The Letter from a Bank You Never Visited

The envelope is from a private bank you never opened an account with. Inside is a recall notice for a personal loan of three lakh rupees taken in your name, with your Aadhaar and PAN attached as KYC. You have not borrowed a rupee from anyone. Or maybe the call comes from a relative — "Why is your photo on this matrimonial profile? Why are you telling people you live in Pune?" Or you find a cloned Instagram account using your selfies, talking to your friends, asking them for money. The first feeling is disbelief. The second is panic. The third — once you start reading — is the slow realisation that your name has become a tool in someone else's hand.

Online identity theft is one of the most violating crimes the digital age has produced, because the wrong is not just to your money but to your name. Indian law actually has well-defined remedies on both fronts: a criminal track that punishes the impersonator and a compensation track that puts money back in your pocket. This guide explains what the law gives you, in plain English, with the exact sections to write into your FIR.

What Counts as Online Identity Theft

Section 66C of the Information Technology Act, 2000 (IT Act) defines the offence with unusual clarity:

Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

The IT Act commentary expands the reach of this section. The words "any other unique identification feature" are described as "very vast, comprehensive and futuristic in their approach and perspective". They cover not just the obvious — Aadhaar number, PAN, bank passwords, OTPs, electronic signatures — but also photographs, biometric identifiers, voice samples, even AI-generated voice clones and deepfakes. Anything that uniquely identifies you can be the subject of a Section 66C offence.

Two ingredients must be proved: (1) unauthorised use of your unique identifier, and (2) dishonest or fraudulent intention at the time of use. These are statutory requirements, drawn from Sections 24 and 25 of the IPC.

The Criminal Track: Sections to Cite

An online identity-theft FIR rarely contains only one section. The standard bouquet is:

IT Act 66C — identity theft

The headline section. Three years and one lakh rupees fine. Cognizable. Bailable.

IT Act 66D — cheating by personation

Where the stolen identity is used to cheat someone — to ask for money from your friends, to apply for a loan, to seek a job in your name — Section 66D applies. The IT Act commentary describes Section 66D as covering "all instances of cheating by personation, by using computers and communication devices". Same punishment as Section 66C. The two sections work together.

IPC 419 — cheating by personation

The offline counterpart of Section 66D. Section 416 of the Indian Penal Code, 1860 (IPC) defines the offence; Section 419 punishes it with imprisonment up to three years and fine. The Section 416 explanation makes clear the offence applies "whether the individual personated is a real or imaginary person".

IPC 420 — cheating with delivery of property

The most powerful section because it is non-bailable and carries up to seven years. If your stolen identity caused property — money, goods, services — to be delivered to the impersonator, Section 420 is engaged. Section 420 is also cognizable, so the police can arrest without a warrant.

IT Act 66E — privacy violation

Where the impersonator has captured, published or transmitted the image of a private area of your body, Section 66E applies. Three years or fine up to two lakh rupees, or both. This often overlaps with morphed-image and deepfake matters.

When Forgery Adds Up

If the impersonator has digitally edited your Aadhaar card, fabricated a PAN card with your name, or signed a digital document as if it were you, the IPC's forgery sections come in:

  • Section 463 IPC defines forgery — making a false document with intent to cause damage or fraud.
  • Section 468 IPC punishes forgery for the purpose of cheating with imprisonment up to seven years and fine. Cognizable, non-bailable.
  • Section 471 IPC punishes the use of a forged document as genuine. Same punishment as the original forgery.

For digital forgery using your e-signature, Section 66C of the IT Act and Section 471 of the IPC overlap. Modern FIRs invoke both because each tackles a different angle.

The Compensation Track Under the IT Act

The criminal case punishes the impersonator. It does not, by itself, put money back in your account. For that, the IT Act gives you a separate, faster, civil-style track.

Section 43 IT Act — the foundation

Section 43 lists ten unauthorised acts in relation to a computer or computer system that attract liability for damages by way of compensation. The IT Act commentary describes Section 43 as "a breath of fresh air" because it created statutory damages where Indian tort law had been hesitant. Among the ten grounds: unauthorised access, downloading or copying of data without permission, introduction of contaminants, denial of access, and unauthorised destruction or alteration of information.

An impersonator who logs in to your bank account, your email or your social-media account using your password is squarely within Section 43.

Section 46 IT Act — the Adjudicating Officer

Section 46 creates the Adjudicating Officer — usually the IT Secretary of the State — with power to hold an enquiry, examine evidence, and adjudge whether a contravention has occurred. After the 2008 amendment, the Officer's jurisdiction extends to claims for injury or damage up to rupees five crore. For claims above five crore, the regular civil court has jurisdiction.

The Adjudicating Officer functions like a civil court for IT-Act matters. Under Section 58, the Officer has the same powers as a civil court under the Code of Civil Procedure, 1908 — summoning witnesses, recording evidence on oath, ordering production of documents, and issuing commissions.

Section 61 IT Act — the civil-court bar

Section 61 of the IT Act bars the regular civil court from entertaining any matter that an Adjudicating Officer is empowered to determine. This is important: for an identity-theft compensation claim under five crore, the Adjudicating Officer is the only forum. A regular civil suit will be returned for want of jurisdiction.

Section 47 IT Act — quantum factors

Section 47 lists the factors the Adjudicating Officer considers when fixing compensation: the amount of unfair advantage gained, the loss caused to the victim, and the repetitive nature of the default. A first-time impersonator who took ten thousand rupees is treated differently from a serial offender who took twenty lakh.

Section 57 IT Act — appeal

An order of the Adjudicating Officer can be appealed within forty-five days to the Appellate Tribunal under Section 57. Both sides have appeal rights, so do not assume the matter is permanently settled at the Officer's level.

Why Both Tracks Are Needed

Running only the criminal case leaves you with no money even if the impersonator is convicted. Running only the compensation case leaves the impersonator free to repeat the offence on someone else. The IT Act explicitly contemplates both tracks. They feed each other:

  • The FIR triggers police investigation, which produces evidence — IP logs, bank statements, KYC trails — that the Adjudicating Officer can rely on.
  • The Adjudicating Officer's findings of contravention can be cited in the criminal trial as a record of factual determination, although the criminal court reaches its own independent conclusions.
  • The compensation award is recoverable as land revenue under Section 47A, giving it teeth.

For a fuller comparison of FIR-stage challenges and the magistrate route, see our companion guide.

How to Prove Identity Theft

Identity theft cases are won on documents. The following items, gathered early and preserved properly, decide both the criminal and the compensation outcomes.

  1. The misuse trail. Bank account statements, KYC submitted by the impersonator, screenshots of fake profiles, loan-recall letters, transaction logs, OTP delivery records.
  2. Your authentic identity records. Your real Aadhaar copy, real PAN copy, your usual bank statement showing your authentic transactions, your real social-media profile.
  3. Communication evidence. Any chat or email where the impersonator interacted with you or with third parties.
  4. Bank denial certificates. Written statements from your bank confirming you did not open or operate the disputed account.
  5. Section 63 BSA certificate. Under the Bharatiya Sakshya Adhiniyam, 2023, electronic records require a certificate identifying the device and the manner of capture. A lawyer can help draft this.

The IT Act commentary on Section 47 specifically directs the Adjudicating Officer to consider the quantum of unfair advantage and the actual loss caused. Documentation that maps these two figures is therefore worth its weight in gold.

What Should I Actually Do Now?

  1. Freeze the bleed. Call your bank, freeze accounts, change all passwords, enable two-factor authentication on every email and social-media account.
  2. Lock your CIBIL. Place a fraud alert with the credit bureau so no fresh loans are sanctioned in your name.
  3. File at cybercrime.gov.in. Upload bank correspondence, screenshots and your authentic ID. Note the acknowledgement number.
  4. Call 1930 if money has moved. The helpline can flag the recipient bank account in real time.
  5. File the FIR. Walk into the police station. Insist on FIR registration under BNSS Section 173 read with Sections 66C, 66D, 66E of the IT Act and Sections 419, 420, 463, 468, 471 of the IPC.
  6. If the SHO refuses, escalate. Send a written complaint to the Superintendent of Police under BNSS Section 173(4); if needed, move the Magistrate under BNSS Section 175(3) for an order to register and investigate. The Sakiri Vasu v State of UP (2008) ruling supports this.
  7. Issue a written denial to the bank. Demand reversal of disputed entries and a written letter from the bank confirming the account is fraudulent.
  8. File a Section 46 compensation claim. Identify the Adjudicating Officer for your state (usually the Secretary, Department of Information Technology). File a petition with documents, claiming damages under Section 43 read with Section 46.
  9. Inform the platform. Use the impersonation reporting form on Instagram, Facebook, WhatsApp, LinkedIn or the matrimonial site, attaching a government photo ID. Under the Information Technology (Intermediary Guidelines) Rules, intermediaries are mandated to act on actual knowledge.
  10. Keep a chronology. Date, action, reference number, person spoken to. This becomes your spine in court.

If you want a confidential review of which sections apply to your facts and how to structure the parallel claims, the team at Pinaka Legal — Advocates & Solicitors, Delhi — handles cyber-crime and data privacy matters every week. The first consultation is free.

Get legal help from Pinaka Legal — Cyber & Digital experts in Delhi

Getting Your Name Back

Online identity theft can feel like having your front door taken off its hinges and replaced with someone else's. The instinctive response — to hide, to feel ashamed, to delete every account — is the wrong one. The correct response is the opposite: document everything, file the FIR, file the compensation claim, write to the platform, and get the system to confirm in writing that the offending profile or account was never yours.

The law is on your side. Section 66C of the IT Act puts a clear three-year ceiling on the impersonator. Section 66D extends the punishment when the stolen identity is used to cheat. Sections 419 and 420 of the IPC bring in the strong arm of cognizable, non-bailable prosecution where money has changed hands. And Section 46 read with Section 43 of the IT Act lets you claim up to five crore rupees in compensation through a forum that is faster than a regular civil suit. None of these doors require you to wait for the others to close. Walk through all of them.

Frequently Asked Questions

What is online identity theft under Indian law?

Online identity theft is the dishonest or fraudulent use of another person's electronic signature, password, or any unique identification feature — Aadhaar number, PAN, OTP, photograph, voice sample or biometric. Section 66C of the IT Act, 2000 punishes this with imprisonment up to three years and fine up to one lakh rupees. Where the stolen identity is used to cheat someone, Section 66D of the IT Act and Sections 419 and 420 of the IPC come in. Both criminal and compensation tracks operate together.

Which sections do I cite when filing an FIR for online identity theft?

At the FIR stage, the typical bouquet is: Section 66C of the IT Act (identity theft), Section 66D of the IT Act (cheating by personation through computer resource), Section 419 of the IPC (cheating by personation), and Section 420 of the IPC (cheating where property is delivered). Where forged digital documents are used, Sections 463, 468 and 471 of the IPC for forgery and use of forged document are added. Section 66E of the IT Act is also added if a private image was captured or transmitted.

Can I get compensation for online identity theft without going to a criminal court?

Yes. Chapter IX of the IT Act gives you a direct compensation route. Under Section 46, the Adjudicating Officer — usually the IT Secretary of the State — can award damages by way of compensation up to rupees five crore for any contravention of the Act, including identity theft and personation. Section 43 of the IT Act lists ten unauthorised acts that attract civil liability, and Section 61 specifically bars the regular civil court from entertaining matters within the Adjudicating Officer's jurisdiction.

How much compensation can I claim for online identity theft?

Up to five crore rupees through the Adjudicating Officer under Section 46(1A) of the IT Act. For claims above five crore, the regular civil court has jurisdiction. The Adjudicating Officer must consider the amount of unfair advantage gained by the offender, the loss caused to the victim, and the repetitive nature of the default — these factors are listed in Section 47 of the IT Act. The Officer functions like a civil court for these matters and follows summary procedure.

Can both the criminal case and the compensation case run together?

Yes. The criminal case under Sections 66C/66D of the IT Act and Sections 419/420 of the IPC runs in the Magistrate's court. The compensation case under Section 46 runs before the Adjudicating Officer. The two are separate and parallel. The Supreme Court and the IT Act both recognise this dual track. In fact, having an FIR registered helps the Adjudicating Officer's enquiry because the police investigation produces evidence that the Officer can rely on.

My Aadhaar number was used to open a bank account I never authorised. What do I do?

This is a textbook Section 66C case. Your Aadhaar is a unique identification feature; its dishonest use squarely falls within Section 66C. Add Section 66D for the personation, Section 419 IPC for cheating by personation, and Section 420 IPC where money was withdrawn or a loan was taken in your name. File at cybercrime.gov.in, ring the bank to freeze the account, and lodge an FIR under BNSS Section 173. Then file a Section 46 compensation claim before the Adjudicating Officer for damages.

Someone is using my photo and voice on a fake online profile. Is that identity theft?

Yes. The IT Act commentary on Section 66C makes clear the words "any other unique identification feature" are vast and futuristic — they cover any identifier that uniquely identifies a person, including photograph, voice sample and biometric. AI-generated voice clones and deepfakes therefore fall squarely within Section 66C. If the fake profile is being used to cheat others, Section 66D is also attracted; if morphed private images are involved, Section 66E adds privacy violation.

Are Section 66C and 66D bailable?

Yes. Both Section 66C and Section 66D, with three-year ceilings, are bailable offences. The accused, if arrested, is entitled to bail as a matter of right. The IT Act commentary itself notes this is a weakness — the bailable nature reduces the deterrent effect. However, when Section 420 of the IPC is added because property was delivered through the personation, the offence becomes non-bailable and cognizable, with imprisonment up to seven years. Most identity-theft FIRs therefore carry both IT Act and IPC sections.

What evidence do I need for an identity theft case?

For Section 66C, you need to show that the dishonest user used your unique identification feature without authority. Bank statements showing accounts opened in your name, KYC documents that you never submitted, screenshots of accounts using your photo, OTP logs, transaction trails — these are the building blocks. Under the Bharatiya Sakshya Adhiniyam, 2023 (replacing the Indian Evidence Act, 1872), electronic records are admissible only with a certificate of identification. Bank-to-bank trail requests and IP logs are gathered by the police on FIR registration.

What if I am refused an FIR for online identity theft?

The Supreme Court in Lalita Kumari v Government of UP held registration of an FIR is mandatory for cognizable offences. If the SHO still refuses, write to the Superintendent of Police under BNSS Section 173(4) (old Section 154(3) CrPC). If the SP also fails, file a private complaint before the Magistrate under BNSS Section 223 (old Section 200 CrPC) and pray for an order under BNSS Section 175(3) (old Section 156(3) CrPC) directing investigation. Sakiri Vasu v State of UP confirms this Magistrate power.

How long does an identity theft compensation claim take?

The Adjudicating Officer follows summary procedure and can typically dispose of matters within six to twelve months. The Officer has the same powers as a civil court under the Code of Civil Procedure, 1908 for summoning witnesses and recording evidence. Appeals lie to the Appellate Tribunal under Section 57 of the IT Act within forty-five days. The criminal trial in the Magistrate's court usually takes longer; cyber-cases are increasingly heard in summary trial under BNSS Chapter 21.

Can a company that leaked my Aadhaar be sued for compensation?

Yes. Section 43A of the IT Act imposes liability on a body corporate that handles sensitive personal data and fails to implement reasonable security practices, where such failure causes wrongful loss or wrongful gain. Compensation is awarded by the Adjudicating Officer under Section 46. The Digital Personal Data Protection Act, 2023 has added further compliance obligations. A leak that enables identity theft creates joint liability of the impersonator and the negligent custodian.

Related Reads

For more articles on Indian law, visit the Pinaka Legal Blog.