legalanswers.in logolegalanswers.in
Cyber Law, AI & Digital Rights

I was tricked by a phishing email or scam call. What can I do?

Updated · 6 July 2026

Call 1930 immediately, report on the cybercrime portal within the 'Golden Hour', file an FIR, and pursue the bank for a zero-liability refund under RBI rules if you report within 3 working days.

What counts as 'phishing' under Indian law?

Phishing is any deceptive technique used to obtain credentials, personal information or payment from victims. It shows up in several common forms.

Email phishing — fake emails purporting to be from your bank, e-commerce platform, employer or government agency, often linking to fake login pages. Vishing (voice phishing) — phone calls impersonating bank officials, government officers or telecom support, asking for OTPs, KYC updates or fake refund procedures. Smishing — text messages with malicious links. Spear phishing — targeted phishing using personal information often from a prior data breach.

QR code phishing — scanning fraudulent QR codes that initiate UPI payments out of your account, not in. Fake job offers demanding 'registration fees' or 'training fees'. Loan scams — fake loan apps that demand a processing fee then disappear. Romance scams on matrimonial or dating sites leading to financial requests. Fake delivery / shipping messages with malicious links. Tech support scams claiming your computer is infected and demanding payment for fake fixes.

All variants are punishable under BNS Section 318/319 and IT Act Section 66D. The medium — email, phone, WhatsApp — doesn't change the legal characterisation.

What should I do immediately after falling for a phishing scam?

Time is everything after falling for a phishing scam. Complete all these within hours.

Call 1930 — the Cyber Fraud Helpline. The faster you call, the better the chance of freezing funds in the beneficiary account before they're withdrawn or shuffled to mule accounts. File on cybercrime.gov.in with transaction details, your bank account, beneficiary details, screenshots of the phishing email or SMS, and call records. Notify your bank in writing via email and helpline call — the written communication starts the RBI customer-liability clock.

Block all linked cards and freeze internet banking via your bank's app or helpline. Change passwords on the breached account and on any other account using the same or similar password. Disable UPI temporarily if UPI credentials were involved. Take screenshots of the fraudulent transaction, the phishing communication and the call log.

Check email for forwarders or filters that the scammer may have set up to hide further activity. Enable 2FA on email, banking and social media if not already active. For UPI fraud-specific procedure, see our UPI fraud guide.

How is my bank liability calculated under RBI rules?

The RBI Master Direction dated 6 July 2017 sets a clear framework for customer liability.

Zero liability applies when the fraud is due to bank's deficiency (regardless of when you report) or when the fraud is due to a third-party breach (phishing, SIM swap, malware) and you report within 3 working days of receiving the transaction alert.

Limited liability (₹5,000-₹25,000) applies when you report within 4-7 working days. The exact cap depends on the account type: Basic Savings Account ₹5,000; regular Savings, Salary, Pension and FD accounts ₹10,000; current accounts and credit cards ₹25,000.

Full liability applies when you report after 7 working days, or where the fraud arises from your gross negligence (sharing OTP, PIN or CVV with a caller). Even here, banks retain discretion to provide relief based on circumstances.

Critical timing: the clock starts when the bank notifies you of the transaction (typically the SMS or email alert), not when you discover it later. Set up real-time transaction alerts on all accounts. The 'Golden Hour' for fund recovery is the first 1-2 hours; the legal deadline for full protection is 3 working days.

How do I file an FIR for online cheating?

File an FIR methodically for online cheating.

Step 1 — gather evidence before going to the police: the phishing email or SMS with full headers, saved as .eml or PDF; call records of fraudulent calls (date, time, number, duration); bank transaction receipt with beneficiary details and IFSC; communication trail with bank customer care; and the cybercrime portal reference number if already filed.

Step 2 — visit the police station with jurisdiction over your residence. If the station refuses citing 'jurisdiction is where the fraudster is' — a common excuse — use the Zero FIR procedure under Section 173 BNSS.

Step 3 — insist on FIR registration citing: Section 66D IT Act (cheating by personation using computer), Section 318 BNS (cheating), Section 336 BNS (forgery for fake emails impersonating brands), Section 65 IT Act (tampering with computer source documents), plus additional sections on the facts.

Step 4 — demand a free copy of the FIR under Section 173(2) BNSS. Step 5 — if police refuse: approach the Superintendent of Police, then move a Magistrate under Section 175(3) BNSS, or file a High Court writ. Step 6 — follow up with the cyber cell — online fraud investigations take 3-12 months but can result in recovery if mule accounts are identified.

How can I prevent future phishing attacks?

Prevention runs on consistent security hygiene.

Never share OTP, PIN, CVV or password over phone, email or SMS — no legitimate bank, government or company will ask. Verify caller identity by hanging up and calling the official helpline (not numbers given by the caller). Hover over email links to check the actual URL before clicking — banks and government rarely use shortened URLs. Check sender email domain carefully — sbi-india.com is not sbi.co.in; rbiindia.org is not rbi.org.in. Type URLs directly rather than clicking links in emails or SMS.

Enable two-factor authentication on all critical accounts — app-based preferred. Use unique passwords for each account (password manager recommended). Update software regularly — operating system, browser, anti-virus. Set bank transaction limits appropriate to your usage. Enable real-time SMS and email alerts on every transaction.

Be skeptical of urgency — scammers create panic ('your account will be blocked in 24 hours'). Report phishing to CERT-In at incident@cert-in.org.in. Educate vulnerable family members — especially seniors, who are heavily targeted.

For broader online safety, see our SIM swap guide and data breach rights guide.

Reference Citation: Section 66D, IT Act, 2000; Sections 318, 319, 336, BNS, 2023; RBI Master Direction, 2017

Disclaimer: Content provided here is for general legal knowledge only and does not constitute formal legal advice. If you have an urgent or specific matter, please consult a registered advocate.