Indian fake loan apps run a four-stage trap. They advertise instant loans, harvest your phone contacts and gallery at install, disburse a tiny loan, then blackmail you and your contacts when the impossible interest comes due. The RBI has flagged 442 such apps to MeitY, MeitY has blocked 87 under IT Act Section 69A, and Google has removed over 2,200 from Play Store. Recent suicide cases (Hyderabad, Sircilla, Kannur, multiple cities) show the human cost. RBI’s Digital Lending Directions 2025 (effective 8 May 2025) restrict lending to regulated entities. DPDP Act 2023 makes contact-harvesting itself illegal with penalties up to INR 250 crore. The defence: verify the lender on RBI’s CIMS directory before borrowing, never grant contact-list permission, screenshot every threat, and report to 1930 / cybercrime.gov.in immediately if harassed.
Who this is for
Anyone in India who has installed an unfamiliar loan app, is currently borrowing through one, or is being harassed about a loan they took. The pattern hits salaried employees facing month-end cash crunches, small-business owners with seasonal liquidity gaps, college students, and gig workers. Family members of borrowers also receive the harassment calls and morphed-photo broadcasts; this guide is for them too.
The 4-stage fake loan app trap
This pattern is documented across hundreds of FIRs in Hyderabad, Telangana, Karnataka, Kerala, and Maharashtra (Al Jazeera long-form, Telangana Today coverage, The Print on Telangana govt urging RBI).
Stage 1: The lure
A push notification, an SMS, an Instagram ad, or a Google Play search result promises “instant loan, no paperwork, no CIBIL check, INR 5,000 to 50,000 in 5 minutes.” The app’s listing carries fake five-star reviews and a generic Indian-sounding name (CashAdvance, RupeeFlash, LoanQuick, ScoreClimb, etc.).
Stage 2: The data harvest
At install, the app demands these permissions, all of which are red flags under RBI’s Digital Lending Directions 2025:
- Read all contacts (used later to call your network)
- Read SMS and call logs (used to screen for income markers and family relationships)
- Read photos and media files (used to find compromising content for blackmail)
- Camera (used to take a “selfie verification” later)
- Location (used to confirm Indian residence and target locale)
Legitimate RBI-regulated lenders never need any of these. The RBI’s Digital Lending Directions explicitly prohibit unauthorised harvesting of contacts and gallery.
Stage 3: The disbursal
A small loan, typically INR 3,000 to 10,000, is disbursed within minutes. Processing fees and “GST” deductions are aggressive: a INR 5,000 loan often arrives as INR 3,000 in the bank account. Repayment terms are 5 to 7 days with implicit interest rates of 200% to 1,000% annualised.
Stage 4: The harassment
When the borrower cannot repay (which is the design), recovery agents activate the harvested data. The script:
- WhatsApp messages and calls every hour, escalating tone within 24 hours
- Calls to the borrower’s parents, spouse, employer, friends from the contact harvest
- Morphed nude photos of the borrower (using the gallery harvest plus AI nudification) sent to selected contacts
- Recovery agents impersonating police, court officials, or RBI inspectors
- Threats to file false rape, harassment, or fraud cases against the borrower
- Group calls where multiple agents pressure simultaneously
The agents are often based outside India (multiple Hyderabad investigations have linked apps to Chinese operators) and use VOIP numbers that change daily.
RBI’s response: 442 + 2,200 + 87
The Indian state has built up a blocking infrastructure since 2021.
| Authority | Action | Number |
|---|---|---|
| RBI Working Group on Digital Lending (Nov 2021) | Identified illegal/suspicious lending apps in pilot review | ~600 |
| RBI | Flagged unique unauthorised lending apps to MeitY (Sep 2022 to Aug 2023) | 442 |
| Removed/suspended fraudulent loan apps from Play Store (Sep 2022 to Aug 2023) | 2,200+ | |
| MeitY | Blocked illegal lending apps under IT Act Section 69A (cumulative through late 2025) | 87 |
Sources: Business Standard on Lok Sabha reply by MoS Finance, Medianama on MeitY blocking, Inc42, PIB release PRID 2200567.
RBI Digital Lending Directions 2025: the new legal regime
The legal regime has tightened significantly. The original RBI Guidelines on Digital Lending (2 September 2022) were repealed and replaced by the RBI (Digital Lending) Directions, 2025, effective 8 May 2025 (FIDC press release PDF).
Key provisions:
- Only RBI-regulated entities (banks, NBFCs) and their approved Digital Lending Apps (DLAs) can lend. A non-regulated entity offering loans through an app is illegal.
- Mandatory grievance officer. Every DLA must display a grievance officer with name, email, and phone. Complaints must be resolved within 30 days.
- Centralised Information Management System (CIMS) directory. RBI maintains a public directory of legitimate DLAs, operational from 1 July 2025. Borrowers can verify a DLA before installing.
- Key Fact Statement (KFS). Lenders must show the all-in cost of borrowing (interest, fees, charges) before disbursal in a standardised format.
- Data minimisation. Lenders cannot harvest contacts, gallery, or SMS access. Only data strictly necessary for credit assessment, with specific informed consent under DPDP Act 2023, is permitted.
The DPDP Act 2023 layers on top: Section 6 (consent must be specific, informed, free), Section 8 (data fiduciary obligations including purpose limitation and security safeguards). Penalties for breaches go up to INR 250 crore per Schedule.
Recent verified Indian cases
These are publicly reported, primary-source-verified.
Hyderabad (Jiyaguda), April 2022. Rajkumar. Ended his life after sustained harassment by loan app executives (Telangana Today).
Sircilla, Telangana, 2023. 28-year-old. Suicide after morphed photos circulated to family (Deccan Chronicle).
Kannur, Kerala, April 2024. Nithin Raj, BDS student. Suicide after loan app harassment. FIR registered under extortion and abetment of suicide provisions (The Federal).
Bengaluru, 2024. Score Climb app. Woman blackmailed with morphed nude photos after defaulting on a small loan. Recovery agents threatened mass distribution (Deccan Herald).
Hyderabad investigations. Hyderabad police booked 22 cases against fake loan apps, arrested 22 individuals including Chinese nationals, froze approximately 3,000 mule bank accounts, and uncovered a separate INR 903 crore money-laundering case linked to a Chinese investment app (Inc42).
Loan-app fraud complaint volume. Complaints registered jumped from 61 (2021) to 900 (2022) per Telangana data, with continued growth in 2023-2025.
The legal armour you have
| Section | Law | What it covers |
|---|---|---|
| BNS 318 | Bharatiya Nyaya Sanhita 2023 | Cheating (replaces IPC 415/420). Up to 7 years if delivery of property is involved. |
| BNS 308 | BNS 2023 | Extortion. |
| BNS 351 | BNS 2023 | Criminal intimidation. Up to 7 years if threat involves imputation of unchastity. |
| BNS 336 / 356 | BNS 2023 | Forgery, defamation. Covers morphed images. |
| IT Act 66C | IT Act 2000 | Identity theft. |
| IT Act 66D | IT Act 2000 | Cheating by personation using computer resource. Covers morphed-photo blackmail. |
| IT Act 67 / 67A | IT Act 2000 | Obscene material / sexually explicit material. |
| IT Act 69A | IT Act 2000 | Government blocking power. MeitY has used this to block 87 loan apps. |
| DPDP Act Section 6 | DPDP Act 2023 | Consent must be specific, informed, free. |
| DPDP Act Section 8 | DPDP Act 2023 | Data fiduciary obligations. Penalties up to INR 250 crore. |
| RBI Digital Lending Directions 2025 | 8 May 2025 | Only regulated entities can lend; mandatory grievance officer; data minimisation. |
The Delhi High Court ruling in Soukin v. State (NCT of Delhi) (April 2024) on sextortion is directly applicable to morphed-photo blackmail by loan-app agents.
5 red flags before you install
1. The app demands access to contacts, gallery, SMS, or call logs
Legitimate RBI-regulated lenders cannot ask for this. Anyone who does is illegal under RBI Digital Lending Directions 2025 and DPDP Act 2023.
2. The app does not display a regulated entity name and RBI registration number
Section 4 of the RBI Directions requires every DLA to clearly display the lending bank’s or NBFC’s name, RBI registration number, grievance officer name, email, phone. Missing any of these = unregistered.
3. The Key Fact Statement is missing or shows interest above 36% per annum
A standardised KFS is mandatory before disbursal. Effective interest above 36% per annum is rarely legal in retail unsecured lending.
4. The processing fee is more than 5% of the loan
Aggressive deductions (e.g. INR 5,000 loan disbursed as INR 3,000) are an unmistakable trap pattern.
5. The app’s grievance email or phone goes to a generic Gmail or non-Indian number
Real lenders have institutional grievance officers with bank/NBFC email domains.
Three defences that work
Verify before you install
Open the RBI CIMS directory of legitimate DLAs. Search the lender’s name. If the app is not listed, do not install. Cross-check the lender on the RBI Sachet portal for prior complaints.
Never grant contact, gallery, SMS, or call-log permission
If a loan app demands these at install, stop immediately. Real lenders use bank statement uploads, not your contact list, for credit assessment.
Screenshot every threat
If you are already borrowing and the harassment has started, screenshot every message, every call log, every WhatsApp threat, every morphed image. These become evidence for the FIR and the NCRP complaint. Save copies outside your phone.
What to do if you are being harassed
- Do not pay any further. Harassment is the crime; non-payment of an illegal loan is not. The original disbursal can be argued as void in court if the lender is unregistered.
- File an FIR at the local police station under BNS 308, 351, IT Act 66D, 67. The morphed photos add IT Act 67/67A.
- File a complaint at cybercrime.gov.in or call 1930. Both 24x7, operated by I4C under MHA.
- Use the official escalation path: DLA’s grievance officer (mandatory under RBI Directions, response in 30 days), then the lender’s nodal officer, then RBI Integrated Ombudsman at cms.rbi.org.in.
- Alert your contact list. Send a personal SMS or call to your closest 20 to 30 contacts: “I have been targeted by loan-app harassment. Recovery agents may call you with false claims. Please ignore and tell me.” Most contacts respond with support, not judgement.
- Report the app on Google Play Store via the fraud-reporting form. Google has removed 2,200+ apps via this and bulk RBI flags.
- Take care of yourself. Loan-app harassment has driven multiple suicides. Mental health support: AASRA +91 9820466726 (24x7), Vandrevala 1860-266-2345 (24x7), iCALL 9152987821.
Got a suspicious loan app or active harassment? Send it to us, we verify free
If you are considering a loan app and want to verify it before installing, or you are already being harassed, send it to us privately.
WhatsApp / Call: +91 99644 43350
Send the app name, screenshots of permissions requested, the lender’s claimed name, and any threats received. We help you verify whether the app is legitimate and what to do next.
What we do (free):
- Verify the app against the RBI CIMS directory
- Decode the threat patterns and document them for the FIR
- Walk you through the NCRP and FIR drafting
- Help you alert your contact list safely
What we do not do:
- Charge for the verification
- Negotiate with recovery agents on your behalf
- Pay any amount
We also publish related guides: sextortion first-hour playbook, WhatsApp GhostPairing, AI voice cloning, DPDP impersonation phishing.
Need help beyond verification?
If you are mid-harassment and need help with FIR drafting, evidence preservation, contact-tree alerts, or platform takedowns, we offer paid engagements:
- Crisis incident response: FIR + NCRP filing, evidence preservation, bank dispute drafting, platform takedown coordination
- Family awareness sessions for senior parents and students
- Corporate awareness for HR teams handling employees in loan-app crisis
- Ongoing security consulting for AI-first and API-first SaaS startups
- Founder-led Security on Demand for INR 9,999, 4 hours, fully refundable if we cannot help
WhatsApp +91 99644 43350 or contact Cybersecify.
Save this number now
If a loan app turns hostile: WhatsApp +91 99644 43350. Save it now. During an active harassment cycle, you will not have time to search.
For mental health crisis: AASRA +91 9820466726 (24x7), Vandrevala 1860-266-2345 (24x7). For police: 1930.
Frequently asked questions
How do fake loan apps trap victims?
The trap runs in four stages. One: the app advertises an instant loan with no paperwork. Two: at install, it demands access to your contacts, gallery, SMS, and call logs (legitimate RBI-regulated apps cannot ask for these per RBI Digital Lending Directions 2025). Three: a small loan (INR 3,000 to 10,000) is disbursed minus huge processing fees. Four: when the loan plus impossible interest comes due in 5 to 7 days, recovery agents threaten the victim, then call every contact in the harvested list, often sending morphed nude photos. Some agents impersonate police. The RBI has flagged 442 such apps to MeitY; MeitY has blocked 87 under IT Act Section 69A; Google has removed over 2,200 from Play Store.
How do I check if a loan app is legitimate?
Use the RBI’s Centralised Information Management System (CIMS) directory of registered Digital Lending Apps, mandatory under RBI’s Digital Lending Directions 2025 (effective 8 May 2025). Only RBI-regulated entities (banks, NBFCs) and their approved DLAs can lend. The app must clearly display the regulated entity’s name, the lender’s RBI registration number, a grievance redressal officer with email and phone, and a Key Fact Statement before disbursal. If any of these are missing, do not borrow. Search the lender’s name on the RBI Sachet portal (sachet.rbi.org.in) for prior complaints.
Can I report a loan app and get it blocked?
Yes. Three parallel channels. First, file at cybercrime.gov.in or call 1930 (I4C, 24x7). Second, file with the lender’s grievance officer, then if unresolved in 30 days, escalate to the RBI Integrated Ombudsman at cms.rbi.org.in. Third, report to the Google Play Store fraud-reporting form. MeitY has blocked 87 lending apps under IT Act Section 69A as of late 2025. Police across Hyderabad, Telangana, and Karnataka have made multiple arrests; Hyderabad alone froze approximately 3,000 mule bank accounts in connected investigations and uncovered an INR 903 crore money-laundering case linked to a Chinese investment app.
What if the app is harassing me or my contacts already?
First, do not pay any amount you have not legitimately borrowed; harassment is itself a crime under BNS Section 351 (criminal intimidation), Section 308 (extortion), and IT Act Section 67 (obscene material if morphed photos are circulated). Second, file an FIR at the local police station and a complaint at cybercrime.gov.in. Third, alert your contacts via personal call or SMS that they may receive harassment calls and to ignore them. Fourth, if you transferred any money, ask your bank to flag the recipient account immediately. Fifth, the DPDP Act 2023 (Section 6 consent, Section 8 fiduciary obligations) makes the contact-list and gallery harvesting itself illegal, with penalties up to INR 250 crore.
What law protects me from loan-app harassment?
Five layers. RBI Digital Lending Directions 2025 (8 May 2025) restricts lending to regulated entities and prohibits unauthorised data harvesting. DPDP Act 2023 makes contact-list and gallery harvesting illegal without specific informed consent (penalties up to INR 250 crore). BNS 2023 Section 318 (cheating), Section 308 (extortion), and Section 351 (criminal intimidation) cover the harassment and morphed-photo blackmail. IT Act Section 66C (identity theft), 66D (cheating by personation via computer), 67 and 67A (obscene material), and 69A (which MeitY uses to block apps). The Soukin Delhi HC ruling on sextortion (April 2024) is directly applicable to morphed-photo harassment.