Skip to main content
FinWiz24
TravelCashbackPremiumLifetime FreeFuelRewardsDiningShoppingAll cards
Back to Blog
Credit Card Fraud in India: The Numbers and the Protections
Fees & Fine Print

Credit Card Fraud in India: The Numbers and the Protections

Card fraud is rare in India — and dropping. Here's what the RBI's data shows and how the protections have evolved.

Arjun Banerjee

Banking analyst turned writer. Tracks RBI rate moves and how they reach your monthly statement.

7 June 2026
5 min read
DisputeFraudLost CardStolen Card

The headline: fraud is rare, but rising in absolute terms

Credit card fraud in India is uncommon in percentage terms (less than 0.05% of transactions by value) but rising in absolute terms as card volumes grow. The RBI's annual report shows:

  • Total credit-card transactions in FY 2024–25: ~3 billion transactions, ~₹20 lakh crore in value.
  • Reported fraud value: ~₹1,200 crore (~0.006% of transaction value).
  • Reported fraud volume: ~150,000 cases (~0.005% of transactions).

The fraud rate is low; the absolute losses are real.

The fraud types, in order of frequency

Card-not-present (CNP) fraud

The dominant fraud type in India. The fraudster uses stolen card data (number, expiry, CVV) to make online purchases. The card isn't physically present.

  • Frequency: ~70% of reported cases.
  • Typical loss per case: ₹5,000–₹50,000.
  • Detection: bank's fraud detection system flags unusual online transactions.

Lost/stolen card fraud

The fraudster has the physical card and uses it at ATMs or POS terminals. Less common since the introduction of chip + PIN.

Ad slot: article
  • Frequency: ~15% of reported cases.
  • Typical loss per case: ₹10,000–₹2,00,000 (ATM withdrawals can drain the limit quickly).
  • Detection: cardholder reports loss; bank hotlists.

Phishing and social engineering

The cardholder is tricked into sharing OTP, CVV, or PIN via fake websites, emails, or phone calls.

  • Frequency: ~10% of reported cases.
  • Typical loss per case: ₹50,000–₹5,00,000 (fraudsters drain the entire credit limit).
  • Detection: cardholder realises too late; bank investigates.

Identity theft

The fraudster opens a new card in the cardholder's name using stolen KYC documents.

  • Frequency: ~3% of reported cases.
  • Typical loss per case: ₹50,000–₹5,00,000.
  • Detection: cardholder sees the account on their CIBIL report.

Merchant fraud

The merchant processes a fake transaction or skims card data at the POS. Rare in India but real.

  • Frequency: ~2% of reported cases.
  • Typical loss per case: variable.

The RBI's anti-fraud measures

Zero-liability rule (2021)

The 2021 master directions introduced a strict zero-liability rule:

  • For CNP fraud reported within 3 days: bank reverses the disputed amount. No customer liability.
  • For lost/stolen cards reported within 3 days: same protection.
  • For phishing cases: same protection if the customer didn't authorise the transaction.

The zero-liability rule shifted the burden of proof to the bank. Most disputes resolved in the customer's favour.

Tokenisation (2021, full rollout 2024)

Card numbers stored at merchants must be replaced with tokens. A merchant breach doesn't expose real card numbers.

Effect: a major reduction in merchant-side fraud. The tokenisation rollout has been successful.

SMS/email alerts (ongoing)

Every transaction above the bank's threshold must trigger an alert. Customers detect fraud faster.

Effect: most fraud is detected within 24 hours of the transaction.

E-mandate framework (2021)

Recurring transactions are subject to e-mandate enrolment with the customer's OTP. Fraudulent subscriptions are easier to dispute.

Effect: subscription fraud has dropped.

AI-based fraud detection (ongoing)

Banks use machine learning to detect unusual patterns: large transactions at unusual merchants, multiple transactions in quick succession, transactions at high-risk countries.

Effect: most fraud is detected and blocked before the customer sees it.

What the customer can do

  1. Enable transaction alerts for every transaction. The fastest fraud detection is the alert.
  2. Hotlist immediately on loss or theft. The 3-day window starts at the time you reasonably discovered the loss.
  3. Never share OTP, PIN, or CVV. No bank or merchant ever asks for these.
  4. Use tokenised payments (Apple Pay, Google Pay, Samsung Pay) wherever possible.
  5. Set international transaction blocking by default. Toggle on when you need to travel.
  6. Check your monthly statement. Look for small unfamiliar transactions.
  7. Check your CIBIL report every 6 months. Look for unfamiliar accounts.

What the bank does

The bank is responsible for:

  • Hotlisting the card within minutes of the report.
  • Issuing a replacement card within 7–10 days.
  • Investigating the dispute within 30 days.
  • Reversing the disputed amount within 90 days (or per the zero-liability rule).
  • Reporting fraud patterns to the RBI's Centralised Fraud Registry.

The bank's incentive is to retain the customer. Most disputes are resolved in the customer's favour when reported promptly with evidence.

The unreported fraud problem

Industry estimates suggest the actual fraud volume is 3X–5X higher than reported. Customers often don't report fraud because:

  • The amount is small (₹500–₹2,000) and they don't think it's worth the effort.
  • They blame themselves for sharing OTP/CVV.
  • They don't know how to dispute.
  • They're embarrassed.

The RBI is encouraging reporting by simplifying the dispute process. The 2024 dispute rules make it easier than ever to file a written dispute via the bank's app.

The cost of fraud

The cost of fraud falls on:

  • The bank (for unauthorised transactions under the zero-liability rule).
  • The merchant (for merchant-side breaches).
  • The card network (for inter-network fraud).
  • The customer (for transactions they authorised or for delayed disputes).

For the customer, the cost is minimal if you dispute promptly. For the bank and merchant, the cost is real and growing.

The fraud-vs-rewards tradeoff

Banks have to balance fraud prevention with friction:

  • Strong fraud detection = fewer false declines, but more legitimate transactions flagged.
  • Tokenisation = excellent security, but merchant adoption is uneven.
  • OTP for every transaction = excellent security, but high friction.
  • Biometric authentication = excellent security, but limited device support.

The optimal balance is merchant-specific: high-value merchants can use OTP; small merchants can use tokenised payments without OTP.

The bottom line

Credit card fraud in India is rare (less than 0.05% of transactions) but real. The RBI's zero-liability rule protects customers who report within 3 days. Tokenisation reduces merchant-side fraud. SMS alerts help customers detect fraud quickly. The biggest risks are CNP fraud and phishing. The customer can reduce risk dramatically with alerts, tokenised payments, and immediate hotlisting on loss. The discipline: stay alert, check your statement, dispute promptly.

Share: