Learn how to spot, stop, and protect yourself from a cyberattack. From phishing and identity theft to ransomware and financial fraud, understand the threats that lurk online. Explore practical tips to protect yourself, know your legal rights, and find out how to report cybercrimes effectively.
Introduction
“Dadi, put down that newspaper and listen to me for five minutes. This is important!”
My grandmother, who just learned to use WhatsApp to video call us, received a message that looked like it came from the bank. “Dear Customer,” it said, “Your account will be closed in 24 hours. Click here to verify your details immediately.” The message even had that bank’s logo and looked totally official.
Thank god she called me first instead of clicking that link.
“They are asking for my ATM PIN to verify my account. Should I give it to them?”
My heart skipped a beat. If she had clicked that link and entered her details, a large portion of her life savings would have vanished in minutes.
This is not a one-off incident. Every day, we hear about gullible people losing their money to someone claiming to be from a bank, the police, and so on. Just recently, my neighbour’s computer system got locked by cyber attackers who demanded Rs. 50,000 to unlock his family photos and business files.
“But I do not even understand these computer things properly. How am I supposed to know what is real and what is fake?” said my grandmother.
That is exactly why I am writing this guide.
See, it is endearing to see our parents and grandparents joining the digital world at lightning speed. But here is the scary part: In 2024 alone, India faced 95 major cyberattacks, making it the second most targeted country globally. Cyber-attackers are specifically targeting older adults because they know they are new to technology and more trusting. From the AIIMS hospital attack that disrupted medical services to the massive WazirX cryptocurrency heist worth Rs. 1,900 crores, these are not just numbers, they are real people losing real money.
“So what do we do? Stop using all these apps?”
No way! The solution is never to go backwards; it is to move forward safely.
Think of this guide as me sitting with you over evening chai, explaining everything in simple terms. No tech language, no complicated processes. Just practical advice that anyone can follow, whether you are 25 or 75.
I will tell you exactly how these scams work (so you can spot them), what to do if something goes wrong, and most importantly, how to enjoy all the benefits of our digital world without any fear.
Now, let us dive straight into it.
What are cyberattacks?
Think of your computer, phone, or any digital device as your house. A cyberattack is like a digital burglar trying to break into your house, but instead of stealing your cash or jewellery, they want your personal information, money, or they want to mess up your digital life.
Just like physical burglars, these digital criminals have different motives. Some want to steal your money directly from your bank account. Others want to collect your personal details (like your Aadhaar number, PAN card details, or phone number) to sell them to other attackers. Some just want to cause chaos by shutting down websites or computer systems.
The big difference between cyberattacks and traditional crimes? These digital burglars can attack you from anywhere in the world. A cyberattacker could be sitting in a cafe in Azerbaijan while emptying your bank account in Mumbai. And unlike breaking into a physical house, they can target thousands of people simultaneously.
Types of cyberattacks in India
Let me walk you through the most common tricks these digital criminals use, explained in simple terms with real examples:
1. Phishing attacks
- What it is: Imagine getting a fake letter that looks exactly like it is from your bank, asking you to call a number and share your ATM PIN. Phishing is the digital version of this scam.
- How it works: You get an email, SMS, or WhatsApp message that looks like it is from a trusted source, your bank, the government, or even your employer. It asks you to click a link and enter your details on a fake website that looks real.
- How to spot it: You need to know that a legitimate bank will never ask for your password, PIN, or OTP via email or SMS. When in doubt, call your bank directly using the number on your debit card or bank statement.
- Real example
In 2023, thousands of Indians received emails claiming to be from the Reserve Bank of India asking them to update their KYC details. The emails looked so real that many people fell for them and lost lakhs of rupees. India recorded over 79 million phishing attacks that year! Unbelievable, right?!
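The spotting rules above (a request for a PIN/OTP/password, pressure wording, and a link that does not lead to the bank's own domain) can be expressed as a small message checker. This is an added example, not part of the original guide; the domain `examplebank.example`, the word lists and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder: use the domains printed on your own bank statement.
OFFICIAL_DOMAINS = {"examplebank.example"}  # ".example" is a reserved test TLD

# A request verb followed, within the same sentence, by a secret.
REQUEST_RE = re.compile(
    r"\b(share|enter|provide|confirm|send|give|submit|update)\b"
    r"[^.!?]{0,40}?\b(otp|pin|password|cvv)\b", re.IGNORECASE)
# Genuine alerts say "Never share your OTP"; that wording must not be flagged.
NEGATION_RE = re.compile(r"\b(never|do not|don['’]t)\s+$", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(immediately|urgent(ly)?|(with)?in \d+ (hours?|minutes?)|"
    r"will be (closed|blocked|suspended))\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def asks_for_secret(message):
    """True if the text requests a PIN/OTP/password rather than warning about one."""
    for m in REQUEST_RE.finditer(message):
        if not NEGATION_RE.search(message[max(0, m.start() - 12):m.start()]):
            return True
    return False


def link_host(url):
    """Host a browser would really connect to; any 'user@' prefix is ignored."""
    try:
        return (urlsplit(url.rstrip(".,;:!?)")).hostname or "").lower()
    except ValueError:
        return ""


def is_official(host, official=OFFICIAL_DOMAINS):
    """True only for an official domain itself or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in official)


def triage(message, official=OFFICIAL_DOMAINS):
    """Return (verdict, reasons) for one email, SMS or WhatsApp message body."""
    reasons = []
    secret = asks_for_secret(message)
    if secret:
        reasons.append("asks for PIN/OTP/password")
    if URGENCY_RE.search(message):
        reasons.append("uses urgency or threats")
    bad_link = False
    for url in URL_RE.findall(message):
        host = link_host(url)
        if not is_official(host, official):
            bad_link = True
            reasons.append(f"link goes to unofficial host {host}")
        elif url.lower().startswith("http://"):
            reasons.append(f"official host {host} linked without HTTPS")
    if secret or bad_link:
        return "likely phishing", reasons
    return ("suspicious" if reasons else "no red flags found"), reasons


# Constructed sample messages (the first is modelled on the one in the introduction).
SAMPLES = [
    "Dear Customer, Your account will be closed in 24 hours. Click "
    "http://examplebank.example.kyc-update.example/verify and confirm your ATM PIN.",
    "Update KYC today: https://examplebank.example@203.0.113.7/login",
    "Your OTP for login is 482913. Never share your OTP with anyone.",
    "Your May statement is ready at https://netbanking.examplebank.example/",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text))
```

The first two samples show why the bank's name appearing somewhere in a link proves nothing: only the end of the host name decides where the link really goes.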
2. Ransomware
- What it is: Imagine someone locks your house and demands money to give you back the keys. Ransomware does this to your computer files.
- How it works: Malicious software sneaks into your computer (usually through email attachments, links and infected websites) and locks all your files. You cannot open your photos, documents, or anything else until you pay the criminals, usually in cryptocurrency.
- Prevention tip: Regularly back up your important files to an external hard drive or cloud storage that’s not connected to your main computer.
- Real example
The 2022 AIIMS Delhi attack was a nightmare. Hackers locked the hospital’s entire computer system, including patient records and appointment systems. For weeks, doctors had to work without access to digital records, affecting thousands of patients. The hospital refused to pay the ransom and spent months recovering its systems.
3. Data breaches
- What it is: It is like a sneaky neighbourhood aunty snooping on your medical reports, school report cards, open WhatsApp chats, etc. The only difference is that she does not steal and sell that information, but it is definitely a data breach.
- How it works: Hackers break into company databases and steal customer information – your name, phone number, email, Aadhaar details, PAN card, credit card numbers, medical data, etc.
- What you can do: You cannot prevent companies from getting hacked, but you can limit the damage by using different passwords for different accounts and monitoring your bank statements regularly.
- Real examples:
- In 2021, hackers stole personal details of over 40 lakh passengers travelling through Air India, including passport information and credit card details.
- In 2024, hackers leaked health records and personal data of millions of Star Health Insurance policyholders.
4. UPI and digital payment frauds
- What it is: Scams targeting people using PhonePe, Google Pay, Paytm, and other digital payment apps with the help of common tricks such as:
- Fake customer care calls: Someone calls claiming to be from PhonePe support, saying there’s a problem with your account and they need your UPI PIN to fix it.
- Wrong transaction scams: You get a call saying money was sent to your account by mistake, and you need to send it back immediately.
- QR code scams: Fraudsters share fake QR codes that, when scanned, steal money instead of receiving it.
- Prevention tip: Never share your UPI PIN, OTP, or bank details with anyone over the phone, no matter how urgent they make it sound.
- Real example: Very recently, I read up on how a Mumbai resident lost ₹2.5 lakh when someone called claiming to be from Paytm customer care, saying his account was compromised and they needed his UPI PIN to secure it.
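A scanned UPI QR code is just text in the public `upi://pay` deep-link format, so it can be read before any PIN is entered to see who gets paid and how much. The sketch below is an added example, not part of the original guide; the parameter names (`pa`, `pn`, `am`, `cu`, `tn`) come from that public format rather than from this page, and the sample code, UPI IDs and lure-word list are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import urlsplit, parse_qs

# Words that suggest "you will receive money"; a UPI QR can only make you pay.
LURE_WORDS = ("refund", "receive", "cashback", "prize", "reward", "lottery")

# Constructed sample: a "refund" QR of the kind described above.
FAKE_REFUND_QR = ("upi://pay?pa=collect.desk77@examplepsp&pn=Wallet%20Refund%20Desk"
                  "&am=4999.00&cu=INR&tn=Refund%20cashback")


def inspect_upi_qr(payload, expected_vpa=None):
    """Summarise a decoded QR string before any PIN is entered.

    payload      -- text read from the QR code by any scanner app
    expected_vpa -- UPI ID the recipient told you directly (optional)
    """
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() != "upi" or parts.netloc.lower() != "pay":
        return {"is_upi_payment": False,
                "warnings": ["not a UPI payment code; treat any link inside as untrusted"]}

    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    vpa = params.get("pa", "").lower()   # payee UPI ID
    name = params.get("pn", "")          # payee display name (set by the QR's creator)
    note = params.get("tn", "")          # free-text note
    try:
        amount = Decimal(params["am"]) if "am" in params else None
    except InvalidOperation:
        amount = None

    warnings = ["approving this debits YOUR account; receiving money never needs a scan or PIN"]
    if not vpa or "@" not in vpa:
        warnings.append("payee UPI ID missing or malformed")
    if expected_vpa and vpa != expected_vpa.lower():
        warnings.append(f"payee {vpa} is not the expected {expected_vpa.lower()}")
    if amount is not None:
        warnings.append(f"amount pre-filled by the code: {amount} {params.get('cu', 'INR')}")
    lures = [w for w in LURE_WORDS if w in (name + " " + note).lower()]
    if lures:
        warnings.append("wording promises incoming money: " + ", ".join(lures))
    return {"is_upi_payment": True, "payee_vpa": vpa, "payee_name": name,
            "amount": amount, "note": note, "warnings": warnings}


if __name__ == "__main__":
    for line in inspect_upi_qr(FAKE_REFUND_QR, expected_vpa="friend@examplepsp")["warnings"]:
        print("-", line)
```

The display name in `pn` is chosen by whoever made the code, which is why the check compares the UPI ID itself against one obtained directly from the recipient.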
5. Social media and WhatsApp scams
Ever got a message from your friend that she is in dire need of money and is seeking help?
Or a message saying you have won a lottery or prize, but need to pay processing fees first?
Or a fake job offer asking for money upfront for “processing” or “training”?
These are all instances of a social media scam. The attacker reaches you through the social media that you and I cannot live without: Instagram, Facebook, WhatsApp, X, etc.
Real example
During COVID-19, thousands of people fell for fake messages claiming the government was giving Rs. 5,000 cash assistance, but you had to click a link and pay Rs. 200 as a “processing fee” first.
6. Cryptocurrency and investment frauds
“First of all, what is cryptocurrency?” asked my dadi.
Cryptocurrency is like digital money; you cannot see or touch it like hard cash, but people use it to buy things or invest online. Here, the biggest issue is that there is no bank or government watching over it. So, if you are attacked, it is often difficult to get your money back.
However, under the Prevention of Money Laundering Act, 2002, authorities can seize assets linked to crypto frauds, offering some hope for recovery in regulated exchanges like WazirX.
How it works: You are promised huge returns on cryptocurrency investments or trading apps. Initially, they might even show fake profits to build your trust, then disappear with your money.
Real example
The 2024 WazirX hack saw cyber attackers steal Rs. 1,900 crores worth of cryptocurrency, affecting millions of Indian investors. Many people lost their life savings.
Impacts of cyberattacks
Let me break down how cyberattacks can affect your life:
1. Financial losses
I think my grandmother understood the concept pretty well.
She told me about her friend Mrs. Sharma, who spent 40 years of her life as a schoolteacher in Delhi. With retirement came peace and Rs. 12 lakh in savings that she hoped would see her through her golden years.
One morning, the phone rang.
“Ma’am, I’m calling from your bank’s fraud prevention team. We have detected suspicious activity.” The caller sounded official. Polite. Concerned. And he knew Mrs. Sharma’s account details. Reassured, Mrs. Sharma followed the steps to “secure” her account.
By the time she hung up, her life savings had vanished. Rs. 12 lakh in less than 2 minutes, and unfortunately, she was back to square one.
2. Identity theft
Here is a story of my school friend, Radhika, a software engineer from Pune. She was over the moon when she finally decided to buy her own house. But her dream was shattered when the bank rejected her home loan.
“You already have three active personal loans worth ₹15 lakh,” the manager told her.
Shocked, Radhika dug deeper. Cyber attackers had stolen her Aadhaar and PAN details from a previous data breach. They used them to:
- Open fake bank accounts in her name
- Apply for loans using her high credit score
- File false income tax returns with inflated income
- Generate fake salary slips with her personal details.
It took her 18 exhausting months and Rs. 2 lakh in legal fees to prove that none of it was her doing. And during that time, she could not even apply for any genuine credit.
3. Emotional stress
After the identity theft incident, Radhika, of course, suffered a financial blow. But she also lived with constant anxiety, sleepless nights, and the fear of losing control over her own life.
Every bank message made her heart race, and it made her feel helpless. Cybercrime did not just attack her finances, it shook her confidence and peace of mind.
4. Business disruption
Let me tell a story about my favourite restaurant, “Punjabi Tadka”, a thriving family-run restaurant chain with 5 outlets in Mumbai alone. The Diwali season was their busiest and thus, the most profitable time of the year.
Until one day, everything went dark.
A ransomware attack hit their systems. Every screen in every outlet displayed the same message: “Your data has been encrypted. Pay Rs. 30 lakh in Bitcoin to get it back.”
As a result:
- The online ordering system crashed
- Salary payments to 200+ employees were frozen
- Supplier transactions halted
- The customer database of over 50,000 loyalty members was locked
The 15-day shutdown during peak festive time cost them Rs. 80 lakh in revenue. Even after recovery, 30% of their regulars had moved to competitors. The family had to take a loan just to survive.
This cyber attack nearly finished them.
5. National security risks
Do you remember the 2022 AIIMS Delhi ransomware attack? It showed how cyberattacks can threaten lives, not just money. For a considerable period of time:
- 40,000+ daily patient records were inaccessible
- Doctors had to work with pen and paper, slowing treatment
- Critical surgeries were delayed due to a lack of digital records
- Emergency services were disrupted
- Research data worth years of medical work was at risk
The attack did not just affect AIIMS; it created fear about the security of all major hospitals in India, affecting millions of patients nationwide.
How to respond to a cyber attack?
If you think you have been attacked, here is your step-by-step, phase-wise action plan:
Phase 1: What should you do in the first hour of the attack?
1. Stay calm and don’t panic
- Do NOT immediately shut down systems (this can destroy evidence)
- Avoid clicking anything suspicious or trying to “fix” the problem yourself
- Document everything you observe
2. Activate your incident response team
- Contact your IT security team immediately
- If you do not have one, contact your IT vendor or cybersecurity consultant
- Designate one person to coordinate the response
3. Isolate the affected systems
- Disconnect infected devices from the network (unplug ethernet cable)
- Keep infected systems powered on for forensic analysis
- Switch to backup systems if available
4. Preserve evidence
- Take photos of error messages or suspicious screens
- Note the time of discovery and any unusual system behaviour
- Don’t delete anything, even if it looks malicious
Phase 2: Assessment and documentation (1-6 Hours)
A. Next, determine the scope
1. Identify what is affected
- Which systems, networks, or data have been compromised?
- Are customer records, financial data, or personal information involved?
- Has the attack spread to other connected systems?
2. Classify the incident type
- Ransomware (files encrypted, ransom demand)
- Data breach (unauthorised access to sensitive information)
- Malware infection (suspicious software installed)
- Phishing attack (credentials compromised)
- DDoS attack (services unavailable)
3. Assess business impact
- What critical business functions are affected?
- Are customer services disrupted?
- What’s the potential financial loss?
B. Mandatory reporting in India
CERT-In reporting requirement: All cybersecurity incidents must be reported to CERT-In within 6 hours of detection. This includes:
- Data breaches affecting personal information
- Ransomware attacks
- Unauthorised access to systems
- Defacement of websites
- Malware infections
- DDoS attacks
How to report:
- Email: [email protected]
- Phone: +91-11-24368060
- Online portal: https://www.cert-in.org.in/
Information to include:
- Date and time of incident discovery
- Type of incident and affected systems
- Potential impact on operations
- Initial assessment of data compromise
- Contact details of the reporting person
Phase 3: Containment and damage control (6-24 Hours)
A. Stop the spread
1. Network segmentation
- Isolate affected network segments
- Block suspicious IP addresses or domains
- Change all administrative passwords
- Disable compromised user accounts
2. System hardening
- Apply emergency security patches
- Enable additional monitoring and logging
- Implement emergency access controls
- Review and update firewall rules
3. Communication management
- Prepare internal communication for employees
- Draft customer notification if personal data is involved
- Coordinate with legal team on external communications
- Monitor social media and news for mentions
B. For specific attack types
Ransomware response:
- Do NOT pay the ransom immediately
- Check if free decryption tools are available
- Assess backup recovery options
- Consider involving law enforcement
Data breach response:
- Identify exactly what data was accessed
- Determine if encryption was in place
- Assess legal notification requirements
- Prepare breach notification letters
Phishing attack response:
- Reset all potentially compromised passwords
- Enable multi-factor authentication
- Review email security settings
- Train employees on the attack method used
Phase 4: Recovery and restoration (1-7 Days)
A. System recovery
1. Clean and rebuild
- Scan all systems with updated antivirus
- Rebuild infected systems from clean backups
- Update all software and security patches
- Implement additional security measures
2. Data recovery
- Restore data from verified clean backups
- Verify the integrity of restored data
- Test all critical business functions
- Validate that security controls are working
3. Enhanced monitoring
- Implement enhanced logging and monitoring
- Set up alerts for suspicious activities
- Conduct vulnerability assessments
- Review and update security policies
B. Business continuity
1. Operational recovery
- Restore critical business functions first
- Communicate restoration status to stakeholders
- Update customers on service availability
- Document lessons learned
2. Financial assessment
- Calculate direct costs (system restoration, lost productivity)
- Assess indirect costs (reputation damage, customer loss)
- Review insurance coverage and file claims
- Plan for additional security investments
Phase 5: Legal and regulatory compliance (ongoing)
1. Personal data protection
- Under the Digital Personal Data Protection Act (DPDP Act), organisations must notify affected individuals and authorities of personal data breaches
- Timeline: As soon as possible, typically within 72 hours
- Include: Nature of breach, data involved, potential consequences, remedial actions
2. Sector-specific regulations
- Banking/Finance: SEBI requires notification within 6 hours for market infrastructure institutions
- Healthcare: Follow HIPAA-equivalent guidelines for patient data
- Government: Additional NCIIPC notification requirements
3. Law enforcement coordination
- File an FIR with the local cybercrime police if criminal activity is suspected
- Cooperate with investigation agencies
- Preserve evidence as per legal requirements
- Consider engaging forensic experts
Documentation requirements
1. Incident report documentation
- Timeline of events and discovery
- Technical details of the attack
- Systems and data affected
- Response actions taken
- Lessons learned and improvements needed
2. Evidence preservation
- Forensic images of affected systems
- Network traffic logs
- Communication records
- Financial impact assessment
- Regulatory compliance records
Emergency contact information
- CERT-In Emergency: +91-11-24368060
- Cyber Crime Helpline: 1930
- National Cyber Crime Reporting Portal: https://cybercrime.gov.in
Key stakeholders to notify
- Internal IT/security team
- Legal counsel
- Insurance company
- Key customers and partners
- Regulatory authorities (as required)
- Law enforcement (if criminal activity is suspected)
Professional support
- Incident response consultants
- Digital forensics experts
- Legal counsel specialising in cyber law
- Crisis communication specialists
- Cyber insurance providers
How to file a complaint
Here is a snapshot that will guide you through:
What is the legal framework in India?
Do not worry, you don’t need to become a legal expert, but here is what protects you:
- Information Technology Act, 2000 (Amended 2008)
- Section 43 – Damage to computer systems
- Section 66 – Computer-related offences and hacking
- Section 66C – Identity theft
- Section 66F – Cyber terrorism
- Section 70 – Critical infrastructure protection
- Bharatiya Nyaya Sanhita, 2023
- Section 318 – Cheating by impersonation
- Section 336 – Forgery of electronic records
- Section 356 – Cyber defamation
- Digital Personal Data Protection Act, 2023
- Section 8 – Data breach prevention
- Section 33 – Heavy financial penalties
- Section 28 – Organisational accountability
- Bharatiya Sakshya Adhiniyam, 2023
- Listed company compliance requirements
- Incident monitoring and reporting
- Market infrastructure protection
- Banking sector protection frameworks
- Real-time IT monitoring requirements
- Incident reporting timelines
- Telecom fraud prevention
- Consumer consent requirements
- Commercial communication control
- National incident response protocols
- Mandatory vulnerability reporting
- Cybersecurity awareness requirements
How to prevent cyberattacks in India
Here’s your practical guide to staying safe online:
1. Maintain digital hygiene
Keep everything updated:
- Update your phone’s software when you get notifications
- Update apps regularly through the Google Play Store or the App Store
- Use antivirus software on your computer (Quick Heal is a good Indian option)
Use strong passwords:
- Do not use the same password everywhere
- Make passwords long and include numbers, letters, and special characters as instructed
- Use your phone’s built-in password manager or apps like Google Password Manager.
- Enable two-factor authentication for your banking apps, email and social media. This means even if someone steals your password, they still can’t access your account without your phone.
2. Smart online behaviour
Email safety:
- Don’t click links in emails from unknown senders
- Be suspicious of urgent emails asking for personal information
- When in doubt, call the company directly using their official phone number.
Social media caution:
- Don’t share personal details like your location, travel plans, or financial information
- Be careful about friend requests from strangers
- Don’t click on suspicious links shared by friends – their accounts might be hacked
UPI and digital payment safety:
- Never share your UPI PIN with anyone
- Don’t scan QR codes from unknown sources
- Always double-check the recipient’s name before sending money
- Set daily transaction limits on your UPI apps
3. What to do if you are targeted
If you receive a suspicious call:
- Don’t panic, even if they threaten you
- Don’t share any personal information
- Hang up and call the company directly using their official number
- Report the number to the National Cyber Crime Helpline: 1930
If you realise you have been scammed:
- Don’t feel embarrassed, it can happen to the smartest people, too
- Act quickly, time is crucial
- Follow the steps in the next section.
Final thoughts
Living in digital India is amazing: you can pay for your chai with your phone, book a cab in seconds, and video call family across the world. But with these conveniences come risks that we all need to understand and prepare for.
The good news? Most cyberattacks can be prevented with simple precautions. Think of cybersecurity like wearing a seatbelt: it is a small effort that can save you from major harm.
Remember these key points:
- Stay alert: If something seems too good to be true or too urgent, it probably is.
- Keep learning: Scammers constantly change their methods, so stay updated.
- Don’t panic: If you do fall victim, quick action can limit the damage.
- Share knowledge: Help your family and friends stay safe, too.
The criminals are getting smarter, but so are we. By following the advice in this guide and staying vigilant, you can enjoy all the benefits of Digital India while keeping yourself and your loved ones safe.
Just remember: When in doubt, always call 1930 or visit cybercrime.gov.in
FAQs
- Can I report a cyberattack anonymously in India?
Yes, the National Cyber Crime Reporting Portal allows anonymous reporting, especially for sensitive cases. However, providing your contact details helps police investigate better.
- What should I do if my bank account is hacked?
- Immediately call your bank’s customer care (the number on your debit card)
- Call 1930 for the cybercrime helpline
- File a complaint on cybercrime.gov.in
- Visit your nearest police station to file an FIR
- Keep all transaction records and screenshots
- Are companies responsible if my data gets stolen from their systems?
Under the new Digital Personal Data Protection Act, 2023, companies must protect your data and inform you if there is a breach. They can be heavily fined for negligence, though full enforcement is still pending.
- I’m a small business owner. How can I afford cybersecurity?
- Start with basics: regular software updates and employee training
- Use free antivirus and firewall software
- Enable 2FA on all business accounts
- Consider affordable cybersecurity services from Indian companies
- Follow CERT-In guidelines for small businesses
- My elderly parents keep getting scam calls. What can I do?
- Teach them to never share personal information over the phone
- Set up call-blocking apps on their phones
- Register their numbers on the Do Not Call registry
- Set low daily limits on their UPI and banking apps
- Report scam numbers to 1930
- Is it safe to use public WiFi in India?
Public WiFi can be risky. If you must use it:
- Avoid banking or shopping
- Use a VPN app
- Make sure websites start with “https://”
- Turn off auto-connect to WiFi networks.