You receive an urgent call. The caller claims to be from your bank, mobile carrier, or a government department. They sound confident. They know your name. They alert you to account blockage, suspicious activity, or failed transactions.
Then comes the fatal moment. You share an OTP.
Within minutes, money disappears from your account. No warning. No confirmation. Just panic.
OTP scams have become one of the most common forms of cyber fraud in India. Every day, thousands of people, including students, professionals, senior citizens, and even business owners, lose money this way.
In 2025, cybercriminals in India are more sophisticated than ever, and so are the laws. With the DPDP Act 2023 (backed by the 2025 Rules) and RBI’s updated fraud‑prevention circulars, your protections are stronger, but recovery still depends on one thing: how fast you report the fraud.
The biggest question victims ask is: “Can I get my money back legally?”
This blog answers that honestly, practically, and legally, without false hope, but without fear either.
What Exactly Is an OTP Scam?
An OTP (One Time Password) scam happens when a fraudster tricks you into sharing a confidential OTP generated by your bank, UPI app, wallet, or card.
Once the OTP is shared, the fraudster completes a transaction, often instantly.
Common OTP scam methods in India include:
- Fake bank verification calls
- KYC update scams
- UPI collect request fraud
- SIM swap-based OTP interception
- Fake customer care numbers from Google search
Important to understand: OTP is treated as your digital signature.
The “Golden Hour”: Why the First 60 Minutes Matter
In the world of cybercrime, the “Golden Hour” is the first hour after the fraud occurs. This is the window when the funds are typically held in a “mule account” before being withdrawn or converted into crypto. If you report the fraud within this window, the National Cyber Crime Reporting Portal (NCRP) can trigger an emergency “freeze” on the recipient’s account.
- Call 1930 immediately: This is the national helpline for financial cyber fraud.
- Report on cybercrime.gov.in: Provide the transaction ID, the scammer’s phone number, and screenshots.
- Inform Your Bank Immediately: Call your bank’s fraud helpline and report unauthorised transactions. Ask for a complaint number.
- Block Your Account / Card / UPI: Stop further damage. Block access immediately.
Can Victims Get Money Back After an OTP Scam?
The honest legal answer is: It depends on timing, the bank’s response, and the circumstances.
There is no automatic rule that OTP scam money is unrecoverable. Indian law looks at:
- How quickly the victim reported the fraud
- Whether bank systems failed
- Whether due diligence was followed
- Whether the transaction violated RBI norms
In many cases, victims can get their money back. But only if the correct steps are taken quickly and legally.
The RBI’s Zero Liability Policy (Updated 2025)
Under the RBI’s Master Directions, your liability is determined by how quickly you report and where the security gap occurred:
| Scenario | Victim’s Liability |
|---|---|
| Contributory fraud by the Bank (e.g., technical glitch) | Zero Liability (Full Refund) |
| Third-party breach (Neither bank nor customer at fault) reported within 3 days | Zero Liability |
| The victim shared the OTP but reported it within 3-7 working days | Limited Liability (Depends on transaction value) |
Note: Even if you were tricked into sharing an OTP, if you can prove that the bank’s “Risk-Based Authentication” failed to flag a highly unusual transaction (e.g., a sudden transfer of ₹5 Lakhs to a new account at 3 AM), you may have a case for “Deficiency of Service” under the Consumer Protection Act.
Often, scammers know your name, bank account, and recent purchases because this data may have been leaked in a personal data breach.
Under the Digital Personal Data Protection Act, 2023, a company (Data Fiduciary) that fails to implement reasonable security safeguards to prevent a violation may be fined up to ₹250 crore per breach by the Data Protection Board of India.
If you suspect that a shopping app or service provider has leaked your data, you can first use its grievance redressal mechanism and, if your issue is not resolved within the prescribed time, escalate a complaint to the Data Protection Board.
Separately, action under the DPDP Act works alongside (not instead of) your usual cyber‑fraud recovery routes, such as bank/RBI mechanisms, consumer fora, and criminal complaints.
Step-by-Step Legal Process After OTP Fraud
Step 1: File Cyber Crime Complaint
File a complaint at: https://cybercrime.gov.in
Mention:
- Date and time of fraud
- Amount lost
- Bank details
- Phone numbers used by fraudsters
This step is mandatory for any legal recovery.
Step 2: Register FIR (If Amount Is Significant)
For amounts above a certain threshold or bank non-cooperation, file an FIR at your local police station. Cyber cells take an FIR seriously when the documentation is proper.
Step 3: Submit Written Complaint to Bank
Send a written complaint to:
- Bank branch
- Bank grievance officer
Mention the RBI guidelines and demand an investigation.
What RBI Guidelines Say About OTP Fraud
RBI has issued multiple guidelines on unauthorised electronic banking transactions and cyber fraud.
Key principle: Customer liability declines sharply when fraud is reported promptly.
If:
- Fraud is reported within 3 working days → the customer has no liability if the fault lies with the bank or a third‑party breach, as per RBI’s “limited liability” rules.
- Bank systems failed or RBI norms were not followed → the bank may have to bear the loss, even if a fraudster used OTP‑based transactions.
Banks cannot mechanically reject every claim just by saying “OTP was shared”; they must investigate, follow RBI’s customer‑protection framework, and consider possible system or process failures.
What if the bank refuses a refund?
If the bank rejects your claim:
- Escalate to the bank’s grievance cell
- File a complaint with the RBI Banking Ombudsman
- Approach the Consumer Court
Consumer courts have jurisdiction even for digital fraud cases.
Common Mistakes Victims Make
- Delaying complaint
- Only calling customer care, not writing
- Not filing a cyber complaint
- Accepting bank rejection without escalation
Legal recovery fails mainly due to inaction, not law.
How to Protect Yourself from OTP Scams
- Never share OTP, even with “bank officials.”
- Banks never ask for OTP on calls
- Do not Google customer care numbers blindly
- Enable transaction alerts
- Educate family members, especially elders
— — —
Disclaimer:
This article is published for general legal awareness and informational purposes only, and should not be construed as legal advice or a solicitation to act.
About the Author:
Joginder Poswal is an advocate enrolled with the Bar and practising law, specialising in cyber law, criminal law, and corporate compliance.
