In a major ruling highlighting systemic vulnerabilities in India’s telecom–banking ecosystem, the Adjudicating Officer of Gujarat has imposed penalties totalling ₹1.19 crore on ICICI Bank and Vodafone Idea Limited (VIL) for negligence that enabled fraudsters to execute a high-value SIM-swap cyber theft of ₹1.2 crore from a corporate account.
The order found both institutions guilty of failing to follow mandatory verification, monitoring and fraud-prevention procedures—allowing criminals to gain control of a company’s registered mobile number and subsequently siphon funds through rapid online banking transactions.
SIM-Swap Enabled Fraudsters to Capture OTPs and Drain Funds
According to the investigation, the fraudsters used phishing and social engineering to obtain personal and account-related details of the victim company, Collective Trade Links. Posing as the customer, they approached a Vodafone Idea store in West Bengal and successfully procured a duplicate SIM card—despite the original number being active on international roaming.
The telecom operator’s failure to verify documents and identity allowed the attackers to hijack the phone number. Once the new SIM was activated, the fraudsters captured OTP messages and transaction alerts, enabling them to:
- Add new beneficiaries
- Approve high-value transfers
- Move ₹1.2 crore within minutes
By the time the victim attempted to access the account, the balance had been wiped out.
Vodafone Idea Penalised for Verification Failure
The adjudicating authority held Vodafone Idea accountable for failing to enforce mandatory SIM reissuance protocols, calling the lapse “a direct enabler of the fraud.”
Key findings:
- Store personnel did not verify ID proofs properly
- Mandatory cross-checks were skipped
- The duplicate SIM was issued even though roaming was active on the original number
Vodafone Idea was fined ₹5 lakh under provisions of the IT Act.
ICICI Bank Faces ₹1.15 Crore Liability for Ignoring Red Flags
ICICI Bank faced more severe action due to multiple failures in its fraud monitoring and security systems. The order stated that despite multiple large and rapid transfers, the bank:
- Did not flag transactions as unusual
- Added new beneficiaries without enhanced due diligence
- Allowed transfers that exceeded standard alert thresholds
- Failed to freeze activity despite detectable anomalies
The bank has been ordered to compensate the victim with ₹1.05 crore and pay an additional ₹10 lakh penalty, bringing its total liability to ₹1.15 crore.
Case Highlights Risks of Mobile-Based Authentication
Authorities described the case as a textbook example of the rising threat of SIM-swap fraud, a technique increasingly used by cybercriminals to bypass banking authentication frameworks.
Cyber experts warn:
- SIM-swap scams are escalating rapidly
- OTP-based verification alone is insufficient
- Better integration between telecom operators and banks is essential
The ruling is expected to push financial institutions and telecom companies to strengthen identity verification, fraud monitoring and inter-agency coordination.
Ongoing Cybersecurity Concerns
Officials emphasised that the case must serve as a wake-up call for all institutions handling sensitive digital data. Both ICICI Bank and Vodafone Idea have been advised to overhaul their verification and monitoring systems to prevent recurrence.
