I've become a victim of identity theft. What should I do?
Updated · 6 July 2026
How do I report identity theft to law enforcement?
Identity theft response is time-sensitive — funds are often freezable if reported within hours, and moving in parallel across channels matters more than sequencing them perfectly.
Call Cyber Crime Helpline 1930 immediately for any financial fraud. Alongside, file a detailed complaint at the National Cyber Crime Reporting Portal (cybercrime.gov.in) under the appropriate category — financial fraud, social media impersonation, identity theft or hacking — upload screenshots, bank statements and communications as evidence, and note the acknowledgement number for online tracking.
Then file an FIR at your local police station citing Section 66C IT Act, and Sections 319 and 318 BNS. Bring ID proof, an affidavit of identity theft, bank statements showing fraudulent transactions, loan documents for anything opened in your name, the CIBIL report showing fraudulent accounts, and any communications from the fraudster. If police refuse, use the Zero FIR procedure or move a Magistrate under Section 175(3) BNSS. Most cities have specialised cybercrime cells — Bangalore, Mumbai, Delhi and others — that are usually more receptive than general stations.
For Aadhaar-related theft, lock biometrics at uidai.gov.in, file a UIDAI grievance, and pursue prosecution under Section 38(a) Aadhaar Act. For PAN misuse, report to the Income Tax Department via the e-Filing portal and check Form 26AS for fraudulent entries. For social media impersonation, report to the platform (Meta, X, LinkedIn) first, file at the cybercrime portal in parallel, and notify connections to disregard the fake profile. Maintain a detailed log of timestamps, reports and reference numbers throughout — it becomes central evidence later.
How do I freeze fraudulent accounts and loans opened in my name?
Once the theft is reported, the priority is stopping further damage. Pull credit reports immediately from all four bureaus — CIBIL (cibil.com, free annual report), Experian, Equifax and CRIF — and identify every fraudulent loan, credit card and account.
For each fraudulent account, send a legal notice to the lender explaining the identity theft and demanding write-off, attach the FIR copy and identity proof, file a dispute with the CIC (see our CIBIL dispute guide), demand the lender investigate its own KYC compliance, and claim compensation for credit-score damage. For genuine accounts that were compromised, freeze internet banking and cards, change all passwords, update the mobile number and email registered with the bank, and apply for new card numbers.
For compromised Aadhaar or PAN, lock Aadhaar biometrics, watch Form 26AS for unauthorised PAN usage, file rectification for any false ITRs, and — rarely — apply for a new PAN. For SIM swap or mobile compromise, block the SIM through the telco, demand investigation and a new connection — our SIM swap guide covers the drill. For RBI customer liability protection, notify the bank in writing within 3 working days for zero liability (see the UPI fraud guide).
For property fraud, publish a public notice in an English and vernacular newspaper disclaiming fraudulent transactions in your name — useful evidence in later disputes. For tax fraud, notify the Income Tax Department, file rectification for false ITRs and inform the Commissioner. Documentation across all of this is critical; engage a reputable, specialised cyber-crime / banking lawyer for substantial losses.
Can I recover money lost to identity theft?
Recovery depends on speed of reporting and the specific circumstances of the fraud.
The RBI Customer Liability Framework is decisive for bank-account fraud: zero liability if you report third-party fraud within 3 working days, limited liability of ₹5,000-₹25,000 for reports at 4-7 working days, and full liability beyond 7 working days (with bank discretion for relief). See our UPI fraud guide. For fraudulent loans opened in your name, you are not liable if the lender didn't perform proper KYC — the lender must write off the loan, the CICs must remove the entry, and compensation for credit-score damage is available.
Escalate unresolved bank disputes to the Banking Ombudsman free online at cms.rbi.org.in — the Ombudsman can award up to ₹20 lakh plus ₹1 lakh for mental agony. The Consumer Forum handles deficiency of service by banks, lenders or CICs and can award substantial compensation (see our consumer complaint guide). A civil suit for damages can be pursued against the identified perpetrator, the negligent institution (bank, lender, KYC processor), or both — covering actual loss and emotional distress.
Cyber cell investigation can trace transactions through the bank chain, freeze money in downstream accounts and return it; recovery rates for Indian-source fraud run around 30-50%, much lower for foreign fraud. For property fraud recovery, file a civil suit for cancellation of fraudulent transactions — the Sub-Registrar can re-examine if you notify before the transaction completes (our real estate lawyer guide helps here).
Typical compensation ranges: bank fraud — full refund if RBI rules followed; fraudulent loans — written off plus ₹50,000-₹5 lakh damages; identity-based reputation harm — ₹1-10 lakh; property fraud — full restoration plus damages. Engage a reputable, specialised cyber / banking lawyer; don't accept a lender's 'partial settlement' offer without legal review.
How can I prevent identity theft going forward?
Prevention is largely hygiene, and every layer you add makes fraud harder.
Aadhaar protection — lock biometric authentication at uidai.gov.in and unlock only when needed, use the Virtual ID (VID) instead of your Aadhaar number for most KYC, use masked Aadhaar where full ID isn't required, watermark any Aadhaar photocopy 'For Specific Purpose Only', and periodically review your Aadhaar authentication history. PAN safety — check Form 26AS quarterly for unauthorised entries, don't share PAN unless legally required, and use Form 60 where PAN isn't strictly needed.
Mobile safety — enable SIM lock with a PIN, refuse unsolicited 'SIM upgrade' offers, and turn on the telco's caller ID verification (see our SIM swap guide). Bank security — strong unique passwords via a password manager, two-factor authentication, transaction alerts on every account, daily transaction limits, monthly statement review, and international transaction blocks unless travelling. Credit monitoring — take free annual reports from all four CICs, consider paid real-time monitoring, and watch for unfamiliar entries.
Phishing defence — never share OTP, PIN or password, verify any caller by calling the official helpline back, and don't click links in unsolicited messages (see our phishing guide). On social media, keep profiles private, limit sharing, don't post PAN, Aadhaar or date of birth publicly, and don't broadcast information that could enable security-question bypass.
Document disposal — shred bank statements and ID copies before discarding, and be careful with rented offices or hotels that photograph documents. Email security — strong password plus 2FA on your primary email, properly secured recovery email and phone, and no password reuse. Document scans — watermark Aadhaar and PAN copies with 'For [Specific Purpose] Only' and specific dates, and keep a record of who received each copy.
What if a family member or known person committed the theft?
Identity theft by family members, household staff or trusted people is legally serious even though it feels different — the same legal framework applies and the relationship doesn't reduce culpability.
Common insider scenarios include a family member (parent, spouse, sibling) taking loans in your name, household staff with document access, employees at your CA / bank / employer office, an estranged spouse during divorce proceedings, and a co-applicant or guarantor exceeding authority. Procedurally, an FIR can be filed against family, Section 218 BNSS sanction does not apply to civilians, and offences like Sections 318 (cheating for small amounts) and 319 BNS are compoundable with court permission — larger or aggravated forms are not.
Nuances vary by relationship. Spouses: joint accounts have different rules with both spouses authorised, but unauthorised use of one spouse's individual account is theft; in divorce contexts, restraining orders can prevent further misuse. Parents have no automatic authority over an adult child's documents and face criminal liability for unauthorised loans, though family courts may show some leniency in genuine misunderstanding. Employees: office records and CCTV are often decisive, and vicarious liability may attach to the employer for security lapses. Children using parents' identity is usually treated as a civil family matter unless escalated.
Try soft remedies first — mediation through family or community elders, a written acknowledgement and undertaking from the perpetrator, a repayment schedule in writing, or a Lokpal-style family settlement. Hard remedies follow if soft fails — FIR, civil suit for recovery, DV Act protection where a female victim faces a family male perpetrator (see our DV protection guide).
Whatever route you choose, document the theft contemporaneously, preserve evidence (account documents, IDs, communications), consult a lawyer in confidence, and resist family pressure to 'forgive' before you understand your options. Sometimes complete recovery is unrealistic — calculate the civil damages claim carefully; sometimes the only practical remedy is to clear your name with the CICs and accept the loss. For sensitive family-internal matters, engage a reputable, specialised family / criminal lawyer who can advise on the most pragmatic path.
Disclaimer: Content provided here is for general legal knowledge only and does not constitute formal legal advice. If you have an urgent or specific matter, please consult a registered advocate.