Skip to main content
GT Legal AssociatesAdvocates & Legal Counsel
GT Legal Associates office
Cyber Fraud Response

Cyber Fraud: Immediate Legal Response Guide

Immediate legal and forensic response steps for cyber fraud incidents, including evidence preservation, reporting, bank escalation and recovery strategy.

Published 15 February 20267 min readBy GT Legal AssociatesLast updated 15 February 2026
Main Article

Cyber fraud has emerged as one of the fastest-growing categories of financial crime in India. The Indian Cyber Crime Coordination Centre (I4C) recorded over 1.5 million cybercrime complaints in 2023 alone, with financial fraud accounting for the overwhelming majority. When an organisation or individual falls victim to a cyber fraud incident, the first seventy-two hours are decisive both for containing the damage and for building a legally defensible evidentiary record. This guide sets out the immediate legal and forensic steps that counsel and clients should take in the critical window following discovery of an incident.

Cyber fraud in India is prosecuted under multiple overlapping statutes. The Bharatiya Nyaya Sanhita, 2023 (BNS) addresses offences including cheating (Section 318), criminal breach of trust (Section 316), and forgery, while the Information Technology Act, 2000 (IT Act) covers identity theft (Section 66C), cheating by personation using a computer resource (Section 66D), and hacking (Section 66). Understanding this statutory matrix is essential before lodging a complaint, because the jurisdiction and route of escalation depend on the specific offence characterisation.

The First Seventy-Two Hours: Evidence and Containment

The single most important action a victim can take immediately after discovering a fraud is to preserve all digital evidence in its native, unaltered form. This means capturing and hashing screenshots, transaction logs, email headers, SMS records, bank statements, call logs, and any communication associated with the fraudulent transaction. Evidence should be preserved using write-blocking tools where possible, and forensic copies should be made before any attempt is made to recover access or remediate systems. Altering or deleting data even inadvertently in the course of system recovery can undermine the evidentiary value of what remains.

Counsel should advise clients to document the incident chronologically: when the fraud was first noticed, what information or access may have been compromised, which accounts or systems were affected, and which personnel had knowledge of the event. This contemporaneous record becomes the foundation of both the police complaint and any subsequent civil action for recovery.

Reporting to Authorities and Regulators

India's primary portal for cybercrime reporting is the National Cyber Crime Reporting Portal (cybercrime.gov.in), maintained by I4C under the Ministry of Home Affairs. All financial cybercrimes including UPI fraud, phishing, business email compromise, and investment scams should be reported at this portal within the earliest possible timeframe. The portal feeds directly into the Citizen Financial Cyber Frauds Reporting and Management System (CFCFRMS), which enables rapid flagging of suspect accounts for freezing by nodal officers at banks.

For frauds involving banking or payment system infrastructure, a separate complaint to the relevant bank's fraud desk, the Reserve Bank of India's Sachet portal, and the National Payments Corporation of India (NPCI) helpline (18001201740) should follow immediately. RBI's master directions on customer protection require banks to credit the complainant's account with the disputed amount within ten working days if the fraud arose from a bank-side negligence. This reversal is unavailable if reporting is delayed beyond the prescribed timelines, making prompt action essential.

If the fraud involves a listed entity, information systems, or data of significant scale, CERT-In (the Indian Computer Emergency Response Team) must be notified within six hours of detection under the CERT-In Directions of 28 April 2022. Failure to notify CERT-In within the prescribed window carries separate regulatory consequences under the IT Act.

Filing the FIR and Engaging Specialised Units

A first information report (FIR) should be filed at the jurisdictional cybercrime police station or at the local police station under Sections 318 and 66C/66D as appropriate, citing the specific transaction details, account numbers, and digital evidence preserved. In cases involving inter-state fraudsters which is the norm in organised cyber fraud the FIR will typically be transferred to or coordinated with the State Cyber Cell or specialised units such as the Cyber Crime Investigation Cell (CCIC). Counsel should ensure that the complaint specifically requests a transit remand order and a Section 94 of the Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS) notice to the bank for production of account records.

Where the amount in question is significant, parallel civil action an application for an injunction to freeze suspect accounts under Order 39 of the Code of Civil Procedure can be filed before a civil court with jurisdiction over the defendant's bank branch. Courts have in recent judgments granted ex parte ad interim injunctions within hours in cases of documented financial fraud, making this avenue a viable complement to the criminal route.

Recovery Strategy and Ongoing Legal Management

Recovery of fraudulently transferred funds is possible but time-sensitive. Once suspect accounts are flagged through CFCFRMS, nodal officers at the receiving banks can place a hold on the balance. However, fraudsters routinely layer transactions through multiple mule accounts, often converting funds to cryptocurrency or withdrawing cash within hours. Counsel should accordingly file a complaint with the Financial Intelligence Unit (FIU-IND) if cryptocurrency exchanges are involved and request the relevant Enforcement Directorate zonal office to consider action under the Prevention of Money Laundering Act, 2002 (PMLA) where the fraud involves proceeds of scheduled offences.

Beyond recovery, organisations must assess whether the incident triggers any disclosure obligations to their board, to regulators, to business partners, or under the Digital Personal Data Protection Act, 2023 to the Data Protection Board if personal data of data principals was compromised as part of the fraud. Early legal counsel helps map these obligations before they become defaults.

Key Takeaways

  • Preserve all digital evidence in native, unaltered form within the first hours of discovery do not attempt system recovery before forensic copies are secured and hash-verified.
  • Report immediately to cybercrime.gov.in, the affected bank, and CERT-In within six hours for covered entities delayed reporting forfeits statutory entitlements to bank credit reversal under RBI master directions.
  • Parallel civil action an urgent injunction application to freeze suspect accounts substantially increases the probability of fund recovery and should be filed without delay alongside the criminal complaint.
  • Where cryptocurrency exchanges are involved, a complaint to FIU-IND and coordination with the Enforcement Directorate under the PMLA is a critical additional step to trace and recover layered proceeds.
  • Assess whether the incident triggers disclosure obligations under the DPDP Act 2023 or sector-specific RBI directions before any public or regulatory communication is made.

Article Tags

Digital Evidence Indian Law Forensic Advisory Compliance
How GT Legal Can Assist

Suffered a cyber fraud and need to act quickly?

The hours immediately following a cyber fraud incident are critical. Whether you need to freeze a fraudulent transaction, file a complaint with the cybercrime portal, preserve digital evidence for enforcement purposes, or coordinate with your bank on a reversal request, our team can provide immediate legal guidance. We also advise on regulatory reporting obligations, civil recovery strategy, and the steps needed to protect your position in any enforcement or insurance proceedings that follow.

Book Consultation

References

  • Information Technology Act, 2000 Sections 43, 66, 66C, 66D: Ministry of Electronics & Information Technology, India Code (indiacode.nic.in).
  • Bharatiya Nyaya Sanhita, 2023 Sections 316 and 318: Ministry of Law & Justice, India Code.
  • Bharatiya Nagarik Suraksha Sanhita, 2023 Section 94 (production of documents): Ministry of Law & Justice, India Code.
  • CERT-In Directions on Cyber Security Incident Reporting, 28 April 2022 Ministry of Electronics & IT, CERT-In.
  • RBI Master Direction on Customer Protection Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, RBI/2017-18/15 (as updated).
  • Prevention of Money Laundering Act, 2002 and PMLA Rules 2005 Ministry of Finance, India Code; Financial Intelligence Unit-India: fiuindia.gov.in.
  • National Cyber Crime Reporting Portal I4C, Ministry of Home Affairs: cybercrime.gov.in.

Disclaimer

This article is for general information only and does not constitute legal advice, solicitation or an advocate-client relationship. Readers should obtain advice based on their specific facts before acting on any legal, regulatory or forensic advisory issue.

Related Articles

Continue reading from our insights.

View All Insights
Data Privacy
22 Feb 2026 · 9 min read

Data Breach Legal Obligations in India

CERT-In 6-hour reporting requirements, DPDP Act obligations, and managing regulatory exposure after a personal data breach.

Read Article
Cyber Law
29 Mar 2026 · 9 min read

Cyber Extortion Response Playbook

Step-by-step legal and operational response when your business faces ransomware, DDoS threats, or data extortion demands.

Read Article
Cyber Law
3 May 2026 · 9 min read

Ransomware Incidents: Legal Considerations

Regulatory reporting obligations, ransom payment risks, and legal liability management after a ransomware attack in India.

Read Article