Digital Evidence Preservation Policy for Cyber Fraud Investigations
- Kiratraj Sadana
Why Every Business Needs One Before a Cybercrime Notice Arrives
Cyber fraud investigations rarely begin with a company being prepared.
More often, they begin with a sudden email from the bank, a call from the accounts team, a police notice, a lien on the company’s bank account, or a complaint from a customer claiming that money has been fraudulently transferred.
At that stage, the first instinct of most businesses is to respond quickly. That is understandable. But in cyber fraud matters, speed without structure can create further problems.
The more important question is not only:
“How do we respond?”
It is also:
“Can we prove what happened?”
That is where a Digital Evidence Preservation Policy becomes critical.
For a business, digital evidence may include emails, WhatsApp chats, invoices, payment confirmations, bank statements, system logs, customer records, access logs, screenshots, call records, IP logs, CRM entries, delivery records, and internal approvals.
If this evidence is deleted, altered, overwritten, misplaced, or casually forwarded without proper control, the business may lose its ability to explain the transaction clearly before a bank, police authority, cyber cell, court, or regulator.
In cyber fraud investigations, documents are often the difference between panic and a structured defence.
1. What is a Digital Evidence Preservation Policy?
A Digital Evidence Preservation Policy is an internal company policy that sets out how a business will identify, preserve, secure, and produce digital records when a cyber fraud incident, suspicious transaction, police notice, or bank account freeze arises.
It answers basic but important questions:
What records must be preserved?
Who is responsible for preserving them?
How should electronic records be collected?
Who can access them?
How should screenshots, chats, emails, logs, and transaction records be stored?
What should employees not delete or alter?
How should records be shared with lawyers, banks, police authorities, or courts?
A good policy does not need to be complicated. But it must be clear enough for the finance, legal, IT, customer support, operations, and leadership teams to follow during a crisis.
2. Why Digital Evidence Matters in Cyber Fraud Cases
Cyber fraud investigations are usually document-heavy.
When a complaint is filed, the investigating agency will often try to trace the movement of money. This may involve bank accounts, UPI IDs, payment gateways, wallets, e-commerce platforms, invoices, IP addresses, emails, mobile numbers, customer details, and intermediary records.
A business may have no role in the alleged fraud. It may have acted in good faith, supplied goods or services, and received payment in the ordinary course.
However, if the money received by the business is later alleged to be linked to a cybercrime complaint, the business may be required to explain:
why it received the payment;
who made the payment;
whether the payer was connected to the customer;
what goods or services were supplied;
whether invoices were issued;
whether KYC documents were collected;
whether the transaction was commercially genuine;
whether there was any suspicious conduct;
whether the business has retained supporting records.
Without proper evidence, even an innocent business can struggle to explain its position.
This becomes especially important where the company’s bank account is lien-marked or frozen due to a cybercrime complaint.
3. The Legal Importance of Preserving Electronic Records
Electronic records are not merely internal business records. In legal proceedings, they become evidence.
Under Indian law, electronic records are admissible in proceedings subject to prescribed conditions, including the certificate requirement for records produced from a computer or communication device (Section 63 of the Bharatiya Sakshya Adhiniyam, 2023, which replaced Section 65B of the Indian Evidence Act, 1872). Therefore, the manner in which electronic evidence is collected, stored, exported, and certified can become relevant at a later stage.
This is why businesses should avoid casual handling of digital evidence.
For example:
screenshots should not be the only form of preservation;
original emails should be retained;
WhatsApp chats should not be selectively deleted;
device data should not be tampered with;
system logs should not be overwritten prematurely;
files should not be renamed or modified without record;
evidence should not be circulated informally across multiple people.
The aim is simple: the business should be able to demonstrate that the record is genuine, complete, and traceable to its source.
4. When Should the Policy Be Triggered?
A Digital Evidence Preservation Policy should be triggered as soon as any of the following events occur:
The business receives a cybercrime notice.
The business receives a notice under the Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS) requiring appearance, information, or documents.
A bank account is frozen, lien-marked, or partially blocked.
A customer alleges fraud, impersonation, phishing, or unauthorised payment.
A suspicious payment is received from an unknown or unrelated third party.
A vendor or customer claims that payment instructions were altered.
The business identifies a fake invoice, spoofed email, or payment diversion.
There is unauthorised access to company email, CRM, payment systems, or accounting tools.
The business receives communication from a bank, payment gateway, cyber cell, or investigating officer.
Internal teams suspect that company systems or credentials may have been compromised.
The policy should not wait for litigation. By the time the matter reaches court, crucial records may already be lost.
5. What Digital Evidence Should Be Preserved?
The policy should define the categories of records that must be preserved. Depending on the nature of the business, this may include:
A. Payment and Banking Records
bank statements;
UPI transaction details;
payment gateway records;
settlement reports;
transaction IDs;
chargeback records;
lien/freeze communication from the bank;
payment confirmation screenshots;
ledger entries;
refund records.
B. Customer and Vendor Records
invoices;
purchase orders;
customer onboarding forms;
vendor onboarding documents;
GST details;
PAN details;
KYC documents;
delivery challans;
proof of supply;
agreements;
order history.
C. Communication Records
emails;
WhatsApp chats;
SMS records;
call logs;
customer support tickets;
CRM notes;
internal Slack/Teams messages;
recorded customer calls, where lawfully maintained.
D. Technical Records
login logs;
IP logs;
device access logs;
admin panel activity;
audit trails;
server logs;
firewall logs;
email header data;
cloud access logs;
system alerts;
endpoint security alerts.
E. Internal Approval Records
payment approval notes;
maker-checker records;
dispatch approvals;
exception approvals;
escalation emails;
risk flags raised by employees;
management decisions relating to the incident.
The objective is not to preserve everything forever. The objective is to preserve the right records once an incident or investigation is reasonably anticipated.
6. What Employees Should Not Do
In a cyber fraud investigation, careless conduct by employees can create avoidable complications.
The policy should clearly instruct employees not to:
delete emails, WhatsApp chats, SMS messages, invoices, logs, or payment records;
edit or overwrite files connected to the incident;
rename documents without keeping a record;
take selective screenshots while deleting the underlying conversation;
reset devices without approval;
format laptops or phones connected to the incident;
speak informally to banks, police authorities, or third parties without internal approval;
forward sensitive evidence through personal email accounts;
discuss the matter casually on WhatsApp groups;
make admissions or speculative statements without verification;
contact the complainant directly without legal advice.
A simple rule should be communicated internally:
Once a cyber fraud issue is identified, preserve first and respond after review.
7. Who Should Own the Policy?
Digital evidence preservation cannot be left only to the IT team.
A proper response usually requires coordination between:
Founders / senior management;
Legal team;
Finance team;
IT / cybersecurity team;
Compliance team;
Customer support team;
Operations team;
External counsel;
Forensic experts, where required.
The policy should identify a specific internal incident response group.
For smaller businesses, this may be a three-person group consisting of the founder, finance head, and external counsel.
For larger companies, it may involve legal, finance, IT, compliance, and information security teams.
What matters is that responsibility is clearly assigned before a crisis arises.
8. The First 24 Hours: Evidence Preservation Checklist
When a cyber fraud issue arises, businesses should immediately follow a structured checklist.
Step 1: Identify the Incident
Record what has happened.
For example:
account frozen;
suspicious payment received;
police notice received;
customer fraud complaint received;
unauthorised access detected;
payment diversion suspected.
Step 2: Identify the Relevant Transaction
Collect:
date of transaction;
amount;
payer name;
bank account details;
UPI ID;
transaction reference number;
invoice number;
customer/vendor name;
related communication.
Step 3: Preserve Communications
Preserve all related:
emails;
WhatsApp chats;
SMS messages;
customer support tickets;
call records;
internal communications.
Step 4: Preserve Financial Records
Collect:
bank statements;
invoices;
ledger entries;
GST records;
payment confirmations;
refund records;
settlement reports.
Step 5: Preserve Technical Records
Ask the IT team to preserve the following before routine log rotation or automatic deletion overwrites them, exporting copies rather than working on the live systems:
logs;
login records;
access history;
email headers;
system alerts;
CRM records;
admin panel activity.
Step 6: Restrict Access
Limit access to the evidence folder to authorised persons only, keep the collected originals read-only, and give reviewers working copies rather than the originals.
Step 7: Create an Evidence Index
Prepare a simple index containing:
document name;
source;
date;
person collecting it;
format;
relevance;
storage location.
Step 8: Seek Legal Review Before Submission
Do not send documents to a bank, cyber cell, investigating officer, or third party without legal review.
9. Maintaining Chain of Custody
Chain of custody means maintaining a clear record of how evidence was collected, stored, accessed, transferred, and produced.
This is especially important for electronic evidence because digital records can be easily modified, duplicated, or challenged.
A business should maintain a simple chain of custody log containing:
description of evidence;
source device/system;
date and time of collection;
name of person collecting it;
method of collection;
cryptographic hash value (for example, SHA-256) computed at the time of collection, where applicable;
storage location;
persons who accessed it;
date of sharing with counsel, authority, or expert.
For routine business cases, this does not need to be overly technical. But there should be enough discipline to show that the record was not casually altered.
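The evidence index from Step 7 and the chain-of-custody log above can be kept as two spreadsheets, but the hash column is only useful if someone actually computes it at collection and re-checks it later. The following Python script is an added example, not part of the original article or of any tool it describes. It indexes every file in an evidence folder with the Step 7 fields plus size and SHA-256, appends custody events, writes both as CSV, and then re-hashes the files to show how an appended bank statement and a deleted email show up as MODIFIED and MISSING. The file names, collector name, contents and the "Finance Head" role are constructed for the illustration.

```python
"""Evidence index and chain-of-custody log with SHA-256 integrity checks.

Added illustration: file names, collectors and contents below are constructed.
"""
import csv
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def now_utc():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path):
    """Hash the file in chunks so large exports (mailbox dumps, logs) need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_index(evidence_dir, collected_by, metadata):
    """One index row per file: the Step 7 fields plus size and hash.

    `metadata` maps file name -> (source system, relevance) and is typed in by the
    person collecting; it cannot be derived from the bytes themselves.
    """
    rows = []
    for path in sorted(Path(evidence_dir).rglob("*")):
        if not path.is_file():
            continue
        source, relevance = metadata.get(path.name, ("unknown", "to be reviewed"))
        rows.append({
            "document": path.name,
            "source": source,
            "date_collected": now_utc(),
            "collected_by": collected_by,
            "format": path.suffix.lstrip(".").lower() or "none",
            "relevance": relevance,
            "storage_location": str(path.resolve()),
            "size_bytes": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    return rows


def record_custody_event(log, document, actor, action, recipient=""):
    """Append one chain-of-custody entry (collected, accessed, shared with counsel, ...)."""
    log.append({"timestamp": now_utc(), "document": document, "actor": actor,
                "action": action, "recipient": recipient})
    return log


def verify_index(rows):
    """Re-hash every indexed file: OK, MODIFIED (bytes changed) or MISSING (deleted/moved)."""
    status = {}
    for row in rows:
        path = Path(row["storage_location"])
        if not path.is_file():
            status[row["document"]] = "MISSING"
        elif sha256_file(path) != row["sha256"]:
            status[row["document"]] = "MODIFIED"
        else:
            status[row["document"]] = "OK"
    return status


def write_csv(rows, out_path):
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)


def demo():
    """Index three constructed files, then show what a later integrity check reveals."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    (root / "INV-0042.pdf").write_bytes(b"%PDF-1.4 constructed invoice placeholder\n")
    (root / "bank_statement_mar.csv").write_text("date,ref,amount\n2025-03-03,UTR1001,150000\n")
    (root / "payer_email.eml").write_text("From: buyer@example.invalid\nSubject: Payment done\n\nSee UTR1001.\n")
    metadata = {
        "INV-0042.pdf": ("accounting system", "invoice against which payment was received"),
        "bank_statement_mar.csv": ("bank portal export", "shows credit of UTR1001"),
        "payer_email.eml": ("company mailbox (original .eml)", "payer's confirmation"),
    }
    index = build_index(root, "Finance Head", metadata)
    custody = []
    for row in index:
        record_custody_event(custody, row["document"], "Finance Head", "collected")
    record_custody_event(custody, "INV-0042.pdf", "Finance Head", "shared", recipient="External counsel")
    write_csv(index, root / "evidence_index.csv")
    write_csv(custody, root / "chain_of_custody.csv")
    before = verify_index(index)                      # all OK right after collection
    # Someone "tidies up" the folder later: appends to one original and deletes another.
    with open(root / "bank_statement_mar.csv", "a") as fh:
        fh.write("2025-03-04,UTR1002,5000\n")
    (root / "payer_email.eml").unlink()
    after = verify_index(index)                       # MODIFIED and MISSING are now visible
    return index, custody, before, after


if __name__ == "__main__":
    _, _, before, after = demo()
    print("after collection:", before)
    print("after tampering: ", after)
```

Run it as a script to see the two verification results. The point of the hash column is that a later reviewer, counsel or expert can re-run `verify_index` against the stored files and show that what is being produced is byte-for-byte what was collected; the custody log records who held or received each item in between.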
10. Screenshots Are Useful, But Not Enough
Many businesses rely heavily on screenshots.
Screenshots are helpful for quick reference. But they should not be treated as the only evidence.
For example, if a WhatsApp chat is relevant, the business should preserve the chat itself, export it where appropriate, retain the device where necessary, and avoid deleting the original conversation.
If an email is relevant, the original email, header information, attachments, and mailbox records may be important.
If a transaction is relevant, the bank statement, transaction ID, ledger entry, invoice, and customer communication should be preserved together.
A screenshot may show what was visible on a screen. But it may not be sufficient to prove the full source, context, authenticity, or continuity of the record.
11. Evidence Preservation and Bank Account Freezing
Digital evidence preservation becomes critical when a company’s bank account is frozen or lien-marked.
In such cases, the business may need to demonstrate:
the payment was received against a legitimate invoice;
goods or services were actually supplied;
the customer relationship was genuine;
the business had no knowledge of any alleged fraud;
there was no suspicious conduct;
the amount received can be identified;
the freeze is disproportionate or causing business disruption.
A well-prepared evidence file can assist in making representations to the investigating authority, bank, Magistrate, or High Court, depending on the facts of the case.
Conversely, a business that cannot produce documents may find it difficult to seek urgent relief.
12. Evidence Preservation for Finance Teams
Finance teams are often the first to identify unusual payments.
They should be trained to flag:
payments from unrelated third parties;
split payments from multiple unknown accounts;
mismatch between invoice name and payer name;
sudden high-value payments from new customers;
payment followed by urgent dispatch requests;
requests to refund money to a different account;
payment from one person and delivery to another;
inconsistent GST, billing, shipping, or bank details.
Whenever such a red flag appears, the finance team should preserve the transaction records and escalate the matter internally.
The key question should be:
If a cyber cell asks about this payment six months later, can we explain it with documents?
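Most of the red flags listed above can be checked mechanically against the incoming-payment ledger, so the finance team does not have to rely on memory. The following Python script is an added example, not part of the original article; it encodes those red flags as rules over constructed payment records and goes slightly beyond the list by adding a cross-record check for an invoice settled from several different accounts within a few days. The thresholds (`HIGH_VALUE_INR`, `NEW_CUSTOMER_DAYS`, `SPLIT_WINDOW_DAYS`), the party names and the transactions are all assumptions for the illustration.

```python
"""Rule-based screening of incoming payments for the finance-team red flags.

Added illustration: thresholds, party names and transactions are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

HIGH_VALUE_INR = 500_000      # assumed: what counts as "high value" for this business
NEW_CUSTOMER_DAYS = 30        # assumed: a customer onboarded within this many days is "new"
SPLIT_WINDOW_DAYS = 3         # assumed: payments this close together are one settlement


@dataclass
class Payment:
    ref: str                     # bank UTR / transaction reference
    paid_on: date
    amount: int                  # INR
    payer_name: str
    payer_account: str           # masked account / UPI ID of the remitter
    invoice_no: str
    invoice_customer: str        # name on the invoice
    customer_since: date         # onboarding date of the invoiced customer
    delivery_to: str = ""        # consignee on the dispatch record, if dispatched
    refund_to_account: str = ""  # account a refund was requested to, if any
    urgent_dispatch: bool = False


def _norm(name):
    return " ".join(name.lower().split())


def screen_payment(p, known_parties):
    """Flags that can be decided from a single payment record."""
    known = {_norm(n) for n in known_parties}
    flags = []
    if _norm(p.payer_name) not in known:
        flags.append("payer is not a known customer or vendor")
    if _norm(p.payer_name) != _norm(p.invoice_customer):
        flags.append("payer name does not match invoice name")
    if p.amount >= HIGH_VALUE_INR and (p.paid_on - p.customer_since).days <= NEW_CUSTOMER_DAYS:
        flags.append("high-value payment from a newly onboarded customer")
    if p.urgent_dispatch:
        flags.append("payment followed by urgent dispatch request")
    if p.refund_to_account and p.refund_to_account != p.payer_account:
        flags.append("refund requested to an account other than the payer's")
    if p.delivery_to and _norm(p.delivery_to) != _norm(p.invoice_customer):
        flags.append("goods delivered to a party other than the invoiced customer")
    return flags


def screen_batch(payments, known_parties):
    """Per-payment flags plus the cross-record check for split payments on one invoice."""
    report = {p.ref: screen_payment(p, known_parties) for p in payments}
    by_invoice = defaultdict(list)
    for p in payments:
        by_invoice[p.invoice_no].append(p)
    for invoice_no, group in by_invoice.items():
        accounts = {p.payer_account for p in group}
        days = [p.paid_on for p in group]
        if len(accounts) > 1 and (max(days) - min(days)).days <= SPLIT_WINDOW_DAYS:
            for p in group:
                report[p.ref].append(
                    f"split payment: {invoice_no} settled from {len(accounts)} different accounts")
    return report


def needs_escalation(report):
    """References whose records the finance team should preserve and escalate."""
    return sorted(ref for ref, flags in report.items() if flags)


# Constructed sample ledger, not real parties or transactions.
KNOWN_PARTIES = ["Acme Traders Pvt Ltd", "Bharat Components LLP"]
SAMPLE_PAYMENTS = [
    Payment("UTR1001", date(2025, 3, 3), 120_000, "Acme Traders Pvt Ltd", "ACC-ACME-01",
            "INV-0042", "Acme Traders Pvt Ltd", date(2023, 6, 1), delivery_to="Acme Traders Pvt Ltd"),
    Payment("UTR1002", date(2025, 3, 4), 300_000, "Rahul K", "ACC-9901",
            "INV-0043", "Bharat Components LLP", date(2024, 1, 15)),
    Payment("UTR1003", date(2025, 3, 5), 250_000, "Priya S", "ACC-7711",
            "INV-0043", "Bharat Components LLP", date(2024, 1, 15)),
    Payment("UTR1004", date(2025, 3, 6), 800_000, "NewCo Exports", "ACC-5500",
            "INV-0044", "NewCo Exports", date(2025, 2, 20), delivery_to="Sunil M",
            refund_to_account="ACC-5599", urgent_dispatch=True),
]

if __name__ == "__main__":
    for ref, flags in screen_batch(SAMPLE_PAYMENTS, KNOWN_PARTIES).items():
        print(ref, "->", flags or ["no red flags"])
```

In the constructed ledger, UTR1001 is an ordinary payment from an invoiced customer and raises nothing; UTR1002 and UTR1003 are two unknown individuals settling one invoice a day apart and are flagged for the name mismatch and the split; UTR1004 collects every single-record flag at once. A flag is a reason to preserve the transaction file and escalate, not a finding of fraud; the thresholds should be tuned to the business and kept out of the policy text so they can change without a policy revision.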
13. Retention Periods and Log Preservation
Businesses should define retention periods for different categories of digital records.
For cyber fraud and payment-related matters, businesses should consider longer retention for:
transaction records;
invoices;
customer onboarding documents;
vendor records;
payment approval records;
access logs;
email records;
incident records.
Businesses subject to specific regulatory or cybersecurity directions may have additional log retention and reporting obligations (for example, the CERT-In directions of April 2022 require covered entities to maintain ICT system logs for 180 days). Therefore, the evidence preservation policy should be aligned with applicable sectoral requirements, including cybersecurity, financial services, payment, data protection, and intermediary obligations, where relevant.
At a minimum, the policy should ensure that logs and records are not automatically deleted before the business has had a reasonable opportunity to identify and respond to cyber fraud risks.
14. Role of Legal Counsel
Legal counsel should be involved early in the process.
This is not because every cyber fraud issue must become litigation. It is because early legal review helps the business:
identify legally relevant documents;
avoid accidental admissions;
prepare structured responses;
preserve privilege where applicable;
coordinate with banks and authorities;
assess criminal, civil, regulatory, and contractual risks;
decide whether court intervention is necessary.
In many cases, the quality of the first response can influence how quickly the matter is resolved.
15. Suggested Internal Policy Framework
A business can structure its Digital Evidence Preservation Policy under the following heads:
Purpose and scope
Trigger events
Categories of evidence to be preserved
Roles and responsibilities
Immediate preservation steps
Restrictions on deletion or alteration
Evidence storage protocol
Access control
Chain of custody log
Legal review before external sharing
Coordination with banks and authorities
Retention periods
Employee training
Periodic review of the policy
This framework can be adapted for startups, SMEs, e-commerce businesses, payment-heavy companies, marketplaces, technology companies, exporters, agencies, and regulated businesses.
16. Sample Internal Instruction After a Cyber Fraud Incident
Once an incident is identified, the company may issue an internal preservation instruction.
This simple instruction can prevent significant loss of evidence.
17. Conclusion
Cyber fraud response is not only about filing complaints, replying to notices, or seeking de-freezing of bank accounts.
It is also about evidence.
A business that preserves its records properly is better placed to explain the transaction, cooperate with authorities, protect its bank account, and seek appropriate legal relief.
A business that does not preserve evidence may find itself struggling to reconstruct facts after the damage is already done.
In cyber fraud investigations, the best time to create a Digital Evidence Preservation Policy is before an incident occurs.
The second-best time is immediately after one is suspected.
For businesses operating in a digital payment environment, evidence preservation is no longer a back-office function. It is a core part of legal, finance, cybersecurity, and business continuity planning.