₹2,000 Crore Cyber Fraud in Mumbai:During the whole last five-year period (2020–2025), the city of Mumbai has been grappling with the spread of cyber-financial crimes of which about 20,000 instances have been recorded leading to a loss of over ₹ 2,000 crore. These situations are not separate; the crimes are actually a range of different types, such as card cloning and OTP-based scams to SIM-swap frauds, fake calls, and other digital traps.
₹2,000 Crore Cyber Fraud in Mumbai
While quite a lot of money has been stolen, only very little has been retrieved back. Just within a single grouping of cases, i.e., credit/debit card fraud, ATM fraud, SIM swap, cloning, and so on, the total loss was approximately ₹ 161.5 crore; however, the amount of around ₹ 4.8 crore was recovered.
Moreover, a few months ago, just to give an example of the never-ending trend, a municipal employee lost money worth ₹ 3.9 lakh because he installed a fraudulent app after receiving a fake bank call. And not many days before that, a person was defrauded of ₹ 3.80 lakh after sharing an OTP with a caller who pretended to be a bank employee.
What is drawn from the information is a solid case: cyber-fraud is not a seasonal affair anymore but an endemic one, taking advantage of both technology and human nature’s weaknesses.
How these frauds typically work?
Criminals manage to get hold of card data (in most cases, by using ATM skimmers for capturing data or if the data has been leaked) through which they can perform illegal transactions without the knowledge of the card owner and sometimes even the real card holder might not have the idea of the transaction.
Scammers try to convince victims that they are bank officials. They do this by using tricks to change the number on the caller ID or by simply calling and faking that the purpose is to “activate” or “verify” the card. Under this “new” reason, they lure the targets into giving away card numbers, CVVs, and OTPs. After that, the money is sucked off very quickly.
By forcibly taking over a user’s mobile number (in a manner such as faking credit-card offers, stealing identities or making forged documents), the perpetrators who then have the ability to receive all those bank security numbers will also be the ones receiving all the alerts which notify they have committed the transaction without the owner’s knowledge.
Victims are tricked into installing bogus “bank apps” and once installed, these apps access sensitive data or generate fraudulent transactions.
What’s alarming is how ordinary calls or messages often appearing legitimate can lead to losses of lakhs in minutes, affecting professionals, senior citizens, retirees, business owners and regular citizens alike.
Who pays when fraud happens?
If a fraud transaction is reported within three working days, and the customer has not been negligent (i.e. hasn’t shared PIN/OTP voluntarily), the customer’s liability is zero, the bank should bear the loss.
If reported after three days but within seven days, liability may be capped at ₹ 10,000–₹ 25,000, depending on the card’s transaction limit.
However, if the customer is found negligent (e.g. voluntarily shared card details, OTP, PIN, or downloaded a suspicious app), then they bear full liability for the loss.
Banks are required to initiate a “shadow reversal” within 10 working days of reporting and resolve disputes within 90 days.
In theory, this framework offers protection. But in practice, many victims even those who report quickly complain of banks refusing reimbursement. According to a recent report, although about 4,132 FIRs were filed for card-related frauds over the five-year period, recoveries were negligible. Experts argue that banks often shift blame onto customers, even when underlying causes are systemic: ATM-skimming, data leaks, flawed verification or weak authentication protocols.
A cyber-security expert quoted in a report says: “Pinning blame on users for OTP disclosures is misplaced, as most incidents trace back to foundational lapses like porous databases and lax authentication protocols.”
Thus, in many cases the real burden falls on the victims not just financially, but emotionally too as they fight legal notices, denial from banks, recovery calls, and bureaucratic inertia long after the fraud has occurred.
World’s Biggest Bitcoin Fraud: How Zhimin Qian Built a $6 Billion Bitcoin Scam
What victims and banks must do?
Never share CVV, PIN, OTP or other sensitive information over phone or WhatsApp, no legitimate bank call would ask for this. This is the first golden rule.
If you notice unauthorised transactions, report them to your bank immediately, ideally within three working days. This ensures “zero liability” under RBI guidelines.
Block compromised cards immediately, lodge an FIR and report to the official cyber-crime helpline (if available). Delaying increases risk of further unauthorized transactions.
Monitor bank statements and SMS/email alerts regularly so suspicious activity is noticed early.
Discard cards received physically if you are unsure of delivery chain; use only ATMs from trusted/diligently monitored banks. Avoid shady merchants or suspicious POS.
From the banking and regulatory side: banks must ensure stronger authentication (multi-factor), patch security gaps (ATM-skimmers, data leaks), better fraud-detection systems; law enforcement and telecom regulators must clamp down on SIM-swap fraud; and public awareness campaigns must be stepped up to educate citizens about evolving fraud tactics.
