Friday, May 29, 2026

Best Cybersecurity Response: What to Do When You Have Already Been Hacked, Scammed, or Compromised

Every cybersecurity guide focuses on prevention. Use strong passwords. Enable two-factor authentication. Don’t click suspicious links. This advice is right — and it fails a significant percentage of people who follow it, because sophisticated attacks succeed even against prepared users, and because millions of Indians are compromised every year before they encounter any security guidance at all.

This guide covers the other half of cybersecurity that almost no article addresses: what to do after something has gone wrong. Whether your bank account has been drained, your social media account has been taken over, your phone has been stolen, your WhatsApp has been hijacked, your business has been hit by ransomware, or you have realised mid-conversation that you are being scammed — the specific steps you take in the first minutes and hours determine whether the damage is contained or catastrophic.

Speed is the critical variable in every cyber incident. The faster you act, the more options you have. This guide gives you the exact response sequence for each type of compromise so you can act immediately rather than losing precious minutes searching for what to do.


The Universal First Response Principles

Before the incident-specific guidance, three principles apply to every type of cyber compromise regardless of what has happened.

Act first, investigate later. The instinct to fully understand what happened before doing anything is wrong in a cyber incident context. A fraudulent bank transfer that is reported in five minutes has a meaningful chance of being recalled. The same transfer reported after two hours of trying to figure out what happened is almost certainly gone. Contain first. Investigate after containment.

Use a clean device for your response actions. If your phone or computer has been compromised, do not use that device to log in, change passwords, or contact your bank. A keylogger or remote access tool on a compromised device will capture everything you type, including the new passwords you are setting. Use a different device — a family member’s phone, a work computer, a trusted friend’s device — for all response actions until your primary device has been verified clean.

Document everything before changing anything. Take screenshots of suspicious transactions, unusual account activity, unfamiliar connected devices, or any communication from the attacker. This documentation is required for police complaints, bank fraud claims, insurance claims, and CERT-In reports. The evidence exists now; once you start cleaning up, some of it will be gone.


Incident Response 1: Bank Account or UPI Fraud

This is the highest-urgency category. Money that moves through the banking system becomes increasingly difficult to recover with every hour that passes.

The First 30 Minutes

Call 1930 immediately. The National Cybercrime Helpline is specifically structured to receive fraud reports and interface with banks and payment networks. When you call, have your transaction details ready: the exact amount, the time of the transaction, the recipient UPI ID or account number if visible, and your account number. Ask them to log a complaint and provide you with the complaint reference number.

Call your bank’s 24-hour fraud helpline simultaneously or immediately after. Every major Indian bank has a dedicated fraud line distinct from general customer service:

  • SBI: 1800-11-1109
  • HDFC Bank: 1800-120-1243
  • ICICI Bank: 1800-200-3344
  • Axis Bank: 1800-209-5577
  • Kotak Mahindra Bank: 1860-266-0811

Tell them explicitly that you want to “mark a disputed transaction” and “initiate a chargeback or fraud recall.” The language matters — bank customer service agents have specific procedures for fraud recall that are different from general complaint processes. Request that they place a temporary freeze on further transactions from your account while the investigation is open.

Block your SIM if you suspect SIM-swap fraud. If you notice your phone has lost network signal, is not receiving OTPs, or you see UPI transactions you did not initiate, your SIM may have been swapped. Call your telecom operator immediately (Jio: 1800-889-9999, Airtel: 121, BSNL: 1503, Vi: 199) and report SIM-swap fraud. Ask them to block the fraudulent SIM and issue a replacement.

Within 24 Hours

File a formal complaint at cybercrime.gov.in. The online complaint portal is available 24 hours. Under “Financial Fraud,” provide all transaction details, screenshots, the 1930 complaint reference number, and any communication from the fraudster. This creates an official case number that you will need for all subsequent follow-up.

File an FIR at your nearest police station. Cybercrime portal complaints are useful, but an FIR (First Information Report) at a police station creates a stronger legal record. Take your transaction screenshots, bank statements showing the disputed transaction, and your cybercrime portal complaint number. Ask specifically for an FIR under Section 66D of the IT Act (cheating by personation using computer resource) and Section 420 IPC (cheating). The police are legally required to register an FIR if you report a cognisable offence. If they refuse, escalate by filing a complaint with the Superintendent of Police (SP).

Request a detailed bank statement. Ask your bank for a statement showing the fraudulent transaction, the recipient account details (even if they can only provide partial information), and the transaction reference number (UTR number). This detail is required for the investigation.

Realistic Expectations

The probability of recovering fraudulently transferred funds in India depends heavily on speed of reporting and the payment pathway. According to NPCI data, a small percentage of UPI fraud amounts are recovered — the proportion is low but not zero, and it is significantly higher when reported within the first hour. Funds transferred to accounts that are immediately drained and further moved are hardest to recover. Funds transferred to accounts still holding balances have a higher recovery rate when reported within hours.

The primary purpose of reporting is not only recovery — it is creating a documented record, preventing the same fraudster from victimising others, and supporting the growing enforcement effort against cyber fraud networks.


Incident Response 2: Email Account Compromise

Your email account is the master key to your entire digital life. If it is compromised, every account that uses it for password recovery is potentially at risk.

Immediate Steps

Check whether you still have access. Try logging in. If your password has been changed and you are locked out, use the account recovery process — for Gmail, go to accounts.google.com/signin/recovery and follow the steps. Google will ask you to verify your identity through a backup phone number, recovery email, or by confirming recent account activity. Have these verification methods ready.

If you still have access, act immediately before the attacker changes your recovery information. Go to myaccount.google.com → Security:

First, change your password to a new, unique, strong password generated by your password manager. Do this before anything else.

Second, sign out all other sessions: Google Account → Security → Your Devices → click each unfamiliar device → “Sign Out.” Also go to Security → Recent Security Activity and review every login.

Third, check and update recovery information: ensure your recovery phone number and backup email are ones only you control.

Fourth, enable 2FA if not already enabled.

Fifth — and critically — go to Gmail → Settings → See All Settings → Forwarding and POP/IMAP and check for unauthorised forwarding rules. Attackers who access email accounts almost always set up forwarding so they continue receiving copies of your emails even after you regain access and change your password. Delete any forwarding addresses you did not set up.

Sixth, check Filters and Blocked Addresses in Gmail settings for any rules that automatically delete or archive certain incoming emails — particularly security alerts or bank notifications that an attacker would want you not to see.

Cascade Response

After securing your email account, systematically change passwords for every account linked to that email address, starting with the highest-risk ones: banking apps, UPI platforms, investment accounts, work email and tools. Use your password manager to generate unique strong passwords for each. Enable 2FA on every critical account.

Check each linked account for signs of access: unusual login locations, changed profile details, unfamiliar linked devices or apps. If you find evidence that a linked account was also accessed, escalate to that platform’s specific compromise response.


Incident Response 3: Social Media Account Takeover

Social media account takeovers are used to scam your contacts — impersonating you to request emergency money, promote fraudulent investment schemes, or spread malicious links to people who trust you.

Instagram Account Recovery

Go to the Instagram login page and tap “Forgot Password.” Enter your username, email, or phone number. If the attacker has changed your email, tap “Need more help?” and follow Instagram’s identity verification process — you will be asked to verify your identity through a selfie video.

If you receive a suspicious login link you did not request, do not click it — this may be a phishing attempt. Go directly to instagram.com rather than clicking any email link.

Once access is restored: change your password immediately, revoke access for all third-party apps in Settings → Security → Apps and Websites, review and remove unrecognised linked accounts, and enable 2FA in Settings → Security → Two-Factor Authentication.

Notify your followers. As soon as you regain access, post a story or message alerting your contacts that your account was compromised and that any unusual messages, financial requests, or investment promotions from “you” during the compromise period were fraudulent. This protects your contacts and reduces reputational damage.

WhatsApp Account Recovery

If your WhatsApp has been taken over, re-registering your phone number on WhatsApp forces a log-out of any other device using your account. Open WhatsApp, enter your phone number, and request a new verification SMS code. Enter the code when received.

If the attacker has enabled Two-Step Verification with their own PIN, you will be locked out for seven days before you can register without the PIN. During this period, contact WhatsApp support through web.whatsapp.com/contact explaining the account takeover.

After restoration: immediately enable your own Two-Step Verification PIN (Settings → Account → Two-Step Verification), review Linked Devices and remove any you don’t recognise, and alert your contacts through another channel that your WhatsApp was compromised.

Facebook Account Recovery

Go to facebook.com/hacked for Facebook’s dedicated account compromise recovery flow. Facebook’s recovery process includes options for when your email, phone number, and password have all been changed — identity verification through trusted contacts or official ID submission.


Incident Response 4: Phone Theft or Loss

A stolen phone is not just hardware theft — it is a potential breach of every app, account, and authenticator code stored on the device.

Immediate Steps

Remotely lock or wipe your phone. For Android, go to findmydevice.google.com from any browser, sign in with your Google account, select your device, and choose either “Lock” (adds a temporary password and displays a contact message on screen) or “Erase” (complete factory reset — choose this if you believe the thief is actively trying to access your accounts). For iPhone, go to icloud.com/find, select your device, and choose “Mark as Lost” (locks the device and displays a contact message) or “Erase iPhone.”

Block your SIM. Call your telecom operator immediately to report the number stolen and request a replacement SIM. This prevents the thief from receiving OTPs that could allow account access even if the phone is locked.

Change passwords for critical accounts. Even with the phone locked, a determined attacker may eventually break the lock screen. Change passwords for your banking apps, email, UPI platforms, and social media from a clean device as a precaution.

Disable UPI on the stolen number. For PhonePe, log into the PhonePe website or app from another device and deregister the stolen device. For Google Pay, go to pay.google.com → Settings → Manage Devices. For Paytm, contact Paytm support at 0120-4456-456 to deactivate the account on the stolen device.

File a police complaint and apply for IMEI blocking. File an FIR for theft at your nearest police station. With the FIR, register your stolen IMEI on the Sanchar Saathi portal (sancharsaathi.gov.in) to block the device from being used on Indian mobile networks with any SIM card. Your device’s IMEI is printed on the original box, on your purchase invoice, or can be retrieved from your Google account at myaccount.google.com → Security → Your Devices (shown before the theft).


Incident Response 5: Ransomware on a Computer

Ransomware — malware that encrypts your files and demands payment for decryption — is primarily a threat to Windows computers, though Mac and Android versions exist. For individual users and small businesses, the response is clear.

Do Not Pay the Ransom

Payment does not guarantee decryption. Multiple ransomware groups have taken payment and either not provided decryption keys or provided keys that do not work for all files. Payment also funds criminal networks and marks you as a target for repeat attacks. The FBI, Europol, and India’s CERT-In all advise against ransom payment.

Immediate Containment

Disconnect the affected computer from all networks immediately — unplug the ethernet cable and disable Wi-Fi. Ransomware actively spreads to networked drives and other computers on the same network; disconnection stops the spread. If the computer is part of a business network, disconnect it from the network switch and alert IT support or your managed service provider immediately.

Do not attempt to decrypt or recover files on the affected machine while it is running the original infected operating system. This can damage partially encrypted files and destroy forensic evidence needed for decryption tool development.

Recovery Options

Check No More Ransom (nomoreransom.org). This joint initiative by Europol, Interpol, and multiple cybersecurity companies provides free decryption tools for dozens of known ransomware variants. Upload a sample encrypted file and the ransom note to identify the ransomware variant — if a free decryptor exists, download and apply it.

Restore from backup. If you maintained the 3-2-1 backup discipline described in the security essentials article on this site, restore your files from the most recent clean backup taken before the infection. This is the fastest and most complete recovery path for most individuals.

Professional forensic recovery. For businesses with significant data loss, professional cybersecurity incident response firms including Quick Heal Enterprise, Sequretek, and Lucideus (TAC Security) operate in India and provide ransomware investigation, containment, and recovery services.

Report to CERT-In. Ransomware incidents affecting Indian organisations are reportable to CERT-In at incident@cert-in.org.in within six hours under India’s 2022 cybersecurity direction. Individual users should also report through the cybercrime portal to contribute to threat intelligence.


Incident Response 6: Realising Mid-Scam That You Are Being Deceived

One of the most practically important scenarios — and the least discussed — is the moment you realise during an ongoing interaction that it is a scam. The psychological engineering of sophisticated scams is designed to make this realisation difficult, but it does happen: something seems slightly off, a claim is internally inconsistent, or you feel a moment of clarity through the manufactured pressure.

The Mid-Scam Response

Disengage immediately without explanation. You do not owe the scammer a polite explanation or a reason for stopping. Simply disconnect the call, close the chat, or stop responding. Continuing to engage — even to challenge the scammer or express anger — keeps you in the interaction and gives them opportunities to re-establish psychological control.

Do not transfer any money. If money has been requested but not yet sent, the incident has zero financial cost. The moment the call ends without a transfer, the scam has failed completely. Whatever manufactured urgency or fear exists — the legal threat, the “account blocking,” the emergency claim — evaporates when you stop engaging. These consequences are not real and cannot be enacted by the scammer regardless of what they claim.

If you have already shared information but not sent money: Change passwords for any account whose credentials you mentioned, and cancel or replace any card details you provided. Enable fraud alerts with your bank. The information shared is a risk but not yet a loss — act quickly and the window for exploitation may be closed before it is used.

If you have already sent money or approved a transaction: Follow the bank fraud response protocol in Incident Response 1 above — call 1930 and your bank immediately. Every minute counts.

Process the experience without shame. Cyber fraud works by exploiting normal human psychology, not by finding uniquely gullible individuals. The most sophisticated scam operations employ psychologists to refine their techniques. Being targeted is not a reflection of intelligence or competence. Reporting the incident — both to authorities and within your family — is more useful than silence driven by embarrassment, because it prevents the same techniques from being used on others you know.


Building a Personal Incident Response Plan Before You Need It

The single best time to think through what you would do in a cyber incident is before the incident occurs — when you are calm, have time to research, and are not under psychological pressure.

A practical five-minute exercise: for each of the following scenarios, identify the specific first action you would take and write it down in a note you can access from any device.

What would you do if you saw an unauthorised UPI transaction right now? (Answer: call 1930 and your bank fraud line within minutes.)

What would you do if you could not log into your Gmail account right now? (Answer: go to accounts.google.com/signin/recovery from a clean device.)

What would you do if your phone was stolen right now? (Answer: log into findmydevice.google.com from any browser and lock the device, then call your telecom operator to block the SIM.)

What is your bank’s 24-hour fraud helpline number? (Save it in your contacts under “Bank Fraud” right now — do not rely on finding it under pressure.)

Pre-answering these questions in advance converts a potential panic response into a practised one. The information you look up today under zero stress is information you can act on instantly if a crisis arrives.


Key Numbers and Resources: Save These Now

Emergency | Contact | How
Any cyber fraud / financial scam | 1930 | Call — available 24/7
File cybercrime complaint | cybercrime.gov.in | Online portal
Stolen phone IMEI block | sancharsaathi.gov.in | Online portal
Aadhaar misuse / fraud | 1947 | Call UIDAI helpline
Check SIMs on your Aadhaar | tafcop.sancharsaathi.gov.in | Online portal
Free ransomware decryptors | nomoreransom.org | Online tool
CERT-In incident reporting | incident@cert-in.org.in | Email
SBI Fraud | 1800-11-1109 | Call
HDFC Fraud | 1800-120-1243 | Call
ICICI Fraud | 1800-200-3344 | Call
Axis Bank Fraud | 1800-209-5577 | Call
Kotak Fraud | 1860-266-0811 | Call

This article is for educational and informational purposes only. Response steps described are based on publicly available information from NPCI, RBI, CERT-In, individual banks, and platform support documentation as of May 2026. Procedures may vary and are subject to change — always verify current processes with the relevant institution directly. For urgent cybercrime situations, contact 1930 immediately. Consult a qualified cybersecurity professional for enterprise incident response.

Mahesh is a cybersecurity writer covering digital safety, incident response, and online fraud recovery for Indian consumers and small businesses.
