How to recover money from phishing scams using 1930 and RBI Ombudsman
Lost money to a fake KYC call or a phishing link? Here is how to use the 'Golden Hour' to freeze the funds and escalate to the RBI Ombudsman if your bank refuses to help.
Lost money to a fake KYC call or a phishing link? Here is how to use the 'Golden Hour' to freeze the funds and escalate to the RBI Ombudsman if your bank refuses to help.
You are halfway through a late-night assignment when you get an SMS: "Your HDFC account will be blocked today. Update KYC now at bit.ly/bank-secure-update." You are tired, you panic, and you click. You enter your CRN and the OTP that follows. Within seconds, your phone buzzes with a notification that ₹45,000 has been debited. Your stomach drops. You have just been phished.
In the next ten minutes, you will either become a statistic or a success story. The difference lies in how fast you move. Most young Indians think that once money leaves their account, it is gone forever. That is not true. If you act within the "Golden Hour"—the first two hours after the fraud—and use the specific legal routes provided by the Reserve Bank of India (RBI), you have a real shot at getting your money back. This is your playbook for fighting back.
The primary protection for victims of digital fraud is the RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18 titled "Customer Liability in Unauthorised Electronic Banking Transactions." This circular is your most powerful weapon because it shifts the burden of loss from you to the bank under specific conditions.
According to the RBI, your liability is determined by how quickly you report the fraud:
On the criminal side, phishing is a punishable offence. Under Section 66D of the Information Technology Act, 2000, "cheating by personation by using computer resource" can lead to 3 years of imprisonment and a fine of up to ₹1 lakh. Under the Bharatiya Nyaya Sanhita (BNS), 2023, these acts are covered under Section 318 (Cheating) and Section 319 (Cheating by personation).
To bridge the gap between the crime and the recovery, the Ministry of Home Affairs (MHA) launched the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS). This system powers the 1930 helpline, which allows police to communicate with banks in real-time to freeze the "money trail" before the scammer can withdraw the cash at an ATM or move it to a crypto-wallet.
Finally, if your bank ignores your request or refuses to follow the RBI's liability rules, you have the RBI Integrated Ombudsman Scheme, 2021. This allows you to bypass the bank's internal bureaucracy and have a semi-judicial authority look at your case for free.
As soon as you see the unauthorised transaction, do not waste time calling your friends.
Even if you called 1930, you must formally inform your bank to stop further damage.
A phone call to 1930 is just the start; you need a paper trail for the RBI to take you seriously.
Banks often try to dismiss phone complaints. You must go to the branch.
If the bank doesn't reverse the money or give a satisfactory reply within 15 days, don't wait.
If 30 days pass and the bank hasn't helped, or if they reject your claim saying "it was your fault for clicking the link," use the Ombudsman.
If you need to verify if the police have actually started an investigation after your portal complaint, you can file an RTI online with the relevant State Police department. For more resources on staying safe, browse all civic-action guides.
Even with the law on your side, the "system" has a few classic ways of failing you. Here is how to navigate the most common roadblocks:
The "1930" line is busy or doesn't connect: In high-traffic states, the helpline can be overwhelmed. If you cannot get through within 5 minutes, stop calling. Go straight to cybercrime.gov.in and file the complaint online. The portal feeds into the same CFCFRMS system as the phone line. Every minute you spend on hold is a minute the scammer spends moving your money to a second or third "mule" account.
The Bank blames you for sharing the OTP: Banks love to cite "Customer Negligence" to close cases. They will argue that because you clicked a link or gave an OTP, they are not liable. The Workaround: Refer them to Paragraph 6(ii) of the RBI Circular DBR.No.Leg.BC.78/09.07.005/2017-18. Even if you were negligent, your liability is limited to the loss until the moment you reported it. If the bank failed to provide a 24/7 reporting mechanism (like a non-functional app or a busy helpline) or if transactions happened after your report, the bank is 100% liable.
The "Beneficiary Bank" is slow: Your bank (the "Remitting Bank") might say, "We sent the request, but the other bank didn't freeze the funds in time." The Workaround: This is a classic "not my problem" loop. In your complaint to the RBI Ombudsman, name both banks. The Ombudsman has the power to check the timestamps of when the alert was sent via the CFCFRMS and when the beneficiary bank actually acted. If there was a delay of more than a few hours on their end, the Ombudsman often rules in favour of the customer.
The 30-day "Cooling Period": You cannot go to the RBI Ombudsman on Day 1. You must first complain to your bank’s Internal Grievance Redressal (IGR) or Nodal Officer. The Workaround: File your bank complaint via email immediately after the fraud. Set a calendar alert for 30 days. If the bank doesn't resolve it or gives an unsatisfactory reply, file the Ombudsman complaint on Day 31. Do not wait for months; you only have one year from the bank's reply to approach the Ombudsman.
Have your transaction SMS and Aadhaar number ready.
"Hello, I am reporting a financial fraud that happened [X] minutes ago. My name is [Name], and ₹[Amount] was debited from my [Bank Name] account ending in [Last 4 digits]. The transaction reference number/UTR is [12-digit number]. The money was transferred via [UPI/IMPS/NEFT]. I have already blocked my card/account via the app. Please initiate a 'freeze' request on the beneficiary account immediately."
Subject: Urgent: Formal Complaint regarding Unauthorised Transaction - [Your Account Number] - [Transaction Date]
To, The Nodal Officer, [Bank Name],
I am writing to report an unauthorised electronic transaction of ₹[Amount] which occurred on [Date] at [Time].
Please note that as per RBI guidelines, the burden of proving customer negligence lies with the bank. I expect a resolution within 30 days, failing which I will escalate this to the RBI Integrated Ombudsman.
Regards, [Your Name] [Phone Number]
Yes, but it is harder. If you shared the OTP, the bank classifies it as "Customer Negligence." According to the RBI, you bear the entire loss until you report it to the bank. However, if the scammer continues to withdraw money after you have reported the fraud and asked the bank to block your account, the bank is liable for all subsequent transactions.
No. The RBI Integrated Ombudsman Scheme, 2021 is a completely free service. You do not need a lawyer. You can file the complaint yourself at cms.rbi.org.in. If anyone asks for money to "recover" your scammed funds, they are likely another scammer.
First, report it on the app itself, but remember that GPay/PhonePe are just "Third Party Application Providers" (TPAPs). The legal liability lies with the PSP Bank (the bank linked to your UPI) and the Remitter Bank (your bank). Your formal legal complaint must be filed with your bank, not just the app's customer support.
UTR stands for Unique Transaction Reference. It is a 12-digit number for UPI and IMPS transactions. You will find it in the SMS sent by your bank or in your "Transaction History" section of your banking app. The 1930 helpline and the Cybercrime portal cannot track your money without this number.
The 1930/Cybercrime portal acknowledgement acts as a "Preliminary Information Report." While some banks insist on a physical FIR for claims above ₹50,000, the Bharatiya Nyaya Sanhita (BNS) and the MHA guidelines state that an online complaint is valid. If the bank refuses to process your claim without a physical copy, visit your local Cyber Cell (not just the local police station) to get the online complaint converted into an FIR under Section 173 of the BNSS.
If the money is frozen in the scammer's account, it stays there. To get it back into your account, you usually need a court order from a Magistrate (under Section 503 of the BNSS, formerly Section 457 CrPC) directing the bank to release the funds. This can take 3–6 months. However, if the bank is found liable for a security lapse, the RBI mandates they must credit your account within 10 working days of the report.
Yes, but it is harder. If you shared the OTP, the bank classifies it as "Customer Negligence." According to the RBI, you bear the entire loss *until* you report it to the bank. However, if the scammer continues to withdraw money *after* you have reported the fraud and asked the bank to block your account, the bank is liable for all subsequent transactions.
No. The **RBI Integrated Ombudsman Scheme, 2021** is a completely free service. You do not need a lawyer. You can file the complaint yourself at [cms.rbi.org.in](https://cms.rbi.org.in). If anyone asks for money to "recover" your scammed funds, they are likely another scammer.
First, report it on the app itself, but remember that GPay/PhonePe are just "Third Party Application Providers" (TPAPs). The legal liability lies with the **PSP Bank** (the bank linked to your UPI) and the **Remitter Bank** (your bank). Your formal legal complaint must be filed with your bank, not just the app's customer support.
UTR stands for **Unique Transaction Reference**. It is a 12-digit number for UPI and IMPS transactions. You will find it in the SMS sent by your bank or in your "Transaction History" section of your banking app. The 1930 helpline and the Cybercrime portal cannot track your money without this number.
The 1930/Cybercrime portal acknowledgement acts as a "Preliminary Information Report." While some banks insist on a physical FIR for claims above ₹50,000, the **Bharatiya Nyaya Sanhita (BNS)** and the MHA guidelines state that an online complaint is valid. If the bank refuses to process your claim without a physical copy, visit your local Cyber Cell (not just the local police station) to get the online complaint converted into an FIR under **Section 173 of the BNSS**.
RTI templates, FIR scripts, real escalation ladders — the same kind of thing you just read. Sundays only. No spam.
We don't share your email. Unsubscribe any time.
If you or someone you know is an acid attack survivor, the law mandates a minimum ₹3 lakh compensation and free medical care. Here is how to navigate the DLSA and CMRF.
Learn how to report sexual assault of a minor in Andhra Pradesh, including mandatory reporting rules under POCSO and using the Disha app or 1098.
Someone hacked your account or is harassing you online? Don't just block them. Here is how to file an official complaint on the National Cyber Crime Reporting Portal.
If a minor is facing sexual assault, the law is on your side regardless of the perpetrator's gender. Here is how to use POCSO and BNS to report abuse and get protection.