Lock Down Your Login Credentials

Open your net banking portal right now. I mean it. Log in and go straight to the security or profile settings section. Most Indian banks have security features that ship in a disabled state. They exist, they work, but nobody turns them on because nobody knows they are there. You are going to change that today.

Start with your net banking password. It should be something you are not using anywhere else. Not a variation of your email password. Not your name followed by your year of birth. Not “india123” or “password1” or any combination that a human could guess in five tries. Use a password manager to generate something random, at least 14 characters long, and store it there. If you are not using a password manager yet, pick something long and memorable to you but meaningless to anyone else, and write it down on paper kept in a secure place at home until you get set up with a manager.

SBI’s OnlineSBI portal lets you change your login and transaction passwords under Profile, then Change Password. HDFC NetBanking has the option under My Profile on the left sidebar. ICICI’s portal puts it under Customer Service, then Change Password. Each bank uses slightly different navigation, but they all have it. While you are in there, check if your bank offers a virtual keyboard option for typing your password during login. SBI and HDFC both have this. A virtual keyboard means you click on-screen buttons instead of typing on your physical keyboard, which defeats keystroke-logging malware that might be running silently on your computer and recording everything you type. It does not defeat malware that captures your screen, so treat it as one layer, not a substitute for keeping the device itself clean.

Next, bookmark your bank’s official URL in your browser. Use only that bookmark when you want to access net banking. Never follow a link from an email, SMS, or WhatsApp message to reach your bank’s website. Phishing pages are designed to look identical to the real thing, down to the colour scheme, the logo, and the layout. The only difference is the URL, and that difference can be subtle: the bank’s name buried as a subdomain of an attacker’s domain, or a lookalike character in the hostname. A bookmark removes that particular risk because you never have to judge a URL under pressure. You click your bookmark, you land on the real site, done.

For mobile banking apps, download them only from the Google Play Store or Apple App Store. After installation, turn on the biometric lock. Every major Indian banking app supports fingerprint or face authentication now. SBI’s YONO, HDFC Mobile Banking, iMobile Pay from ICICI, Axis Mobile, all of them. This means even if someone picks up your unlocked phone, they still cannot open the banking app without your fingerprint.

For UPI apps like Google Pay, PhonePe, and Paytm, enable the app-level lock separately. These apps have their own PIN or biometric gate that sits on top of your phone’s lock screen. On Google Pay, go to your profile picture, then Settings, then Privacy & Security, then Screen Lock. On PhonePe, open the app settings and look for App Lock. On Paytm, it is under Security Settings. Each one takes ten seconds to enable.

When you finish a net banking session, click the Logout button. Actually click it. Closing the browser tab is not the same as logging out. Your session can remain active for several minutes after you close the tab, and if someone accesses your browser during that window, they may be able to resume your session. Also, never save your banking credentials in the browser’s built-in password auto-fill for a shared computer. If you are the only person who uses your machine and you trust your browser’s password manager, that is a different conversation. But on any shared device, save nothing.


Set Transaction Limits and Alerts

This is the layer that caps the damage if something goes wrong. Even if an attacker gets past your login, transaction limits control how much they can actually take. And alerts tell you the moment anything moves.

Log into your net banking portal and find the transaction limits section. On SBI OnlineSBI, go to e-Services, then Manage Transaction Limits. On HDFC NetBanking, look under Accounts, then Transaction Limits. On ICICI, check under Payments & Transfer, then Manage Limits. Each of these pages will show you your current daily maximums for NEFT, RTGS, IMPS, and sometimes UPI and card transactions separately.

Now look at those numbers honestly. If you have never transferred more than one lakh rupees in a single day in your entire life, there is no reason your NEFT daily limit should be sitting at five lakh or ten lakh, which is what many banks set as the default. Drop it. Set each channel to the lowest amount that works for your actual usage. If you normally transfer twenty thousand a day at most, set the limit to thirty thousand to give yourself some breathing room. You can always temporarily raise the limit on the rare occasions you need to make a large payment. The point is that if an attacker gets into your account on a Tuesday night, they are capped at thirty thousand instead of five lakh. That difference could be the difference between a bad week and a financial disaster.

Do the same for your UPI limits. Most UPI apps let you set per-transaction and daily limits. The per-transaction limit is especially useful because it means even a single fraudulent transfer cannot exceed a certain amount. Check your banking app’s settings for UPI limit management. On SBI YONO, it is under UPI Settings. On HDFC, it is accessible through the Fund Transfer section.

After that, turn on transaction alerts for every amount. Not just transactions above five thousand rupees. Set the threshold to zero. Every single rupee that moves in or out of your account should trigger both an SMS and an email notification. The reason you want both channels is redundancy. If your SIM card gets compromised in a SIM swap attack, SMS alerts stop reaching you. But email alerts will still arrive on your laptop, tablet, or secondary phone if you have your email logged in there. That second channel might be the one that tips you off to a problem while there is still time to act.

Fraudsters commonly make a small test transaction before going for the larger amounts. They might transfer one hundred or five hundred rupees to confirm that the stolen credentials work and that the account is active. If your alert threshold is set at five thousand, you miss that test entirely. By the time you notice the fifty-thousand-rupee transfer, the attacker already knows your credentials are good and may have already initiated multiple transfers.
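To make that reasoning concrete, here is an added example, not part of the original article, of the check a monitor would run over your alerts: a small debit to a payee you have never paid, followed within a day by a large debit to the same payee, plus a count of how many alerts a non-zero SMS threshold would have silently dropped. The alert records and the cut-offs (a probe is anything up to Rs 1,000, a drain anything from Rs 10,000) are constructed for illustration.

```python
"""Spot the 'small probe, then big drain' pattern in account alerts (added example)."""
from datetime import datetime, timedelta

# Constructed alert records, not real data. Amounts in rupees.
SAMPLE_ALERTS = [
    {"time": "2024-03-11 18:40", "type": "credit", "amount": 55000.0, "payee": "SALARY"},
    {"time": "2024-03-11 19:05", "type": "debit",  "amount": 1200.0,  "payee": "GROCERY MART"},
    {"time": "2024-03-12 09:15", "type": "debit",  "amount": 1200.0,  "payee": "GROCERY MART"},
    {"time": "2024-03-12 21:02", "type": "debit",  "amount": 100.0,   "payee": "VPA:qwik-pay@okbank"},
    {"time": "2024-03-12 21:31", "type": "debit",  "amount": 49000.0, "payee": "VPA:qwik-pay@okbank"},
]

PROBE_MAX = 1000.0           # a test transfer is typically a few hundred rupees (assumed cut-off)
DRAIN_MIN = 10000.0          # what the attacker is really after (assumed cut-off)
WINDOW = timedelta(hours=24)


def _sorted_debits(alerts):
    """Parse timestamps and return only the debits, oldest first."""
    parsed = [{**a, "time": datetime.strptime(a["time"], "%Y-%m-%d %H:%M")} for a in alerts]
    return sorted((a for a in parsed if a["type"] == "debit"), key=lambda a: a["time"])


def find_probe_then_drain(alerts, known_payees=frozenset()):
    """(probe, drain) pairs: a debit <= PROBE_MAX to a payee you have not paid
    before, followed within WINDOW by a debit >= DRAIN_MIN to the same payee."""
    debits = _sorted_debits(alerts)
    hits = []
    for i, probe in enumerate(debits):
        if probe["amount"] > PROBE_MAX or probe["payee"] in known_payees:
            continue
        for later in debits[i + 1:]:
            if later["time"] - probe["time"] > WINDOW:
                break                      # debits are time-ordered, nothing later can match
            if later["payee"] == probe["payee"] and later["amount"] >= DRAIN_MIN:
                hits.append((probe, later))
    return hits


def dropped_by_threshold(alerts, threshold):
    """Debits below a bank-side SMS alert threshold, i.e. alerts you would never see."""
    return [a for a in _sorted_debits(alerts) if a["amount"] < threshold]


if __name__ == "__main__":
    for probe, drain in find_probe_then_drain(SAMPLE_ALERTS, known_payees={"GROCERY MART"}):
        print(f"probe Rs {probe['amount']:.0f} at {probe['time']:%d %b %H:%M} -> "
              f"drain Rs {drain['amount']:.0f} at {drain['time']:%d %b %H:%M} ({probe['payee']})")
    missed = len(dropped_by_threshold(SAMPLE_ALERTS, 5000))
    print(f"with a Rs 5,000 threshold you would never have seen {missed} of these debits, "
          f"including the probe; with a threshold of zero you miss none")
```

With a Rs 5,000 threshold the Rs 100 probe never reaches your phone, and the first alert you get is the Rs 49,000 transfer half an hour later. With the threshold at zero, the probe itself is the warning.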

Disable features you are not using. International transactions on your debit card? Unless you travel abroad regularly, turn them off. Online shopping on your debit card? Turn that off too. Use a credit card for online purchases instead. The reason is simple: when fraud happens on a debit card, the money leaves your bank account immediately. Recovery takes weeks, sometimes months, and during that time you are out the cash. With a credit card, the bank’s money is at risk, not yours. You have a billing cycle to dispute the charge, and the disputed amount sits unpaid on a bill rather than missing from your balance while the bank investigates. The RBI liability rules described later apply to both kinds of card, but the practical experience of a dispute is far better on credit. Pay the full credit card balance every month to avoid interest charges, and you get that protection at no extra cost.

Quick reference checklist:
  • SMS + email alerts for all transactions (threshold: zero)
  • Daily NEFT/RTGS/IMPS limit: set to your actual daily maximum
  • UPI per-transaction and daily limit: lower them in your banking app
  • Debit card online transactions: off (use credit card instead)
  • International transactions: off unless needed
  • ATM withdrawal limit: lowest practical amount
  • Review transactions at least twice a week

Check your transactions regularly. Not once a month when the statement comes. Twice a week at minimum. Open the app, scroll through recent activity, and look for anything unfamiliar. Small charges you do not recognise can be a sign that someone is testing your account. Catching it early is the difference between a close call and an actual loss.

Spot Phishing Attempts and Fake Calls

Then come the tricks aimed at you rather than at the bank’s systems. Most bank fraud in India does not involve someone hacking into a bank’s server. It involves someone tricking you into giving away your own credentials. The technical term is social engineering. The everyday term is a con job. And the quality of these cons has improved dramatically over the past few years.

SMS phishing, sometimes called smishing. You receive a text message that looks like it came from your bank. The sender name might even say “SBI” or “HDFCBK”, because sender IDs on SMS can be spoofed or registered to look like the bank’s. The message says something like “Dear customer, your account has been suspended due to incomplete KYC. Click here to update immediately.” There is a link. The page you land on looks exactly like your bank’s login page. Same colours, same logo, same layout. You enter your username and password. Those details go straight to the attacker. Banks do not send SMS links asking you to update KYC or verify your identity; KYC updates are done at the branch or inside the official banking app. Treat any SMS that pairs a link with an urgent demand as fraudulent, and go to the bank through your bookmark or the app instead of the link.
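The bookmark advice earlier and the smishing pattern here come down to one question: does the link actually lead to the bank’s registered domain, or only to something that contains the bank’s name? The following added example (not from the original article) shows the check an SMS filter or browser extension would perform, including the two classic tricks, the bank’s name as a subdomain of the attacker’s domain and the bank’s name in the user-info part of the URL, and Cyrillic lookalike hostnames hidden behind punycode. The official domain list and the sample messages are constructed for illustration; copy the hostname from your own bookmark rather than trusting the values here.

```python
"""Does a link in an SMS really go to the bank? (added example, constructed data)"""
import re
from urllib.parse import urlsplit

# Illustrative official domains. Copy the hostname from your own bookmark; do not rely on this list.
OFFICIAL_DOMAINS = frozenset({"onlinesbi.sbi", "hdfcbank.com", "icicibank.com"})

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(
    r"\b(immediately|urgent(ly)?|within \d+ (hours?|minutes?)|suspended|blocked|kyc|expir(e|es|ed|y))\b",
    re.I,
)

# Constructed sample messages, not real SMS.
SAMPLE_SMS = {
    "kyc_phish": "Dear customer, your SBI account has been suspended due to incomplete KYC. "
                 "Update immediately: http://onlinesbi.sbi.kyc-verify.xyz/login",
    "userinfo_trick": "Your card is blocked. Restore access at http://hdfcbank.com@secure-hdfc.in/verify",
    "homograph": "Statement ready at http://xn--80ak6aa92e.com/statement",
    "real_alert": "Rs 1200.00 debited from a/c XX1234 on 12-03-24 to GROCERY MART. "
                  "If not you, call the number on the back of your card.",
    "official_link": "Read about our new FD rates at https://www.hdfcbank.com/personal/save",
}


def link_host(url):
    """Hostname a browser would actually connect to, lowercased and punycode-decoded.
    urlsplit() discards anything before '@', so 'hdfcbank.com@evil.in' yields 'evil.in'."""
    if not re.match(r"https?://", url, re.I):
        url = "http://" + url                  # 'www.evil.in/...' carries no scheme
    host = urlsplit(url.rstrip(".,;)")).hostname
    if not host:
        return None
    try:                                        # show lookalike characters instead of xn--...
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    return host.rstrip(".")


def is_official(host, official=OFFICIAL_DOMAINS):
    """True only for an official domain or a genuine subdomain of one.
    'onlinesbi.sbi.kyc-verify.xyz' fails: its registered domain is kyc-verify.xyz."""
    return host is not None and any(host == d or host.endswith("." + d) for d in official)


def score_sms(text, official=OFFICIAL_DOMAINS):
    """Return (verdict, reasons); verdict is 'phishing', 'suspicious' or 'ok'."""
    reasons = []
    links = URL_RE.findall(text)
    for link in links:
        host = link_host(link)
        if not is_official(host, official):
            reasons.append(f"link goes to {host!r}, not the bank")
        if host and any(ord(c) > 127 for c in host):
            reasons.append(f"lookalike (non-ASCII) characters in {host!r}")
    if URGENCY_RE.search(text):
        reasons.append("urgency or KYC language")
    if links and reasons:           # an off-domain link, or any link combined with urgency
        return "phishing", reasons
    if reasons:
        return "suspicious", reasons
    return "ok", reasons


if __name__ == "__main__":
    for name, text in SAMPLE_SMS.items():
        verdict, reasons = score_sms(text)
        print(f"{name:15} {verdict:10} {'; '.join(reasons)}")
```

The rule the code encodes is the one the paragraph states: a link plus urgency is enough on its own, and a link whose real host is not the bank is enough on its own, while a plain debit alert with no link and a link to the bank’s own site both pass.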

Phone call scams, known as vishing. Someone calls you, sometimes from a number that looks like it belongs to your bank. They claim to be from the fraud detection team. They know your name. They might know the last four digits of your account or card number, information they pulled from a previous data breach. They say they have detected a suspicious transaction and need to verify your identity to block it. They ask for your card number, CVV, expiry date, or OTP. They create urgency: “Sir, we need this in the next two minutes or the transaction will go through.” Your bank will never call you and ask for your full card number. Your bank will never ask for your CVV over the phone. Your bank will never ask you to share an OTP to “block” a transaction. If someone asks for any of these, hang up. Then call your bank yourself using the number printed on the back of your card or listed on their official website.

UPI collect request scams. This one is clever and catches people who are otherwise careful. Someone on a classifieds site like OLX says they want to buy something you have listed. They say they are sending an advance payment. A notification pops up on your UPI app. It asks for your PIN. Stop. Think about what is happening. To receive money through UPI, you do not enter your PIN. A collect request is a pull, not a push. When someone sends a collect request, they are asking you to pay them. Entering your PIN authorises a payment from your account, not a receipt. The confusion between “approve to receive” and “approve to pay” is deliberate. The scammer is counting on it. If anyone ever asks you to enter your UPI PIN to “receive” money, refuse.

Remote access scams. Someone calls and claims there is a problem with your bank account or UPI app. They ask you to install AnyDesk, TeamViewer, or QuickSupport on your phone. Once installed, these apps give the caller complete access to your screen. They can see everything you see. They can watch you type your PIN. They can read your OTPs as they arrive. They can operate your phone as if they were holding it. No bank, payment app, or government agency will ever ask you to install a screen-sharing application. The request itself is the scam.

Across all of these, one rule applies universally: never share your OTP with anyone. Not on the phone. Not on a website. Not in a text message. Not even with someone who claims to be from your bank, from the RBI, or from a “verification department.” An OTP is a verification code for a transaction you initiated. If you did not start the transaction, the OTP is not for you. It is for the person trying to steal from you.

I keep a personal rule that has served me well: any unexpected communication about my bank account, whether by SMS, phone, or email, triggers a pause. I do not respond to it. I do not click anything. I open my banking app directly, check for any alerts or messages inside the app, and if I am still concerned, I call the bank myself using a number I looked up independently. It takes an extra minute or two. That minute has probably saved me from a scam at least once.

Secure the Devices You Bank From

The next layer of protection is the device itself. Your phone, your laptop, your computer. If the device is compromised, then every security measure you have set up on the banking side can be bypassed because the attacker is watching your screen and reading your inputs in real time.

Start with your phone, since that is where most banking happens now. Keep your operating system updated. Android and iOS release security patches regularly, and those patches close vulnerabilities that attackers know about and are actively trying to exploit. An out-of-date phone is a phone with known security holes. On Android, go to Settings, then System, then System Update. On iPhone, go to Settings, then General, then Software Update. Turn on automatic updates if you have not already.

Do not root your Android phone or jailbreak your iPhone. Rooting and jailbreaking remove the built-in security barriers that keep apps isolated from each other. On a rooted phone, a malicious app can access data from your banking app that would normally be off-limits. Most banking apps will detect a rooted or jailbroken device and refuse to run, but some do not check, and even the ones that do can sometimes be fooled. It is not worth the risk.

Install apps only from the Play Store or App Store. Sideloading apps from random websites is one of the fastest ways to get malware on your device. If someone sends you an APK file on WhatsApp or Telegram and tells you to install it, do not. It does not matter what they say it is. The official app stores are not perfect, but they do scan for malware and remove known malicious apps. That filtering does not exist for APK files downloaded from a chat message.

Review the apps already on your phone. Remove anything you do not use or do not recognise. Check app permissions, particularly which apps have access to SMS, phone calls, accessibility services, and screen overlay. A malicious app with SMS permissions can read your OTPs silently. An app with accessibility service access can read what is on your screen and simulate taps. On Android, go to Settings, then Apps, then select an app and check Permissions. On iPhone, go to Settings, then Privacy & Security, and review each permission category.
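For the Android review, here is an added example (not the article’s own) that audits exactly the grants the paragraph names, using the text a connected phone returns over adb: `adb shell dumpsys package <pkg>` for runtime permission grants, `adb shell settings get secure enabled_accessibility_services` for accessibility services, and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` for the overlay permission. The output formats are assumed to follow Android 10 and later, and the sample output embedded below is constructed, so the script runs with no phone attached; with adb present and USB debugging enabled it pulls the real data instead.

```python
"""Audit Android apps for grants that matter to banking fraud (added example).

Input text is what adb returns; the samples below are constructed so the
script runs with no phone attached. Output formats assumed: Android 10+.
"""
import re
import shutil
import subprocess

# Runtime permissions that let an app read OTPs or call history.
SENSITIVE = {
    "android.permission.READ_SMS": "can read OTP SMS",
    "android.permission.RECEIVE_SMS": "can intercept OTP SMS as they arrive",
    "android.permission.READ_CALL_LOG": "can read call history",
}

# Constructed sample: a bank app with SMS denied, and a 'PDF viewer' that took
# SMS access, an overlay grant, and an accessibility service.
SAMPLE_DUMPSYS = {
    "com.example.bank": """\
  Package [com.example.bank] (1a2b3c4):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
""",
    "com.example.pdfviewer": """\
  Package [com.example.pdfviewer] (5d6e7f8):
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
""",
}
SAMPLE_ACCESSIBILITY = (
    "com.example.pdfviewer/com.example.pdfviewer.ScreenReader:"
    "com.google.android.marvin.talkback/.TalkBackService"
)
SAMPLE_APPOPS = {
    "com.example.bank": "No operations.",
    "com.example.pdfviewer": "SYSTEM_ALERT_WINDOW: allow; time=+2d3h12m0s ago",
}

GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)", re.M)


def granted_sensitive(dumpsys_text):
    """Sensitive permissions reported granted=true in one package's dumpsys output."""
    return {m.group(1) for m in GRANT_RE.finditer(dumpsys_text)
            if m.group(2) == "true" and m.group(1) in SENSITIVE}


def accessibility_packages(setting_value):
    """'pkgA/pkgA.Svc:pkgB/.Svc' -> {'pkgA', 'pkgB'}; 'null' or '' -> empty set."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def overlay_allowed(appops_text):
    """True if 'appops get <pkg> SYSTEM_ALERT_WINDOW' reports the op as allowed."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_text) is not None


def audit(dumpsys_by_pkg, accessibility_setting, appops_by_pkg, trusted=frozenset()):
    """Return (package, finding) pairs for everything a banking user should question."""
    findings = []
    for pkg, text in dumpsys_by_pkg.items():
        for perm in sorted(granted_sensitive(text)):
            findings.append((pkg, SENSITIVE[perm]))
        if overlay_allowed(appops_by_pkg.get(pkg, "")):
            findings.append((pkg, "can draw over other apps (fake PIN screens)"))
    for pkg in sorted(accessibility_packages(accessibility_setting) - set(trusted)):
        findings.append((pkg, "accessibility service enabled (reads screen, injects taps)"))
    return findings


def collect_live():
    """Same three inputs from an attached phone. Requires adb and USB debugging."""
    def sh(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout
    pkgs = [l.split(":", 1)[1].strip() for l in sh("pm", "list", "packages", "-3").splitlines()
            if l.startswith("package:")]
    dumpsys = {p: sh("dumpsys", "package", p) for p in pkgs}
    appops = {p: sh("appops", "get", p, "SYSTEM_ALERT_WINDOW") for p in pkgs}
    return dumpsys, sh("settings", "get", "secure", "enabled_accessibility_services"), appops


if __name__ == "__main__":
    TRUSTED = {"com.google.android.marvin.talkback"}   # Google's own screen reader
    data = collect_live() if shutil.which("adb") else (SAMPLE_DUMPSYS, SAMPLE_ACCESSIBILITY, SAMPLE_APPOPS)
    for pkg, finding in audit(*data, trusted=TRUSTED):
        print(f"{pkg}: {finding}")
```

Anything this prints for an app you do not recognise is a reason to revoke the grant or uninstall the app; a bank app should never appear in the SMS or accessibility lines at all.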

For your computer, the fundamentals are similar. Keep the operating system and browser updated. Use a reputable antivirus program. Avoid downloading software from unofficial sources. If you bank on a shared or office computer, always use a private or incognito browsing window, and always log out fully when you are done. Do not leave a net banking session open while you go to a meeting or step away from your desk.

Avoid banking on public Wi-Fi. Hotel Wi-Fi, airport Wi-Fi, coffee shop Wi-Fi. The connection to the bank itself is encrypted with HTTPS, so someone on the same network cannot simply read your password out of the air. The practical dangers are different: a rogue access point or captive portal can redirect an address you typed without https:// to a fake login page before the encrypted connection is ever made, and a badly written app that does not properly validate the bank’s certificate can be silently intercepted. Switching to your mobile data connection before opening any banking app or website sidesteps all of that. It takes two taps.

If you need to use public Wi-Fi for banking or anything sensitive, use a VPN. A VPN encrypts all your internet traffic before it leaves your device, making it unreadable to anyone on the local network. ProtonVPN has a free tier that works well enough for occasional use. But the simplest solution is still to just switch to mobile data.


If Something Goes Wrong: Emergency Steps

Speed matters more than anything else if you suspect fraud on your account. What you do in the first hour often determines whether you get your money back or spend months fighting for it. Here is the sequence of actions, in order.

Call your bank’s fraud helpline. Not the general customer service number. The dedicated fraud line. Every major bank has one, and it routes to a team trained to handle exactly this situation. Tell them you suspect unauthorised access. Ask them to freeze your account, block all debit and credit cards, and disable net banking and UPI. Get a complaint reference number and write it down.

Here are fraud helpline numbers for the major banks. Banks change their numbers from time to time, so confirm the one for your bank against the back of your card or the bank’s official website, then save it in your phone contacts right now:

  • SBI: 1800-111-111 (toll free) or 1800-425-3800
  • HDFC Bank: 1800-267-6161
  • ICICI Bank: 1800-102-4242
  • Axis Bank: 1860-419-5555
  • PNB: 1800-180-2222
  • Bank of Baroda: 1800-102-4455
  • Kotak Mahindra: 1860-266-2666

Call 1930. This is the national cybercrime helpline run by the Indian government. It operates 24 hours. When you call, they can flag the receiving account (the account where your money was sent) and request the receiving bank to freeze it. This is time-sensitive. If the attacker has not yet withdrawn or moved the money from the mule account, a freeze at this stage can actually recover the funds. Every minute counts.

File a complaint at cybercrime.gov.in. Go to the website, select Financial Fraud, and fill in the details. Include the amount, the date and time, the type of fraud, any phone numbers involved, any messages or screenshots you have. This creates an official record that your bank and the police will reference later. You will get an acknowledgement with a complaint number. Save it.

File an FIR at your local police station. Bring your bank statement showing the fraudulent transaction, the cybercrime.gov.in acknowledgement, your ID proof, and screenshots of any suspicious messages or calls. Ask for a copy of the FIR. Some police stations may try to direct you to the cyber cell instead. If so, go there. The FIR is an important piece of documentation for your bank claim and for any future legal proceedings.

Send a written complaint to your bank within 24 hours. Email your branch manager and the bank’s grievance redressal officer. Include your account number, the details of the fraudulent transactions, your complaint reference number from the phone call, copies of the cybercrime complaint and FIR, and a clear statement that you did not authorise the transactions. This written record establishes the timeline of your reporting, which directly affects your liability under RBI rules.

Under the RBI’s July 2017 circular on limiting customer liability in unauthorised electronic banking transactions, the framework is as follows. The reporting clock runs from the moment the bank informs you of the transaction, which in practice means the SMS or email alert, so the alerts you set up earlier are also what protect your legal position:

  • Fraud caused by the bank’s own negligence or a failure on the bank’s side: zero liability, no matter when you report.
  • A third-party breach, where neither you nor the bank was at fault, reported within 3 working days: zero liability.
  • A third-party breach reported between 4 and 7 working days: you bear the transaction amount or a cap, whichever is lower. The cap is Rs 5,000 for a basic savings (BSBD) account, Rs 10,000 for most other savings accounts and for credit cards with a limit up to Rs 5 lakh, and Rs 25,000 for other current accounts and higher-limit credit cards.
  • Reported after 7 working days: the bank decides based on its board-approved policy. In practice, this often means you absorb the loss.
  • If you shared your OTP, password, or PIN yourself: you bear the entire loss for transactions that happened before you reported. Anything debited after the bank has your report is the bank’s liability, which is why calling within minutes still matters even when the fault was yours.

In every case where you have reported, the bank must provisionally credit (“shadow reverse”) the disputed amount to your account within 10 working days of your report, without waiting for any insurance payout, and must resolve the complaint within 90 days.

If the bank rejects your claim, does not reply within 30 days of your written complaint, or gives a reply you are not satisfied with (for instance, it has not made the provisional credit the RBI rules require within ten working days), you can escalate to the RBI Ombudsman. The Integrated Ombudsman Scheme of 2021 replaced the older Banking Ombudsman scheme; complaints are filed at cms.rbi.org.in. It is free. You do not need a lawyer. The Ombudsman has the power to direct the bank to refund you and to award compensation for the delay and inconvenience. Many people do not know about this escalation path, and some banks take advantage of that.

After the immediate crisis is handled, change your passwords on everything connected to your finances. Net banking, email, UPI apps, investment platforms, insurance portals. Turn on two-factor authentication using an authenticator app wherever the option exists. Pull your CIBIL report from cibil.com to check for any loan applications or credit inquiries that you did not make. Attackers who have your personal details sometimes apply for loans in your name, and you may not find out until a collector calls months later.

If something does go wrong, report it the moment you notice. The RBI’s zero-liability protection for third-party breaches depends on reporting within three working days of the bank’s alert, and getting the money itself back through a 1930 freeze is a matter of hours, not days. Save your bank’s fraud helpline number in your phone right now. Not later. Right now.

And maybe bookmark this page. You will not remember all of this, and when you need it, you will need it fast.