Credit Card Fraud in India (2026): The Real Numbers

The scale of credit-card fraud in India

Credit-card fraud in India has grown with the card market. The 2024–2026 numbers:

• Total fraud value: ₹1,500–₹2,500 crore per year (estimated; RBI doesn't publish exact figures).
• Number of fraud cases: 50,000–80,000 reported per year.
• Average fraud value per case: ₹15,000–₹30,000.
• Recovery rate: 60%–80% (most cases are resolved with the bank's liability).
• Chargeback success rate: 75%–85%.

The RBI's zero-liability rule (post-2021) covers most cardholder fraud cases. If you report fraud within 3 days, you owe nothing.

The fraud types

Card-not-present (CNP) fraud

The most common type. The fraudster uses card details (number, expiry, CVV) to make online purchases.

• Share of total fraud: 70%–80%.
• Typical vector: phishing, data breaches, fake merchant sites.
• Cardholder liability: ₹0 if reported within 3 days (zero-liability rule).

Card-skimming

Fraudster installs a device on an ATM or POS to clone the card.

• Share of total fraud: 10%–15%.
• Typical vector: tampered ATMs, compromised POS terminals.
• Cardholder liability: ₹0 if reported promptly.

Lost / stolen card

Card is physically lost or stolen; fraudster uses it before you hotlist.

• Share of total fraud: 5%–10%.
• Typical vector: physical theft.
• Cardholder liability: ₹0 if hotlisted within 3 days.

Identity fraud

Fraudster uses stolen identity to apply for a new credit card.

• Share of total fraud: 5%–10%.
• Typical vector: PAN/Aadhaar theft, fake applications.
• Cardholder liability: ₹0 if fraud reported; bank takes full loss.

Friendly fraud

Cardholder makes a purchase, then disputes it as fraud.

• Share of total fraud: 5%–10%.
• Typical vector: dishonest cardholders.
• Cardholder liability: depends on dispute resolution; banks often side with the merchant.

The most common fraud scenarios

Phishing calls

A caller claims to be from your bank and asks for OTP, PIN, or CVV.

• Frequency: very high.
• Damage: full card limit if cardholder shares details.
• Defense: never share OTP, PIN, CVV. The bank never asks.

Fake merchant websites

A website mimics a real merchant (often Amazon or a bank) and steals card details at checkout.

• Frequency: high.
• Damage: card details used for fraud.
• Defense: only shop on verified URLs. Check for HTTPS and the lock icon.

Skimming at ATMs

A skimming device on an ATM clones your card when you insert it.

• Frequency: low in metros (ATMs are monitored); higher in non-metros.
• Damage: card limit fraud.
• Defense: use ATMs at bank branches; inspect the card slot for tampering.

Public Wi-Fi

Using public Wi-Fi to make online purchases exposes card details to potential interception.

• Frequency: low (most sites use HTTPS).
• Damage: card details exposed.
• Defense: never shop on public Wi-Fi; use mobile data.

BIN attacks

Fraudsters generate card numbers using known BIN prefixes and try small transactions to verify validity.

• Frequency: low (most banks have rate-limiting).
• Damage: small transactions followed by larger ones.
• Defense: bank's fraud-detection systems catch this.

Who's most at risk

New cardholders

New cardholders are less familiar with the fraud patterns and may share OTP/PIN without thinking.

Senior citizens

Senior citizens are targeted by phishing calls (often impersonating bank or government).

High-limit cardholders

Cards with ₹5L+ limits are targeted for larger fraud.

Frequent travellers

Travellers use cards at unfamiliar merchants and ATMs (potential skimming).

E-commerce-heavy users

Users who shop on many online merchants have higher exposure to fake sites.

The RBI's zero-liability rule (2021)

For transactions post-2021:

• Fraud reported within 3 days: cardholder owes ₹0.
• Fraud reported within 4–7 days: cardholder owes up to ₹10,000.
• Fraud reported after 7 days: cardholder owes the transaction value (rare in practice; banks often waive).

The bank's fraud-detection systems also block suspicious transactions automatically. Most cardholders experience zero fraud even if their card details are exposed.

What to do if fraud happens

Step 1: hotlist the card immediately

• Call the bank's 24×7 customer care.
• Use the bank's app to hotlist.
• SMS to the bank's hotlist number.

Time matters: every minute counts.

Step 2: file a dispute

• Use the bank's app's dispute form.
• Or call customer care and request a written dispute.
• Get a reference number for the dispute.

Step 3: file a police complaint (if required)

• For fraud above ₹1 lakh, the bank may require a police FIR.
• File online via the state police's e-FIR portal.

Step 4: monitor your credit report

• Check CIBIL report 30 days after the fraud is resolved.
• If fraudulent accounts appear, file a CIBIL dispute.

Step 5: escalate if not resolved

• After 90 days, escalate to the bank's Nodal Officer.
• If still unresolved, escalate to the Banking Ombudsman (RBI).

The bank's fraud-detection systems

Most banks have AI-based fraud detection:

• Velocity checks: 5 transactions in 5 minutes is unusual.
• Geographic anomalies: card used in Mumbai and Delhi within 1 hour is flagged.
• MCC anomalies: card used at grocery store then at a foreign casino is flagged.
• Amount anomalies: ₹50,000 transaction on a card with ₹1 lakh limit is flagged.

Banks typically block suspicious transactions and SMS/call the cardholder for confirmation.

The fraud prevention checklist

1. Never share OTP, PIN, or CVV. No exceptions.
2. Hotlist immediately on loss or theft. The 3-day window starts at discovery.
3. Enable transaction alerts. SMS or app push for every transaction.
4. Use only verified merchant URLs. Check for HTTPS and the lock icon.
5. Use bank's official app. Don't click links in SMS or email.
6. Cover the PIN pad at ATMs and POS.
7. Review monthly statements. Catches fraudulent transactions early.
8. Avoid public Wi-Fi for shopping. Use mobile data.
9. Set a low international transaction limit (and unlock for specific trips).
10. Set a low contactless limit (₹2,000 default; lower if you're worried).

The cost of fraud to the bank

• Average fraud cost to bank: ₹20,000–₹30,000 per case (after chargebacks and write-offs).
• Total fraud cost to banks: ₹1,500–₹2,500 crore per year.
• Cost per active card: ₹50–₹100/year (across the bank's portfolio).
• Bank's investment in fraud prevention: 1%–2% of revenue.

Banks invest heavily in fraud prevention because the cost of fraud is significant. The cardholder's protection is a result of this investment.

The bottom line

Credit-card fraud in India is real but manageable. The RBI's zero-liability rule covers most cardholder losses. The bank's fraud-detection systems block most fraud attempts. The cardholder's role: never share OTP/PIN/CVV, hotlist immediately on loss, enable alerts, review statements. If fraud happens: hotlist, dispute, monitor, escalate. The annual risk for a typical cardholder: <0.1% chance of significant fraud. The annual cost of prevention: 5 minutes a month of review.