Cyber fraud in India: how it works, how to protect yourself, and what to do if you are targeted

Cyber fraud in India has grown significantly in volume and sophistication. The National Cyber Crime Reporting Portal receives millions of complaints annually. The schemes range from relatively simple UPI scams to elaborate multi-layer investment frauds, OTP frauds, job offer scams, and increasingly, AI-assisted impersonation. Understanding how these schemes work — and what the legal system can do when they succeed — is useful both as prevention and as a response guide.

The most common cyber fraud schemes

UPI and banking fraud remains the largest category by volume. This includes calls impersonating bank officials, fraudulent "KYC update" requests, and screen-sharing scams where the victim is talked into sharing their screen and then their OTPs. Investment fraud — fake trading apps, impersonation of SEBI or exchange officials, fraudulent cryptocurrency platforms — has grown dramatically and typically involves larger amounts.

Sextortion and digital arrest fraud are a more recent and particularly distressing category: the victim is either threatened with the release of intimate images, real or fabricated, or told by impersonators claiming to be police or customs officials that they are under "digital arrest" and must pay to clear themselves. These are entirely fabricated — Indian law recognises no such thing as "digital arrest."

Job offer scams targeting professionals and recent graduates, loan app fraud using illegally accessed contact lists to shame borrowers, and fake customer service numbers that intercept people looking for help from real companies complete the main picture.

Practical protection: what actually reduces risk

The most effective protection against most cyber fraud is a very simple principle: no legitimate institution will ever ask for your OTP, PIN, password, or CVV over the phone or through a link. Banks do not call to request this information. Police do not conduct arrests over video calls. SEBI does not call to warn you about a pending enforcement action. If someone claims to be from any of these institutions and is asking for money or credentials, it is fraud.

Beyond this, two-factor authentication on all financial accounts, keeping bank notifications active, using separate devices or profiles for financial transactions, and being extremely sceptical of investment opportunities that arrive unsolicited through social media or WhatsApp groups are all effective risk-reduction measures.

What to do immediately if you are defrauded

Speed matters. The 1930 helpline (or the NCRP portal at cybercrime.gov.in) allows immediate reporting of cyber fraud and, critically, can trigger a hold on the fraudulently obtained funds before they are moved further. The faster a complaint is filed, the higher the chance that some or all of the funds can be frozen and potentially recovered.

Contact your bank simultaneously to report the transaction and request a chargeback or recall where possible. Preserve all evidence — screenshots, transaction IDs, phone numbers, messages, and call logs. Do not delete anything, even if it is embarrassing. Evidence is essential for both the police complaint and any subsequent legal action.

Legal remedies: what the law provides

The Information Technology Act 2000, the Bharatiya Nyaya Sanhita 2023, and the Bharatiya Nagarik Suraksha Sanhita 2023 all contain provisions relevant to cyber fraud. Offences include identity theft, cheating by impersonation, criminal breach of trust, and the specific IT Act offences relating to computer fraud and unauthorised access. Complaints can be filed with the cyber crime police station, and in appropriate cases, the matter can be escalated through a private complaint before a Magistrate if the police do not register an FIR.

Civil remedies — including suits for recovery of the defrauded amount — are also available, though they are more useful where the fraudster can be identified and has reachable assets. In organised fraud cases, multiple victims sometimes find it effective to pool resources and proceed collectively.

In cyber-fraud matters, Vikram Singh Kushwaha has handled rapid-response situations involving compromised accounts, digital transactions, and urgent complaints to the appropriate authorities.

A strong response is both legal and practical: preserve proof, report quickly, keep correspondence consistent, and avoid steps that weaken later recovery or defreezing efforts.