ICICI Bank, Vodafone Idea fined ₹1.19 crore in SIM-swap cyber fraud case

The judgment, delivered after nearly a year of hearings, marks one of the most detailed examinations of corporate cyber fraud in the state.

The case involves Collective Trade Links Pvt. Ltd., a bearings trading firm whose directors alleged that fraudsters cloned a company-linked SIM card and gained access to banking OTPs. The scam took place while one of the directors, Prakash Mehta, was travelling in Vietnam.

On March 11, 2023, Vodafone Idea received an email — purportedly from the firm’s account — requesting a SIM swap for Mehta’s number, which was linked to ICICI Bank’s overdraft account.

Despite the number being on international roaming, VIL processed the request and activated the duplicate SIM by 4:30 pm the same day.

Within hours, scammers added 10 new beneficiaries and executed 22 RTGS and NEFT transfers cumulatively worth ₹1,19,37,000 — all on a Sunday, when the company office was closed. Alerts on a secondary number reached co-director Bharatkumar Mehta only after the transactions were completed.

The fraud was discovered the next day during routine accounting checks. The firm immediately informed ICICI Bank and filed a complaint that led to an FIR at the Cyber Crime Police Station.

Bank, Telecom company blame users

ICICI Bank argued that all transactions were properly authenticated through OTPs, passwords and grid values, insisting it had followed RBI norms.

It claimed the company failed to safeguard sensitive credentials and therefore bore responsibility.

Vodafone Idea said it acted based on an authorised corporate email and followed procedures applicable to Corporate Owned Corporate Paid (COCP) numbers.

It described itself as an intermediary exempt from liability under Section 79 of the IT Act and denied violating DoT or TRAI regulations.

The complainants, however, accused both organisations of failing to follow mandatory checks.

They alleged VIL did not verify the roaming number through alternate contacts or conduct prescribed audio-video KYC, while ICICI Bank allowed unusually large transfers to newly added beneficiaries without enhanced scrutiny.

The Cyber Crime Branch told the adjudicator that at least 20 similar frauds in Ahmedabad involved Vodafone Idea SIMs. Investigators also identified more than 34 mule bank accounts, and several bank employees and SIM card retailers are under scrutiny for possible involvement.

Eighteen SIM sellers are being investigated for issuing cards using forged documents, while financial and cyber forensic teams continue to map the broader network behind the scam.

Past rulings were also referenced, including cases in Jaipur and Mumbai where VIL was held liable for KYC lapses.

Legal outcome: Refund and penalties

After hearings held between February 2024 and January 2025, the Adjudicating Officer allowed the company to join as co-complainant and ruled partly in its favour. The order states:

ICICI Bank must refund ₹1,05,00,000 — the principal loss — within six weeks, in line with circular guidelines.

ICICI Bank must also pay ₹10,00,000 as compensation and penalty under Sections 43(g) and 43(j) of the IT Act.

Vodafone Idea must pay ₹5,00,000 as a penalty under Section 43(g).

The officer noted failures in due diligence and highlighted the growing threat of SIM-swap frauds, especially over weekends when oversight is reduced.

Lawyers for the complainants argued that the doctrine of Res Ipsa Loquitur applied, given that both the bank and the telecom provider held exclusive control over the systems that enabled the breach.

The ruling adds to mounting pressure on banks and telecom operators to strengthen verification protocols in the face of increasingly sophisticated cybercrime.

With multiple similar cases under investigation in Ahmedabad alone, authorities say the need for stricter KYC enforcement and faster inter-agency coordination is becoming urgent.