It's like building an expressway and adding speed breakers every few kilometres.
In a nation where digital payments have become as common as cash, India's central bank now confronts the shadow that rapid modernization casts: nearly 2.5 million citizens lost $2.5 billion to digital fraud in 2025, a 4,300 percent rise since 2021. The Reserve Bank of India has proposed a suite of protective measures — transaction delays, layered authentication, and mule account detection — yet experts caution that technical barriers alone cannot outpace the ingenuity of those who exploit trust. The deeper challenge is one of human readiness: a population invited into the digital economy faster than it could be taught to navigate it safely.
- A single phishing text about an eleven-dollar fine drained a Pune professional of over three thousand dollars in minutes — a microcosm of a fraud epidemic now costing India billions annually.
- The 4,300% surge in digital fraud since 2021 signals a systemic failure: the country's payment infrastructure scaled at speed while security safeguards and public awareness lagged dangerously behind.
- The RBI's proposed remedies — cooling-off delays, trusted-person authentication for the elderly, and mule account crackdowns — are drawing scrutiny for assuming a simplicity that India's sprawling, complex payment ecosystem does not possess.
- Experts warn that scammers will adapt to new technical barriers, that implementation costs will likely fall on consumers, and that an existing AI fraud-detection tool, Mulehunter.AI, remains largely undeployed across the banking system.
- The path forward, analysts argue, demands more than regulation: it requires urgent national investment in digital literacy, clearer inter-agency ownership of the problem, and a consultative process that translates good intentions into enforceable, scalable rules.
In February, a business analyst in Pune received a text warning him of a speeding fine — roughly eleven dollars — and a threat that his licence would be suspended unless he paid at once. He clicked the link, entered his one-time password, and within minutes his credit card was charged $3,225. He had authorized a transaction nearly 300 times the size of the supposed fine, a victim of the phishing scams that have become routine across India.
The scale of the crisis is now undeniable. Nearly 2.5 million Indians lost $2.5 billion to digital fraud in 2025, representing a 4,300 percent increase since 2021 — an acceleration driven by the country's rapid embrace of digital payments without corresponding security safeguards. The Reserve Bank of India has responded with a discussion paper outlining proposed interventions: a one-hour delay on account-to-account transfers, additional authentication requirements for elderly and vulnerable users, stronger mule account detection, and customer controls to disable digital payments or cap transaction limits.
Experts welcome the attention but question the remedies. Rajesh Bansal, formerly of the RBI's Innovation Hub, notes that the one-hour delay might have protected the Pune analyst, but such OTP scams account for only a small fraction of total fraud losses. Scammers, he argues, will simply instruct victims to wait — maintaining the illusion of legitimacy until the window closes. Wriju Ray of regulatory technology firm IDfy adds that introducing delays would require fundamental changes to India's payment architecture, conflicting with the very principle of instant transactions. "It's like building an expressway and adding speed breakers every few kilometres," Bansal observed.
The proposal for trusted-person authentication for elderly citizens raises further questions: Who qualifies? What if that person lives abroad, or is themselves deceived? Meanwhile, the RBI's own Mulehunter.AI platform — designed to flag suspicious accounts in near-real-time — has yet to be widely deployed across the banking system, suggesting that the gap between policy and implementation is already significant.
Both experts agree that regulation must be paired with serious investment in digital literacy. Celebrity campaigns and cricket advertising have raised some awareness, but Ray argues the effort falls far short of what is needed. Bansal calls for tighter coordination between the central bank, police, government ministries, and market regulators — noting that confusion over who owns the problem remains a critical weakness.
What offers a measure of hope is the RBI's decision to publish a discussion paper and invite public feedback before finalizing rules — a departure from its tradition of simply announcing decisions. Whether the resulting regulations will be ambitious enough to match the scale of the crisis, and whether the government will treat digital literacy as a national priority alongside enforcement, remains the open question.
In February, a business analyst in Pune received a text message about a speeding fine of 1,000 rupees—roughly eleven dollars. The message warned that his driving licence would be suspended unless he paid immediately. He clicked the link, entered his one-time password as instructed, and within minutes his credit card was charged $3,225, the maximum transaction limit. He had authorized a transaction nearly 300 times larger than the supposed fine, a victim of a phishing scam that has become routine in India.
The scale of this problem has become impossible to ignore. Nearly 2.5 million Indians lost $2.5 billion to digital fraud in 2025 alone. That represents a 4,300 percent increase since 2021—a staggering acceleration driven by the country's headlong rush into digital payments without corresponding safeguards. The Reserve Bank of India, the nation's central bank, has finally moved to address the crisis, publishing a discussion paper outlining a series of proposed interventions. But experts who study the problem say the remedies, while well-intentioned, may prove insufficient.
The RBI's proposals include introducing a one-hour delay in account-to-account transfers, requiring additional authentication from a "trusted person" for large payments made by elderly citizens and other vulnerable groups, and strengthening detection systems to identify mule accounts—bank accounts used to launder stolen money. The central bank also suggests giving customers the ability to disable digital payments entirely or set transaction limits, similar to controls available on credit cards. These measures will be refined after a public consultation period.
Rajesh Bansal, who formerly led the RBI's Innovation Hub, told the BBC that while the regulator's attention is welcome, the proposed solutions face a fundamental problem: the fraud landscape is far more complex than the measures address. The one-hour delay might prevent the type of OTP scam that caught the Pune analyst, but such attacks represent only a tiny fraction of total fraud losses by value. Scammers, Bansal suggested, will simply adapt—asking victims to authorize payments and then wait an hour before raising alarms, maintaining the illusion that nothing is wrong.
Implementation poses another obstacle. Wriju Ray, who works at IDfy, a regulatory technology firm, points out that introducing delays would require fundamental changes to India's payment architecture, from how transactions are queued to how they can be cancelled. The RBI itself acknowledges this in its discussion paper, noting that such changes would demand "cost and effort for the ecosystem" and would conflict with the core principle of instant digital payments. "It's like building an expressway and adding speed breakers every few kilometres," Bansal said. The friction created by these barriers may slow legitimate transactions without meaningfully slowing criminals.
The proposal to add authentication requirements for elderly citizens raises its own complications. Who qualifies as a "trusted adviser"? What if that person lives abroad? What if they themselves are deceived into authorizing a fraudulent transaction? Ray asks these questions not to dismiss the idea but to highlight how the RBI's framework assumes a clarity that doesn't exist in practice. Strengthening mule account detection could work, but it will be expensive—costs that banks will likely pass to consumers. Notably, the RBI already developed a platform called Mulehunter.AI designed to identify suspicious beneficiary accounts in near-real-time, but it has not been widely implemented across the banking system.
Experts agree that regulation alone cannot solve the problem. India's population has adopted digital payments at a pace that has far outstripped both the security infrastructure and public understanding of how to use these tools safely. The RBI has launched educational campaigns featuring Bollywood star Amitabh Bachchan and advertising during cricket's Indian Premier League, but Ray argues that far more investment in digital literacy is needed. Bansal adds that the central bank must coordinate more closely with police, government ministries, and market regulators—currently, he notes, there is confusion about who owns the problem.
What gives some hope is the process itself. Ray points out that the RBI's decision to publish a discussion paper and invite public feedback represents a shift from the regulator's historical approach of simply announcing decisions. This consultative method, while slower, suggests a willingness to think through implementation challenges before imposing rules. The question now is whether the final regulations, once drafted, will be ambitious enough to match the scale of the crisis, and whether the government will commit the resources needed to make digital literacy a national priority alongside enforcement.
Notable Quotes
They are just going to figure out a way to overcome the lag. For instance, they might ask for a customer to undertake a payment and wait for an hour for their acknowledgement so an alarm is not raised. — Wriju Ray, IDfy
The challenge right now is, whose baby is this? — Rajesh Bansal, former CEO of RBI's Innovation Hub
The Hearth Conversation: Another perspective on the story
Why did it take until 2025 for the RBI to act, when digital fraud has been rising for years?
The growth was exponential—a 4,300 percent increase since 2021. At some point the numbers become undeniable. But there's also a lag between when a problem emerges and when regulators have the political will and institutional capacity to address it.
The one-hour delay sounds sensible on paper. Why won't it work?
Because it assumes scammers operate in a vacuum. They don't. If there's a one-hour window before a transaction settles, they'll simply ask victims to wait an hour before checking their accounts. The victim thinks everything is normal. The delay becomes theater.
What about the mule account detection system that already exists?
That's the frustrating part. Mulehunter.AI was built years ago to identify suspicious accounts in real-time. It works. But it hasn't been deployed across the banking system. It's like having a vaccine and not distributing it.
Who bears the cost if banks have to implement all these new checks?
Ultimately, consumers do. Every new layer of verification, every new detection system—banks will pass those costs along. So you're asking people who've already lost billions to pay more to protect themselves.
Is digital literacy really the answer, or is that just something people say when they don't have a technical solution?
It's not either-or. You need both. But literacy matters because most of these scams work through deception, not technical exploitation. If people understood that their bank will never ask for an OTP, that a speeding fine won't come via text message, many attacks would fail immediately.
What does success look like here?
Coordination. The RBI can't solve this alone. Police need to investigate, ministries need to fund education, banks need to implement detection systems. Right now everyone's waiting for someone else to move first.