Online Banking Fraud: How It Happens and Why Your Bank Won't Call You Back

The Call That Never Ends

Bangalore, 2019. A man I know — let's call him Rajesh — received a call from someone claiming to be his bank's fraud prevention team. "We detected unusual activity on your ICICI account. A withdrawal of ₹45,000 from a branch in Gurugram just now. Did you authorize this?"

Rajesh had not. His hands started shaking.

The caller — polite, Hindi-accented, patient — asked for his account number to "verify" the fraud. Rajesh gave it. Then the caller asked for his debit card details to "block the card immediately and prevent further loss." Rajesh, rattled and trusting the caller's institutional air, gave those too. By the time the call ended, the caller had walked him through downloading TeamViewer, which gave the caller full remote access to his desktop.

Three hours later, Rajesh discovered the real fraud: ₹2.8 lakhs transferred via NEFT to an account he had never seen.

This is online banking fraud in India. Not the kind you read about in headlines about "mega breaches." The kind that happens to someone you know, on a Tuesday, at 3 p.m., because a scammer understood one fact better than Rajesh did: Your bank will never call you asking for your card details. But you will believe it does, because the voice on the other end sounds like they work there.

How This Actually Works

Online banking fraud in India has evolved past the crude phishing emails of 2010. Today, it is layered. Choreographed. It does not always begin online.

The scammer gets your phone number — from a WhatsApp breach, a hospital database, a telecom carrier's leak, or simply by buying a list from the dark web for ₹500. They call. They claim to be from your bank, or your mobile provider, or NPCI, or the RBI itself. They sound institutional because they have learned the script: bank name, your account number (which they have), recent transactions (which they have), your branch name (which they have). By the time they ask you to "verify" your OTP, you are already nodding along.

Or it begins differently. You receive an SMS: "Your account has been flagged for suspicious activity. Click here to verify your identity." The link looks like your bank's — icici-security.verify.co instead of icici.com. You click. You log in with your username and password. The scammer now has both. Within minutes, your linked UPI is compromised. Within hours, your savings account is emptied through NEFT transfers to mule accounts — accounts opened in someone else's name and sold to the scammer for ₹500 per account.

Why does it work so consistently? Because your bank has made security a performance, not a practice. The OTP system assumes the attacker is outside your phone. It does not assume the attacker has already borrowed your phone, or convinced you to read the OTP aloud, or — most commonly — that you have already given them your password and will now walk them through every step of the online banking portal while they control your desktop.

The Bank's Silence

I say this not from theory but from watching what happens after.

Rajesh called his bank immediately. The customer service representative took his report with the tone of someone filing a noise complaint. "Sir, we will initiate a fraud investigation. This can take 45 days."

Rajesh asked for an emergency reversal. The answer was no. "Once the amount has left our system through NEFT, we cannot recall it. The receiving bank must cooperate."

The receiving bank — a small private lender in Mumbai — informed him that the account holder was not available and the funds had already been withdrawn in cash.

The RBI's framework for banking fraud resolution is clear: disputes must be raised within 30 days of the transaction, and the bank has 45 days to investigate. But in practice, what does this mean? It means Rajesh must prove he did not authorize the transaction. It means the bank will demand evidence from the receiving bank. It means the receiving bank will drag its feet because it profits from keeping the investigation vague. It means Rajesh will spend three months calling, emailing, and visiting the branch, only to be told, "Sir, we are unable to recover the amount. Please approach the police."

The police? In Bangalore, the cyber-crime cell receives roughly 2,000 complaints per month. They will register an FIR. They will not recover your money. The conviction rate for cyber-fraud in India is below 10%.

Where does that leave the victim? Usually, with ₹2.8 lakhs gone and a growing suspicion that the entire system is designed to protect itself, not him.

Why Your Bank Calls You (and It Is Never Your Bank)

Here is what I want you to understand: A bank does not call to ask you for your password, OTP, debit card number, or PIN. Not in India. Not anywhere. This is the single most important fact. Tattoo it on your brain.

Yet every week, we receive reports from victims who have given all of these to someone on the phone. Why? Because the scammer has done something your bank did not: they have made the call feel urgent and personal. They have used your recent transaction history — which is public enough if you have ever used the same phone number for multiple apps — to build false credibility. They have called at a time when you are alone and tired. They have created a crisis in your mind.

The scammer's script is precise. "Sir/Madam, I am calling from the fraud prevention department of [your bank]. We have detected an unauthorized transaction of ₹15,000 to [real merchant you purchased from recently]. Did you authorize this?" When you say no (or hesitate), the scammer's follow-up is immediate: "Do not panic. We are blocking your card right now. For this, I need to verify a few things. First, your account number — which I see is [correct account number]. Now, your debit card number for verification purposes."

At this point, 70% of victims comply. Why? Because their own bank's number is on their recent statement. The scammer's call is coming from a spoofed number that shows the bank's name on your phone's caller ID.

Technology has outpaced institutional trust. The scammer is more credible because the scammer is trying harder.

The Complications

Yes, the RBI has issued circulars mandating that banks implement two-factor authentication for all critical transactions.

No, this does not stop the fraud I described, because the scammer has already obtained both factors — your password and your phone.

Yes, CERT-In has released advisories about never sharing your OTP.

No, most victims do not read CERT-In advisories. They read WhatsApp messages from their mother-in-law's cousin and trust calls from numbers that match their bank's caller ID.

Yes, some banks offer fraud liability protection if you report within 24 hours.

No, this almost never works in practice. The bank's definition of "unauthorized" is so narrow that most cases fail the initial assessment. "You logged in from your own device. Therefore, you authorized the transaction" — even if the scammer had your password.

Yes, you can freeze your credit with CIBIL to prevent identity theft.

No, this does nothing if someone has already stolen your UPI or your online banking credentials.

The fact is that online banking fraud in India works because the system has three players — the victim, the bank, and the police — and none of them want to be responsible. The victim says, "The bank failed to secure my account." The bank says, "The victim shared their password." The police say, "This is a matter for the bank." Meanwhile, the scammer is in another country, the mule account holder is in another state claiming ignorance, and the money is already converted to cryptocurrency and sent to a dark web exchange.

What Actually Protects You

I have spent enough time inside this mess to know what works and what does not.

It is not a password manager — though that helps.

It is not biometric authentication — though that is better.

It is a single understanding: You are the first and final line of defense. Your bank will not save you. The police will not find your money. You must not give anyone anything.

This sounds simple. It is not, because the scammer will make you feel like an idiot for doubting them. They will say, "Sir, if you do not verify now, your account will be locked." Your fear will tell you to comply. Your instinct, if you are lucky enough to have it, will tell you something is wrong.

Trust the instinct.

Action Steps

1. Never give your OTP, password, or PIN to anyone — even if they call claiming to be your bank. If the call feels urgent, hang up, wait 5 minutes, and call your bank's official customer service number from their website.

2. Enable login notifications on your online banking app. If someone logs in from a different device, you will see it immediately. Log them out.

3. Set a daily transaction limit on your UPI and NEFT. Most scammers work fast; a ₹50,000 daily limit means maximum damage is bounded.

4. Do not click links in SMS or email claiming to be from your bank. Instead, open your bank's app directly and navigate to the security section yourself.

5. Register a formal complaint with your bank in writing (email with read receipt) within 24 hours of discovering the fraud. This timestamps your claim and forces the bank into an official investigation.

6. If the bank refuses to investigate, escalate to the Banking Ombudsman. The Ombudsman is free, faster than courts, and actually listens to victims. Contact details are on the RBI website.

7. File a cyber-crime complaint with your local police or at cybercrime.gov.in, even if recovery seems unlikely. This creates an official record and, in some cases, helps CERT-In track and block scamming infrastructure.