Marking a significant verdict under the Information Technology Act, Gujarat's Adjudicating Officer has delivered a judgment on a major cyber fraud case involving an Ahmedabad-based firm that lost more than Rs 1.19 crore due to unauthorised bank transactions enabled by a cloned SIM card.
The dispute involves the directors of Collective Trade Links Pvt. Ltd., a bearings trading company, against ICICI Bank, Vodafone Idea Limited (VIL), and local law enforcement authorities. Registered under Sections 43 and 43A of the IT Act, 2000, the grievance details how criminals used a SIM swap to bypass OTP security measures and siphon money from the firm's overdraft account over a weekend in March 2023.
The Sequence of the Fraudulent Scheme
The incident began when Prakash Mehta, a director at the firm, was travelling for business in Vietnam. On March 11, 2023, an unusual email - purporting to be from the company's account - requested a SIM swap for Mehta's mobile number, which was linked to OTP verifications for banking transactions. Vodafone Idea processed the request and activated the new SIM by 4:30 PM the same day without conducting detailed verification, even though the number was on international roaming.
On that Sunday, when the office was closed, scammers used the duplicate SIM to obtain OTPs and carry out 22 transactions totalling Rs 1,19,37,000 through RTGS and NEFT from the company's ICICI Bank account. Ten new beneficiaries were registered, and substantial amounts-far beyond usual limits for newly added payees-were transferred to unfamiliar accounts. Director Bharatkumar Mehta received delayed transaction alerts on his secondary number, but the damage had already been done.
The complainants discovered the breach the next day when accountants reviewed the account. They immediately notified ICICI Bank and lodged a police complaint, leading to an FIR at the Cyber Crime Police Station under sections related to cheating, criminal conspiracy, and IT Act violations.
Banks and Telecom Under Fire
ICICI Bank, in its defence, claimed that all transactions were verified using passwords, OTPs, MPIN, and grid values, asserting compliance with RBI guidelines. The bank initiated an internal investigation, froze beneficiary accounts, and offered a provisional shadow credit during the inquiry. However, it argued that customer negligence in safeguarding credentials absolved it of responsibility, citing the RBI's 2017 circular that limits liability only when transactions are reported promptly and without user error.
Vodafone Idea contended that it acted on a request originating from the registered email and followed standard procedures for Corporate Owned Corporate Paid (COCP) connections. The company denied violating TRAI guidelines and described itself as an "intermediary" under Section 79 of the IT Act, which protects it from liability for the content of communications. It emphasised that SIM issuance is governed by DoT regulations, not the IT Act, and that it does not handle banking information.
The complainants, however, accused both organisations of negligence. They argued that VIL ignored the number's roaming status and failed to verify through secondary contacts or mandatory audio-video procedures prescribed in DoT regulations. ICICI Bank was criticised for allowing large-value transactions on a non-working day and bypassing mandatory waiting periods for newly added beneficiaries.
"This is not merely an error; it reveals underlying systemic weaknesses," an individual familiar with the matter told NDTV.
Police Investigation Uncovers Wider Network
The Cyber Crime Branch's inquiry revealed a broader pattern of SIM-swap scams involving Vodafone Idea cards in Ahmedabad. A report submitted during the hearings noted that at least 20 similar cases in the city involved VIL SIMs, with little evidence of proactive action by the company to prevent repeated incidents.
Further findings indicate an organised criminal network. More than 34 mule accounts have been identified, with three FIRs being prepared against individuals managing these accounts. Employees of two banks are under scrutiny for possible involvement, and 18 SIM card sellers are being investigated for issuing SIMs based on forged identities. Extensive financial and cyber forensic analyses are underway to uncover the network enabling these crimes.
The adjudicating officer referenced previous rulings, including a Jaipur case in which VIL was found liable for similar KYC lapses, and a Mumbai decision stressing telecom companies' responsibility to prevent fraud.
Legal Ramifications and Calls for Reform
Hearings took place between February 2024 and January 2025, with the officer allowing Collective Trade Links Pvt. Ltd. to join as a co-complainant. The complainants sought refunds from ICICI Bank (including interest on the overdraft), compensation from VIL, and penalties under the IT Act.
During final arguments, the petitioners invoked the doctrine of Res Ipsa Loquitur-where negligence is presumed-and presented accounts alleging that VIL personnel may have assisted fraud networks, including links to cybercrime groups. "Scammers exploit weekends due to reduced oversight, and firms like VIL must strengthen their vigilance," the complainants' counsel argued.
Vodafone and ICICI to Pay Collective Fine
The Adjudicating Officer imposed a combined penalty and compensation of Rs 15,00,000 on the respondents for negligence leading to the SIM-swap fraud. Specifically:
ICICI Bank was directed to pay Rs 10,00,000 as compensation and penalty under Sections 43(g) and 43(j) of the Information Technology Act, 2000.
Vodafone Idea Limited was ordered to pay a penalty of Rs 5,00,000 under Section 43(g) of the IT Act.
Additionally, ICICI Bank was ordered to refund the principal amount of Rs 1,05,00,000 to the petitioner based on circular guidelines within six weeks.
