Card-not-present fraud in India runs at 0.93%. That is 90 times higher than in-person fraud at 0.06%. If you shop, pay bills, or subscribe to anything online with a credit card, you are the prime target.
Most guides tell you to “use strong passwords” and “avoid public Wi-Fi.” You already know that. This guide goes further. It covers what your bank app can do for you right now, which RBI rules protect your money in 2026, and exactly what to do if your card is compromised. Every tip is specific to India, with real bank names, real app settings, and real regulatory timelines.
Why Online Credit Card Fraud Is Surging in India
Credit card fraud cases in India jumped from 2,321 cases worth Rs. 87 crore to 12,069 cases worth Rs. 630 crore in a single year. That is a 5x increase in volume and a 7x increase in money lost.
RBI Ombudsman data for FY25 shows credit card complaints rose over 20%, making it the second-largest category of banking grievances. Globally, 170 million credit card details were exposed in 2025 alone, a 186% surge in breached records.
India is a soft target for two reasons. First, digital payment adoption is exploding. UPI crossed 14 billion transactions a month. Credit cards linked to UPI and e-commerce are everywhere. Second, financial literacy has not kept pace. Many cardholders still do not know that their bank app has a “disable online transactions” toggle sitting right there in the settings menu.
The fraud is overwhelmingly online. Card-not-present transactions account for 93% of all credit card fraud value. Skimming and physical theft are old news. The real battlefield is your browser, your phone, and the merchant databases where your card details are stored.
Types of Credit Card Fraud You Need to Know
Before you can block fraud, you need to recognise it. Here are the six types most active in India right now.
Phishing and Vishing
Phishing is a fake SMS, email, or WhatsApp message pretending to be your bank. It asks you to “verify” your card by entering your OTP, CVV, or card number on a fake website. Vishing is the phone version. A caller claims to be from “RBI” or your bank’s “fraud department” and pressures you into sharing your OTP.
The RBI has repeatedly stated: no bank or government agency will ever ask for your OTP or CVV over the phone. If someone asks, it is fraud. Period.
SIM Swap Fraud
A fraudster convinces your telecom provider to issue a duplicate SIM card linked to your mobile number. Once they have your SIM, they receive every OTP sent to your phone. They can then drain your card, reset passwords, and take over your accounts.
This is one of the most dangerous frauds in India because OTP is the primary second factor for almost every online transaction. If your phone suddenly shows “No Signal” for an extended period, call your telecom provider immediately.
Card-Not-Present (CNP) Fraud
The fraudster does not need your physical card. They only need the 16-digit number, expiry date, and CVV. These details can be stolen from a data breach, a phishing site, or even a photograph of your card. They use these details to shop on e-commerce sites or international websites with weak verification.
Card Skimming
A small device attached to an ATM or POS terminal copies your card’s magnetic stripe data. A hidden camera records your PIN. The fraudster then clones your card and uses it elsewhere. Before inserting your card at any ATM, check for loose parts around the card slot and cover the keypad while entering your PIN.
Fake UPI Payment Request Scams
This fraud is unique to India. A fraudster sends you a UPI “collect” request disguised as a payment. It looks like someone is sending you money. But when you approve the request, money leaves your account. Now that credit cards are linked to UPI in India, this scam can hit your credit card balance directly. Never approve a collect request from an unknown sender.
Keystroke Capture and Malware
Clicking a malicious link or downloading a suspicious app can install a keylogger on your phone or laptop. It records every keystroke, including card numbers, CVVs, and passwords. You will not see anything unusual. The stolen data is silently sent to the fraudster. Stick to official app stores and never click links in unsolicited SMS messages.
10 Ways to Secure Your Credit Card for Online Transactions
1. Use Your Bank App to Toggle Card Controls Right Now
This is the single most powerful step nobody talks about. Every major Indian bank app lets you control your card from your phone. Open the HDFC Mobile Banking app, go to Cards, select your credit card, and tap “Manage Card.” You will see toggles for online transactions, international transactions, contactless payments, and card-not-present transactions. Turn off everything you do not actively use.
SBI Card app, ICICI iMobile, Axis Mobile, and Kotak 811 all have similar controls. If you never shop on international websites, disable international transactions. If you rarely use contactless tap-and-pay, turn it off. You can re-enable any toggle in seconds when you actually need it.
Many of these apps also let you set a per-transaction spending limit. Set it just above your typical online purchase amount. If a fraudster tries to charge Rs. 50,000 on your card, and your limit is Rs. 10,000, the transaction gets declined automatically.
2. Enable Transaction Alerts on Every Channel
Turn on SMS alerts, email alerts, and push notifications for every transaction. This costs nothing and gives you instant awareness. If a Rs. 2,000 charge hits your card at 3 AM while you are asleep, you will see it the moment you wake up. That early alert is often the difference between losing Rs. 2,000 and losing Rs. 2,00,000.
Go into your bank app’s notification settings. Make sure both SMS and email are active. Some banks also send WhatsApp alerts. Enable all of them. Redundancy matters here.
3. Never Share OTP, CVV, or PIN With Anyone
No bank employee, RBI official, police officer, or customer care executive will ever ask for your OTP, CVV, or card PIN. If someone does, it is a scam. No exceptions. No urgency changes this rule.
If a caller says your card will be blocked in 10 minutes unless you share your OTP, hang up. That is exactly how vishing works. Your CVV is the 3-digit number on the back of your card. Some people share it casually when dictating card details over the phone for hotel or travel bookings. Do not do this. Use online payment portals instead.
4. Shop Only on HTTPS Websites
Before entering your card details on any website, check the address bar. It should show a padlock icon and the URL should start with “https://” not “http://”. The “s” means the connection between your browser and the website is encrypted. Without it, your card data travels in plain text and can be intercepted.
This check is not bulletproof. Fraudsters can get SSL certificates for fake websites too. But it filters out most opportunistic scams and is a basic hygiene step that takes two seconds.
5. Use Virtual Credit Cards for Online Purchases
A virtual credit card is a temporary card number generated by your bank app. It has its own card number, expiry date, and CVV, but it is linked to your real card. The merchant never sees your actual card details. If the virtual card number leaks in a data breach, your real card stays safe.
HDFC, ICICI, Kotak, and several other Indian banks offer virtual cards through their mobile apps. Some let you set a spending limit or a validity period on the virtual card. Use one for every new online merchant you try. For subscriptions on trusted platforms, your real card is fine.
6. Avoid Public Wi-Fi for Any Card Transaction
A coffee shop Wi-Fi or hotel lobby network is an open door for man-in-the-middle attacks. A hacker sitting on the same network can intercept data flowing between your device and the payment gateway. This includes your card number, CVV, and OTP.
If you must pay for something while on public Wi-Fi, switch to your mobile data connection first. It takes five seconds and closes the door completely. If mobile data is not an option, use a VPN to encrypt your connection.
7. Use a Password Manager Instead of Browser Autofill
Chrome, Safari, and Firefox offer to save your card details for autofill. This is convenient but risky. If someone gains access to your browser, or your device is compromised by malware, every saved card is exposed in one go.
A password manager stores your card details behind a single strong master password with end-to-end encryption. It fills in card details only when you authenticate. This is a meaningful upgrade over browser autofill, especially if you use your card on multiple websites.
8. Log Out and Use Guest Checkout
Every time you create an account on an e-commerce site and save your card, you are trusting that merchant to protect your data. Data breaches happen to large companies regularly. The fewer places your card is stored, the smaller your attack surface.
Use guest checkout whenever a site offers it. Do not save your card “for next time.” On sites where you do maintain accounts, log out after each session, especially on shared or public devices.
9. Keep Devices and Apps Updated
Software updates are not just about new features. They patch security vulnerabilities that fraudsters actively exploit. An outdated banking app or an old version of Android or iOS is an open invitation.
Enable automatic updates for your operating system and your banking apps. CERT-In, India’s nodal cybersecurity agency, lists timely software updates as a baseline recommendation against cyberattacks.
10. Check Your CIBIL Report for Unfamiliar Accounts
Application fraud is when someone uses your identity documents to open a credit card in your name. You will not know about it until the bills pile up or your CIBIL score drops unexpectedly. Check your CIBIL report at least once a year. You can get one free report annually from the CIBIL website.
Look for credit cards or loans you did not apply for. If you spot anything unfamiliar, dispute it immediately with both CIBIL and the issuing bank.
RBI Rules That Protect You in 2026
The Reserve Bank of India has introduced some of the strongest consumer protection rules in the world for credit card holders. Here is what is live and what is coming.
Mandatory Two-Factor Authentication (April 2026)
Since April 1, 2026, every online credit card transaction in India requires at least two independent verification factors. At least one must be dynamic, such as an OTP or biometric scan. This applies to online payments, POS terminals, and even contactless transactions above Rs. 5,000. This rule makes stolen card numbers far less useful to a fraudster without access to your phone.
Tokenization: Your Card Number Is No Longer Stored
Tokenization replaces your actual 16-digit card number with a unique random token. When you save your card on Amazon, Flipkart, or Swiggy, the merchant stores the token, not your real card number. If the merchant suffers a data breach, the token is useless to a fraudster because it cannot be used on any other platform.
Visa, Mastercard, and RuPay all support tokenization in India and it is now mandatory for all online merchants.
Zero Liability Policy: You Do Not Pay for Fraud
Under the RBI’s zero liability framework, if you report an unauthorised transaction within 3 days, your liability is zero. The bank must reverse the charge. If you report between 4 and 7 days, your maximum liability is capped at Rs. 10,000 to Rs. 25,000 depending on your card type. After 7 days, the bank decides on a case-by-case basis. The message is clear: report fast.
Upcoming: The Kill Switch and Compensation (Draft July 2026)
The RBI has proposed draft rules for a “kill switch” that lets you instantly freeze your credit card via SMS or your bank app with a single tap. The draft also proposes a minimum Rs. 25,000 compensation for fraud victims if the bank delays resolution beyond the prescribed timeline.
These are not law yet, but they signal the direction of regulation. Keep an eye on RBI circulars for the final notification.
What to Do If Your Credit Card Is Compromised
Speed is everything. Every minute counts. Here is the exact sequence to follow.
Block Your Card Instantly
Open your bank’s mobile app and block the card. This is the fastest method. Alternatively, call the bank’s 24/7 customer care number or send the prescribed SMS command for card blocking. HDFC, SBI, ICICI, and Axis all support instant card block via their apps.
File a Complaint on cybercrime.gov.in
Go to the National Cybercrime Reporting Portal at cybercrime.gov.in and file a complaint under the “Financial Fraud” category. You can also call 1930, the national cybercrime helpline. Save the acknowledgment number. This creates an official record that strengthens your case for a refund.
Dispute the Transaction With Your Bank
File a written dispute with your bank within 3 days of the unauthorised transaction. This triggers the RBI’s zero liability protection. Most banks accept disputes via their app, email, or by calling customer care. Ask for a dispute reference number and the expected resolution timeline. The bank must resolve it within 90 days per RBI rules.
Escalate to the RBI Banking Ombudsman if Unresolved
If your bank does not resolve the dispute within 30 days, or you are unsatisfied with the outcome, file a complaint with the RBI Banking Ombudsman at cms.rbi.org.in. This service is free. The Ombudsman can direct the bank to reverse the charge and compensate you for the delay.
Credit Card Security Features Your Bank Already Offers
Your credit card is not just a piece of plastic with a magnetic stripe. Modern Indian credit cards come with multiple layers of security built in. Most cardholders never explore these features.
EMV Chip: The gold or silver chip on your card generates a unique, one-time transaction code for every purchase. Unlike the magnetic stripe, this code cannot be cloned or reused. If a terminal asks you to swipe instead of insert, be cautious.
3D Secure (Verified by Visa / Mastercard SecureCode): When you pay online, the bank sends an OTP to your registered mobile number. You must enter this OTP to complete the transaction. This is the most common second factor for online payments in India.
AI-Powered Fraud Detection: Banks like HDFC, ICICI, and SBI use machine learning models that score every transaction in real time. If a transaction looks unusual compared to your spending pattern, the bank can flag or block it before it goes through.
Biometric Authentication: Most banking apps now support fingerprint or face recognition for login and transaction approval. This makes it much harder for someone to use your phone to access your card, even if they know your password.
Device Binding: Some banks bind your card’s app-based features to your specific device. Even if someone has your login credentials, they cannot access your card controls from a different phone without re-verification.
Bank App Security Features at a Glance
This table compares card security controls across five major Indian bank apps. Check what your bank offers and enable everything relevant.
| Feature | HDFC | SBI Card | ICICI | Kotak |
| Card On/Off Toggle | Yes | Yes | Yes | Yes |
| Disable Intl Txns | Yes | Yes | Yes | Yes |
| Virtual Card | Yes | No | Yes | Yes |
| Instant Block via App | Yes | Yes | Yes | Yes |
| Per-Txn Limit | Yes | Limited | Yes | Yes |
| Biometric Login | Yes | Yes | Yes | Yes |
Frequently Asked Questions
Can I get my money back if someone uses my credit card online without permission?
Yes. Under RBI’s zero liability policy, if you report the unauthorised transaction within 3 days, your liability is zero and the bank must reverse the charge. Reporting between 4 and 7 days caps your liability at Rs. 10,000 to Rs. 25,000 depending on your card type. Speed matters.
Is it safe to save my credit card on Amazon or Flipkart?
Safer than before, thanks to tokenization. These platforms now store a token, not your actual card number. But “safer” is not “risk-free.” If you want maximum protection, use a virtual credit card or enter your details manually each time.
What is tokenization and how does it protect my card?
Tokenization replaces your real 16-digit card number with a random token that is unique to each merchant. If that merchant is hacked, the token cannot be used anywhere else. Visa, Mastercard, and RuPay all support tokenization in India and it is now mandatory.
How do I know if a website is safe to enter my card details?
Check for “https://” in the URL and a padlock icon in the address bar. Verify the domain name matches the actual brand. Fraudsters create lookalike domains like “amaz0n-india.com” to trick you. When in doubt, navigate to the site directly rather than clicking a link from an SMS or email.
Should I use a debit card or credit card for online shopping?
Credit card. If a fraudster drains your debit card, that money is gone from your bank account until the dispute is resolved, which can take weeks. With a credit card, it is the bank’s money at risk, not yours. You also get stronger dispute resolution rights under RBI rules.
What is the RBI zero liability policy for credit card fraud?
The RBI mandates that if a fraudulent transaction occurs without any fault or negligence on your part, and you report it within 3 days, you owe nothing. The bank bears the full loss. This applies to all banks and all types of unauthorised electronic transactions including credit cards.
How do I file a cybercrime complaint for credit card fraud in India?
Visit cybercrime.gov.in and file a complaint under the “Financial Fraud” category. You can also call the national helpline at 1930. Keep your card details, transaction screenshots, and any communication from the fraudster ready. Save the acknowledgment number.
Can fraudsters use my credit card without OTP?
On Indian payment gateways, OTP is mandatory for most transactions since April 2026. But on international websites that do not support 3D Secure, a fraudster can complete a purchase with just the card number, expiry date, and CVV. This is why disabling international transactions in your bank app matters unless you actively need them.
The Verdict
Securing your credit card online is not about memorising a list of 10 tips. It is about changing three habits. First, open your bank app today and toggle off every card feature you do not actively use. Second, report any suspicious transaction within 3 days to lock in zero liability. Third, stop saving your card on websites where a virtual card or guest checkout will do.
The RBI is giving Indian cardholders stronger protections every year. But regulations only work if you use them. Your bank app is the most powerful fraud-prevention tool you already own. Use it.