My phone network was swapped without my consent (SIM Swap). What do I do?
Updated · 6 July 2026
Block your mobile banking immediately, dial 1930, lodge a cybercrime FIR, and sue the telecom operator for deficiency of service under the Consumer Protection Act, 2019.
What is a SIM swap fraud and how does it happen?
A SIM swap fraud is when a criminal causes your telecom operator to issue a duplicate SIM in your number to the criminal, instead of you. Once active, the new SIM intercepts your OTPs, allowing the criminal to:
(1) Log into your bank account, mutual funds, and demat;
(2) Reset passwords on email and social media;
(3) Authorise UPI and IMPS transfers;
(4) Access government services tied to your number (Aadhaar, DigiLocker).
The fraudster typically obtains your KYC information via phishing, data leaks, or social engineering, then approaches a telecom store or call centre with forged documents. The original SIM is deactivated the moment the duplicate is activated — the first sign for the victim is sudden loss of mobile signal.
(1) Log into your bank account, mutual funds, and demat;
(2) Reset passwords on email and social media;
(3) Authorise UPI and IMPS transfers;
(4) Access government services tied to your number (Aadhaar, DigiLocker).
The fraudster typically obtains your KYC information via phishing, data leaks, or social engineering, then approaches a telecom store or call centre with forged documents. The original SIM is deactivated the moment the duplicate is activated — the first sign for the victim is sudden loss of mobile signal.
What is the bank's liability under RBI rules?
The bank is also liable, in parallel with the telecom operator. The RBI Master Direction on Customer Liability dated 6 July 2017 gives you zero liability for fraud caused by third-party breaches if you report within 3 working days. A SIM swap is a quintessential third-party breach.
Additionally, the bank's own due-diligence obligations apply:
(1) Risk-based authentication — banks must use multi-factor authentication beyond SMS OTP for high-value transactions;
(2) Velocity and pattern checks — sudden large transfers to a new beneficiary should trigger fraud alerts;
(3) Mobile number change verification — banks should re-verify identity if the registered mobile changes recently.
If the bank skipped any of these, that's a separate ground for liability beyond the customer-liability rule. See our companion UPI fraud guide.
Additionally, the bank's own due-diligence obligations apply:
(1) Risk-based authentication — banks must use multi-factor authentication beyond SMS OTP for high-value transactions;
(2) Velocity and pattern checks — sudden large transfers to a new beneficiary should trigger fraud alerts;
(3) Mobile number change verification — banks should re-verify identity if the registered mobile changes recently.
If the bank skipped any of these, that's a separate ground for liability beyond the customer-liability rule. See our companion UPI fraud guide.
What are the immediate steps after a SIM swap attack?
Time is critical. In order:
(1) Call the telecom operator's helpline from a friend's phone — request immediate suspension of the active SIM (the new one issued to the fraudster);
(2) Call your bank's customer care — freeze internet banking, debit/credit cards, and UPI;
(3) Dial 1930 — the cyber fraud helpline. Funds may still be in the beneficiary account and freezable;
(4) File a complaint on the National Cyber Crime Reporting Portal;
(5) File an FIR at the local police station — see our Zero FIR guide if jurisdiction is an issue;
(6) Send a written notice to the telecom operator demanding the records of the SIM swap request, the documents submitted, and the verification steps performed. This evidence is critical for liability;
(7) Notify your bank in writing within 3 working days for zero-liability protection.
(1) Call the telecom operator's helpline from a friend's phone — request immediate suspension of the active SIM (the new one issued to the fraudster);
(2) Call your bank's customer care — freeze internet banking, debit/credit cards, and UPI;
(3) Dial 1930 — the cyber fraud helpline. Funds may still be in the beneficiary account and freezable;
(4) File a complaint on the National Cyber Crime Reporting Portal;
(5) File an FIR at the local police station — see our Zero FIR guide if jurisdiction is an issue;
(6) Send a written notice to the telecom operator demanding the records of the SIM swap request, the documents submitted, and the verification steps performed. This evidence is critical for liability;
(7) Notify your bank in writing within 3 working days for zero-liability protection.
Can I sue both the bank and the telecom operator?
Yes — and you should, because liability is often joint and several. Two parallel routes:
(1) RBI Integrated Ombudsman for the bank — file at cms.rbi.org.in. Can direct refund up to ₹20 lakh plus compensation up to ₹1 lakh;
(2) Consumer Commission for both — file via E-Daakhil against the bank AND the telecom operator as co-defendants for deficiency of service. The Commission can award the full loss plus compensation. See our consumer complaint guide.
For amounts above ₹2 crore, file at the National Commission. For substantial losses or systemic patterns, also send a complaint to the TRAI (telecom regulator) and the RBI for regulatory action.
Engage a reputable, specialised cyber/banking lawyer to coordinate parallel proceedings — settled cases typically recover 80-100% of losses when both the bank and the telecom operator have skipped due diligence.
(1) RBI Integrated Ombudsman for the bank — file at cms.rbi.org.in. Can direct refund up to ₹20 lakh plus compensation up to ₹1 lakh;
(2) Consumer Commission for both — file via E-Daakhil against the bank AND the telecom operator as co-defendants for deficiency of service. The Commission can award the full loss plus compensation. See our consumer complaint guide.
For amounts above ₹2 crore, file at the National Commission. For substantial losses or systemic patterns, also send a complaint to the TRAI (telecom regulator) and the RBI for regulatory action.
Engage a reputable, specialised cyber/banking lawyer to coordinate parallel proceedings — settled cases typically recover 80-100% of losses when both the bank and the telecom operator have skipped due diligence.
Reference Citation: Telecommunications Act, 2023; Consumer Protection Act, 2019; RBI Master Direction, 2017
Disclaimer: Content provided here is for general legal knowledge only and does not constitute formal legal advice. If you have an urgent or specific matter, please consult a registered advocate.