I Got Scammed, How Do I Get My Money Back?

By Shweta Patel In Mumbai : As a fraud prevention expert, I get this question a lot.

Others in the fraud-fighting domain like me, also probably receive similar questions from people who have been a victim to online scams or cybercrime. So, I wanted to write this article, almost as a PSA. Do, remember to book mark this page, like the post, connect with us so you have this list handy or on your timeline, since anybody you care for may need this kind of help, anytime.

Recently I received a heart-breaking message from one of our customers, where he wrote something to the effect that “I don’t want to file an FIR because I am scared of the police.” I happen to know many people like this. They may have not killed a fly, but the thought of going to the police is intimidating, other than for routine things like police verification for a passport application etc. And that is exactly why the law enforcement agencies have created easier and less intimidating options. So read on.

So let me break this article down into distinct segments to make it easier for you. First you need to know whether you can recover the full money from your bank or not. If not, then you need to know what process you need to follow. The process for UPI frauds. And finally, if all else fails what your options are. So, lets begin with the first question.

When should your bank make you whole?

You should know when you are fully entitled to get your money back from your bank. As per RBI’s 2017 notification on this (RBI/2017-18/15 DBR.No.Leg.BC.78/09.07.005/2017-18) there are three possible situations.

1. When there is an element of contributory fraud, negligence or deficiency on the part of the bank. In this scenario the customer will have zero liability. Regardless of the whether the fraudulent transaction has been reported by the customer or not. Please note many cases have been won in consumer court on the basis of deficiency of service on the part of the bank.
2. When the responsibility lies with neither the bank nor the customer, but lies elsewhere in the system, such as a third-party breach, there are three further sub-scenarios laid out here:

a: If the customer reports within three working days of receiving the communication from the bank regarding the fraudulent transaction. In this case, again the customer has to bear zero liability.

b: If the customer reports the fraud within four to seven working days of receiving the communication from their bank about the said transaction. The liability per transaction is capped (transaction amount or limit, whichever is lower) as per the table below depending on the type of account:

c: Further, if the delay exceeds seven working days of the communication received from the bank, the customer liability is determined as per the bank’s board approved policy. The details of which should be made available to all existing customers, to new customers at account opening and be displayed on a public domain.

3: In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.

All along please note one important point. As per the RBI circular mentioned above “The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank.” However, in the same breath I should mention that the Banking Regulation Act of 1949 is apparently silent on the issue.

There are further details on timelines and complaint handling and other specifics around the burden of interest. I have deliberately omitted these to make this post more readable to cover broader questions. For further details specific to your case, you can directly look up the circular on the RBI website for further details.

 ALSO READ: How To Protect Your Devices, Like a Pro

What is the process you should follow, after you uncovered the fraud?

These are some steps to follow that will maximize your chances of getting your money back, in case of unauthorized fraud on your bank account. I have listed these below:

1. Notify your bank the moment you notice an unauthorized transaction. This is important because your liability caps are determined by this in some cases as noted above.
2. The bank will in turn notify the insurance company where applicable to limit your liability.
3. In fact, if you can go to the branch where your account was opened (home branch) or to the nearest branch, then you may have much better chances of getting your account secured. Some banks may not have strong call centers or longer wait times.
4. Additionally, secure all your accounts. If you have the banking app or via internet banking, make sure to update your password, lock your debit card/credit card and/or other compromised elements.
5. You many also choose to run an antivirus scan on your computer if you suspect you may have been a target to any malware or hacking. Remove any recent unknown apps you may have installed on your phone at the behest of a stranger.
6. File an online complaint by dialling 1930. You can also fill out a complaint on the portal cybercrime.gov.in.
7. On that hotline, they will most likely instruct you to fill a form anyway and a complaint will get registered. The form will likely ask for many details, its in your interest to fill as many details and screenshots as possible.
8. Meanwhile, go to your nearest police station and quickly file an FIR. (The operative word here is ‘quickly’). The sooner you file the FIR the higher the chances that the funds would not have left the destination (wrongdoer’s account). You will need to submit all the necessary proofs of the fraudulent transaction. The police will confirm the transaction and they may potentially ask the victim (that is you) for a court order.
9. Do give the police as much information as you can. The police have many resources at their disposal, for example they may be able to triangulate the location of a criminal based on the phone number. So, do cooperate with the agencies and supply as much information as is available with you regarding the scammer.
10. Go to a good lawyer and they can arrange a court order for you. The police can only then freeze the respective accounts, so the money can’t be moved out. This is an important step.
11. Submit the court order to the police once you have it. This might take a few days.
12. Retain a copy of all the key evidence, screenshots, account numbers, UPI IDs, phone numbers etc. to help the police successfully track the cyber criminals. This is imperative to preserve until the investigation is over and the case is closed.
13. Keep following up. Remember at any point of time there is a sea of cyber crime cases for the law enforcement agencies to wade through, you have no choice but to follow up so your case bubbles up to the top.
14. One additional way is to form a group of victims that may be impacted by the same set of fraudsters (for example all victims to the same Crypto or Ponzi scheme). Note this may help you jump the line if the total size of the case is substantial.
15. I know some folks who have also contacted the receiving account’s bank and raised an alert on the suspect account. This may not be the normal protocol, but it does make sure you’ve covered all angles if they choose to freeze the account if multiple victims have reached out.

ALSO READ: Step By Step Guide: How To File Cybercrime Complaint Online In India

What if it is a UPI fraud?

16. In addition to the above, in the case of UPI fraud, RBI guidelines suggest that you inform the UPI service provider (GPay, PhonePe, Paytm) about the fraudulent transaction immediately.
17. Moreover, you should flag the fraudulent transaction and request a refund through the UPI service providers’ support mechanisms.
18. If the UPI service provider is unresponsive then you can raise a complaint on the NPCI (National Payments Corporation of India) portal directly at npci.org.in

How can I escalate further?

19. If this issue persists for longer than the stipulated 30 days, then approach the Banking Ombudsman or the Ombudsman for digital complaints. Some people have taken this step even prior to the lapse of 30 days in the cases where the bank has sent them a case closure notification without success.
20. Open an official ticket with the Ombudsman following the guidelines for digital transactions. This is a great centralized mechanism for escalation and yes, the website and process are fairly seamless.
21. You may do this online at the Complaint Management System portal here : https://www.cms.rbi.org.in or you could also send an email to the Banking Ombudsman at crpc@rbi.org.in
22. You can also track your complaint on the same portal for updates in the case status. Some people I know have received at least half of what they lost through this complaint redressal mechanism. But remember this could take time, not days but months.

ALSO READ:  All You Need To Know About Password and Authentication Best Practices

Does it help to go to consumer courts?

23. There have been several cases where the victim has moved the consumer court and recovered substantial losses and sometimes additional damages from the bank for deficiency in service, only if it can be proved. There have been multiple cases such as one in which the Navsari Consumer Disputes Redressal Commission (CDRC) ruled in favour of a UPI fraud victim and ordered SBI to reimburse Rs 39K. In another case in Delhi, the commission ruled in favour of the complainant and directed PNB to pay the victim Rs 10K plus interest and additional Rs 25K compensation for mental harassment.
24. For amounts up to Rs 50 Lac, one can approach the District Consumer Redressal Commission.
25. For amounts between Rs 50 Lac- Rs 2 Crore, one can approach the State Consumer Redressal Commission. And for greater than Rs 2 Crore approach the National CDRC.
26. You can seek out legal counsel and hire a good lawyer to go through with the steps that include sending a legal notice, drafting a complaint etc.

Is there any other way to recover my money?

27. Some people ask me, “Should they hire a hacker, or forensic investigator?” In fact, I have myself seen these gigs posted on some forums, for sizeable sums to recover lost crypto currency etc. I am deliberately limiting my recommendations though, to only the above official options, regulatory escalation channels and legal recourse. But I just wanted to include this to make the list exhaustive. However, when it comes to privately hiring such investigators, there is a high level of risk that one should be aware of and hence we would like to reserve comment.

At the end of the day, this is no six-sigma process and there is no 100% guarantee, despite all this that you will get 100% of your money back. But many people have recovered lacs of rupees lost to fraud. Sometimes the process can be high effort and frustrating but never give up.

That said, I am no lawyer or legal expert. But I have reviewed realms and realms of cases and FIRs. And I have put this together based on my reading and mostly official RBI sources of data and what I have gleaned as good options to pursue to maximize your success in loss recovery. I wish you good luck, and hope you get your lost money back!

ALSO READ:  12 Typologies Of Crypto Scams To Watch Out For

Always better to be safe, than sorry

Some of the ways to stay alert and vigilant and prevent cyber frauds are as below. Do follow these tips, so you never have to be the victim in the first place –

• Do not share any personal information or credentials with anyone on the phone that is unknown to you.
• Always use MFA on all your accounts, even if they are social handles and seem like a low-risk account. Even they can get taken over.
• Never use common passwords, or particularly reuse your banking password anywhere and make sure the password is strong.
• Never click on unknown links or open websites that you don’t trust.
• Never install apps from .apk files, only get them from trusted sources and official app stores.
• Never look up phone numbers, websites etc. of official banking and other trusted services on search engines.
• Pro tip – As a hygiene practice always check any stranger’s phone, Skype ID, emails, websites, UPI or any other social handle of such unknown person(s) for previously reported fraud on the app called Phishbowl. It has a huge collection of fraudster information based on community reporting and other mechanisms. You may choose to use the web version here https://www.phish-bowl.in

Stay safe.

Shweta Patel, Cofounder, Phishbowl Solutions Pvt. Ltd

About The Author: Shweta Patel, Cofounder, Phishbowl Solutions Pvt. Ltd