Gujarat Court Penalizes ICICI Bank and Vodafone in Major SIM Swap Fraud Case: Rs 15 Lakh Fine Imposed

ICICI Bank has been directed to return the principal sum of Rs 1,05,00,000 to the complainant.

New Delhi:

In a landmark ruling under the Information Technology Act, Gujarat's Adjudicating Officer has issued a judgment on a significant cyber fraud case where an Ahmedabad-based company lost over Rs 1.19 crore through unauthorized banking transactions facilitated by a cloned SIM card.

The case involves directors of Collective Trade Links Pvt. Ltd., a bearings trading enterprise, against ICICI Bank, Vodafone Idea Limited (VIL), and local enforcement agencies. Filed under Sections 43 and 43A of the IT Act, 2000, the complaint details how fraudsters utilized a SIM swap to circumvent OTP security protocols and drain funds from the company's overdraft account during a weekend in March 2023.

The fraud began when Prakash Mehta, a company director, was on business travel in Vietnam. On March 11, 2023, a suspicious email claiming to be from the company requested a SIM replacement for Mehta's mobile number, which was linked to OTP verifications for banking activities. Vodafone Idea processed this request and activated the new SIM by 4:30 PM that day without thorough verification, despite the number being on international roaming.

That Sunday, while the office remained closed, criminals used the duplicate SIM to obtain OTPs and execute 22 transactions totaling Rs 1,19,37,000 via RTGS and NEFT from the company's ICICI Bank account. Ten new beneficiaries were added, and substantial amounts—exceeding normal limits for newly registered payees—were transferred to unfamiliar accounts. Director Bharatkumar Mehta received delayed transaction notifications on his alternative number, but the damage was already complete.

The fraud was discovered the following day when accountants examined the account. They promptly alerted ICICI Bank and filed a police complaint, resulting in an FIR at the Cyber Crime Police Station under provisions related to cheating, criminal conspiracy, and IT Act violations.

ICICI Bank defended its position by stating all transactions were verified using passwords, OTPs, MPIN, and grid values, claiming compliance with RBI guidelines. The bank initiated an internal investigation, froze recipient accounts, and provided a provisional shadow credit during the inquiry. However, it argued that customer negligence in protecting credentials absolved it of responsibility, citing the RBI's 2017 circular that restricts liability only when transactions are reported promptly without user error.

Vodafone Idea maintained that it acted on a request from the registered email and followed standard procedures for Corporate Owned Corporate Paid (COCP) connections. The company denied violating TRAI guidelines and identified itself as an "intermediary" under Section 79 of the IT Act, which shields it from liability for communication content. It emphasized that SIM issuance follows DoT regulations, not the IT Act, and that it doesn't manage banking information.

The complainants accused both organizations of negligence. They argued that VIL disregarded the number's roaming status and failed to verify through secondary contacts or mandatory audio-video procedures required by DoT regulations. ICICI Bank was criticized for permitting large-value transactions on a non-working day and bypassing mandatory waiting periods for newly added beneficiaries.

"This isn't simply an error; it reveals underlying systemic weaknesses," an individual familiar with the case told NDTV.

The Cyber Crime Branch investigation uncovered a broader pattern of SIM-swap scams involving Vodafone Idea cards in Ahmedabad. A report presented during hearings noted at least 20 similar cases in the city involved VIL SIMs, with little evidence of proactive measures by the company to prevent recurring incidents.

Further evidence indicates an organized criminal network. More than 34 mule accounts have been identified, with three FIRs being prepared against individuals managing these accounts. Employees from two banks are under investigation for possible involvement, and 18 SIM card vendors are being examined for issuing SIMs based on falsified identities. Extensive financial and cyber forensic analyses continue to uncover the network enabling these crimes.

The adjudicating officer referenced previous rulings, including a Jaipur case where VIL was found liable for similar KYC failures, and a Mumbai decision emphasizing telecom companies' responsibility to prevent fraud.

Hearings occurred between February 2024 and January 2025, with the officer permitting Collective Trade Links Pvt. Ltd. to join as a co-complainant. The complainants sought refunds from ICICI Bank (including overdraft interest), compensation from VIL, and penalties under the IT Act.

During final arguments, the petitioners invoked the doctrine of Res Ipsa Loquitur—where negligence is presumed—and presented evidence suggesting VIL personnel may have assisted fraud networks, including connections to cybercrime groups. "Criminals target weekends due to reduced monitoring, and companies like VIL must strengthen their vigilance," the complainants' counsel argued.

The Adjudicating Officer imposed a combined penalty and compensation of Rs 15,00,000 on the respondents for negligence leading to the SIM-swap fraud. Specifically:

ICICI Bank was instructed to pay Rs 10,00,000 as compensation and penalty under Sections 43(g) and 43(j) of the Information Technology Act, 2000.

Vodafone Idea Limited was ordered to pay a penalty of Rs 5,00,000 under Section 43(g) of the IT Act.

Additionally, ICICI Bank was directed to refund the principal amount of Rs 1,05,00,000 to the petitioner according to circular guidelines within six weeks.