How to Handle Credit Card Fraud and Unauthorised Transactions in India 2026
How to Handle Credit Card Fraud — Unauthorised Transactions and Your Liability
Last verified: April 2026, against RBI Customer Liability Framework, IT Act provisions on banking fraud, and major issuer fraud-handling procedures.
Credit card fraud in India is rising — RBI’s 2024 data shows ~15% year-on-year increase in card fraud reports. The good news: RBI’s Customer Liability Framework strongly protects cardholders if you act fast. Within 3 working days of fraud, your liability is zero. After 7 days, you bear full liability. This guide walks through the immediate steps, RBI rules, and practical fraud-handling.
Common credit card fraud types in India 2026
| Type | Description | Frequency |
|---|---|---|
| Phishing / Vishing | SMS, email, or call extracts OTP / CVV / PIN | Most common |
| Card skimming | Card details copied at compromised POS / ATM | Declining (chip cards stronger) |
| Online merchant fraud | Card details captured by malicious merchant or hacked website | Rising with e-commerce |
| SIM swap fraud | Fraudsters obtain duplicate SIM, intercept OTPs | Targeted attacks |
| UPI-related | Fake QR codes or “unblock UPI” scams | Common for new card users |
| EMI / loan-on-card scam | “Convert to EMI” call → OTP extraction | Targeted at older users |
| Lost / stolen card use | Physical card lost, used before block | Standard |
The RBI Customer Liability Framework — your protection
| Time after fraud noticed | Your liability |
|---|---|
| Within 3 working days | Zero — full refund |
| 4-7 working days | Limited — capped at ₹10,000 (or ₹25,000 for HNW segment) |
| After 7 working days | Full liability up to transaction amount |
| Negligence proven (you shared OTP/CVV) | Full liability regardless of timing (issuer’s view; can be challenged via Ombudsman) |
“Working day” excludes Sundays and bank holidays. Clock starts when the fraud is communicated to you (statement, SMS, app alert).
Speed is everything. Block within hours of noticing.
Step 1 — Block the card immediately
- Issuer app: Most apps have one-tap “Block Card” feature — fastest route
- Issuer helpline: 24/7 fraud reporting numbers
- SMS / IVR: Some issuers support SMS block (e.g., HDFC: send “BLOCKCARD” to 5676767)
- Branch: If app/phone unavailable
Get a “block reference number” — keep this for all subsequent communication.
Step 2 — File FIR (mandatory for fraud claim)
- Visit nearest police station or file online FIR (cybercrime portals: cybercrime.gov.in)
- Provide:
- Card details (last 4 digits)
- Disputed transaction list with dates and amounts
- Block reference number from issuer
- Evidence (suspicious SMS, screenshots, etc.)
- Get FIR copy or acknowledgement number
FIR is mandatory documentation for the issuer’s fraud claim process.
Step 3 — File the dispute with the issuer
- Login to issuer app or call
- Raise dispute on each fraudulent transaction
- Submit FIR copy + evidence
- Get dispute reference number
- Provide bank with new contact / address if compromised
Issuer typically issues provisional credit (refund) within 7 working days while investigation proceeds. See chargeback process guide.
Step 4 — Update your security posture
- Change all online banking passwords — issuer apps, net banking, email
- Enable 2FA wherever available
- Review other accounts for similar fraud patterns
- Update mobile and address with bank if compromised
- Pull free CIBIL report after 30 days to verify no rogue accounts opened in your name
- Check linked devices on issuer app — log out unfamiliar devices
- Review auto-debit / standing instructions on the card and migrate to new card
What constitutes “negligence” (and what doesn’t)
Issuer may attempt to deny fraud claim citing your “negligence.” RBI definitions:
Negligence (full liability):
- You shared OTP / CVV / PIN with anyone (including caller / family member)
- You wrote PIN on card
- You stored CVV digitally without encryption
- Documented gross carelessness
NOT negligence (RBI protection applies):
- Phishing email or SMS — you genuinely thought it was bank
- Compromised merchant website
- Card cloning at compromised POS
- Skimming at ATM
- Stolen physical card
- Family member fraud (varies; report immediately to claim)
If issuer claims “negligence” disputingly, escalate via Banking Ombudsman with documentation.
Phishing / vishing red flags
Common scam patterns:
- “Your KYC is expiring” → asks for card details / OTP
- “You won a free credit card upgrade” → extracts OTP
- “Suspicious transaction detected, share OTP to block” → fraudster’s transaction goes through
- “Pre-approved loan, click link to apply” → phishing site
- “Your bonus reward points expire today” → fake URL for OTP capture
Universal rule: Banks never call asking for OTP, CVV, PIN, or password. Hang up immediately on any such call. Use only the phone number on the back of your card to call back.
Linked deep-dives
- How to dispute credit card transaction
- How to read credit card statement
- How to use credit card abroad
- CC fees and charges decoded
- CC billing cycle and interest
- CIBIL improvement plan
FAQs
How quickly should I report credit card fraud?
Within 3 working days of noticing for zero liability. Within 24 hours is best practice. Block immediately; file FIR same/next day; file dispute within 3 days.
Is credit card fraud covered by insurance?
RBI Customer Liability Framework provides protection regardless of card insurance. Some premium cards (Infinia, Magnus, Amex Platinum) include credit card fraud insurance as additional protection.
Can I be held liable if I shared OTP with someone claiming to be from bank?
Issuer may claim negligence. RBI Ombudsman has overturned many such denials, especially when phishing was sophisticated. Pursue via Ombudsman if denied.
Do I need to pay the fraudulent amount in my next statement?
Pay only the legitimate (non-disputed) portion. The disputed amount sits as “under investigation” and won’t accrue interest. Bank’s provisional credit usually offsets the disputed charge during investigation.
What if the fraud happens during international travel?
Same procedure — block immediately via international helpline, file FIR (if possible at local police, otherwise on return to India), file dispute with issuer. Customer liability rules same.
Can I claim psychological damages or compensation beyond the disputed amount?
Generally no, in standard chargeback. Consumer Forum can award compensation for service deficiency, but typically requires significant negligence by the bank. Most cases resolve at refund-only stage.
Sources & references
- RBI Customer Liability Framework (Master Direction, 2017 + 2024 amendment)
- RBI Master Direction on Credit Card and Debit Card Issuance and Conduct
- Information Technology Act 2000 (cyber fraud provisions)
- Banking Ombudsman Scheme 2006 (and subsequent amendments)
Last verified: April 2026. Customer Liability Framework provisions stable; specific case handling varies by issuer.
