How Law Enforcement Investigates Cyber Scams in India: The Complete Process

You filed a complaint. The police took your details. And then… silence.

Most scam victims have no idea what happens after they report a cybercrime. Does anyone actually look into it? Are the police tracing the fraudster? Will they ever catch him?

The short answer is: yes, investigations do happen. But the process is nothing like what you see in movies. This guide breaks down exactly how Indian law enforcement investigates cyber scams, step by step, in plain language.

Understanding this process helps you know what to expect, how to help your own case, and why fast reporting matters so much.

Step 1: Your Complaint Triggers an Immediate Bank Alert

When you call 1930 or file a complaint on cybercrime.gov.in, your report does not just sit in a queue somewhere.

The moment your complaint goes in, the operator contacts the banks and payment platforms involved in the transaction. This happens through a system called CFCFRMS which directly connects over 85 banks, UPI platforms and digital wallets to the cyber crime backend. Think of it as a direct hotline between the helpline and your bank.

The only goal at this point is to freeze the money before the scammer gets to it. Call within the first hour and there is a real chance the funds in the fraudster’s account get locked before they can touch it. Wait longer and that window starts closing fast.

Speed is everything here. The sooner you report, the better your chances. And this is also where the official investigation begins.

Step 2: The FIR Is Filed and a Case Is Assigned

Once your online complaint is verified, it goes straight to the nodal officer of your state cyber crime cell.

If your loss is above Rs 10 lakh, something important happens automatically. As of May 2025, complaints above this amount trigger a Zero FIR with the e-Crime Police Station of Delhi. This is a new initiative by the Ministry of Home Affairs under I4C and it means your case gets registered immediately without any back and forth about which police station has jurisdiction.

This matters because cyber crimes do not follow state boundaries. The scammer could be sitting in a different state or a different country entirely. A Zero FIR cuts through all of that and gets the case moving right away.

After this an Investigating Officer gets assigned to your case. This is the person who takes charge of the investigation from here.

Step 3: Tracing the Digital Trail

This is where the actual detective work begins. Once an Investigating Officer is assigned to your case, they start tracing the scammer through multiple digital channels at the same time.

• Bank account trail Your UTR number is the starting point. Police use it to request the full transaction history from the bank. They can see exactly which accounts the money passed through and where it ended up. Banks have to share this by law.
• Mobile number trace Police request the call records for the phone number the scammer used. The telecom company has to provide this under Section 91 of CrPC. Those records show every call made, every tower the phone connected to, and the time of each activity. Location starts becoming clear from here.
• IP address analysis Every fake website or phishing link runs on a server that has an IP address. Police contact the internet service provider associated with that IP and request the name and address registered to it at the time of the fraud.
• Device fingerprinting Every phone has a unique IMEI number that does not change even when the SIM card is replaced. If police can identify the device used in the scam, they can keep tracking it regardless of how many numbers the scammer switches to.
• UPI handle and wallet data Every UPI account on PhonePe, Google Pay or Paytm is linked to a KYC verified identity. Police send a legal notice to the platform and within days they have the real name and details behind that UPI handle.

Step 4: Mule Account Investigation

Here is something most people do not know.

Scammers rarely use their own bank accounts. They use what are called “mule accounts.” These are accounts opened by innocent people who were either tricked or paid to lend their account details. The money lands in these accounts first, then gets moved quickly to other accounts or converted to cash.

When police trace the first account, they often find it belongs to a person who had no idea their account was being misused. This person then becomes a witness, not the main accused, and helps investigators trace the actual scammer.

This is why it sometimes takes weeks before you hear news of an arrest. Police are following a chain of accounts, sometimes across 5 to 10 different states.

You can read more about how mule accounts work in our blog on mule account scams in India.

Step 5: Digital Forensics at the Cyber Lab

If a device gets seized during the investigation, it is sent to a cyber forensic lab. India has a National Cyber Forensic Laboratory in New Delhi that has already assisted state police in over 12,000 cases.

At the lab, forensic experts do the following:

• Recover deleted messages, call logs and files from the seized device that the scammer thought were permanently gone
• Pull out transaction records and app data to build a clear picture of what happened
• Read the metadata hidden inside images and documents, which reveals the exact location and time a photo was taken
• Go through WhatsApp, Telegram and other chat histories through legal data requests to the platforms
• Check whether any screenshots or payment proofs submitted as evidence were digitally edited or manipulated

If you ever suspect someone sent you a fake payment screenshot, our Fake Payment Screenshot Checker can help you verify it before you take any action.

The forensic report prepared at this stage becomes the primary technical evidence used in court. This is not just a formality. Under Section 63 of the Bharatiya Sakshya Adhiniyam 2023, which replaced Section 65B of the Indian Evidence Act, digital records are only accepted as valid evidence in court if they come with a proper certificate from a certified forensic expert. Without that certificate, even genuine digital evidence can be challenged and thrown out entirely.

Step 6: Surveillance and the Pratibimb Tool

India’s I4C has developed an analytics tool called Pratibimb that gives investigators a live map of criminal activity across the entire country. It shows where fraud is happening, where the people behind it are located, and how different scam operations are connected to each other.

Using Pratibimb, investigators can spot clusters of fraud activity, link multiple complaints back to a single criminal network, and coordinate arrests across different states at the same time without waiting for paperwork to travel between jurisdictions.

Since its launch the tool has led to over 12,987 arrests and uncovered more than 1.5 lakh criminal linkages across India according to the Ministry of Home Affairs.

When Pratibimb data is combined with CCTV footage and cell tower records, investigators can often narrow down the exact location of a scam operation, even if it is running out of a compound in a completely different state from where the victim is.

Step 7: Arrest and Cross-State Operations

Cyber crime rarely happens in one place. A scammer sitting in Rajasthan might be targeting someone in Mumbai using a phone number registered in UP and a bank account opened in West Bengal. The pieces are deliberately scattered to make investigations harder.

Indian cyber crime units now coordinate regularly through I4C’s Cyber Crime Coordination Centres. Special Task Forces are put together for larger cases. In 2025 alone, the UP Cyber Crime police froze Rs 325 crore across thousands of complaints. Recovery rates have also improved, going from 11% in 2024 to 24% in 2025, which shows the system is getting better at acting fast.

When a fraudster is identified, a team is physically sent to arrest them. For cases connected to international scam networks like digital arrest scams that trace back to Cambodia or Myanmar, Indian agencies coordinate with Interpol and partner agencies in those countries.

But international cases are genuinely difficult. Once the money crosses the border or IP addresses point to servers in another country, the trail usually goes cold. A real case covered by Bloomberg in 2025 showed exactly this. A major digital arrest scam was traced back to Cambodia but the person running it was never caught. The investigation hit a wall the moment it crossed international borders.

What Are the Realistic Chances of Recovery?

Between April 2021 and September 2025, only 6.7% of total cyber fraud money was recovered across India. That number is hard to read but it is the reality. However for people who reported within the first hour, the recovery rate was significantly better, reaching up to 24% in 2025.

Your chances depend on a few specific factors:

• How fast you reported. Within the first hour gives you the best shot. Every hour after that reduces your chances considerably
• Whether the money stayed in India. Domestic transfers can still be traced and frozen. Once the money leaves the country, recovery becomes extremely difficult
• How many accounts the money passed through. A single transfer to one account is much easier to freeze than money that has hopped through five different accounts across three states
• What the fraudster did with the money at the end. If they withdrew cash or converted it to cryptocurrency, getting it back becomes nearly impossible. These two methods are specifically used by scammers because they know how hard they are to reverse

Why Do So Few Cases Result in Arrests?

In 2025, India recorded 28.15 lakh cyber crime complaints. But only 55,484 FIRs were filed. That means most complaints never became formal police cases.

There are real reasons for this:

• Volume: Police are overwhelmed. Small-value cases (below Rs. 50,000) often get logged but do not receive dedicated investigation resources.
• Jurisdiction complexity: Crime in one state, money in another, fraudster in a third. Coordinating between three state police forces takes time.
• VPNs and anonymization: Fraudsters increasingly use VPNs, encrypted messaging apps, and anonymous SIM cards, making IP tracing difficult.
• Mule accounts: By the time police trace the full chain of mule accounts, the actual perpetrator may have disappeared.

This does not mean you should not report. Serial fraudsters are eventually caught through the pattern of cumulative complaints. Your single complaint contributes to a larger picture that helps police dismantle entire networks.

How You Can Help Your Own Investigation

The police can only work with what you give them. Here is what you should do immediately after a scam:

• Do not delete any messages, calls, or screenshots from the fraudster
• Note down the exact time of every transaction
• Save the UTR number and transaction ID from your banking app
• Take screenshots of any URLs, WhatsApp messages, or emails
• If you clicked a suspicious link, use our URL Checker and report the link to police
• Write down everything that happened in order, before memory fades

Also, if you received suspicious messages or calls, check them using our Scam Message Checker before taking action.

Real Case: Digital Arrest Scam in India

A Noida based woman received a call from someone claiming to be a Delhi Police official. Nothing about the call felt suspicious at first. The person spoke like an authority figure, used the right language and made the situation sound extremely serious.

She was told her Aadhaar number had shown up in a money laundering case and that she needed to cooperate immediately or face arrest. Then came the video call. The scammers kept her on a continuous WhatsApp call and told her she was under digital arrest. She could not hang up. She could not talk to her family. She could not leave the room.

For the next several days she was pressured into transferring money to different bank accounts, each one described as a safe account or a verification account. The calls never stopped. The threats never stopped. She had no space to think, no moment to step back and question what was happening.

By the time it was over she had transferred more than Rs 11 crore.

What makes this case important to understand is how little the victim did wrong. She did not click a suspicious link. She did not ignore obvious warning signs. She was systematically isolated, threatened and controlled until she had nothing left to transfer. That is what digital arrest scams actually look like. Not a obvious fraud but a carefully constructed situation designed to make a normal person feel like they have no choice.

Source: NDTV

Frequently Asked Questions