Akhil Bhartiya Cyber Suraksha Sangathan (Regd.)
Regd. with Registrar of Society of NCT Delhi-Regd. No-287
Protection from Cyber Criminals, Defence of Digital India
अखिल भारतीय साइबर सुरक्षा संगठन (पंजी)
India's first cyber crime investigation NGO
Stay alert online, stay safe from cyber crime
www.abcss.org Email: info@abcss.org
AMIT MALHOTRA
(Cyber Crime Investigation Specialist)
Founder Akhil Bhartiya Cyber Suraksha Sangathan
18 years' experience in crime prevention, detection and investigation. Certified Ethical Hacker from EC-Council. Certified Cyber Crime Investigator from Asian School of Cyber Laws. Presently working in the area of cyber crime investigation.
⚠️ How Net Banking Frauds Are Carried Out
- Sending phishing emails with fake bank login links to steal credentials
- Creating pixel-perfect clones of SBI, HDFC, ICICI, Axis net banking portals
- Calling victims posing as bank KYC / RBI officials to extract OTPs
- SIM swap fraud — porting victim's mobile number to intercept all OTPs
- Keylogger malware recording net banking passwords as they are typed
- Man-in-the-browser attacks injecting fake transaction pages into real banking sites
- Fake "bank refund" or "KYC update" SMS with malicious links
- Unauthorised beneficiary addition using stolen credentials before draining account
✅ How to Protect Yourself from Net Banking Fraud
- Always type your bank's URL directly — never click links in emails or SMS
- Verify the padlock icon and "https://" before entering any banking credentials
- Never share OTP, CVV, PIN or password with anyone — banks never ask for these
- Enable transaction alerts on SMS and email for every debit — even small amounts
- Use a strong, unique password for net banking — change it every 3 months
- Enable 2-factor authentication and set a daily transaction limit in your bank account
- Never do net banking on public Wi-Fi or shared computers
- Register for RBI's "1930" alert to freeze money movement immediately if defrauded
Phishing — Fake Bank Website / Email Fraud
Fraudsters send emails, SMS or WhatsApp messages that appear to come from a genuine bank — warning the victim of "account suspension," "KYC expiry" or "suspicious activity." The link leads to a fake banking portal identical to the real site. When the victim enters their User ID and password, credentials are instantly captured and used to access the real account and transfer funds.
OTP Fraud — Vishing / Social Engineering
Fraudsters call victims posing as bank officials, RBI representatives or payment gateway executives — claiming the account needs "KYC update," "debit card renewal" or "reward points redemption." They ask for account number, debit card number, CVV and OTP — completing unauthorised transactions as the victim reads out the OTP in real time. This is India's single most common net banking fraud method.
SIM Swap / SIM Cloning Fraud
Fraudsters obtain the victim's personal details through data breaches or social engineering, then visit a telecom store or use a fraudulent customer service call to port the victim's mobile number to a new SIM card. Once ported, the victim's phone loses signal while the fraudster receives all incoming SMS OTPs — using them to access net banking, reset passwords and drain accounts completely.
Banking Malware / Keylogger Trojan
Malicious software secretly installed on computers or phones via phishing emails, infected USB drives or drive-by downloads — recording every keystroke including net banking User IDs, passwords and OTPs as they are typed. Banking trojans specifically overlay fake transaction confirmation pages on top of real banking websites — showing the victim a normal confirmation while redirecting the actual transaction to the fraudster's account.
Man-in-the-Browser (MitB) Attack
A sophisticated attack where malware installed on the victim's browser intercepts and modifies transactions in real time — while the banking website shows the victim their intended transaction. The victim approves sending ₹10,000 to a family member, but the malware silently changes the beneficiary account number to the fraudster's account and the amount to ₹1,00,000 — the bank processes the altered transaction, not the one the victim authorised.
Fake Bank Customer Care Fraud
Fraudsters register fake customer care numbers for banks on Google, Justdial and similar platforms. Victims who search for "SBI customer care number" or "HDFC helpline" find these fake numbers and call — believing they are speaking with their actual bank. The fraudster then requests remote access, OTP sharing or "test transactions" to allegedly resolve the issue — draining the account instead.
UPI / IMPS Fraudulent Transaction via QR Code
Fraudsters send QR codes claiming they are for receiving money — but scanning a QR code in UPI apps initiates a payment, not a receipt. Victims are told "scan this to receive your refund / prize / payment" and unknowingly authorise a payment to the fraudster. Also includes fraudulent payment request links that look like genuine UPI payment notifications but actually request money from the victim.
Unauthorised Beneficiary Addition Fraud
Once a fraudster obtains net banking credentials through phishing or social engineering, they log in and add themselves as a beneficiary — then wait for the mandatory cooling period (30 minutes to 4 hours depending on the bank) before transferring funds. Victims receive OTP alerts for beneficiary addition but are often tricked into sharing these or have already been deceived into doing so earlier in the scam.
Account Takeover via Email Compromise
Fraudsters first compromise the victim's email account — the same email linked to their net banking. They then use "Forgot Password" on the bank portal to have the net banking password reset sent to that email. With full email access, they intercept the reset link, change the banking password and mobile number linked to the account — locking the victim out completely before transferring all funds.
Fake RBI / Income Tax Refund Fraud
Fraudsters call or email victims claiming to be from RBI, Income Tax Department or TRAI — announcing a refund, subsidy or compensation that requires "verification" of bank account details, net banking credentials or OTP. Once credentials are obtained, the account is emptied. Victims are often high-income earners who expect genuine IT refunds and are caught off-guard by the official-sounding communication.
The OTP Fraud via Vishing Call is India's most widespread net banking fraud — accounting for over 67% of all digital banking losses. Fraudsters are highly scripted, professional and psychologically sophisticated. Here is exactly how it unfolds:
Step 1 — The "Official" Call
Victim receives a call from what appears to be the bank's official number (fraudsters spoof caller ID). The caller claims to be a senior bank official and mentions the victim's name and partial account details — creating immediate trust and credibility.
Step 2 — Creating Urgency / Fear
The caller states: "Your account will be blocked in 2 hours unless KYC is updated," or "Your debit card has been used in a fraud — we need to block and re-issue it immediately." Urgency and fear prevent the victim from verifying independently.
Step 3 — Extracting Credentials
The caller asks to "verify" account number, registered mobile number, debit card number and CVV — claiming these are needed for "KYC verification" or "blocking the fraudulent card." The victim, believing it's the bank, complies fully.
Step 4 — OTP Extraction & Account Drained
Using the extracted details, the fraudster initiates a transaction on the bank website. An OTP is sent to the victim's phone. The fraudster says: "You will receive a verification OTP — please share it to complete the security update." Victim shares the OTP. Account is emptied within seconds.
Caller Claims to Be from Bank and Asks for OTP, CVV or Password
No bank employee, RBI official or government representative will ever ask you to share your OTP, CVV, net banking password or PIN over phone or email. This is a universal, non-negotiable banking security rule. Anyone asking for these details — regardless of how official they sound — is a fraudster. Disconnect immediately.
Email or SMS with Link to "Update KYC" or "Prevent Account Blocking"
Banks do not send account suspension warnings or KYC update requests via SMS links or email links. Any message threatening account blocking, freeze or cancellation unless you "click here to update KYC" is a phishing attempt. Always go directly to your bank's official website by typing the URL — never via links.
Bank Website URL Looks Slightly Different from the Real One
Phishing websites use URLs like "onlinesbi.com.in.security-update.com" or "hdfcbank-netbanking.co" instead of the real "onlinesbi.sbi" or "hdfcbank.com." Always check the complete URL carefully, especially the domain. One misspelling or extra word means it's fake. Bookmark your bank's official URLs and use only those.
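An added example, not part of the original page: a minimal allowlist check showing that the end of the hostname, not the presence of the bank's name, decides whether a URL is genuine. The official and fake hostnames are the ones quoted on this page; the function name, the verdict labels and the full sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Official domains as quoted on this page. A real deployment would load the
# banks' published domains instead of hard-coding two entries (assumption).
OFFICIAL_DOMAINS = ("onlinesbi.sbi", "hdfcbank.com")


def classify_bank_url(url, official=OFFICIAL_DOMAINS):
    """Return 'official', 'insecure', 'lookalike' or 'not-official'.

    Ownership is decided only by the END of the hostname: a host is official
    when it equals an allowlisted domain or is a subdomain of one. The bank's
    name appearing anywhere else in the host is a lookalike signal.
    """
    parts = urlsplit(url.strip())
    # .hostname is already lower-cased and has the port removed.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "not-official"
    for domain in official:
        # The leading dot matters: without it 'nothdfcbank.com' would match.
        if host == domain or host.endswith("." + domain):
            # Right domain, but the page also asks for https:// before login.
            return "official" if parts.scheme.lower() == "https" else "insecure"
    # Brand label = first label of each official domain, e.g. 'onlinesbi'.
    brands = {d.split(".")[0] for d in official}
    if any(brand in host for brand in brands):
        return "lookalike"
    return "not-official"


# Sample URLs constructed for this example from hostnames quoted on the page.
SAMPLES = [
    "https://www.onlinesbi.sbi/",
    "http://www.hdfcbank.com/",
    "https://onlinesbi.com.in.security-update.com/login",
    "https://hdfcbank-netbanking.co/",
    "https://sbi-yono-onlinelogin.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_bank_url(sample):13} {sample}")
```

Only the "official" verdict should ever be trusted. "not-official" covers fake sites that do not reuse the bank's exact domain label, so the allowlist match does the protecting and the lookalike label is only a hint.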
"Bank Customer Care Number" Found on Google is Unverified
Fraudsters pay to rank fake customer care numbers on Google search results and Google Maps. Never trust customer care numbers found through a general Google search. Always get your bank's helpline number from the back of your debit card, your original bank account documents or the bank's official website.
Caller Says "Your Money is at Risk — Transfer to a Safe Account"
No bank or government agency will ever ask you to transfer money to a "safe account," "RBI custodian account" or "temporary secure account" to protect it from fraud. This is a well-documented fraud script where panic causes victims to willingly transfer their own savings to the fraudster's account.
Unexpected "Beneficiary Added" or "New Device Logged In" Notification
If you receive an SMS saying a new beneficiary has been added, or a new device has been registered to your net banking account — but you did not do this — your credentials have been compromised. Contact your bank immediately to block the beneficiary and change your password from a secure device.
QR Code Sent as "Receive Payment" When It Actually Initiates Payment
In UPI, scanning a QR code initiates a payment FROM you — not TO you. No legitimate person sending you money will ever share a QR code. If someone says "scan this code to receive your refund or payment," it is fraud. Receiving money via UPI requires only sharing your UPI ID or VPA — no code scanning.
Screen Sharing Request to "Process Refund" or "Fix Banking Issue"
Any caller asking you to install AnyDesk, TeamViewer or QuickSupport to help with a "banking issue" or "process a refund" is a fraudster. Once screen sharing is active, they can see your entire screen including OTPs as they arrive, navigate your banking app, change settings and transfer money — all while appearing to help you.
🚨 If You Have Been a Victim of Net Banking Fraud
- Immediately call your bank's 24×7 helpline and request account freeze and card block
- Call National Cyber Helpline 1930 within minutes — faster reporting = higher chance of fund recovery
- Change your net banking password and MPIN from a clean, secure device immediately
- Visit the bank branch in person with your ID proof to report and file a formal written complaint
- If SIM swap occurred — call your telecom operator's helpline and block the fraudulent SIM immediately
- File complaint at cybercrime.gov.in — select "Online Financial Fraud" — provide all transaction details and dates
- Preserve all evidence — bank transaction SMS alerts, call logs of the fraudster's number, screenshots
- File FIR at nearest police station or Cyber Crime Cell with all evidence — include bank reference numbers
- Under RBI guidelines, banks are liable for unauthorised transactions if reported within 3 working days — do not delay
- Check if funds are still in transit — IMPS / NEFT transfers can sometimes be recalled if reported within the same day
Senior Doctor Loses ₹87 Lakh in KYC Update Call — Entire Life Savings Gone
A retired government doctor in Noida received a call from someone claiming to be an SBI senior manager warning that her account would be blocked in 2 hours unless KYC was updated. The caller knew her full name, account number and partial debit card details — creating complete trust. Over a 45-minute call, the caller walked her through a process that extracted her net banking credentials and OTP. ₹87 lakh was transferred in 7 transactions to 4 different accounts across banks. Despite calling 1930 within 30 minutes, only ₹12 lakh was frozen. Investigation revealed the caller operated from Jharkhand's "Jamtara cyber fraud zone" using spoofed bank caller IDs purchased online.
Business Owner Loses ₹1.42 Crore After Mobile Goes "No Service" for 3 Hours
A Mumbai textile merchant's phone showed "No Service" for 3 hours one afternoon. He assumed it was a network issue. In those 3 hours, fraudsters who had obtained his net banking credentials through a phishing email weeks earlier activated a fraudulent SIM in his name using forged documents at a telecom outlet in Rajasthan. With live access to OTPs via the new SIM, they added 3 beneficiaries and transferred ₹1.42 crore from his current account in 9 transactions. He discovered the fraud when the network was restored and he received 23 undelivered SMS alerts simultaneously. Partial recovery of ₹34 lakh was made after swift reporting.
Government Officer Transfers ₹15 Lakh to "RBI Safe Account" on Official's Instructions
A Delhi government employee received a call from someone claiming to be a Deputy Governor of RBI — stating that his account had been flagged for a "suspicious ₹4 crore transaction" that he must disown immediately. The caller instructed him to "secure his funds by transferring to an RBI custodian account" until the investigation was complete. Terrified, he transferred ₹15 lakh in 3 transactions. The caller then demanded ₹5 lakh more as "processing fee" — at which point he grew suspicious and called his bank. Police traced the fraudster to a cyber fraud gang in West Bengal operating RBI impersonation calls on spoofed government VoIP numbers.
IT Engineer Loses ₹2.4 Lakh via Fake SBI YONO Website Found on Google
A Bengaluru-based software engineer searched "SBI YONO login" on Google and clicked the first sponsored result — which led to a nearly identical copy of the SBI YONO portal. He entered his User ID, password and the OTP that arrived — immediately receiving a "maintenance in progress" message. Within 4 minutes, ₹2.4 lakh was transferred from his savings account. The irony noted in the case — the victim was an IT security professional who later acknowledged he failed to check the URL and that the phishing site was hosted at "sbi-yono-onlinelogin.com." He recovered ₹90,000 after filing within 2 hours.
IT Act Section 66: Dishonestly or fraudulently accessing net banking accounts, transferring funds without authorisation and creating fake banking portals — imprisonment up to 3 years or fine up to ₹5 lakh or both. The criminal counterpart to Section 43 and the primary cybercrime provision for net banking fraud prosecutions.
IT Act Section 66C — Identity Theft: Using stolen net banking credentials, OTPs, passwords or digital signatures to fraudulently access and operate a victim's bank account — imprisonment up to 3 years and fine up to ₹1 lakh. Specifically applicable to OTP fraud, phishing credential theft and SIM swap fraud enabling OTP interception.
IT Act Section 66D — Cheating by Impersonation Using Computer Resources: Posing as bank officials, RBI representatives or government officers via phone calls, emails or fake portals to fraudulently extract banking credentials — imprisonment up to 3 years and fine up to ₹1 lakh. The precise statutory provision for vishing / OTP fraud calls and fake bank portal fraud.
BNS Section 318 — Cheating: All fraudulent schemes that deceive victims into surrendering money — including the full range of banking fraud scripts — imprisonment up to 7 years and fine. The primary criminal provision for organised net banking fraud gangs operating from Jamtara, Mewat and other cyber fraud hubs across India.
BNS Section 316 — Criminal Breach of Trust: Where bank insiders assist fraudsters by sharing customer data for targeting — imprisonment up to 7 years and fine. Applicable to cases where the precision of the fraud suggests inside information was used to identify and target specific high-value account holders.
BNS Section 319 — Cheating by Personation: Fraudsters falsely claiming to be RBI officials, bank officers or government representatives — specifically applicable to vishing calls where official impersonation is used to extract credentials and OTPs. Imprisonment up to 3 years and fine.
RBI Circular on Customer Liability in Unauthorised Electronic Banking Transactions (2017): A victim is entitled to zero liability for unauthorised transactions if reported within 3 working days — the bank must reverse the amount within 10 days. Liability increases to ₹5,000 or full transaction amount (whichever is lower) if reported between 4–7 days. Zero liability applies when the breach is on the bank's side. All victims must report immediately and insist on this circular during dispute resolution.
Payment and Settlement Systems Act 2007: Governs the operation of payment systems in India. Fraudulent UPI transactions, fake payment gateways and manipulation of IMPS / NEFT transfers are prosecutable under this Act. The RBI has authority to penalise payment system operators who fail to implement adequate fraud prevention safeguards — making this relevant for victims whose fraud occurred through regulated payment channels.





