What to Do If Your Bank Account Is Hacked

Veritect Legal Intelligence

If your bank account is hacked or money is stolen through unauthorised transactions, immediately call your bank to block your account and then call the cybercrime helpline at 1930 within 24 hours. Under RBI guidelines, if you report the fraud within 3 working days and you were not negligent, your liability is zero — the bank must reimburse the full amount. The faster you act, the higher the chance of recovery, because banks and police can freeze the fraudster's account before the money is withdrawn.

Why this matters

Digital banking fraud in India is growing at an alarming rate. UPI scams, phishing attacks, SIM swapping, remote access frauds, and card skimming cost Indian consumers thousands of crores every year. The RBI has put in place clear rules about customer liability in such cases, but most people do not know these rules exist. The difference between losing your money permanently and getting it back often comes down to how quickly you report the fraud and whether you follow the right steps.

Step-by-step: What to do immediately

1. Call your bank immediately — block everything

The moment you suspect your account is compromised, call your bank's 24/7 customer care number and:

  • Request immediate blocking of your debit card, credit card, and internet banking access
  • Request freezing of your bank account to prevent further transactions
  • Report the specific unauthorised transaction(s) — provide the date, time, and amount
  • Get a complaint reference number and the name of the person you spoke to

In practice: Every minute counts. Fraudsters often move stolen money through multiple accounts within hours. Blocking your account stops the bleeding. Keep your bank's helpline number saved in your phone.

Important: Under the RBI Master Direction on Digital Payment Security Controls (2021), banks must provide a 24/7 mechanism for customers to report unauthorised transactions and block their accounts. If the automated system does not work, try visiting your branch in person the next morning.

2. Call the cybercrime helpline — 1930

Call 1930 immediately after calling your bank. This toll-free helpline, operated by the Ministry of Home Affairs, routes your complaint to the relevant cyber police and banks in real-time. The system can flag the fraudster's account across banks and initiate a hold on the funds.

In practice: Have these details ready: your bank name and account number, the amount stolen, the date and time of the transaction, and the fraudster's UPI ID or account details (if available).

3. File a complaint on cybercrime.gov.in

Visit https://cybercrime.gov.in and file a complaint under "Financial Fraud." Upload:

  • Bank statements showing the unauthorised transactions
  • Screenshots of any phishing messages, fake UPI requests, or suspicious communications
  • Your bank complaint reference number
  • The 1930 helpline complaint number

In practice: The online complaint creates a formal record and triggers an investigation by the state cyber police. Track the complaint using your complaint number.

4. Report to your bank in writing within 3 days

Within 3 working days of the fraud, send a written complaint to your bank (email + registered post) documenting:

  • The unauthorised transaction details (date, time, amount, transaction reference)
  • That you did not authorise the transaction
  • That you have reported it to the cybercrime helpline and portal
  • A request for refund under the RBI's zero liability framework

In practice: The 3-day window is critical. Under RBI guidelines, if you report within 3 working days and the fraud was not due to your negligence, the bank must reimburse you fully. After 3 days, your liability increases.

5. File an FIR at the police station

Visit your nearest police station and file an FIR under:

  • Section 66, IT Act (computer-related offences)
  • Section 66C, IT Act (identity theft)
  • Section 66D, IT Act (cheating by personation using a computer resource)
  • Section 318, BNS (cheating)

In practice: Carry your bank statements, the cybercrime complaint receipt, and your written complaint to the bank. Keep the FIR copy — you will need it for the bank refund process and insurance claims.

6. Change all passwords and secure your devices

After reporting, immediately:

  • Change your internet banking password, UPI PIN, and email password
  • Enable two-factor authentication on all financial accounts
  • Check for any unauthorised apps or remote access software on your phone
  • Scan your devices for malware
  • Revoke access for any suspicious third-party apps linked to your bank account

Understanding RBI's liability framework

The RBI Circular dated July 6, 2017 (updated periodically) sets clear rules on customer liability for unauthorised electronic transactions:

Reporting Timeline | Customer Liability | Bank's Obligation
Within 3 working days | Zero liability (if customer not negligent) | Full reimbursement within 10 working days
4-7 working days | Limited liability: max Rs 5,000-25,000 depending on account type | Reimburse excess amount
After 7 working days | As per bank's policy (higher liability) | Bank decides based on investigation

Key condition: Zero liability applies only if the fraud was NOT caused by your negligence. If you voluntarily shared your OTP, PIN, or password with the fraudster, the bank may argue contributory negligence.

In practice: Never share your OTP, PIN, or password with anyone — including people claiming to be bank employees. Genuine bank staff will never ask for these details.

Important: If the bank does not reimburse within 10 working days of your complaint, interest accrues on the disputed amount at the bank's savings account rate from the date of the unauthorised transaction.

What if things go wrong

If your bank refuses to refund

Escalate in this order:

  1. Bank's Grievance Redressal Officer: File a formal complaint with the GRO (details on the bank's website)
  2. Banking Ombudsman (RBI): If not resolved within 30 days, file a complaint at https://cms.rbi.org.in
  3. Consumer forum: File a complaint under the Consumer Protection Act, 2019 for deficiency in service

The Banking Ombudsman scheme is free and can order compensation of up to Rs 20 lakh.

If the police do not act on your FIR

Escalate to the Superintendent of Police (SP) or approach the Judicial Magistrate under Section 175(3) of the BNSS. Also escalate through the cybercrime.gov.in portal.

If you shared your OTP with the fraudster

Even if you shared your OTP under deception (the fraudster impersonated a bank official), you still have legal remedies. The fraud itself is still a criminal offence. Report it fully and honestly — courts have acknowledged that sophisticated social engineering can deceive even careful people. Your liability may be higher, but you are not without options.

If the fraud happened through a SIM swap

Contact your telecom provider immediately to report the unauthorised SIM swap and request restoration of your number. File a complaint with the Telecom Regulatory Authority (TRAI). SIM swap fraud involves the telecom company's systems, and they may share liability.

Documents and resources you need

  • Bank's 24/7 helpline number — save it in your phone now
  • Cybercrime helpline: 1930 (toll-free)
  • National Cyber Crime Reporting Portal: https://cybercrime.gov.in
  • RBI Complaint Management System: https://cms.rbi.org.in
  • Bank statements — highlighting unauthorised transactions
  • Screenshots — of phishing messages, fake calls, or suspicious communications
  • FIR copy — from the police station
  • Bank complaint reference number — from your initial call

Common myths

Myth: If you shared your OTP, the bank has no obligation to help. Reality: Even cases involving OTP sharing are investigated. If the fraud involved sophisticated social engineering or the bank's security systems were inadequate, the bank may still be liable. Report it regardless.

Myth: Small amounts are not worth reporting. Reality: Every complaint helps. Fraudsters typically target hundreds of victims with small amounts. Your complaint, combined with others, can lead to the arrest of the entire network and recovery of funds.

Myth: Money lost through UPI cannot be recovered. Reality: UPI transactions can be traced. If reported quickly (within 24 hours), the receiving bank can freeze the funds. The 1930 helpline is specifically designed for rapid response to UPI and other digital payment frauds.

Myth: The bank will automatically refund if there is an unauthorised transaction. Reality: You must report the transaction to the bank within 3 working days and file a formal complaint. The bank will investigate and refund based on the RBI's liability framework. Automatic refunds happen only in limited circumstances.

The law behind this

Protection | Legal Basis | What It Does
Zero customer liability (3-day reporting) | RBI Circular, July 2017 | Bank must refund if customer not negligent
Criminal prosecution of fraudster | IT Act Sections 66, 66C, 66D | Up to 3 years imprisonment + fine
Banking Ombudsman | RBI Integrated Ombudsman Scheme, 2021 | Free dispute resolution, compensation up to Rs 20 lakh
Consumer protection | Consumer Protection Act, 2019 | Claim for deficiency in banking service
Cybercrime investigation | BNSS + IT Act | Police investigation and asset freezing

Frequently asked questions

How quickly do I need to report to get zero liability? Within 3 working days of the unauthorised transaction appearing in your account or of receiving a transaction alert — whichever is earlier. The sooner, the better.

Can I get my money back if I report after 7 days? It is more difficult but not impossible. The bank will assess the case individually. File a report regardless of the delay — late reporting reduces but does not necessarily eliminate your chances.

What if I did not receive any transaction alert from my bank? Banks are required to send transaction alerts (SMS/email) for all electronic transactions. Failure to send an alert is a banking system failure, which strengthens your case for zero liability.

Should I also file a complaint with the RBI? If your bank resolves the issue satisfactorily, an RBI complaint is not necessary. But if the bank refuses to refund or delays beyond 30 days, file a complaint with the RBI Integrated Ombudsman at https://cms.rbi.org.in.

Can I claim insurance for bank fraud? Some banks offer cyber insurance as part of premium account packages. Check your account type. Additionally, standalone cyber insurance policies are available from general insurance companies. Check whether your policy covers unauthorised banking transactions.
