Cyber Fraud Investigation

Legal Framework for Cyber Fraud in India

The legal framework for addressing cyber fraud in India rests on multiple statutes that work in conjunction. Understanding this layered framework is essential for both investigation and prosecution.

Information Technology Act, 2000 (as Amended in 2008)

The IT Act is the primary legislation governing cyberspace in India. The key provisions relevant to cyber fraud are:

• Section 43: Penalty and compensation for damage to computer, computer system, etc. Any person who accesses a computer without authorisation, downloads or extracts data, introduces viruses, disrupts services, or tampers with a computer system is liable to pay compensation up to Rs 5 crore (by way of adjudication, not criminal prosecution).
• Section 65: Tampering with computer source documents. Punishment: imprisonment up to three years, or fine up to Rs 2 lakh, or both.
• Section 66: Computer-related offences (hacking). Any person who dishonestly or fraudulently commits any act referred to in Section 43 is punishable with imprisonment up to three years, or fine up to Rs 5 lakh, or both.
• Section 66C: Identity theft. Using the electronic signature, password, or unique identification feature of another person is punishable with imprisonment up to three years and fine up to Rs 1 lakh.
• Section 66D: Cheating by personation using computer resource. Punishment: imprisonment up to three years and fine up to Rs 1 lakh.
• Section 72: Breach of confidentiality and privacy. Any person who secures access to electronic records and discloses them without consent is punishable with imprisonment up to two years, or fine up to Rs 1 lakh, or both.
• Section 72A: Punishment for disclosure of information in breach of lawful contract. Imprisonment up to three years, or fine up to Rs 5 lakh, or both.

Indian Penal Code / Bharatiya Nyaya Sanhita

In addition to the IT Act, several IPC provisions (now corresponding BNS provisions for offences committed after 1 July 2024) apply to cyber fraud:

• Section 420 IPC (Section 318 BNS): Cheating and dishonestly inducing delivery of property.
• Section 468 IPC (Section 338 BNS): Forgery for the purpose of cheating.
• Section 471 IPC (Section 340 BNS): Using as genuine a forged document.
• Section 406 IPC (Section 316 BNS): Criminal breach of trust.

RBI Framework for Cyber Fraud in Banking

The Reserve Bank of India has issued comprehensive guidelines on cybersecurity for banks, including the Cyber Security Framework for Banks (2016), guidelines on electronic banking transactions, and the framework for limiting liability of customers in unauthorised electronic banking transactions. Under the RBI’s customer liability framework, the customer’s liability in cases of unauthorised transactions depends on who reported the fraud and the time taken to report — if the customer reports within three working days, the customer’s liability is zero (for third-party breaches).

Types of Cyber Fraud Encountered in India

Based on our forensic investigation practice, the most prevalent types of cyber fraud in India include:

1. Business Email Compromise (BEC) / CEO Fraud

In BEC fraud, the attacker gains access to (or spoofs) a senior executive’s email account and sends instructions to the finance team to transfer funds to a fraudulent account. The emails are carefully crafted to appear legitimate, often mimicking the executive’s writing style and referencing ongoing transactions. BEC fraud has caused losses of hundreds of crores to Indian companies. Our investigations typically involve email header analysis, IP address tracing, and fund flow tracking.

2. Phishing and Vishing

Phishing involves fraudulent emails, SMS messages, or websites that trick victims into revealing sensitive information (login credentials, OTPs, card details). Vishing is the voice-based variant, where fraudsters impersonate bank officials or government authorities over phone calls. These methods are the entry point for a vast majority of individual-level cyber frauds in India.

3. UPI Fraud

With the explosive growth of UPI transactions in India, UPI-related fraud has surged. Common methods include fraudulent collect requests (where the victim unknowingly approves a debit), QR code scams (where a malicious QR code initiates a debit instead of a credit), and SIM swap fraud (where the attacker takes over the victim’s mobile number to intercept OTPs).

4. Ransomware Attacks

Ransomware attacks encrypt an organisation’s data and demand payment (typically in cryptocurrency) for the decryption key. Indian businesses, hospitals, and government agencies have been targeted. The forensic investigation involves identifying the attack vector (often a phishing email or unpatched vulnerability), determining the extent of data compromise, and tracing any ransom payments.

5. Investment and Trading Fraud

Fraudulent investment platforms — offering unrealistic returns on stock trading, forex, or cryptocurrency — have proliferated online. Victims are lured through social media advertisements, messaging apps, and fake testimonials. The forensic investigation involves analysing the platform’s architecture, tracing fund flows, and identifying the persons behind the operation.

6. E-Commerce Fraud

This includes fraudulent sellers on e-commerce platforms, fake product listings, and payment manipulation. It also includes refund fraud, where fraudsters exploit return policies using counterfeit products.

Section 65B — Admissibility of Digital Evidence

Section 65B of the Indian Evidence Act, 1872 (now Section 63 of the Bharatiya Sakshya Adhiniyam, 2023) is the cornerstone provision for the admissibility of digital evidence in Indian courts. Every forensic investigator and legal practitioner must have a thorough understanding of this provision.

Requirements for Admissibility

Under Section 65B(2), electronic evidence is admissible if:

1. The computer output was produced by the computer during the period over which the computer was used regularly to store or process information.
2. During the said period, information of the kind contained in the electronic record was regularly fed into the computer in the ordinary course of activities.
3. Throughout the material part of the said period, the computer was operating properly — or if not, the malfunction did not affect the accuracy of the electronic record.
4. The information contained in the electronic record reproduces or is derived from information fed into the computer in the ordinary course of activities.

The Certificate Requirement — Section 65B(4)

Critically, under Section 65B(4), the electronic record must be accompanied by a certificate that:

• Identifies the electronic record and describes the manner in which it was produced.
• Provides the particulars of the device involved in the production of the electronic record.
• Certifies that the conditions specified in Section 65B(2) are satisfied.
• Is signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities.

Judicial Interpretation

The Supreme Court has addressed the requirement of the Section 65B certificate in several landmark decisions:

• Anvar P.V. v. P.K. Basheer (2014): The Supreme Court held that electronic evidence without a Section 65B certificate is inadmissible. The Court overruled the earlier decision in State (NCT of Delhi) v. Navjot Sandhu, which had suggested that the certificate was not always mandatory.
• Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020): The Supreme Court reaffirmed the mandatory nature of the Section 65B(4) certificate but clarified that the requirement can be relaxed if the original electronic device is produced in court. The Court also observed that the certificate can be issued at any stage before the trial, not necessarily at the time of production of the evidence.

In our forensic practice, we ensure that all digital evidence collected during an investigation is accompanied by a properly drafted Section 65B certificate, prepared in coordination with the IT personnel responsible for the relevant systems. For more on our forensic capabilities, visit our forensic accounting page.

Forensic Investigation Methodology for Cyber Fraud

Our approach to cyber fraud investigation follows a structured methodology designed to ensure thoroughness, evidentiary integrity, and compliance with legal requirements.

Phase 1: Incident Assessment and Scoping

Upon engagement, we conduct an initial assessment to understand the nature and extent of the cyber fraud. This involves interviewing the affected persons, reviewing available logs and records, understanding the IT infrastructure, and defining the scope of the investigation. We work closely with the client’s IT team and legal counsel to ensure alignment on objectives and legal constraints.

Phase 2: Digital Evidence Acquisition

This is the most technically critical phase. Digital evidence must be acquired in a forensically sound manner to ensure its admissibility in court. Key principles include:

• Forensic Imaging: Creating a bit-for-bit copy (forensic image) of the relevant storage media (hard drives, servers, mobile devices) using validated forensic tools. The original media is preserved untouched.
• Hash Verification: Computing and recording cryptographic hash values (MD5, SHA-256) of the original media and the forensic image to prove that the copy is an exact replica and has not been tampered with.
• Chain of Custody: Maintaining a documented chain of custody for all evidence, recording who handled the evidence, when, and for what purpose. Any break in the chain of custody can render the evidence inadmissible.
• Volatile Data Preservation: Capturing volatile data (RAM contents, active network connections, running processes) before shutting down a compromised system, as this data is lost upon power-off.

Phase 3: Analysis

The analysis phase involves examining the acquired evidence to reconstruct the fraud, identify the perpetrators, and quantify the loss. Common analytical techniques include:

• Email Header Analysis: Examining email headers to identify the true origin of fraudulent emails, including IP addresses, email servers, and timestamps.
• Log Analysis: Reviewing server logs, firewall logs, application logs, and access logs to trace the attacker’s actions within the system.
• Malware Analysis: If malware was used in the attack, analysing the malware to understand its functionality, origin, and command-and-control infrastructure.
• Fund Flow Analysis: Tracing the flow of misappropriated funds through bank accounts, payment gateways, and cryptocurrency wallets.
• Timeline Reconstruction: Creating a chronological timeline of events based on digital artefacts (file timestamps, log entries, email timestamps) to establish the sequence of the fraud.
• Network Traffic Analysis: Examining captured network traffic to identify data exfiltration, unauthorised access, and communication with external malicious servers.

Phase 4: Reporting and Legal Support

The investigation culminates in a comprehensive forensic report that documents the methodology, findings, and evidence. The report is prepared with the understanding that it may be presented in court proceedings, and all findings are supported by documentary and digital evidence. We also assist clients in filing FIRs with the cybercrime police, complaints with the Cyber Crime Investigation Cell, and notifications to the Indian Computer Emergency Response Team (CERT-In) where required.

Reporting Cyber Fraud in India

Victims of cyber fraud have several avenues for reporting and seeking redress:

1. National Cyber Crime Reporting Portal

The Ministry of Home Affairs operates the National Cyber Crime Reporting Portal (cybercrime.gov.in), where victims can file online complaints. Financial cyber fraud complaints filed through this portal are routed through the Indian Cyber Crime Coordination Centre (I4C) to the relevant bank for immediate fund freezing.

2. Cybercrime Police Station

Most states have dedicated Cybercrime Police Stations or Cyber Crime Investigation Cells. An FIR can be filed at the nearest cybercrime police station or at the jurisdictional police station under the relevant provisions of the IT Act and IPC/BNS.

3. CERT-In Reporting

Under the IT Act, certain cyber security incidents must be reported to CERT-In within six hours of detection. These include targeted scanning or probing, compromise of critical systems, data breaches, and ransomware attacks.

4. RBI Complaint (for Banking Fraud)

For cyber fraud involving banking transactions, a complaint should be filed with the bank immediately (within the timeframe specified by the RBI for zero liability protection). If the bank does not resolve the complaint, the customer can escalate to the RBI’s Banking Ombudsman.

For practical guidance on corporate fraud detection, see our article on employee fraud detection and prevention in Indian SMEs and our guide on forensic audit process and methodology.

Prevention Strategies for Businesses

While investigation is necessary after a cyber fraud occurs, prevention remains the most effective strategy. We advise our clients to implement the following measures:

1. Multi-Factor Authentication (MFA)

Implement MFA for all critical systems — email, banking, ERP, and cloud services. MFA significantly reduces the risk of account takeover, which is the entry point for most BEC and phishing attacks.

2. Employee Awareness Training

Conduct regular cyber awareness training, including simulated phishing exercises. Employees — particularly those in finance, HR, and IT — are the first line of defence against social engineering attacks.

3. Payment Verification Protocols

Establish independent verification protocols for all significant fund transfers. Any change in beneficiary account details must be verified through a call-back to a known number (not the number provided in the email). This simple measure can prevent most BEC fraud losses.

4. Incident Response Plan

Develop and periodically test a cyber incident response plan that defines roles, responsibilities, communication channels, and escalation procedures. Quick response in the first few hours after a cyber fraud can significantly increase the chances of fund recovery.

5. Regular Vulnerability Assessment and Patch Management

Conduct regular vulnerability assessments and ensure timely patching of known vulnerabilities. Many ransomware attacks exploit known but unpatched vulnerabilities.

To discuss your organisation’s cybersecurity posture and fraud investigation needs, contact our team.

Frequently Asked Questions

1. What is the Section 65B certificate and who can issue it?

The Section 65B certificate is a document that certifies the authenticity and reliability of electronic evidence. It must be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities. For example, the IT administrator of a company can issue a 65B certificate for emails stored on the company’s server, and the bank’s authorised officer can issue one for bank transaction records.

2. Can screenshots or printouts of electronic records be used as evidence?

Printouts of electronic records are considered “computer output” under Section 65B and are admissible if accompanied by the Section 65B certificate. However, screenshots taken on a mobile phone and then printed may face additional admissibility challenges — the chain from the original electronic record to the printout must be established through the certificate.

3. What should a company do immediately after discovering a cyber fraud?

Immediate steps include: (a) Isolate the compromised systems to prevent further damage; (b) Preserve all digital evidence — do not shut down, reformat, or modify compromised systems; (c) Notify the bank and request fund freezing if financial fraud is involved; (d) File a complaint on the National Cyber Crime Reporting Portal (cybercrime.gov.in); (e) Engage forensic investigators for evidence acquisition and analysis; (f) Report to CERT-In if required; (g) Notify legal counsel for FIR filing and regulatory compliance.

4. Can cryptocurrency transactions be traced in cyber fraud cases?

Yes, contrary to the popular misconception that cryptocurrency is anonymous, most blockchain transactions are pseudonymous and can be traced using blockchain analytics tools. Forensic investigators can trace the flow of cryptocurrency through wallet addresses, identify exchanges where the cryptocurrency was converted to fiat currency, and work with exchanges (which are now reporting entities under the PMLA) to identify the account holders. However, tracing becomes more difficult when mixing services, privacy coins, or decentralised exchanges are used.

5. What is the jurisdiction for filing a cyber crime complaint?

Under Section 75 of the IT Act, offences committed outside India by any person (irrespective of nationality) are covered if the act involves a computer, computer system, or computer network located in India. The complaint can be filed where the victim is located, where the offence was committed (the location of the computer used), or where the consequences of the offence occurred. The National Cyber Crime Reporting Portal allows filing from any location.

6. Are companies liable for cyber fraud committed by their employees?

Under Section 85 of the IT Act, if an offence is committed by a company, every person who was in charge of and responsible for the conduct of the business at the time of the offence is deemed guilty, unless they can prove that the offence was committed without their knowledge or that they exercised all due diligence to prevent it. This places significant responsibility on directors and senior management to ensure adequate cybersecurity measures and controls are in place.

Virtual Auditor — AI-Powered CA & IBBI Registered Valuer Firm
Valuer: V. VISWANATHAN, FCA, ACS, CFE, IBBI/RV/03/2019/12333
Chennai (HQ): G-131, Phase III, Spencer Plaza, Anna Salai, Chennai 600002
Bangalore: 7th Floor, Mahalakshmi Chambers, 29, MG Road, Bangalore 560001
Mumbai: Workafella, Goregaon West, Mumbai 400062
Phone: +91 99622 60333 | Email: support@virtualauditor.in
Book a Consultation