to-receive itself is a deficiency in service).
 +
 +**Q. How long after the Ombudsman award before I get my money?**\\
 +The bank has **30 days** from the date of the award to comply, failing which the RBI can impose a penalty. Most awards are honoured in 2-3 weeks.
 +
 +**Q. Is the RBI Ombudsman award final?**\\
 +The bank can appeal within 30 days to the **Appellate Authority** (a Deputy Governor of RBI). The customer can also appeal — but you can also choose to go to **Consumer Forum** for parallel relief, especially if you also want compensation for mental harassment.
 +
 +===== Related on RTI Wiki =====
 +
 +  * [[:file-cybercrime-complaint-2026|How to file a cybercrime complaint — full 2026 guide]]
 +  * [[:rti-for-fir-not-registered|RTI when the police refuse to register your FIR]]
 +  * [[:rti-for-beginners|RTI in 12 simple steps — for first-time filers]]
 +  * [[:helplines:start|All Indian government helplines — one master directory]]
 +  * [[:forms:start|RTI forms + state-wise fee chart]]
 +
 +//Last reviewed: 26 April 2026 by RTI Wiki editorial team. RBI circulars and bank helplines change — verify on rbi.org.in / cms.rbi.org.in / cybercrime.gov.in or write to admin@bighelpers.in if you spot a stale figure.//
 +
 +{{tag>upi-fraud cyber-fraud 1930 cybercrime-helpline rbi-limited-liability-circular zero-liability banking-ombudsman rbios it-act-66d bns-318 npci-odr drc-form fir-cyber-crime citizen-guide help-first 2026}}
  

Use this page

Turn the guidance into a filing-ready request, appeal, or reply review.

Open RTI drafting tool

Popular help

Quick links