Banking fraud

Online Banking Scams: Legal Recourse for a Victim

-Advocate Puneet Bhasin, Cyber Law Expert, Cyberjure Legal Consulting


If you are a victim of an online credit card scam, you can seek redress and relief under cyber laws. In the recent judgement of December 2014 by the Adjudicating Officer, Information Technology Act, 2000, in the case of Bal Kishen Rai v. PNB & Ors., the Court held that even if a victim divulges his own password by mistake to a cyber criminal in a phishing scam, in the case of internet banking, he is still protected by law. In the light of the Indian Banker’s Code 2014 read along with recent RBI Guidelines and the principles of the US Banker’s Code, in cases of Internet Banking Frauds and Credit Card frauds a victim’s liability is restricted to Rs. 10,000 only and the loss has to be borne by the Bank. This is a principle of US Internet Banking Law which, in this landmark judgement, has for the first time laid the foundation of Indian Internet Banking Liability, which is pro-consumer and completely protects consumers’ interests in cyber crimes.

Meaning of Online Banking Scams:

  1. Where your bank account is debited by an unauthorised online transaction.
  2. Where your credit card has been used without your authorisation for any transaction.
  3. Where you have given your transaction password to a scammer in response to a Phishing scam, that is, where you receive an email which resembles an email from a bank and asks for your bank account details.
  4. Where you have divulged your OTP in a Vishing scam. A vishing scam is one where a person impersonates a banking official and contacts you to obtain your credit card information on the pretext of generating a new PIN for you, and in the process undertakes online transactions using your credit card data and cheats you into divulging your OTP so that he can complete the transaction.
  5. Where a cyber criminal uses a duplicate SIM card of your registered mobile number together with your credit card data, and because of the duplicate SIM also has access to the OTP.
  6. Where your SIM card is cloned. SIM card cloning can happen in hotels, shops and any place where you use your credit card for a transaction, and your credit card data is stolen and a cloned credit card is made.

If you are a victim of an Online Banking scam, then you have legal recourse under the provisions of Section 43 of the Information Technology Act, 2000, which deals with Unauthorised Access, along with legal recourse against the Bank under Section 43A of the Information Technology Act for failure to protect your sensitive information and passwords, with a claim for compensation of up to Rs. 5 Crores.

A victim can file a complaint of the cyber crime in the prescribed format before the Adjudicating Officer, Information Technology Act, 2000, with the prescribed application fees of Rs. 50 and requisite court fees. The disposal of cyber law matters is speedy and takes place within 6 to 9 months of filing the complaint.

Disclaimer: The content of this article does not constitute legal advice, and does not create an Attorney-Client relationship between the author and the reader. Rights to Photo in article belong to


  – Advocate Puneet Bhasin, Cyber Lawyer (Cyberjure Legal Consulting)


Online banking revolutionized banking transactions, whereby money could be transferred at a single click. It has been a time saver and an extremely convenient method to undertake commercial transactions. However, it has led to a slew of litigation against banks. With online banking came phishing emails.

Phishing emails in these cases are emails which purport to have been sent by the bank and have the look and feel of a legitimate email from a bank. They require the user to enter their username and password to reconfirm their accounts, invariably threatening that if such confirmation is not made immediately the account will be frozen. In many cases these emails are also spoofed, whereby a third party sends an email using the email address of the bank; this can be easily identified by reading the complete header of the email.

Many users panic on receiving such an email and immediately give out their sensitive personal data, like banking passwords, to third parties purporting to represent the bank. They realize that they have been duped only when money is drawn out of their bank accounts by such third parties.

There has been a slew of litigation against banks whereby the victims of phishing scams file complaints against the banks under the Information Technology Act, 2000. The grounds on which such complaints are filed are Section 43, Section 43A and Section 72 A of the Information Technology Act.

Section 43 of the Information Technology Act deals with Unauthorised Access, and the Complainant in most cases alleges violation of Section 43 (a), which is accessing or securing access to a computer, computer system or computer network without permission of the owner or person in charge. However, banks have a very strong legal defence to this because the unauthorised access is by the third party who sent the phishing email and not by the bank. The bank, on receipt of any information from an online banking services user that his account has been wrongfully debited, must ask him if he responded to any email asking for his password and must ask him to submit documentary proof of that email to the bank. If the user admits that he has replied to such a phishing email, the bank must require him to submit a letter to the bank to that effect in order to enable the bank to freeze his account, so that no further unauthorised money transfer happens from his account. The bank should intimate the user by an official letter to file a complaint with the cyber crime cell, and the bank should also file an FIR against the beneficiary account holders in whose accounts the money has been unauthorisedly credited. This is important to prove the proactive efforts of the bank in a litigation by a victim against the bank under the Information Technology Act.

Section 72 A of the Information Technology Act reads as under:

“Punishment for Disclosure of information in breach of lawful contract.- Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.”

The main contention of the complainant would be that the bank has access to his password and misused it. However, as per RBI norms all banks have 128-bit encryption of passwords and the bank does not have any access to the same.

The Complainants in most cases attempt to bring the bank within the definition of an “Intermediary” under the Information Technology Act; however, the exceptions to intermediary liability under Section 79 of the Information Technology Act, 2000, apply to a bank in this case for the following reasons:

1. the function of the bank is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored.

2. the bank does not-

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission

3. the bank observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.

The banks are required to maintain ISO 27001 standards because they handle confidential and sensitive personal data of users of their services.

In brief, the banks need to undertake the following steps in order to be able to succeed in any litigation against them:

1. They should provide a handbook to the online banking services users at the time they apply for such services. The handbook should mention directions for safe use of online banking and should also contain complete information about phishing emails and scams, including information on how users can protect themselves from such phishing attacks.

2. The Online Banking Services Application should have an Indemnity clause, whereby the user indemnifies the bank.

3. The Terms and Conditions of Online Banking should contain Indemnity clauses with respect to password of the user, online transactions and use of bank’s services.

4. There should be a security tips page which warns users of phishing emails each time they log in for online banking.

5. There should be a cyber security and cyber law compliance panel. This panel should comprise cyber security experts, who should ensure that proper cyber security measures are always in place, and a cyber lawyer, who should ensure that the online banking user agreement clauses are up-to-date to restrict the bank’s liability in an environment where new cyber crimes get added each day.

6. The online user should be made to agree to indemnify the bank with respect to his usage of his password and online banking transactions with each log in.

7. There should be a well drafted Privacy Policy whereby the bank’s liability is reduced to a negligible level.

8. The cyber security and cyber law compliance panel should send emails on a routine basis to all users of online banking about the latest cyber crimes and safeguard measures. This helps show the bank’s active role in prevention of cyber crimes and shows the bank in a positive light in cyber crime litigation against the bank.

9. The Online Banking Services Agreement should have a well drafted Alternative Dispute Resolution Clause. This clause is very important as it helps preserve the image and reputation of a bank, which can get damaged when the bank is accused in such matters involving litigation.

10. The bank should actively follow up on the case investigation after filing the FIR.

In the current scenario, in most cases where the victim of a phishing scam files a complaint against the bank, the victim manages to succeed in getting compensated for his losses.

These are a few guidelines which can help a Bank succeed in litigation faced by them due to phishing scams.