Cybercrime evidence is fragile. Messages disappear, links expire, accounts are renamed and victims often erase the phone before saving the facts investigators need.
Write the event timeline.
Original device and SIM details.
Cropping out timestamps.
National Cyber Crime Reporting Portal
Start with a timeline: first contact, instructions, payments, account changes, reports and later communication. Use exact dates and times. Separate what was seen from what is assumed.
Preserve original digital material where possible. Export chats, save email headers, record URLs, retain transaction receipts and avoid editing screenshots. An edited collage may be useful for explanation but should not replace the originals.
Containment and evidence can conflict. Credentials must be secured quickly, but a factory reset may destroy logs. Where malware or a large loss is involved, ask the police or a cyber-forensic professional before wiping the device.
| Situation | Meaning | Response |
|---|---|---|
| Transaction evidence | UTR, bank statement, beneficiary and timestamp. | Supports tracing. |
| Communication | Chat export, email headers and call logs. | Shows inducement and identity. |
| Technical evidence | App file, URL, device logs and permissions. | Useful for forensic review. |
| Complaint evidence | Bank, 1930, portal and police acknowledgements. | Shows reporting speed. |
Submit the essential transaction data quickly even if the evidence file is not yet perfect. Additional documents can follow through the official process.
Maintain a read-only master folder and a separate working copy. Note who handled the device or file after the incident where forensic integrity may matter.
The safest approach is to preserve the original record, use the official channel and explain the facts in chronological order. A portal acknowledgement, complaint number or filing receipt is part of the evidence and should be downloaded rather than assumed to remain available forever.
Rules and procedures can change, and the correct action depends on the exact transaction, policy, notice or account. Where money, limitation, criminal allegations, medical causation or a large tax position is involved, qualified professional advice should be obtained before taking an irreversible step.
Fraud response has two parallel objectives: stop additional loss and preserve the evidence needed to trace the first loss. The immediate step is Write the event timeline. Record the exact time because bank liability, fund tracing, SIM or account containment and police follow-up can all depend on how quickly the incident was reported.
The evidence file should begin with Original device and SIM details. Add the transaction reference, beneficiary, phone number, link, app name, device state and every complaint acknowledgement. Keep original chats and files untouched; explanatory screenshots can be created as copies, but they should not replace the source material.
Do not continue following the fraudster’s instructions in the hope of recovering money. A frequent error is Cropping out timestamps. Use only independently located official numbers and portals. A bank dispute, cybercrime complaint and securities or telecom grievance may all be necessary because each route addresses a different part of the incident.
Also preserve the device model, operating-system version and time zone used when screenshots were captured. These details can help investigators align local timestamps with bank, telecom and platform logs.