Panaji | In a case related to online fraud, a consumer disputes redressal commission has dismissed a complaint filed against a bank over an alleged fraudulent transaction of ₹89,902. The panel observed that the complainant himself clicked on a phishing link and entered his net banking credentials and OTP, following which the transaction was completed through the mandatory security process. Therefore, the bank could not be held responsible for the loss.
The case involved Mapusa resident Kenneth D’Souza, who had filed a complaint before the consumer commission accusing a private bank of failing to assist him after he lost money in an online fraud. D’Souza had sought reimbursement of the amount debited from his savings account.
https://the420.in/cfi-certified-fraud-investigator-program-fcrf-academy-launch/
According to the complaint, D’Souza received a message that appeared to be from the bank, offering redemption of reward points. Believing the message to be genuine, he clicked on the link provided in the SMS.
After opening the link, he was asked to enter his net banking customer ID, password, and a one-time password (OTP). Shortly after he entered these details, ₹89,902 was debited from his bank account without his authorization.
D’Souza stated that he immediately approached the bank and lodged a complaint within 20 minutes of noticing the fraudulent transaction. He also filed a complaint related to cybercrime and approached the banking regulator seeking intervention. However, he claimed that the responses he received from the concerned authorities were not satisfactory.
In its reply before the consumer commission, the bank stated that the transaction was carried out through a vendor and an aggregator platform. The bank argued that the beneficiary who received the funds should have been made a party in the complaint proceedings.
The bank further maintained that the payment was processed only after the completion of a two-factor authentication process, which included verification through the customer’s login credentials and OTP. Since the customer himself entered these details, the bank contended that there was no lapse on its part.
During the hearing, two members of the commission observed that the complainant had voluntarily provided his banking information on the link, which led to the completion of the transaction. They also noted that D’Souza had previously worked in the banking sector and therefore was expected to have a reasonable understanding of internet banking risks and security measures.
Based on these observations, the majority of the panel concluded that the incident was a classic case of phishing, where fraudsters trick customers into revealing sensitive financial information through fake links or websites. The panel stated that when a customer himself shares confidential information and the transaction is completed after standard security verification, the bank cannot automatically be held liable.
However, one member of the commission expressed a dissenting opinion. The member observed that the bank had failed to provide immediate assistance after the complaint was lodged. According to this view, the lack of prompt acknowledgement of the complaint could indicate shortcomings in handling a serious security breach.
The dissenting observation also pointed out that the bank did not provide details of its internal investigation or adequately explain the circumstances surrounding the transaction. Nonetheless, since the majority of members disagreed, the complaint was dismissed.
In its final order, the commission stated that without making the beneficiary of the transaction a party to the case, it would be difficult to determine liability and proceed with the matter.
Cybersecurity experts say phishing remains one of the most common methods used by fraudsters in online financial crimes. Criminals often impersonate banks or well-known institutions and send messages containing fake links promising rewards, cashback, or account updates to lure victims.
Experts advise customers to avoid clicking on suspicious links and to never share confidential information such as passwords or OTPs on unknown websites. Banking transactions should always be conducted through official websites or verified mobile applications.
The case once again highlights that while banks maintain technological safeguards, customer awareness and caution remain the first line of defense against cyber fraud in the digital banking ecosystem.
About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
