When Someone Steals Your Identity

Priya received a call from her bank one Tuesday morning. A loan of ₹4.5 lakh had been sanctioned in her name. She had never applied. The KYC documents were hers — her Aadhaar, her PAN, even a scanned signature — but she had never submitted them to any lender. By the time the call ended, her stomach had dropped. Someone, somewhere, had become her in the digital world.

Stories like Priya's are no longer rare. Fraudsters use stolen photographs, forged documents, cloned SIM cards, and misappropriated digital signatures to take out loans, open bank accounts, register companies, and sign contracts — all in someone else's name. When the damage surfaces, the real victim is left holding the bill, the police complaint, and the burden of proving they were not the one who did it.

That burden — proving your own innocence in a digital world — is what this article is about. The law is not perfectly designed for this. Some parts of it will feel unfair. But understanding how it works gives you the only real advantage you have: the ability to build your evidence trail before it disappears.

What Actually Counts as Proof in an Identity-Theft Case

The first question any lawyer or police officer will ask you is: "What can you show me?" The answer has to be documents — because Indian courts operate on the best evidence rule. The Supreme Court in Bai Hira Devi v Official Assignee of Bombay (AIR 1958 SC 448) put it plainly: when written documents exist, they must be produced. Oral statements about what a document contained are weaker, secondary evidence, and are allowed only when the original is genuinely unavailable.

In an identity-theft case, evidence falls into several categories:

Electronic Records as Documents

Under the Indian Evidence Act, "documentary evidence" includes all documents — and that explicitly covers electronic records produced for a court's inspection. Bank transaction records, email exchanges, WhatsApp messages, OTP delivery logs, loan application data, and server access logs are all documents in the eyes of the law (PC Purushothama Reddiar v S Perumal, AIR 1972 SC 608). Entries in electronic records regularly maintained in the course of business — bank ledgers, telecom CDRs, app access logs — are specifically relevant whenever they touch on a matter the court is looking at (Section 34 of the Evidence Act; CBI v V C Shukla, AIR 1998 SC 1406).

This cuts both ways. The fraudster's trail — the IP address used to submit a fraudulent application, the device fingerprint, the server timestamp — is electronic evidence that can be used against them. But any record in your name is also an electronic document that the other side may try to use against you. Your job is to get ahead of it.

Call Recordings and Voice Logs

If you have a call recording of a fraudster impersonating you — or a recording of a bank officer confirming the fraud — that is admissible. Indian courts have held that recordings are admissible as res gestae (part of the event itself) and may be used both to corroborate other evidence and to contradict a witness's account (Ram Singh v Ram Singh, AIR 1986 SC 3). The conditions are strict: the voice of the speaker must be identifiable, the accuracy of the recording must be provable, there must be no evidence of tampering, and the recording must be preserved carefully after collection (Ziyauddin Burhanuddin Bukhari v Brijmohan Ramdass Mehra, AIR 1975 SC 1788). If you have such a recording, do not forward it, re-record it, or share it on WhatsApp — doing so creates a copy of unknown integrity. Store the original on a separate device and hand it to your lawyer.

Screenshots and Emails as Secondary Evidence

Screenshots are secondary evidence — copies, not originals. Courts allow secondary evidence when the original is unavailable, but you must first explain why you cannot produce the original. This means: take screenshots, but simultaneously ask the relevant platform (bank, NSDL, telecom operator, app company) to preserve the original server records. A screenshot without the underlying server record is weak. A screenshot accompanied by a certified copy from the platform's official custodian is far stronger. Public officers who have custody of official records are obliged to provide certified copies to anyone entitled to inspect them (Sections 76–77 of the Evidence Act). Use this right.

The FIR: Your Timestamped Declaration of Innocence

A First Information Report is not evidence of the crime by itself. The Supreme Court has been clear that an FIR does not constitute substantive evidence on its own (George v State of Kerala, AIR 1998 SC 1376). What it does do is two things that matter enormously in an identity-theft case.

First, it creates a timestamp. It is the law's record that on a specific date, you told the police you were a victim — before any court proceedings began, before any adverse order was passed in your name. In later litigation, your lawyer can use the FIR to show that your claim of victimhood was not an afterthought manufactured after the fraud was already discovered (Damodar Prasad Chandrika Prasad v State of Maharashtra, AIR 1972 SC 622).

Second, it triggers investigation. Once an FIR is registered, the police have the authority — and the duty — to obtain records from banks, telecom companies, and digital platforms. They can access data that you, as a private citizen, cannot. The results of that investigation are not evidence by themselves at trial (the law is clear that only evidence adduced at trial carries weight: Kaptan Singh v State of MP, AIR 1997 SC 2485), but the investigation is the mechanism that gets those records collected, preserved, and eventually produced in court. File the FIR as early as humanly possible. Every day of delay is a day the digital trail gets colder, servers get purged, and the fraudster gets further away.

How Courts Decide Who Sent That Electronic Record — and Why This Is a Double-Edged Problem

Here is the part of the law that no one tells identity-theft victims, and it is important that you understand it.

Section 11 of the Information Technology Act, 2000 deals with the attribution of electronic records — meaning, who the law treats as the person who sent or generated a digital communication. Under Section 11, an electronic record is attributed to the "originator" if it was sent by them directly, by a person authorised to act on their behalf, or by an information system that was programmed on their behalf to operate automatically.

The word "originator" is defined under Section 2(za) of the IT Act as anyone who sends, generates, stores or transmits any electronic message. Crucially, Section 11 is drafted in absolute terms. It does not create exceptions. It does not say "unless the originator can prove they didn't send it." Legal commentators have noted that this absolute language creates real practical difficulty — because in an identity-theft case, the fraudster sends the electronic record using stolen credentials, so the record is legally attributed to you, the victim. You then have to fight an uphill battle to show that attribution is wrong, in a section that does not even acknowledge the possibility of rebuttal.

What this means practically: if a loan application was submitted using your Aadhaar and your digital signature, the law starts by treating it as your application. You must affirmatively gather evidence to break that presumption. This is why building your evidence trail proactively — rather than waiting for a court case to arrive on your doorstep — is not optional. It is essential.

If you are concerned that an online fraud has been committed and there is also a criminal FIR angle you need to manage, understanding both sides of the process simultaneously will help you respond faster.

Digital Signatures, the Private Key, and Your Defence

Digital signatures are the gold standard of electronic authentication in India. Under the IT Act, a digital signature works through a pair of mathematically linked keys — a private key that only you are supposed to hold, and a public key that anyone can use to verify that a document was signed using your private key. The Explanation to Section 15 of the IT Act makes this explicit: in the case of digital signatures, the "signature creation data" is the private key of the subscriber.

Section 15 defines a "secure electronic signature" as one where the signature creation data — your private key — was under the exclusive control of you, the signatory, and no one else, at the time of affixing the signature. This word "exclusive" is your legal foothold in a digital-signature identity-theft case.

If a fraudster obtained access to your private key — by phishing, by installing malware on your computer, by bribing a certifying authority employee, or by stealing your USB token — then the signature that was affixed was not done under your exclusive control. It therefore cannot qualify as a "secure electronic signature" under Section 15. And if the signature is not secure, the legal strength of that document is significantly undermined.

How do you prove this? Through forensic evidence: cybersecurity experts can examine whether malware was present on your device, whether your private key was accessed from an IP address or device that was not yours, and whether the timestamp of the signature matches any time you were actually using your computer. This technical evidence, presented by a certified examiner, can shift the factual picture significantly. The key is to act before your device is wiped, updated, or replaced — because once the forensic evidence is gone, it cannot be recovered.

Secure Records — and Why Security Procedures Matter

Section 14 of the IT Act introduces the concept of a "secure electronic record." An electronic record is deemed secure — with a higher level of legal protection and reliability — if a government-prescribed security procedure (defined under Section 2(1)(zf) of the IT Act and prescribed under Section 16) was applied to it from a specific point in time until it is verified.

This is significant for victims. If a fraudulent document — say, a digitally signed agreement or a forged loan application — was processed without applying the prescribed security procedure, it cannot be treated as a "secure electronic record." A document that is not a secure electronic record carries lower evidentiary weight. Your lawyer can challenge whether the fraudulent transaction even had the required security procedures applied, and if it did not, argue that the court should treat the transaction's electronic records with skepticism.

Section 16 grants the Central Government the power to prescribe security procedures, taking into account the commercial circumstances, the nature of the transactions, and related factors. At present, the government has issued guidelines under the IT (Certifying Authorities) Rules, 2000. If the platform through which the fraud occurred did not follow these procedures — and many smaller lending apps and informal platforms do not — that is a ground to challenge the validity of the records attributed to you.

What Should I Actually Do Now?

  1. File an FIR immediately, even if the police seem unsure what to write. Go to the cyber crime cell or the nearest police station with jurisdiction. Give them a written complaint. If they refuse to register an FIR, file a complaint with the Superintendent of Police and, if necessary, approach the Judicial Magistrate under Section 156(3) of the CrPC/BNSS. The date of your FIR is your earliest legal timestamp. For detailed guidance on handling FIR difficulties, visit our guide on FIR rights and problems.
  2. Preserve your device exactly as it is. If the fraud involved any device you own — a phone, laptop, USB token — do not factory reset it, do not update it, and do not use it for anything else. A forensic examiner may need to extract evidence from it. Notify your lawyer before taking any action on your device.
  3. Write to every platform involved and demand preservation of records. Send a registered letter (not just email) to the bank, lending app, telecom operator, or registration portal that was used in the fraud. Ask them to preserve all logs, access records, IP addresses, device fingerprints, and application data related to the fraudulent transaction. Platforms routinely purge data after 30–90 days.
  4. Obtain certified copies of all records in your name. Request certified copies of the KYC submissions, the loan application, the account-opening form, and any documents bearing your name from the relevant institutions. Public authorities are legally required to provide certified copies to entitled persons (Sections 76–77 of the Evidence Act). These will be your primary evidence for showing what the fraudster submitted versus what you actually look like, sign like, or communicate like.
  5. Collect your own alibi-style electronic records. Pull together every electronic trail showing where you were and what you were doing at the time the fraud was committed. Bank statements, GPS data from your phone, office access logs, email timestamps, and social media activity can all establish that you could not have been the person who made the fraudulent application.
  6. Engage a certified cyber forensics examiner. If your private key, email account, or device was compromised, a forensic examination can produce a court-admissible expert report identifying the breach. Ask your lawyer to arrange this early — courts give significant weight to expert forensic testimony.
  7. Contact CERT-In and the RBI Ombudsman or SEBI, as relevant. If the fraud involved a financial institution or cyber incident, reporting to the Indian Computer Emergency Response Team and the relevant financial regulator adds an official record outside the criminal system.
  8. Speak to a lawyer who handles cyber law matters before speaking at length to investigators or providing voluntary statements to any bank or institution. Everything you say can become part of the record, and a lawyer can help you frame your account in a way that protects your legal position.

You Are Not Powerless — But Time Is the Enemy

Identity theft cases are winnable. They are winnable because fraud leaves traces — server timestamps, IP addresses, device fingerprints, ATM footage, courier records, handwriting on physical documents, and forensic analysis of digital signatures. Courts in India have consistently held that electronic evidence, when properly collected and certified, is as valid as any other form of documentary proof.

What courts cannot do is reconstruct evidence that has been deleted, overwritten, or lost to time. The legal system's tools for attribution — especially the absolute language of Section 11 of the IT Act — put the burden squarely on you, the victim, to show that the electronic record attributed to your name was not sent by you. That showing requires evidence. Evidence requires action. And action has to happen now, not after the first court date arrives.

If you have discovered that your identity has been stolen or misused digitally, the Pinaka Legal team is available to help you understand your evidence options, draft your FIR complaint, engage forensics experts, and represent you if litigation becomes necessary. Reach us at +91 8595704798 or info@pinakalegal.com for a first consultation.

Related Reads

Written by the Pinaka Legal Editorial Team. For queries, call +91 8595704798 or email info@pinakalegal.com.

Get legal help from Pinaka Legal — Cyber and Digital law experts in Delhi

Frequently Asked Questions

Can I prove identity theft without the original fraudulent document?

Yes, though it is harder. If you cannot produce the original fraudulent loan application or agreement, you may rely on secondary evidence — certified copies from the institution, screenshots, or oral accounts from bank employees who have seen the document. Courts require you to first explain why the original is unavailable before accepting secondary evidence. This is why demanding certified copies from the institution early is so important.

What is an FIR and does filing one actually help in an identity-theft case?

An FIR — First Information Report — is the police's formal record of your complaint. It is not substantive evidence of the crime by itself, but it creates a legally recognised timestamp: the date on which you first said you were a victim. Courts treat an FIR filed promptly as evidence that your claim is genuine and not an afterthought. It also authorises the police to collect records from banks, telecom companies, and digital platforms that you cannot access on your own.

Is a screenshot valid evidence in court for identity theft?

A screenshot is secondary evidence — a copy, not the original. Courts allow it when the original is unavailable, but you must explain why you cannot produce the original. A screenshot backed up by a certified copy from the platform's official custodian is far more reliable. On its own, an unverified screenshot carries limited weight.

How does the IT Act attribute electronic records — and what does it mean for me as a victim?

Section 11 of the IT Act says an electronic record is attributed to the originator — meaning, the person it appears to come from — if it was sent by them, by someone they authorised, or by a system they programmed. The law does not create a clear rebuttal mechanism. This means if a fraudulent application was submitted in your name, the law initially treats it as yours, and you bear the practical burden of showing otherwise through your evidence trail.

Can I use call recordings as proof in an identity-theft case?

Yes, call recordings are admissible as res gestae — part of the transaction or event — under Indian evidence law. The conditions are: the speaker's voice must be identifiable, the recording must be accurate, there must be no evidence of tampering, and the recording must be stored carefully after collection. Do not forward or re-record it. Store the original device safely and hand it to your lawyer for proper handling.

What is a private key and why does it matter when my digital signature was stolen?

A digital signature works through two linked keys: a private key you hold exclusively and a public key anyone can use to verify your signature. Section 15 of the IT Act says a digital signature is only 'secure' if the private key was under your exclusive control when used. If a fraudster accessed your private key — through malware, phishing, or physical theft of your USB token — the signature was not under your exclusive control. A forensic examiner can document this breach, providing grounds to challenge the signature's validity.

What is a secure electronic record and how can I use that concept in my defence?

Under Section 14 of the IT Act, a 'secure electronic record' is one to which a government-prescribed security procedure has been applied. If the platform that processed a fraudulent transaction in your name did not follow the prescribed security procedures, the records from that platform cannot be called secure electronic records. Courts may treat such records with more scepticism, and your lawyer can use this as a ground to challenge the reliability of the evidence the other side relies on.

How long does it take for electronic evidence to get deleted?

It varies. Banks typically retain transaction records for 5–10 years under RBI guidelines, but lending apps, third-party KYC platforms, and informal lenders often purge access logs within 30–90 days. Server logs — which contain IP addresses and device fingerprints — may be deleted even sooner. This is why contacting the platform in writing and asking them to preserve records, immediately after discovering the fraud, is one of the most important steps you can take.

Can I demand certified copies of fraudulent documents submitted in my name?

Yes. If those documents are held by a public institution or officer — a government registry, a regulated bank, a telecom company — you are entitled to request certified copies under Sections 76–77 of the Evidence Act. A public officer with custody of official records must provide a certified copy on payment of the prescribed fee. These certified copies are admissible as primary evidence of the document's contents.

Do I need a lawyer to file an identity-theft complaint?

You do not legally need a lawyer to file an FIR. But given the complexity of building an evidence trail — understanding what to preserve, how to frame your complaint, when to involve forensics, and how to respond to proceedings in your name — a cyber law lawyer is strongly recommended. Mistakes made in the early stages of evidence collection are very difficult to correct later.

For more articles on Indian law, visit the Pinaka Legal Blog.