Online Scams and Phishing in India 2026 — Legal Protections Under the IT Act

Advocate Akhil Singh

This article is for educational and legal awareness purposes only. It does not constitute legal advice or solicitation. Please consult a qualified advocate for advice on specific legal matters.

Introduction

Phishing — the practice of tricking a person into revealing sensitive information such as passwords, OTPs, banking credentials, or KYC details by impersonating a trusted entity — is among the most prevalent cyber-crimes affecting Indian citizens. Closely associated are SMS phishing (“smishing”), voice-call frauds (“vishing”), fake QR codes, fraudulent investment apps, and impersonation of government officials or bank staff. The Information Technology Act, 2000 (IT Act), the Bharatiya Nyaya Sanhita, 2023 (BNS), and the directions of the Reserve Bank of India (RBI) together provide the legal scaffolding for prevention, prosecution, and recovery in such cases.

Statutory Provisions Under the IT Act, 2000

Section 66C — Identity Theft

Section 66C of the IT Act punishes any person who, fraudulently or dishonestly, makes use of the electronic signature, password, or any other unique identification feature of another person. The punishment is imprisonment up to three years and fine up to Rs. 1 lakh. In a phishing case, the unauthorised use of stolen credentials — banking passwords, OTPs, UPI PIN, or even a victim’s email — squarely attracts this provision.

Section 66D — Cheating by Personation Using Computer Resource

Section 66D punishes whoever, by means of any communication device or computer resource, cheats by personation. The punishment is imprisonment up to three years and fine up to Rs. 1 lakh. This is the principal provision invoked in cases where the fraudster impersonates a bank, a delivery company, a regulatory authority, a relative, or any other person to deceive the victim into transferring money or revealing information.

Other Relevant IT Act Provisions

  • Section 43 — civil liability for unauthorised access, downloading, or causing damage to computer systems; the affected person may seek compensation.
  • Section 66 — punishment for computer-related offences referred to in Section 43, where committed dishonestly or fraudulently.
  • Section 67 — punishment for publishing or transmitting obscene material in electronic form.

Bharatiya Nyaya Sanhita, 2023 — Concurrent Offences

A phishing or online scam typically also attracts offences under the BNS that have replaced corresponding sections of the Indian Penal Code, 1860:

  • Section 318 BNS — cheating, including cheating by personation (corresponds to Sections 415, 416, and 420 IPC).
  • Section 319 BNS — cheating by personation specifically.
  • Section 336 BNS — forgery and related offences, where the fraud involves forged electronic records.

The IT Act provisions and the BNS provisions may be invoked simultaneously, since the IT Act is a special law dealing with electronic offences while the BNS deals with the substantive criminal liability for cheating and forgery.

Common Modus Operandi

  • Smishing / vishing: A message or call claims to be from a bank, KYC authority, electricity provider, or courier company, asking the victim to click a link or share an OTP.
  • Fake customer-care numbers: Search-engine results show fraudulent numbers; victims calling these numbers are walked through screen-sharing apps or asked to install remote-access software.
  • UPI collect-request fraud: A “collect” request is sent to the victim disguised as a payment receipt; entering the UPI PIN debits the account.
  • Investment and trading scams: Fake mobile apps or WhatsApp groups promise high returns; deposits cannot be withdrawn.
  • Job offer fraud: A fake offer letter is followed by a request for “training fee” or “registration fee”.
  • Sextortion and digital arrest: Fraudsters posing as police or central agencies threaten the victim into transferring money.

How to Report — Step-by-Step

The Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs operates the central infrastructure for cyber-fraud reporting.

  1. Call 1930 immediately. The toll-free national cyber-crime helpline is available 24x7. Reporting within the so-called “golden hour” (the first one to two hours after the fraud) gives the police a meaningful chance to digitally freeze the funds before the fraudster transfers them onward.
  2. File a complaint on cybercrime.gov.in. After calling 1930, the complainant receives an acknowledgement number and is required to submit a formal complaint on the National Cybercrime Reporting Portal at https://cybercrime.gov.in within 24 hours, attaching transaction details, screenshots, bank statements, and any other evidence.
  3. Inform the bank. Under the RBI circular “Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions” dated 6 July 2017, a customer who reports an unauthorised transaction within three working days bears zero liability where the fraud is due to a third-party breach and the bank’s negligence is not involved. Reporting between four and seven working days attracts limited liability subject to specified caps. Reporting must be in writing to the bank’s home branch or through the bank’s reporting mechanism.
  4. File an FIR. Where the fraud amount is substantial, a First Information Report should also be lodged at the local police station or cyber crime cell. In Lucknow, the Cyber Crime Police Station, Gomti Nagar, handles such cases for the district.
  5. Preserve evidence. All SMS, WhatsApp messages, call records, screenshots, transaction IDs, and bank statements should be preserved.

Key Case Law

Shreya Singhal v. Union of India, (2015) 5 SCC 1

The Supreme Court struck down Section 66A of the IT Act for being vague and overbroad. The judgment is significant for cyber-crime jurisprudence in India because it clarified the constitutional limits on speech-related offences in cyberspace, while leaving Sections 66C, 66D, and similar provisions intact.

Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473

The Supreme Court laid down the conditions for the admissibility of electronic evidence under Section 65B of the (then) Indian Evidence Act, 1872. Compliance with the certification requirement is essential for relying on electronic records — chat logs, server records, CCTV footage — in cyber-crime trials. The corresponding provision now appears as Section 63 of the Bharatiya Sakshya Adhiniyam, 2023.

Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, (2020) 7 SCC 1

The Supreme Court reaffirmed and clarified the certification requirement for electronic records, holding the Section 65B certificate to be mandatory.

RBI Guidelines on Customer Liability

The RBI’s customer-protection framework places obligations on banks to provide secure systems and customer-friendly grievance redressal:

  • Zero liability — where the unauthorised transaction is due to contributory fraud or negligence of the bank, or due to a third-party breach where neither the bank nor the customer is at fault and the customer reports within three working days.
  • Limited liability — where the customer’s negligence (such as sharing payment credentials) caused the loss; or where reporting is delayed beyond three working days.
  • Bank’s duty — to credit the disputed amount to the customer’s account within 10 working days of the customer’s notification, and to resolve the complaint within 90 days.

Important Points to Remember

  • Never share an OTP, UPI PIN, CVV, or net-banking password with anyone — including persons claiming to be bank staff, police, or government officials.
  • Government and bank officials do not request remote-access app installation, UPI PINs, or digital arrest deposits over the phone.
  • The first one to two hours after the fraud are critical; calling 1930 immediately maximises the chance of recovery.
  • A written complaint to the bank within three working days protects the customer’s right to zero liability under the RBI circular.
  • All evidence — messages, screenshots, transaction IDs, call records — should be preserved in original form for trial.
  • An FIR may be lodged at the local police station or at the cyber crime police station; the police cannot refuse to register an FIR for a cognisable offence.
  • Cyber crime is not limited to financial loss — sextortion, defamation, stalking, and child exploitation are equally prosecutable under the IT Act and BNS.
