₹1,000 crore is lost to UPI fraud every quarter in India. The first 30 minutes after the fraud are what decide whether you get the money back. This guide is your action plan.

• First step: dial 1930 (cyber-crime helpline) within minutes — this freezes the receiving account.
• Within 3 working days: write to your bank — under RBI's “limited liability” circular, you owe ₹0 if reported in time.
• File complaint at cybercrime.gov.in — get the acknowledgement number.
• Bank must reverse the entry within 10 working days if fraud is confirmed.
• Section 66D IT Act + BNS Section 318 (cheating by personation): legal basis for police action.
• NPCI ODR for UPI-specific disputes.
• Never share OTP, PIN, or scan a stranger's QR for “receiving” money — most common scam pattern.

• Information Technology Act, 2000 — Section 66D: cheating by personation using computer resource — up to 3 years jail + ₹1 lakh fine.
• Bharatiya Nyaya Sanhita, 2023 — Sections 318 (cheating), 319 (cheating by personation), 336 (forgery).
• RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017 — “Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions”.
• NPCI Procedural Guidelines for UPI — dispute resolution timeline.
• Indian Cyber Crime Coordination Centre (I4C) under MHA runs cybercrime.gov.in and 1930.

The clock starts from the bank communication of the transaction (SMS / email).

• Freeze the receiving account by complaining to 1930 fast.
• Demand reversal in writing from your bank.
• File FIR + cybercrime.gov.in complaint in parallel — both needed.
• Approach the Banking Ombudsman if your bank refuses after 30 days.
• Approach NPCI ODR for UPI-specific disputes.
• Sue for compensation in consumer court for bank deficiency of service.

• Approach the receiving bank directly as a non-customer.
• Demand criminal recovery without an FIR.
• Get full refund automatically without reporting within 3 working days.
• Claim “I shared OTP under pressure” — voluntary OTP sharing is treated as customer negligence in many cases.

1. Take screenshots of every WhatsApp / SMS / call log / UPI debit message.
2. Call 1930 — give the UTR number from your debit SMS. The 1930 portal alerts the receiving bank within minutes to freeze the credit.
3. Get the acknowledgement / ticket number.

1. File on cybercrime.gov.in — choose “Financial Fraud / UPI Fraud”. Upload all screenshots. Note the portal acknowledgement number.
2. Email and visit your bank branch with a written complaint. Mention “unauthorised electronic banking transaction” and quote RBI Circular 6 July 2017.
3. Block your card / UPI / netbanking through the app.

1. File an FIR at the local police station, attaching the cybercrime portal complaint and bank acknowledgement.
2. Check your bank's response timeline: they have 10 working days to provisionally credit the disputed amount.
3. If no response in 10 working days, escalate to:
   • Bank's Internal Ombudsman / Nodal Officer
   • RBI Banking Ombudsman at cms.rbi.org.in (free, online)
   • NPCI ODR portal for UPI-specific issues at dispute.npci.org.in

1. If unresolved: consumer court (district forum, free for amounts up to ₹50 lakh after CPA 2019).

• Bank's debit SMS / email with UTR / RRN / Transaction ID.
• Screenshots of fraudster's UPI ID / VPA / phone number / WhatsApp chat.
• Screenshot of QR code if scanned.
• Call recordings (legal in India when one party records).
• 1930 ticket number.
• cybercrime.gov.in acknowledgement.
• Written bank complaint with seal.
• FIR copy.

• Fraudster: Section 66D IT Act (3 years + ₹1 lakh) + BNS Section 318/319 (up to 7 years).
• Bank (for delay or denial): RBI penalty + Banking Ombudsman compensation up to ₹20 lakh.
• You (if delayed > 7 days): partial or full loss as per bank policy.

UPI fraud is a central matter (RBI + NPCI + I4C). State cyber cells handle the police investigation. Maharashtra, Karnataka, Tamil Nadu, Telangana have dedicated cyber-crime police stations in major cities.

1. Calling the fraudster's number to “ask for the money back” — wastes the freeze window.
2. Not noting the UTR before deleting SMS.
3. Believing the bank when they say “complain to police first” — wrong. Bank complaint within 3 days is the legal anchor.
4. Sharing screen on AnyDesk / TeamViewer with a stranger.
5. Reading out the OTP “to confirm refund”.
6. Scanning a QR code that says “RECEIVING ₹XXX” — QR scans are for paying, never receiving.
7. Trusting fake bank apps delivered via WhatsApp APK.
8. Believing “customer care callbacks” asking for KYC — banks never ask for OTP.

Yes if reported within 3 days, but the bank can argue customer negligence. Outcome depends on circumstances (SIM-swap, social engineering). The 3-day filing is what matters legally.

Push back with RBI 6 July 2017 circular. If still refused, RBI Banking Ombudsman.

1930 + NPCI alert both banks within minutes. The receiving bank is required to freeze the suspect amount.

Yes — SIM swap, account takeover, malware. Treat exactly the same. Report immediately.

Yes. The IFSC + account number is on every UPI transaction. Police get it via the cybercrime portal in minutes.

Fraudsters route money through innocent people's accounts. If your account was used as a mule, it can be frozen — file FIR and prove no involvement.

Yes — all are NPCI-licensed Third-Party App Providers (TPAPs). Same rules.

If reported within 3 days and fraud is established, the bank must refund. Above 7 days, it depends on bank policy.

A common scam: fraudster sends a small UPI credit, then calls “by mistake, please return”. The original credit is reversible by the bank — you lose what you sent.

In consumer court, yes — limited compensation for harassment + costs.

• Save 1930 + your bank's 24×7 fraud number on speed dial.
• Within 30 minutes: 1930 + cybercrime.gov.in + bank email + screenshots.
• Get every acknowledgement number in writing.
• File FIR within 24 hours.
• Banking Ombudsman if no response in 30 days.
• Never share OTP, PIN, screen, or APK file.

• Information Technology Act, 2000 — Sections 43, 66, 66D.
• Bharatiya Nyaya Sanhita, 2023 — Sections 318, 319, 336.
• RBI Customer Protection Circular, DBR.No.Leg.BC.78/09.07.005/2017-18, 6 July 2017.
• National Cyber Crime Reporting Portal — cybercrime.gov.in.
• I4C Helpline 1930 — i4c.mha.gov.in.
• NPCI ODR Portal — dispute.npci.org.in.
• RBI Banking Ombudsman — cms.rbi.org.in.

• Police powers in India: what police can and cannot do — arrest rules, FIR rights, BNSS Section 35
• UPI fraud: what to do immediately, how to recover money — 1930 helpline, RBI 3-day rule
• Is cryptocurrency legal in India? — 30% tax, 1% TDS, FIU-IND rules
• Income Tax notice — what it means and what to do — 143(1) / 142(1) / 148 explained
• Is online gaming legal in India? — fantasy sports, rummy, poker (2026)
• File an RTI online in 12 steps · RTI Act, 2005 (full text) · Landmark CIC + SC rulings