Online Banking Fraud: How ₹84,000 Disappeared in 90 Seconds

The Moment It Happened

Delhi, last Tuesday afternoon. Rajesh — a 42-year-old accountant — sat at his desk in a small office in Lajpat Nagar. He opened his ICICI Bank app to transfer ₹5,000 to his daughter's college fees account. The app felt slow. He refreshed. A pop-up appeared: "Your session has expired. Please re-login for security."

He logged in again.

Three minutes later, his phone rang. It was the bank's fraud department. "Sir, we have detected unusual activity on your account. Multiple transfers have been initiated to a Paytm wallet in Bengaluru. ₹84,000 has already left your account."

Rajesh had not initiated any transfer. He checked his phone. The app showed his balance: ₹3,200. Three months of saving for his daughter's wedding outfit. Gone.

He asked me later: "How did they get in? I have a strong password. I have two-factor authentication switched on. I did everything right."

The honest answer is: he did everything the bank asked him to do. And it was not enough.

How Online Banking Fraud Actually Works

I need to be direct here: the fraud did not start with a weak password or a careless click. It started three weeks earlier, when Rajesh downloaded what he thought was an update to his bank's app from his phone's app store.

It was not an app store update. It was a fake app — a duplicate of the ICICI app, built to look identical. The name was "ICICI Bank Secure". The icon was pixel-perfect. When Rajesh logged in to this fake app, his credentials were captured in real-time by the fraudster in a call centre in Bengaluru.

The real exploit came next. Once the fraudster had Rajesh's credentials, they did not immediately drain the account. That would trigger alerts. Instead, they registered his phone number on a second device — a cloned SIM using Aadhaar details purchased from a broker on the dark web.

When Rajesh saw the pop-up about re-logging in, it was not a legitimate security prompt. It was a phishing page designed to capture his session token. The fraudster then used that token to log in from the cloned device, disable SMS notifications, and change the registered email address.

By the time Rajesh checked his app again, the transfers had already been processed.

The entire sequence took 90 seconds.

What Rajesh's Bank Did (And Did Not Do)

I have this conversation with banks every month. The question is always the same: "Why did you allow a login from an unregistered device without additional verification?"

The answer I get is almost always technical jargon that does not matter. What matters is this: Rajesh's bank had the ability to flag the login. They had the data. They had the tools. They chose speed over safety.

Rajesh called the fraud helpline at 3:47 PM. The automated system told him to visit the branch during business hours. He called again at 4:15 PM. A representative asked him for his registered mobile number, account number, and the last four digits of his Aadhaar. Rajesh provided all of it. The representative then put him on hold for 23 minutes while they "investigated".

When they returned, they informed him that the transfers had been processed through the NPCI clearinghouse. They could not be reversed without a police complaint, an NCLT order, or a signed undertaking from the beneficiary bank.

The money was now in a Paytm wallet in Bengaluru. Paytm told him they could only freeze the wallet if they received a legal notice from the police.

The police told him they could only file a case if he submitted the FIR application in person at the local station, with proof of residence, a copy of his bank statement, and a complaint letter.

He went to the police station at 6 PM. The constable told him to come back the next morning when the cyber cell was on duty.

By the next morning, the money had been withdrawn from the Paytm wallet in small increments at different ATMs across South Delhi.

Where does that leave the victim? Sitting in a chair at a police station, holding a slip of paper with a case number that will never be solved.

The Hard Truth About Online Banking in India

Let me say this without anger, because anger does not help: the responsibility for this fraud is distributed across five parties, and none of them will take it.

The bank says: "The customer should not have downloaded a fake app. We warned about this in our terms and conditions."

The mobile phone manufacturer says: "The app store is not our responsibility. That is the responsibility of the OS provider."

The OS provider says: "We cannot scan every app. There are millions uploaded every day."

The payment system (NPCI) says: "We are a clearing house. The responsibility belongs to the originating and receiving banks."

The police say: "We do not have the technical expertise to investigate cyber crimes. We need a trained cyber unit."

Meanwhile, Rajesh has learned a lesson that should not have to be learned: the phrase "two-factor authentication" does not mean what you think it means. It means "two factors that the bank has decided are sufficient". When the bank fails to implement those factors properly, the phrase becomes a lie.

What Actually Protects You

I feel that the problem is not education. Rajesh was educated. He was careful. He used strong passwords. He had the app on his phone, just like the bank recommended.

The problem is that online banking security in India is built on a foundation of trust that has already been broken. The bank trusts the app store. The app store trusts the developer. The developer (in this case, a fraudster) trusts that no one will check too carefully.

So what actually works?

The Reality of Prevention

First: understand that your bank's app is not as secure as your bank thinks it is. I do not say this lightly. I say it because I have watched it happen seventeen times in the last two years — each time with a different bank, each time with a victim who followed every rule.

Second: downloading apps directly from your phone's official app store is necessary, but it is not sufficient. You must verify the app's legitimacy by checking the developer name, the number of downloads (fraudulent apps usually have fewer than 10,000 downloads in their first few weeks), and the reviews. Look for one-star reviews that mention "fake app" or "phishing". If you find even three such reviews, do not install it.

Third: your registered email address for banking is the most important piece of security you have. Protect it like you would protect your PIN code. Use a unique password. Enable two-factor authentication on the email account itself. This is not optional. When Rajesh's email was changed, he had no way to recover his account, because he was not monitoring his email security.

Fourth: enable transaction alerts on your account. Ask your bank to send you an SMS for every debit above ₹500. Yes, you will get many notifications. That is the point. When you see a notification for a transaction you did not make, you will have minutes — not hours — to react.

Fifth: keep your phone's operating system updated. Yes, this is tedious. Yes, sometimes updates break other apps. But fraudsters exploit security vulnerabilities in old OS versions. When your phone asks you to update, it is not trying to inconvenience you.

Sixth: understand that your bank's app is just a convenience. It is not a secure channel in the way you have been led to believe. For high-value transactions — anything above ₹25,000 — use your bank's website instead. Log in through a desktop browser. Type the full URL yourself. Do not use bookmarks. Do not click links in emails.

Seventh: if you ever see a pop-up asking you to "re-log in" or "verify your identity" within a banking app, close the app immediately. Do not type anything. Real security prompts should never come through the app itself.

What Happened to Rajesh

Four months have passed. The police case is still open. No one has been arrested. The ₹84,000 has not been recovered.

Rajesh has had to delay his daughter's wedding. His wife has become anxious about using their bank account. He checks the app balance six times a day, even though he knows it will not prevent what already happened.

He told me something last week that I think about often: "I trusted the bank. I trusted my phone. I trusted the app store. I followed every instruction. I did everything right. And it was not enough."

That is not a personal failure. That is a systemic failure.

Until Indian banks implement proper device verification, until app stores implement better developer screening, until the police have the resources to investigate cyber crimes, until the RBI makes it mandatory for banks to reverse fraudulent transactions without requiring an NCLT order — until all of that happens — online banking in India will remain a calculated risk, not a safe practice.

You can reduce that risk. But you cannot eliminate it. Not yet.

Five Actions You Can Take Today

1. Verify your bank app's legitimacy. Open your phone's app store. Search for your bank's name. Look at the developer name (it should be the official bank name, not a variation). Check the number of downloads. Read the one-star reviews. If anything seems off, uninstall and reinstall from scratch.

2. Protect your registered email address like a PIN. Create a unique, strong password. Enable two-factor authentication. Do not use this email for any newsletter or social media account. Log in to your email account weekly to check for unauthorized access attempts.

3. Enable transaction alerts below ₹500. Call your bank's helpline and ask them to activate SMS alerts for every debit transaction, regardless of amount. Yes, you will receive dozens of notifications. That is the entire point.

4. For transactions above ₹25,000, use the bank's website on a desktop browser. Never use the app. Never click a link in an email. Type the URL yourself. Log in. Complete the transaction. Log out.

5. Update your phone's operating system today. Right now. Not later. Not when it is convenient. Fraudsters use known security holes in old OS versions. If you have not updated in more than three months, you are vulnerable.

6. Register a trusted device in your bank's app. Most banks now allow you to mark a device as "trusted" after a certain number of successful logins. This creates a record. When you log in from a new device, the bank will send you an email asking for confirmation. Use this feature.

7. If you lose access to your registered phone number, freeze your account immediately. Do not wait. Do not assume it is a temporary issue. Call your bank and request an account freeze. A fraudster obtaining your phone number is one step away from obtaining your credentials.

Rajesh's story does not have a happy ending. But it can teach you how to avoid writing your own version of it.