
How Founders Spot a Fake DPDP Notice in 2026

Fake Data Protection Board scams already cost a Thane businessman INR 1.25 crore in 2025. How Indian SaaS founders spot a fake DPDP notice in 2026.

Sai Samarth & Ashok Kamat
Cyber Secify

A Data Protection Board cold call in May 2026 is always fake. The real Data Protection Board of India was legally established in November 2025, but the Chairperson and Members have not yet been appointed, and DPDP Act penalties are not enforceable until May 14, 2027 per MeitY’s three-phase rollout schedule. The Board operates as a digital office under Rule 20 of the DPDP Rules 2025: complaints and notices flow through an online portal, never via phone calls or WhatsApp. If a SaaS founder gets a call demanding immediate payment to avoid a DPDP fine, hang up and report it.

Who this is for

Founders and CTOs running AI-first and API-first SaaS startups in India, especially those who have started preparing for DPDP compliance and would respond to a notice that looks legitimate. The post applies equally to small business owners and any working professional who handles personal data and might receive a call claiming to be from a regulator.

Why this matters now

The DPDP Rules 2025 were notified on November 13, 2025 via MeitY Gazette Notification G.S.R. 846(E). Within weeks of that notification, scammers had already started impersonating the Data Protection Board.

The first publicly reported case: a 64-year-old businessman in Naupada, Thane lost INR 1.25 crore between November 11 and December 3, 2025 to a caller posing as an officer of the Data Protection Board of India. The caller claimed a SIM had been illegally issued in the victim’s name, then handed off to fake Nashik police who invoked the National Security Act and money laundering charges. Over 23 days the victim transferred funds across multiple accounts. (The Tribune coverage, The420.in coverage)

The script combines two things scammers know work in India:

  1. A new regulator that most people barely understand. DPDP is real, the headlines are everywhere, but the actual enforcement structure and timeline are rarely communicated outside of legal newsletters.
  2. The same digital arrest playbook that has driven thousands of crores in losses across India in 2025: kept on continuous video call, threatened with NSA or money laundering, isolated from legal counsel.

For a SaaS founder who has spent the last 12 months preparing for DPDP compliance, a Data Protection Board notice arriving by call or email feels plausible. That is exactly what the scammers are counting on.

What real DPDP enforcement looks like in 2026

The DPDP Rules 2025 follow a three-phase enforcement schedule, confirmed via MeitY’s official notification and tracked publicly by leading law firms (Shardul Amarchand Mangaldas summary).

| Phase | Date | What goes live |
|---|---|---|
| Phase 1 | November 14, 2025 | Definitions and Sections 18 to 26: the Data Protection Board is legally established |
| Phase 2 | November 14, 2026 | Consent manager provisions become operational |
| Phase 3 | May 14, 2027 | Substantive Data Fiduciary obligations and the penalty regime become enforceable |

As of May 2026, only Phase 1 has taken effect. The Board exists on paper. But three things follow from this:

  • The Chairperson and Members are not yet appointed. A search and selection committee chaired by the Cabinet Secretary is still running (Mondaq summary on Board status). Any communication citing a specific Board officer name as of May 2026 is suspect by definition.
  • Penalties cannot be levied. The penalty Schedule in the DPDP Act 2023, including the INR 250 crore cap under Section 8(5) for security safeguard failures, only activates when Phase 3 is notified.
  • The Board operates as a digital office. Rule 20 of the DPDP Rules 2025 requires that proceedings, complaints, and notices happen via online or digital modes through the official Board portal, not by phone or video call.

In short: nobody can legally fine you under DPDP today. And when fines do start in 2027, they will not arrive via a phone call.

How the fake notice scam actually works

The Thane case is a clean template. The pattern repeats across reports tracked by industry watchers (VARINDIA advisory, N-Pav advisory).

Step by step:

  1. The cold call. A caller introduces themselves as an officer of the Data Protection Board of India, often with a name that sounds official. They cite a fake reason: a SIM in your name was used for illegal activity, your Aadhaar was used to send vulgar content, your company’s data handling has been flagged.
  2. The handoff. Once the victim engages, the call is transferred to a second person posing as Mumbai or Nashik police, sometimes a third posing as ED or CBI. The story escalates: NSA, money laundering, drug trafficking.
  3. The isolation. The victim is kept on continuous video call. They are told not to consult lawyers, not to inform family, not to leave the room. The room becomes a digital arrest.
  4. The drain. Money is requested in tranches as verification deposits or settlement fees to specific accounts. The Thane victim transferred funds across 23 days. The amounts grow as the victim becomes psychologically committed.
  5. The vanish. When the victim runs out of funds or finally consults someone, the scammers stop responding. The accounts that received the money are mule accounts, already drained by the time anyone can act.

What makes this scam especially dangerous for SaaS founders: it weaponizes a real concern (DPDP compliance) to bypass the usual skepticism a founder might apply to a generic phishing call.

5 verification steps for any DPDP notice

If you receive any communication claiming to be from the Data Protection Board, run through these checks before doing anything else.

1. Is this arriving by phone, WhatsApp, or video call?

If yes, it is fake. The Data Protection Board does not contact Data Fiduciaries (companies) or Data Principals (citizens) by phone. Rule 20 mandates digital office procedure. A real notice arrives at a registered email associated with your company’s Data Protection Officer, or via the Board’s online portal.

2. Does the sender domain match an official Government of India address?

Real Government of India email addresses end in .gov.in or .nic.in. They do not end in dataprotectionboard.in, dpbi.org, protect-data.in, or any lookalike domain. They never come from Gmail, Yahoo, Outlook, or any consumer email service.

3. Does the notice cite a section the Act actually contains?

The DPDP Act 2023 has 44 sections. If a notice cites Section 89 or Section 102, that section does not exist. If a notice claims an immediate fine of INR 50 lakh or an arrest warrant under DPDP, neither exists in the Act. The Act has a penalty Schedule under Section 33, and even then the maximums are crore-level civil fines that go through the Board, not arrest powers.

4. Are the Chairperson and Members named on official sites?

As of May 2026 there are no appointed Members of the Board. If a notice or call cites a specific officer name, cross-check it against PIB releases and MeitY’s official page before responding. If the name does not appear in any official appointment notification, the caller is impersonating the Board.

5. What is the demand?

The DPDP Act does not allow officers to demand immediate cash transfers, demand cryptocurrency, freeze your bank account by verbal instruction, or arrest you over a phone call. If the communication ends in "transfer this amount in 30 minutes or you will be arrested", it is a scam regardless of how official the rest of it sounded.
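For teams that want to pre-screen reported messages at a helpdesk or shared inbox, steps 1, 2, 3 and 5 can be expressed as a small triage function. This is an added example, not code from Cybersecify or any official source; the function names, demand patterns and sample messages are constructed for illustration. Step 4 (checking a named officer against PIB and MeitY) stays a manual lookup.

```python
import re
from email.utils import parseaddr

OFFICIAL_SUFFIXES = ("gov.in", "nic.in")        # step 2: Government of India domains
LIVE_CHANNELS = {"phone", "whatsapp", "video"}  # step 1: channels the Board does not use
MAX_SECTION = 44                                # step 3: the DPDP Act 2023 has 44 sections
# Step 5: demands the Act does not allow (illustrative patterns, not exhaustive).
DEMAND_PATTERNS = {
    "arrest threat": r"\barrest(ed)?\b",
    "cryptocurrency demand": r"\b(crypto(currency)?|bitcoin|usdt)\b",
    "urgent transfer": r"\btransfer\b.*\b(minutes?|immediately|now)\b",
    "account freeze threat": r"\bfreez(e|ing)\b.*\baccount\b",
}

def is_official_sender(sender: str) -> bool:
    """True only if the domain is gov.in / nic.in or a subdomain of one of them.

    Matching on a label boundary rejects lookalikes such as fakegov.in and
    gov.in.example.org; parseaddr ignores a display name that contains a
    real-looking address.
    """
    domain = parseaddr(sender)[1].rpartition("@")[2].lower().rstrip(".")
    return any(domain == s or domain.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def triage_notice(channel: str, sender: str, text: str) -> list[str]:
    """Return red flags found; an empty list is not proof the notice is genuine."""
    flags = []
    if channel.lower() in LIVE_CHANNELS:
        flags.append(f"step 1: arrived by {channel.lower()}")
    elif not is_official_sender(sender):
        flags.append("step 2: sender domain is not .gov.in or .nic.in")
    for num in re.findall(r"\bsection\s+(\d+)", text, flags=re.I):
        if not 1 <= int(num) <= MAX_SECTION:
            flags.append(f"step 3: cites non-existent Section {num}")
    for label, pattern in DEMAND_PATTERNS.items():
        if re.search(pattern, text, flags=re.I | re.S):
            flags.append(f"step 5: {label}")
    return flags

if __name__ == "__main__":
    # Constructed sample messages, not real notices.
    samples = [
        ("WhatsApp", "", "Under Section 89 transfer this amount in 30 minutes or you will be arrested."),
        ("email", '"Data Protection Board" <notice@dataprotectionboard.in>', "Notice under Section 33."),
    ]
    for channel, sender, text in samples:
        print(channel, triage_notice(channel, sender, text))
```

A message that raises no flags still needs to be confirmed through the Board's portal and your registered Data Protection Officer email, as described above.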

What to do if you got a fake call

  1. Hang up immediately. Do not engage. The longer the call lasts, the more control scammers have.
  2. Do not transfer money. Even a small verification deposit confirms you as a viable target and triggers escalation.
  3. Save evidence. Caller number, time of call, any WhatsApp messages, screenshots of email threads. Save the caller ID screenshot and any voicemail.
  4. Report to cybercrime.gov.in or call the national cybercrime helpline at 1930. Banks can sometimes freeze recipient accounts within hours if reported fast enough.
  5. Notify your team. If the call came on a corporate line, alert your Data Protection Officer, finance team, and security lead. Scammers often try the same number again with a different angle.
  6. If you already paid: report to your bank within minutes, file a complaint at 1930 the same day, and reach out to your local cybercrime cell. Speed of reporting is the single biggest factor in fund recovery.

Got a DPDP notice? Send it to us, we verify free

If you received a call, email, WhatsApp message, or letter claiming to be from the Data Protection Board of India and want a sanity check before you respond, send it to us privately.

WhatsApp / Call: +91 99644 43350

Send a screenshot, audio recording, sender number, or whatever details you have. We tell you whether it is a real DPDP communication or a scam, and what to do next.

What we do:

  • Cross-check the sender domain against known Government of India address patterns
  • Check the named officer (if any) against PIB and MeitY appointment records
  • Look for the standard scam-script tells: NSA invocation, urgent transfer demand, video-call coercion, account-freeze threat
  • Tell you whether it is real or fake, in plain language

What we do not do:

  • Charge you for the verification
  • Ask for your bank details, OTPs, or UPI PIN
  • Pretend to be the Data Protection Board ourselves

Verification is free. You only pay if you want deeper engagement: audit, breach response, or legal escalation.

We also publish a related guide on digital arrest scams and police impersonation for the broader audience these scammers target.

Need help beyond verification?

If you have already paid a scammer, your company is mid-incident, or you want a real DPDP audit before Phase 3 enforcement begins in May 2027, we offer paid engagements:

  • DPDP audit and remediation support for AI-first and API-first SaaS startups, Seed to Series B, primarily based in Bengaluru
  • Breach response covered by the DPDP Breach Response Playbook, including the 6-hour CERT-In and DPDP notification timelines
  • Compliance preparation per the DPDP Compliance Checklist for Indian SaaS Platforms: data inventory, lawful basis, vendor data processing agreements, grievance redressal, and Significant Data Fiduciary impact assessment
  • Founder-led Security on Demand for INR 9,999, 4 hours of work, fully refundable if we cannot help

This is paid work. WhatsApp +91 99644 43350 or contact Cybersecify to discuss the engagement that fits your stage. See our audit and compliance services page for the full scope.

Frequently asked questions

Is the Data Protection Board of India calling me in May 2026?

No. As of May 2026 the Data Protection Board has no Chairperson or Members appointed, and DPDP Act penalties are not enforceable until May 14, 2027 per MeitY’s three-phase rollout. Any caller claiming to be a Data Protection Board officer right now is impersonating the Board.

How do I verify a real DPDP notice?

A real notice from the Board arrives via the official online portal under Rule 20 of the DPDP Rules 2025. The Board operates as a digital office and does not contact citizens by phone, WhatsApp, or email demanding payment. Cross-check any notice via the Board’s portal and your registered Data Protection Officer email.

Are DPDP penalties enforceable now?

No. The penalty regime, including the INR 250 crore cap under Section 8(5), is part of Phase 3 of the DPDP Rules rollout, scheduled for May 14, 2027. Phase 1 (Nov 14, 2025) only established the Board itself. Phase 2 (Nov 14, 2026) brings consent manager rules into force.

What should I do if I get a fake DPDP call?

Hang up. Do not transfer money. Save the caller’s number, take screenshots of any messages, and report to cybercrime.gov.in or call the national 1930 cybercrime helpline. If your company received the call on a corporate line, also notify your Data Protection Officer and security team.

Can the Data Protection Board call me on WhatsApp?

No. Rule 20 of the DPDP Rules 2025 makes the Board a digital office. All proceedings, complaints, and notices flow through the official online portal. Phone calls, WhatsApp messages, and Skype video calls claiming to be from the Board are scams.

Save this number now

If you ever get a Data Protection Board call or notice and you are not sure: WhatsApp +91 99644 43350. Save it now. During an active scam call, you will not have time to search.

For founders who want to assess their broader external attack surface before a real DPDP audit, run OpenEASD on your domain. It is our open source external attack surface scanner: 11 attack vectors across DNS, email, TLS, web layer, and known CVEs, runs locally via Docker, MIT licensed.
