Over 20,000 cases reported; ATM cloning, OTP sharing and SIM-swap rackets dominate. Of ₹165 crore lost in 4,132 card-related FIRs, police could recover only ₹4.8 crore.
Mumbai – Mumbai, the country’s financial hub, has emerged as one of the most targeted cities for cybercrime, recording an alarming surge in digital fraud over the past five years. With nearly 20,000 cyber cases ranging from card cloning to sophisticated SIM-swap frauds, the city has lost more than ₹2,000 crore, while recoveries remain negligible.
Card and ATM Frauds Account for the Largest Share
According to Mumbai Police data, banking and payment-related frauds remain the most damaging category. In the last five years, 4,132 FIRs were filed for credit and debit card frauds, including ATM skimming, card cloning, SIM-swap, and OTP-based fraud, causing a cumulative loss of ₹165 crore, of which police managed to recover only ₹4.8 crore.
Investigators say fraudsters are increasingly using advanced tools—malware-embedded ATMs, card skimming devices, spoofed customer-care numbers, counterfeit app links, and even AI-driven voice cloning—to trick consumers into sharing confidential details.
OTP Theft and SIM-Swap: Biggest Triggers Behind Losses
A majority of cases involve manipulated calls and messages, where fraudsters pretend to be bank officials or service representatives. Victims were often coerced into sharing critical information such as OTPs, PINs, or KYC details.
In a growing number of cases, criminals executed SIM-swap attacks through mobile operators, giving them full access to victims’ bank-linked numbers, allowing unauthorized transactions without raising instant alerts.
Weak digital hygiene among users and systemic lapses in customer verification are deepening the crisis, cyber experts say.
Banks Under Fire for Denying Refunds Despite RBI’s Zero-Liability Rule
A significant concern raised by victims, as reported by TOI, is the reluctance of banks to reimburse fraudulent debits—even in cases that clearly fall under the RBI’s zero-liability framework.
Under RBI rules, customers who report unauthorized transactions promptly and are not at fault must be compensated by the bank.
However, multiple complainants allege:
- Banks delay registering fraud complaints,
- shift responsibility onto customers,
- and reject refund requests even when fraud is proven through digital forensics.
Consumer-rights advocates say this practice is contributing to public distrust and further under-reporting of cases.
Cybercrime Networks Now Spread Across Borders
Mumbai Police maintain that most fraudulent operations are no longer localised. Several cyber rackets operate across:
- Jharkhand, Uttar Pradesh, Rajasthan,
- Nepal and Bangladesh,
- and parts of Southeast Asia, including Cambodia and Myanmar.
Funds disappear quickly through mule accounts, fake UPI handles, multi-layered wallet transfers, and cryptocurrency channels, making the recovery trail extremely short-lived.
Police Focus on Awareness and Faster Reporting
Authorities emphasise that quick reporting is crucial to blocking fraudulent transfers. Cyber teams say the first 4–6 hours after a fraudulent transaction provide the narrowest but most effective window for fund freezing.
To strengthen public response, Mumbai Police are pushing:
- immediate reporting via cyber helpline 1930,
- strict caution against unknown links and APK downloads,
- awareness on fast-growing UPI, KYC and social-media scams.
The Road Ahead: A Critical Test for Mumbai’s Digital Safety
The staggering ₹2,000-crore loss has raised serious questions over the robustness of Mumbai’s cybersecurity framework and the preparedness of institutions to counter tech-driven crime.
Experts warn that unless banking security protocols are strengthened, RBI compensation norms are enforced strictly, and cross-border cyber networks are dismantled, the scale and impact of cyber fraud in the coming years could be even more severe.
