Realizing you have fallen victim to online fraud is an incredibly stressful experience, but panicking will only cost you precious time. In the digital age, speed is your greatest weapon. The Indian legal framework—primarily driven by the Information Technology (IT) Act, 2000, and supported by the newly implemented Bharatiya Nyaya Sanhita (BNS)—provides specific, actionable remedies to freeze stolen funds and penalize cybercriminals.
Here is the exact, step-by-step legal blueprint you must follow to report online fraud and protect your rights in India.
1 The "Golden Hour" Protocol
Dial 1930 Now
If the fraud involves a financial loss (UPI, credit card, bank transfer), call 1930 immediately. This connects you to the Citizen Financial Cyber Fraud Reporting and Management System. Providing your transaction details can trigger an immediate alert to the banks involved to freeze the suspect's accounts.
Register on NCRP — cybercrime.gov.in
Visit cybercrime.gov.in and click "Report Financial Fraud." You will need: exact transaction details, screenshots of chats or SMS alerts, and the suspected phone numbers or URLs. This generates a formal complaint reference number — keep it safe for all future follow-ups.
Notify Your Bank in Writing
Contact your bank's fraud department and forward your 1930 complaint number. Under RBI guidelines, if you report unauthorized transactions within 3 working days, your liability is capped, and the bank must compensate you for the stolen amount.
Preserve All Digital Evidence
Do not delete the scammer's messages, call logs, or emails. Under Section 63 of the Bharatiya Sakshya Adhiniyam (BSA)—which replaced the Indian Evidence Act—electronic records are primary evidence. Take screenshots and back them up to a cloud drive immediately.
Convert to an e-FIR
If your loss is substantial or requires deep investigation, your NCRP complaint will be converted into an FIR under Section 173 of the BNSS by the jurisdictional cyber cell. You may be called to the station to physically sign the FIR within three days of its digital generation.
2 Your Rights Under the IT Act, 2000
When you file your complaint, the cyber police will register the case under specific sections of the IT Act, often paired with cheating provisions of the BNS. Knowing these sections helps you understand the gravity of the charges being pressed on your behalf:
| The Crime | The Law | What It Covers |
|---|---|---|
| Identity Theft | Section 66C, IT Act | Using your password, PIN, or digital signature to steal funds. Punishable by up to 3 years imprisonment. |
| Phishing / Spoofing | Section 66D, IT Act | Cheating by impersonating a legitimate entity (e.g., fake bank emails, fraudulent UPI handles). |
| Data Theft & Hacking | Sections 43 & 66, IT Act | Gaining unauthorized access to your computer or banking network. Civil remedy + criminal prosecution. |
| Organised Cyber Crime | Section 111, BNS | Groups running coordinated scam call centers or syndicate fraud. Attracts severe organized crime penalties. |
🌐 Extra-Territorial Jurisdiction — Section 75, IT Act
The IT Act operates beyond India's borders. Even if the scammer is operating from outside India, they can still be prosecuted under Indian law if the crime targeted a computer system or network located within India. This is a powerful tool against international cyber fraud networks.
3 If the Police Refuse to Register Your Case
While the digital portals have made reporting seamless, local police stations sometimes hesitate to register complex cyber cases. If your local station refuses to convert a valid complaint into an FIR, you have a clear legal escalation path:
Step 1: Local Police Station
File your written complaint in person. If refused, obtain a written refusal note (or document the refusal with witnesses).
Step 2: Superintendent / DCP of Police
Send your written complaint directly to the SP or Deputy Commissioner of Police (DCP) of your district via Registered Post with Acknowledgment Due. They are legally obliged to take cognizance.
Step 3: Jurisdictional Magistrate — Section 175, BNSS
If the SP does not act, you have the right to file a complaint directly with the Magistrate under Section 175 of the BNSS, who can legally order the police to investigate the matter. The court can direct registration of an FIR.
⚠️ Do Not Delete Evidence Before Going to Court
Courts handling cyber cases need digital evidence intact. Deleting, overwriting, or factory resetting your device before evidence is documented by a forensic expert can permanently destroy your case and lose you any chance of recovery.
4 RBI Zero-Liability Protection (Updated June 2026)
The Reserve Bank of India (RBI) operates on a strict framework designed to protect customers from bearing the financial brunt of digital fraud. In June 2026, the RBI significantly updated these rules under the "Responsible Business Conduct" directions, expanding protections and introducing a new compensation mechanism.
When Does Zero Liability Apply?
Bank Negligence
If the fraud happened due to a deficiency, security breach, or system malfunction on the bank's end, you are fully protected — regardless of when you report.
Third-Party Breach
If the fault lies with a payment gateway or telecom provider (not you, not the bank), report within 5 days of the transaction for full zero liability.
Bank Investigation Window
Banks must resolve domestic fraudulent transactions within 45 days. Cross-border transactions get 60 days.
2026 Small-Value Compensation
Losses up to ₹50,000 may qualify for compensation of 85% of net loss or ₹25,000 — whichever is lower.
Liability Rules: What If It Was Your Fault?
| Scenario | Your Liability | After Reporting? |
|---|---|---|
| Bank's security failure | Zero Liability | Fully covered immediately, no reporting deadline. |
| Third-party breach, reported within 5 days | Zero Liability | Bank absorbs the full loss. |
| You shared OTP/PIN (customer negligence) | Full Loss Until Reported | Transactions after you notify the bank are fully covered. |
| Shared credentials; delayed reporting (7+ days) | Full Loss | Bank may bear only partial liability at its discretion. |
5 The 2026 Small-Value Compensation Rule
A major addition to the June 2026 RBI framework is a safety net specifically for victims of smaller digital frauds. If you suffer a gross loss of up to ₹50,000, you may be eligible for the following:
2026 RBI Small-Value Fraud Compensation
✅ Mandatory Reporting Channels
To qualify, you must report to both your bank and either the NCRP portal (cybercrime.gov.in) or the 1930 helpline within five calendar days of the unauthorized transaction.
6 How to Claim Your Money Back — Step by Step
To activate your protections and secure a refund under the RBI guidelines, you must act swiftly and follow this exact sequence:
Call 1930 & Register on NCRP
Call the National Cyber Crime Helpline at 1930 and register a formal complaint on cybercrime.gov.in. This is a mandatory prerequisite for claiming compensation under the 2026 updated rules. Save your complaint reference number.
Notify Your Bank in Writing
Contact your bank's fraud reporting channel (mandated to be available 24/7) and report the unauthorized transaction. Provide your NCRP complaint number. Doing this within five calendar days triggers your zero-liability protection for third-party breach scenarios.
Request a Shadow Reversal
If the fraud occurred on a credit card, the bank is legally required to provide a "shadow reversal" (a temporary credit of the disputed amount) within five calendar days of receiving your notification. This ensures you don't pay the fraudulent amount while the investigation is ongoing.
Monitor the Bank's Investigation
The bank must investigate and determine liability—with the burden of proving customer negligence lying entirely on them. The bank has a maximum of 45 calendar days (domestic) or 60 days (cross-border) to resolve the case. Once your eligibility is confirmed, the temporary credit becomes final.
