📚Personal Safety

How to recover money from phishing scams using 1930 and RBI Ombudsman

Lost money to a fake KYC call or a phishing link? Here is how to use the 'Golden Hour' to freeze the funds and escalate to the RBI Ombudsman if your bank refuses to help.

HowToHelp Editorial
11 min read
#phishing scam recovery india#1930 cybercrime helpline#rbi ombudsman complaint#bank fraud refund rbi#cybercrime.gov.in guide#unauthorised bank transaction#zero liability rbi#phishing link recovery

Hook

You are halfway through a late-night assignment when you get an SMS: "Your HDFC account will be blocked today. Update KYC now at bit.ly/bank-secure-update." You are tired, you panic, and you click. You enter your CRN and the OTP that follows. Within seconds, your phone buzzes with a notification that ₹45,000 has been debited. Your stomach drops. You have just been phished.

In the next ten minutes, you will either become a statistic or a success story. The difference lies in how fast you move. Most young Indians think that once money leaves their account, it is gone forever. That is not true. If you act within the "Golden Hour"—the first two hours after the fraud—and use the specific legal routes provided by the Reserve Bank of India (RBI), you have a real shot at getting your money back. This is your playbook for fighting back.

What the law says

The primary protection for victims of digital fraud is the RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18 titled "Customer Liability in Unauthorised Electronic Banking Transactions." This circular is your most powerful weapon because it shifts the burden of loss from you to the bank under specific conditions.

According to the RBI, your liability is determined by how quickly you report the fraud:

  1. Zero Liability: If the fraud happened due to a "contributory fraud, negligence or deficiency" on the part of the bank, you have zero liability, regardless of when you report it. More importantly, if there is a "third-party breach" (where neither the bank nor you are at fault, but the system is compromised) and you report it within 3 working days, you are not liable for a single rupee.
  2. Limited Liability: If the fraud happened because you were negligent (e.g., you shared your OTP or clicked a phishing link), you are liable for the loss until you report it to the bank. Any transaction that happens after you report it is the bank's responsibility. If you report a third-party breach within 4 to 7 working days, your liability is capped (usually at ₹5,000 for basic savings accounts and ₹10,000 to ₹25,000 for others).
  3. Beyond 7 Days: If you wait more than a week, your recovery depends entirely on your bank's board-approved policy.

On the criminal side, phishing is a punishable offence. Under Section 66D of the Information Technology Act, 2000, "cheating by personation by using computer resource" can lead to 3 years of imprisonment and a fine of up to ₹1 lakh. Under the Bharatiya Nyaya Sanhita (BNS), 2023, these acts are covered under Section 318 (Cheating) and Section 319 (Cheating by personation).

To bridge the gap between the crime and the recovery, the Ministry of Home Affairs (MHA) launched the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS). This system powers the 1930 helpline, which allows police to communicate with banks in real-time to freeze the "money trail" before the scammer can withdraw the cash at an ATM or move it to a crypto-wallet.

Finally, if your bank ignores your request or refuses to follow the RBI's liability rules, you have the RBI Integrated Ombudsman Scheme, 2021. This allows you to bypass the bank's internal bureaucracy and have a semi-judicial authority look at your case for free.

Step-by-step playbook

Step 1: The 1930 "Golden Hour" Call

As soon as you see the unauthorised transaction, do not waste time calling your friends.

  • Action: Dial 1930 (the National Cyber Crime Helpline).
  • What to say: Keep your transaction SMS ready. The operator will ask for your name, mobile number, the bank name, the Transaction ID (12-digit UTR for UPI or reference number for IMPS), the amount, and the date/time.
  • The Goal: The operator enters this into the CFCFRMS portal. This sends an automated alert to the "Beneficiary Bank" (the bank where the scammer sent your money) to put a "hold" on that specific amount. If the money is still in the scammer's account, it gets frozen instantly.

Step 2: Block and Report to the Bank

Even if you called 1930, you must formally inform your bank to stop further damage.

  • Action: Call your bank’s 24/7 emergency helpline (available on the back of your debit card or the official app). Ask them to block your debit/credit card and freeze your Net Banking access.
  • Evidence: Take a screenshot of the call log showing you called them immediately. Ask the agent for a Complaint Reference Number.

Step 3: File a Formal Cybercrime Complaint

A phone call to 1930 is just the start; you need a paper trail for the RBI to take you seriously.

  • Action: Visit cybercrime.gov.in and click on "Report Women/Child Related Crime" or "Other Cyber Crime" (select the latter for financial fraud).
  • What to upload:
    1. Screenshot of the phishing SMS or email.
    2. The URL of the fake website (if you clicked one).
    3. Bank statement showing the fraudulent debit.
    4. Your ID proof.
  • Timeline: Complete this within 24 hours. Once submitted, you will receive a PDF acknowledgement. Save this; it is as good as a Zero FIR.

Step 4: Submit a Written Dispute to the Bank

Banks often try to dismiss phone complaints. You must go to the branch.

  • Action: Visit your home branch. Write a formal letter addressed to the Branch Manager. State clearly: "I am reporting this unauthorised transaction within [X] hours/days under RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18."
  • What to bring: A copy of your Cybercrime Portal acknowledgement and your bank statement with the transaction highlighted.
  • Crucial Step: Get a "Received" stamp and date on a photocopy of your letter. This is your proof of reporting for the "3-day window."

Step 5: Escalate to the Nodal Officer

If the bank doesn't reverse the money or give a satisfactory reply within 15 days, don't wait.

  • Action: Search for your bank’s "Principal Nodal Officer" (PNO) on their website. Email them your previous complaint reference number and the stamped letter from the branch.
  • Timeline: The bank has a total of 30 days to resolve your issue from the date of your first complaint.

Step 6: File with the RBI Ombudsman

If 30 days pass and the bank hasn't helped, or if they reject your claim saying "it was your fault for clicking the link," use the Ombudsman.

  • Action: Go to the RBI CMS Portal.
  • Process: Select "File a Complaint." You will need to upload your initial bank complaint, the bank’s rejection letter (if any), and your ID. Mention that the bank is violating the RBI's Customer Liability circular.
  • Cost: ₹0. You do not need a lawyer.
  • Timeline: The Ombudsman usually takes 30–90 days to pass a decision. Their decision is binding on the bank unless the bank appeals.

If you need to verify if the police have actually started an investigation after your portal complaint, you can file an RTI online with the relevant State Police department. For more resources on staying safe, browse all civic-action guides.

Where it usually breaks

Even with the law on your side, the "system" has a few classic ways of failing you. Here is how to navigate the most common roadblocks:

  1. The "1930" line is busy or doesn't connect: In high-traffic states, the helpline can be overwhelmed. If you cannot get through within 5 minutes, stop calling. Go straight to cybercrime.gov.in and file the complaint online. The portal feeds into the same CFCFRMS system as the phone line. Every minute you spend on hold is a minute the scammer spends moving your money to a second or third "mule" account.

  2. The Bank blames you for sharing the OTP: Banks love to cite "Customer Negligence" to close cases. They will argue that because you clicked a link or gave an OTP, they are not liable. The Workaround: Refer them to Paragraph 6(ii) of the RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18. Even if you were negligent, your liability is limited to the loss until the moment you reported it. If the bank failed to provide a 24/7 reporting mechanism (like a non-functional app or a busy helpline) or if transactions happened after your report, the bank is 100% liable.

  3. The "Beneficiary Bank" is slow: Your bank (the "Remitting Bank") might say, "We sent the request, but the other bank didn't freeze the funds in time." The Workaround: This is a classic "not my problem" loop. In your complaint to the RBI Ombudsman, name both banks. The Ombudsman has the power to check the timestamps of when the alert was sent via the CFCFRMS and when the beneficiary bank actually acted. If there was a delay of more than a few hours on their end, the Ombudsman often rules in favour of the customer.

  4. The 30-day "Cooling Period": You cannot go to the RBI Ombudsman on Day 1. You must first complain to your bank’s Internal Grievance Redressal (IGR) or Nodal Officer. The Workaround: File your bank complaint via email immediately after the fraud. Set a calendar alert for 30 days. If the bank doesn't resolve it or gives an unsatisfactory reply, file the Ombudsman complaint on Day 31. Do not wait for months; you only have one year from the bank's reply to approach the Ombudsman.

Templates / script

Script: Calling the 1930 Helpline

Have your transaction SMS and Aadhaar number ready.

"Hello, I am reporting a financial fraud that happened [X] minutes ago. My name is [Name], and ₹[Amount] was debited from my [Bank Name] account ending in [Last 4 digits]. The transaction reference number/UTR is [12-digit number]. The money was transferred via [UPI/IMPS/NEFT]. I have already blocked my card/account via the app. Please initiate a 'freeze' request on the beneficiary account immediately."


Template: Formal Email to the Bank’s Nodal Officer

Subject: Urgent: Formal Complaint regarding Unauthorised Transaction - [Your Account Number] - [Transaction Date]

To, The Nodal Officer, [Bank Name],

I am writing to report an unauthorised electronic transaction of ₹[Amount] which occurred on [Date] at [Time].

  1. I have already reported this on the National Cyber Crime Portal (Acknowledgement No: [Number]) and via the 1930 helpline.
  2. I am reporting this within [Number] hours of the incident, falling within the 'Zero/Limited Liability' window as per RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18.
  3. I request you to: a) Reversal the amount to my account as per the 'Shadow Credit' (provisional credit) policy mentioned in Paragraph 8 of the aforementioned circular. b) Provide the 'Transaction Trail' and confirmation of when the freeze request was sent to the beneficiary bank.

Please note that as per RBI guidelines, the burden of proving customer negligence lies with the bank. I expect a resolution within 30 days, failing which I will escalate this to the RBI Integrated Ombudsman.

Regards, [Your Name] [Phone Number]


FAQs

1. What if I shared my OTP? Can I still get my money back?

Yes, but it is harder. If you shared the OTP, the bank classifies it as "Customer Negligence." According to the RBI, you bear the entire loss until you report it to the bank. However, if the scammer continues to withdraw money after you have reported the fraud and asked the bank to block your account, the bank is liable for all subsequent transactions.

2. Is there a fee for complaining to the RBI Ombudsman?

No. The RBI Integrated Ombudsman Scheme, 2021 is a completely free service. You do not need a lawyer. You can file the complaint yourself at cms.rbi.org.in. If anyone asks for money to "recover" your scammed funds, they are likely another scammer.

3. I lost money via a UPI app (GPay/PhonePe). Who do I complain to?

First, report it on the app itself, but remember that GPay/PhonePe are just "Third Party Application Providers" (TPAPs). The legal liability lies with the PSP Bank (the bank linked to your UPI) and the Remitter Bank (your bank). Your formal legal complaint must be filed with your bank, not just the app's customer support.

4. What is a UTR number and where do I find it?

UTR stands for Unique Transaction Reference. It is a 12-digit number for UPI and IMPS transactions. You will find it in the SMS sent by your bank or in your "Transaction History" section of your banking app. The 1930 helpline and the Cybercrime portal cannot track your money without this number.

5. The police are asking me to file a physical FIR. Is that necessary?

The 1930/Cybercrime portal acknowledgement acts as a "Preliminary Information Report." While some banks insist on a physical FIR for claims above ₹50,000, the Bharatiya Nyaya Sanhita (BNS) and the MHA guidelines state that an online complaint is valid. If the bank refuses to process your claim without a physical copy, visit your local Cyber Cell (not just the local police station) to get the online complaint converted into an FIR under Section 173 of the BNSS.

6. How long does the recovery take?

If the money is frozen in the scammer's account, it stays there. To get it back into your account, you usually need a court order from a Magistrate (under Section 503 of the BNSS, formerly Section 457 CrPC) directing the bank to release the funds. This can take 3–6 months. However, if the bank is found liable for a security lapse, the RBI mandates they must credit your account within 10 working days of the report.

Frequently Asked Questions

1. What if I shared my OTP? Can I still get my money back?

Yes, but it is harder. If you shared the OTP, the bank classifies it as "Customer Negligence." According to the RBI, you bear the entire loss *until* you report it to the bank. However, if the scammer continues to withdraw money *after* you have reported the fraud and asked the bank to block your account, the bank is liable for all subsequent transactions.

2. Is there a fee for complaining to the RBI Ombudsman?

No. The **RBI Integrated Ombudsman Scheme, 2021** is a completely free service. You do not need a lawyer. You can file the complaint yourself at [cms.rbi.org.in](https://cms.rbi.org.in). If anyone asks for money to "recover" your scammed funds, they are likely another scammer.

3. I lost money via a UPI app (GPay/PhonePe). Who do I complain to?

First, report it on the app itself, but remember that GPay/PhonePe are just "Third Party Application Providers" (TPAPs). The legal liability lies with the **PSP Bank** (the bank linked to your UPI) and the **Remitter Bank** (your bank). Your formal legal complaint must be filed with your bank, not just the app's customer support.

4. What is a UTR number and where do I find it?

UTR stands for **Unique Transaction Reference**. It is a 12-digit number for UPI and IMPS transactions. You will find it in the SMS sent by your bank or in your "Transaction History" section of your banking app. The 1930 helpline and the Cybercrime portal cannot track your money without this number.

5. The police are asking me to file a physical FIR. Is that necessary?

The 1930/Cybercrime portal acknowledgement acts as a "Preliminary Information Report." While some banks insist on a physical FIR for claims above ₹50,000, the **Bharatiya Nyaya Sanhita (BNS)** and the MHA guidelines state that an online complaint is valid. If the bank refuses to process your claim without a physical copy, visit your local Cyber Cell (not just the local police station) to get the online complaint converted into an FIR under **Section 173 of the BNSS**.

📮

One civic-action playbook a week

RTI templates, FIR scripts, real escalation ladders — the same kind of thing you just read. Sundays only. No spam.

We don't share your email. Unsubscribe any time.

Recover money from phishing scams: 1930 & RBI Ombudsman · HowToHelp