If money has just left your account, stop reading this in five seconds and call 1930. Then come back. The first hour decides whether you recover the money or whether it disappears through three mule accounts and a shell company. India froze INR 8,189 crore in fraud proceeds in 2025 because complaints reached 1930 fast enough. That number could include yours, or it could not, and the deciding factor is what you do in the next 60 minutes.
Who this is for
Anyone in India who has just realised they have been scammed. Your parent who clicked a link. Your colleague who paid a fake invoice. Your neighbour whose UPI app showed a debit they did not authorise. The founder whose CFO transferred funds on a fake voice note from the “CEO.” Yourself, after a night when something went wrong.
This is the reference post we wish every household had on the fridge. We link it from every other scam awareness post we publish, because the answer to “what do I do now” is the same regardless of which scam category hit.
Why the first hour matters
When money leaves your account in a cyber fraud, it does not sit in the recipient’s account waiting. Within minutes it is broken into smaller transfers, pushed across 3 to 7 mule accounts, sometimes converted to gift cards, crypto, or cash withdrawals from ATMs in another state. The longer you wait, the more hops the money takes. Every hop makes recovery harder.
The Ministry of Home Affairs, through the Indian Cybercrime Coordination Centre (I4C), runs the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS). This is the central pipe that connects 1930 calls and cybercrime.gov.in complaints to every bank, wallet, payment aggregator, and UPI handle in the country. When a complaint enters the system fast enough, the recipient bank can place a debit freeze on the mule account before the next hop happens.
The 2025 numbers, reported by PIB and discussed in Parliament:
| Metric (2025) | Value |
|---|---|
| Total cyber fraud losses reported in India | INR 22,495 crore |
| Funds frozen through fast 1930 reporting | INR 8,189 crore |
| Complaints registered on cybercrime.gov.in | 24+ lakh |
| Digital arrest extortion losses (2024) | INR 1,935 crore |
The 36% freeze rate is not luck. It is a direct function of how fast each complaint arrived in the system. The cases where the money was completely lost are almost always the cases where the victim waited overnight, or waited until they could “explain it properly,” or went to the local police station first and lost three hours filing an FIR before anyone called 1930.
That gap, between the moment of loss and the moment of reporting, is the gap the scammer wants. Close it.
The 4-step process, in order
Memorise this order. If you only remember one thing from this post, remember the sequence: 1930, bank, cybercrime.gov.in, evidence. Each step is something a separate part of the system does. None of them is redundant.
Step 1: Call 1930 immediately
1930 is the national cybercrime helpline run by I4C under the Ministry of Home Affairs. It is operational 24 hours a day, in multiple Indian languages, every day of the year. It replaced the earlier 155260 helpline in 2021 and now serves as the single intake point for all financial cybercrime in India.
When you call 1930:
- The operator asks for your name, phone number, the approximate time of the fraud, the amount lost, the platform used (UPI, net banking, card, wallet), the recipient handle or account if you have it, and your bank
- They register the complaint immediately and give you an acknowledgement number
- They push the complaint to the I4C central system within minutes
- The system relays it to the recipient bank, your bank, and the payment intermediary (NPCI for UPI, the card network for cards, the wallet operator for wallets)
- They also instruct you to file the full complaint on cybercrime.gov.in within 24 hours
Do not wait for the local police station. Do not wait to “calm down.” Do not wait until office hours. Call now. The number is just four digits and it is free.
If 1930 is busy (it happens during festival weeks and after major scam waves), keep dialling. Do not give up after one attempt. The operators handle thousands of calls a day and the queue does clear.
Step 2: Call your bank for freeze and reversal
Your bank is the second call. They have a separate fraud line, usually on the back of your debit card and on the bank’s website. Save these numbers now, before you ever need them: SBI, HDFC, ICICI, Axis, Kotak, your own bank, save the fraud-reporting line in your contacts.
When you call the bank:
- State that you are reporting a cyber fraud, give the 1930 acknowledgement number if you have it
- Ask for an immediate debit freeze on the recipient account if you can identify it
- Ask for a chargeback if the transaction was via card
- Ask for the transaction to be flagged for fraud investigation
- Confirm whether the bank’s own fraud team can hot-list the recipient account through their internal channels
- Request written confirmation of the report (email or SMS), keep it
Some banks have a 3-day fraud reversal window for card transactions, some have shorter windows for UPI, some can do partial recovery if the funds are still in the mule account. The agent you speak to may or may not know the exact policy, but the report on record is what matters.
If the fraud involved your card being used at a merchant, ask for the card to be blocked and a new one issued. If it involved your net banking password being phished, change the password and ask for any other linked devices to be de-registered. If it involved your UPI PIN, raise a complaint with NPCI through the bank.
Step 3: File at cybercrime.gov.in within 24 hours
The cybercrime.gov.in portal is where the formal complaint lives. The 1930 call creates the initial record. The portal complaint is the legal version with full detail, evidence uploads, and the basis for any subsequent FIR.
Go to cybercrime.gov.in. Click “File a Complaint” under “Report Cybercrime.” Choose “Report and Track” if you want to follow up on a 1930 call, or “Report and Track” for the financial fraud category. Register with your phone number, get the OTP, log in.
You will need:
- Your ID (Aadhaar number, not the document)
- Detailed description of the incident with the exact timeline
- All evidence files (screenshots, recordings, documents, payment confirmations) uploaded as attachments
- Bank account, UPI handle, or wallet details where the money went
- Bank account or UPI handle from where it was debited
- Names, phone numbers, email addresses of suspects if known
- Any URL, app name, or APK file that was involved
The portal generates a complaint acknowledgement. Save the PDF and the complaint number. You will need both for follow-ups, bank coordination, and any local police station visits.
For complaints under the financial fraud category, the portal automatically routes to the state cybercrime unit and the bank concerned. For complaints under “Other Cybercrime” (sextortion, harassment, identity theft, social media abuse), the routing is to the state cyber cell.
Step 4: Preserve evidence, do not delete anything
This is the step most victims get wrong. The instinct after a scam is to clean up. Delete the chat, uninstall the app, change the password, throw away the SIM. Do not do any of that yet.
What to preserve, in order of importance:
- The transaction record itself. Bank SMS, app notification, UPI app history, card statement. Screenshot the full debit alert including the timestamp and reference number.
- The communication. WhatsApp chat (with the contact info visible at the top), SMS thread, email (forward as attachment to your own address to preserve headers), call log with the timestamp.
- The caller or sender identity. Caller ID screenshot, WhatsApp profile photo and number, email sender address, social-media handle.
- Any documents shown to you. Fake FIR PDF, fake court order, fake notice, fake invoice, fake job offer letter. Save the file, do not just screenshot the screen.
- Any apps installed. Note the app name and publisher. If it was an APK shared over WhatsApp, do not delete the APK file from your downloads folder. Switch off mobile data and Wi-Fi on the device instead, so the app cannot continue exfiltrating data.
- Voice recordings. If the scammer sent a voice note, save the audio file separately. Voice samples are evidence both for the case and for any AI voice cloning analysis.
- URLs visited. Browser history of any fake site you opened. Screenshot the URL bar.
- Time and date of every interaction. Maintain a written timeline. Memory fades fast under stress.
Once you have backed everything up to your laptop or to email, then and only then, you can change passwords, block contacts, and uninstall apps.
What NOT to do in the first hour
The first hour is when victims make the second mistake. The first mistake was falling for the scam. The second is destroying evidence, paying more money, or staying silent out of shame. Each of these costs you the recovery window.
Do not pay more money thinking it will fix the situation. Scammers often follow the first payment with a “verification fee,” “release fee,” “tax,” “agent fee,” “GST payment,” or “case clearance fee.” Every additional payment goes to the same network. Stop the bleeding.
Do not engage the scammer further to “trick” them or get evidence. You are not the investigator. Every additional minute on the call gives them more time to move the funds and more pressure to push you. Hang up, then preserve what you already have.
Do not delete the conversation or block the number before screenshotting. Blocking removes the contact from your phone view. Screenshots taken after blocking can lose the contact name or profile photo. Capture first, block later.
Do not factory reset your phone if you installed a suspicious APK. The forensic data is on the device. Switch off data and Wi-Fi, take it to a trusted technician or to the cybercrime team, and let them image it first. Resetting wipes the evidence.
Do not go to the local police station first if you have not called 1930. Local stations are often unfamiliar with the I4C system. They will take a written complaint, ask you to come back tomorrow, and the freeze window closes while you wait. Call 1930 first, then visit the station with the 1930 acknowledgement in hand. Most stations now know to route financial cyber complaints through 1930.
Do not stay silent out of embarrassment. Senior citizens, professionals, founders, doctors, even retired judges have been scammed. The script is engineered to bypass intelligence with authority and urgency. Shame is the scammer’s last weapon. Talk to family, call 1930, file the report. Recovery odds drop with every hour of silence.
Do not believe anyone who calls back offering to “recover your money for a fee.” Recovery scams are the second wave. The original scammer (or their network) calls back posing as a “cybercrime recovery expert” who can return your funds for a small upfront payment. There are no recovery agents. 1930 and your bank do recovery for free. Anyone asking for money to recover money is the same network rotating the same victim.
Evidence preservation checklist
A printable version of what to capture before you start cleaning up. The amount of useful evidence drops by half within the first 24 hours, and by 90% within a week, mostly because of automated message deletion, app uninstalls, and natural forgetfulness.
| Evidence type | Where it lives | How to preserve |
|---|---|---|
| Bank debit SMS | SMS inbox | Screenshot, forward to your own email |
| UPI transaction | UPI app history | Screenshot transaction detail page |
| WhatsApp chat | Chat window | Screenshot, export chat (settings → more → export) |
| Caller ID | Phone dialer | Screenshot of the call log entry |
| Mailbox | Forward as attachment to your own email | |
| Fake APK | Downloads folder | Do not delete, leave device offline |
| Fake document | Downloads or screen | Save file, screenshot the source |
| Voice note | WhatsApp or call recording | Save audio file separately |
| Browser URL | Browser history | Screenshot the URL bar |
| Social profile | App | Screenshot profile, full URL of the handle |
| Timeline | Your memory | Write down events with timestamps within first hour |
Follow-up timeline
The first hour starts the process. What happens over the next 90 days determines whether the money comes back, whether the scammer gets caught, and whether you stay protected.
Within 24 hours
- File the full complaint at cybercrime.gov.in
- Confirm the bank has logged the fraud on your account
- Change all passwords that may have been exposed (bank, email, UPI, social media)
- If a SIM was involved, request a new SIM through your telecom provider in person
- Tell family and close contacts so they are not targeted next via your number or social profile
Within 72 hours
- Follow up with 1930 on the acknowledgement number, ask whether the recipient account was frozen
- Follow up with the bank fraud team, ask for status
- If funds were transferred from a credit card, raise a chargeback through the issuing bank
- Check your CIBIL or credit report for any unauthorised account opening
- Lock down social media privacy settings (we explain how in our digital footprint guide)
Within 7 days
- Visit the local cybercrime police station with all documents and the 1930 acknowledgement, request an FIR if the loss is significant or the bank has not been able to freeze the funds
- Continue checking the cybercrime.gov.in portal for status updates
- If the scammer is still active (still calling, still messaging), report each new contact as it happens
- Notify your insurance provider if you have cyber fraud cover (some credit cards and home insurance policies include limited cover)
Within 30 days
- Most bank fraud investigations close within 90 days. Many close within 30. Get a written status update.
- If you have not heard back, escalate through the RBI Banking Ombudsman under the Reserve Bank Integrated Ombudsman Scheme. The bank is required to respond within 30 days of a complaint and provide a deficiency-of-service resolution within 90 days.
- Run a basic security review of your digital life. Change passwords on all accounts using a password manager. Enable 2-factor authentication. Review app permissions on your phone.
Within 90 days
- Recovery, if it is going to happen via the freeze route, will mostly have happened by now
- If the case is going to a police investigation, you should have a case number and an investigating officer assigned
- If the bank has rejected your fraud claim, you have grounds to escalate to RBI Ombudsman
- Build the habit. Save 1930 in your contacts. Save cybercrime.gov.in as a browser bookmark. Save +91 99644 43350 (Cybersecify) for free verification of suspicious messages going forward.
When the first hour is already over
If you are reading this 6 hours, 6 days, or 6 weeks after the fraud, you have not lost everything. Late reporting is much weaker than fast reporting, but it is still better than silence.
Late reporting still:
- Adds the recipient account to the watchlist for future freezes when other victims report
- Contributes to the pattern data that I4C uses to map mule networks and connect cases
- Creates the legal record needed for any future police investigation
- Triggers the bank’s own fraud workflow even if the funds have already moved
- Sometimes leads to recovery weeks or months later when the mule network is busted
We have seen victims get partial recovery 8 months after the original fraud, because the mule account was eventually frozen as part of a CBI sweep and their complaint was on file as one of the receivers. The complaint has to exist for that recovery to be possible.
If it has been a while, still call 1930 today. Still file on cybercrime.gov.in today. Still preserve whatever evidence you have. The system is built for batch recovery, not just first-hour recovery.
How this applies to specific scam types
Each scam category has its own cross-link to a dedicated post. The first-hour process is the same. The specifics of evidence and red flags differ:
- Digital arrest scams: the call is the evidence. Screenshot the Skype or WhatsApp video before disconnecting. Note the fake officer’s name and the agency claimed.
- Sextortion: preserve the chat, do not pay, the first-hour post for sextortion is its own dedicated guide for the specific takedown steps with platforms.
- Fake loan apps: do not delete the app, do not pay the harassment fee, screenshot the WhatsApp threats including the morphed photos.
- WhatsApp ghost pairing: immediately log out all linked devices (WhatsApp settings → Linked Devices), then preserve and report.
- SMS scam clusters: screenshot the SMS with sender ID visible, do not click the link, do not delete the message.
- AI voice cloning: save the voice note separately, note the time the call came, identify the family member whose voice was cloned.
- DPDP impersonation: note the fake “notice” reference number and the email sender domain.
- Traffic challan SMS: screenshot the SMS, do not visit the link, verify the actual challan on the real Parivahan portal.
- Fake recruiter Trifleck malware: preserve the recruiter LinkedIn profile, the test script, and the laptop in offline state before any reformat.
- Calls claiming to be police: same as digital arrest, hang up and report; police do not interrogate or arrest over phone.
- Karnataka citizen safety guide: the broader umbrella for impersonation patterns across apps, ads, calls.
Our other two flagship guides round this out: Pause, Verify, Then Act is the prevention framework that stops the scam before money moves. Your Digital Footprint Is the Scam’s Raw Material explains why you got targeted in the first place.
Got a call or message right now? Send it to us, we verify free
If you are not sure whether what just happened is a scam, or you want a sanity check before you take action, send it to us privately.
WhatsApp / Call: +91 99644 43350
Send a screenshot, the caller number, the audio recording, the fake document, whatever you have. We tell you whether it is a real contact or a scam, and what to do next. Verification is free.
What we do:
- Cross-check the caller, sender, app, or URL against publicly available official records
- Identify the scam pattern (digital arrest, sextortion, fake loan, KYC, etc.)
- Tell you in plain language whether to proceed, ignore, or report
- Walk you through the 1930 and cybercrime.gov.in process if needed
What we do not do:
- Charge you for verification
- Ask for OTPs, bank passwords, or UPI PINs
- Pretend to be a law enforcement agency
You only pay if you want hands-on help beyond verification, and we always tell you honestly whether we can help before any payment is involved.
Save these numbers now
Save them in your contacts under names that are easy to find at 2 AM:
- 1930 (National Cybercrime Helpline, 24/7)
- +91 99644 43350 (Cybersecify, free verification, 50 citizens at a time)
- Your bank’s fraud line (back of your debit card or bank website)
- cybercrime.gov.in (browser bookmark)
The first hour after a fraud is not the time to search. It is the time to dial.
Frequently asked questions
What is the Golden Hour in cyber fraud reporting?
The Golden Hour is the first 60 minutes after money leaves your account. Scammers route stolen funds through layered mule accounts within minutes. If your complaint reaches 1930 fast enough, the I4C Citizen Financial Cyber Fraud Reporting and Management System can flag the recipient account before the next hop, and banks can place a hold on the funds. I4C reported INR 8,189 crore frozen in 2025 across all complaint types, and the bulk of those freezes were on complaints filed within the first few hours.
Should I call 1930 or my bank first?
Call 1930 first if it is the middle of the night or the bank line is slow. Call the bank first if you have their fraud-line number saved and can get through immediately. In practice, do both within 10 minutes of each other. 1930 talks to banks via the central system. The bank still needs your direct instruction to freeze, reverse, or chargeback the specific transaction on your account.
What evidence should I preserve right after a cyber fraud?
Do not delete anything. Take screenshots of the chat, the caller ID, the SMS, the email, the payment confirmation, the UPI reference, the bank debit alert, any APK file, and any voice note. Keep the call log untouched. Note the exact time of each event. If a fake app is installed, do not uninstall it yet, switch off mobile data and Wi-Fi instead. Forensic value drops the moment you start cleaning up.
How long does the 1930 helpline take to act?
1930 takes the complaint and pushes it to the I4C central system within minutes. The system then alerts the recipient bank and the payment intermediary (UPI, NPCI, wallet). Bank action depends on whether the funds have already moved to the next mule account. If you call within the first hour, the freeze rate is dramatically higher. If you call after 24 hours, recovery becomes a long police investigation rather than a fast freeze.
What if I already paid the scammer and it has been more than a day?
Still report. Funds are sometimes recovered weeks later when mule accounts are eventually frozen as part of larger investigations. The cybercrime.gov.in complaint also feeds the official record that becomes evidence if the case goes to police or court. And it adds to the pattern data that I4C uses to map mule-account networks. Late reporting is better than no reporting.
Will the police actually do anything if the amount is small?
Yes, the 1930 and cybercrime.gov.in route works for any amount. There is no minimum. Smaller losses still get logged, the recipient account still gets flagged, and the data still feeds enforcement. If you only file with the local police station and skip 1930, the freeze window often closes before the FIR is even registered. The two paths are complementary, not alternatives.
Can I get my money back if it was sent via UPI?
Possibly, if you report within the freeze window. UPI transactions are not technically reversible, but if 1930 alerts the recipient bank fast enough, the bank can place a debit freeze on the mule account before the scammer moves the money out. Once it has moved through two or three accounts, recovery becomes much harder. UPI speed is the scammer’s advantage. Reporting speed is yours.
Disclaimer: This guide is for public awareness only. Cyber Secify is an independent cybersecurity consultancy and is not affiliated with or endorsed by I4C, the Ministry of Home Affairs, RBI, any bank, or any government department. Verification is best effort guidance, not legal or law enforcement advice. For emergencies and legal reporting, always contact 1930 and file at cybercrime.gov.in.
Ashok Kamat Co-founder, Cybersecify