DNCA REPORTER, Ahmedabad: In a landmark ruling under the Information Technology Act, the Adjudicating Officer of Gujarat has held ICICI Bank and Vodafone Idea Limited liable for gross negligence in a ₹1.19-crore SIM-swap cyber fraud that targeted an Ahmedabad-based trading firm in March 2023.
The officer directed ICICI Bank to pay ₹10 lakh as penalty and compensation, while Vodafone Idea has been fined ₹5 lakh. Most importantly, ICICI Bank has been ordered to refund ₹1.05 crore — the principal amount fraudulently transferred — to the victim company within six weeks.
How the Fraud Was Executed
The victim, Collective Trade Links Pvt Ltd, a bearings trading firm, lost ₹1,19,37,000 in 22 unauthorised RTGS and NEFT transactions over a single weekend when its office was closed.
Director Prakash Mehta was in Vietnam on a business trip when fraudsters sent an email — masquerading as the company — requesting a duplicate SIM for his Vodafone corporate number, which was linked to banking OTPs.
Vodafone Idea activated the cloned SIM the same day (March 11, 2023) at 4:30 PM without verifying the request properly, despite the original number being on international roaming. DoT guidelines mandate audio-video verification or secondary contact confirmation in such cases — procedures the adjudicating officer found were ignored.
Armed with the duplicate SIM, the scammers generated OTPs, added 10 new beneficiaries to the ICICI Bank corporate internet banking portal, and transferred huge sums — far exceeding the bank’s own limits for newly added payees — on a Sunday.
Bank and Telecom Defences Rejected
ICICI Bank argued that all transactions were authenticated through passwords, OTPs, MPIN and grid values, and blamed “customer negligence”. It cited RBI’s 2017 limited-liability circular, claiming the company reported the fraud too late.
The adjudicating officer rejected this, noting:
- Large-value transfers on a non-working day should have triggered extra scrutiny
- Newly added beneficiaries were allowed transactions without the mandatory cooling-off period
- The bank failed to act on delayed SMS alerts received by another director on his secondary number
Vodafone Idea claimed it merely acted on an email request for a Corporate Owned Corporate Paid (COCP) connection and described itself as an “intermediary” immune under Section 79 of the IT Act.
This defence was also dismissed. The officer held that telecom companies have a positive duty to prevent SIM-swap frauds and cannot hide behind intermediary status when their own KYC and verification processes are compromised.
Wider Criminal Network Uncovered
Police investigation has exposed an organised SIM-swap racket in Ahmedabad:
- At least 20 similar cases involving Vodafone SIMs reported in the city
- 34 mule accounts identified; three separate FIRs in progress
- Employees of two banks under scanner for possible collusion
- 18 SIM vendors being probed for issuing cards on forged documents
Precedents and Systemic Gaps
The judgment referred to earlier rulings from Jaipur and Mumbai that held Vodafone Idea liable for identical KYC lapses. It applied the doctrine of Res Ipsa Loquitur (the thing speaks for itself) to establish negligence by both the bank and the telecom operator.
Victim’s counsel told NDTV: “Scammers deliberately strike on weekends when oversight is low. Banks and telcos must plug these predictable gaps instead of shifting blame to customers.”
Both ICICI Bank and Vodafone Idea are likely to challenge the order before the Cyber Appellate Tribunal.
