Cyber Crime in Banking: IT Act, CERT-In & Prevention for IIBF 2026

IIBF 14 June 2026 · 5 min read

Few topics in modern banking carry the urgency of cyber crime, and the IIBF Prevention of Cyber Crime paper tests it from both a legal and a practical angle. As banking shifts almost entirely online, cyber crime has become the dominant operational and reputational threat facing every institution. This guide explains the major attack types, the governing law and the regulatory framework that examiners expect you to know in detail.

Major Types of Banking Cyber Crime

Banking cyber crime takes many forms, and you should be able to define each precisely. Phishing uses fraudulent emails or websites that impersonate a bank to trick customers into revealing credentials. Vishing is its voice equivalent, where a fraudster calls posing as a bank official to extract OTPs or card details, while smishing uses SMS for the same purpose. These social-engineering attacks exploit human trust rather than technical weaknesses, which is why customer awareness is the strongest defence.

Technical attacks are equally important. Malware and ransomware infect systems to steal data or lock files until a ransom is paid, and a man-in-the-middle attack intercepts communication between customer and bank. SIM swap fraud hijacks a victim's mobile number to capture OTPs, and card skimming copies card data at compromised ATMs or point-of-sale machines. Money mule accounts then launder the proceeds. Understanding the modus operandi of each cyber crime helps a banker spot red flags early and advise customers correctly. Practise identifying these patterns with our IIBF cyber crime practice tests, which mirror the exam's scenario style.

[Figure: Common types of banking cyber crime, including phishing, vishing and malware]

The Information Technology Act, 2000

The legal backbone of India's response to cyber crime is the Information Technology Act, 2000, which gives legal recognition to electronic records and digital signatures and creates offences for computer-related wrongdoing. Section 43 provides civil liability for unauthorised access, downloading or damage to computer systems, while Section 66 covers computer-related offences such as hacking with criminal intent. Section 66C deals with identity theft and Section 66D with cheating by personation using a computer resource — both highly relevant to banking fraud.

Section 43A is crucial for banks: it requires a body corporate handling sensitive personal data to maintain reasonable security practices, failing which it is liable to pay compensation. Section 72A penalises disclosure of information in breach of a lawful contract. The Act also established the Adjudicating Officer and the appellate machinery for cyber disputes. For the exam, link each section number to its offence, because direct one-mark questions on section numbers are common. The Act is steadily being supplemented by the Digital Personal Data Protection regime, which strengthens data-handling duties. Reinforce the section mapping with our cyber law match game.

RBI Cyber Security Framework and CERT-In

The Reserve Bank of India has issued a comprehensive Cyber Security Framework requiring every bank to have a board-approved cyber security policy distinct from its broader IT policy, a Security Operations Centre for continuous monitoring, and a tested Cyber Crisis Management Plan. Banks are categorised by their digital footprint, with more stringent baseline controls for larger and more digitally active institutions. Detailed expectations are published by the Reserve Bank of India.

At the national level, the Indian Computer Emergency Response Team (CERT-In) is the nodal agency for responding to cyber security incidents. Under its directions, organisations must report specified cyber incidents within a strict timeline and retain logs for a defined period. Banks must also report fraud and security incidents to the RBI. Customers are protected by the RBI's limited liability framework, under which a customer who reports an unauthorised electronic transaction promptly bears little or no loss, with the burden shifting to the bank. This customer-protection angle is a favourite exam theme. Stay current on fresh advisories through our IIBF news tracker.

[Figure: RBI cyber security framework and incident reporting to CERT-In]

Prevention, Controls and Incident Response

Preventing cyber crime is a layered exercise. Technical controls include multi-factor authentication, encryption of data in transit and at rest, network firewalls, intrusion-detection systems and timely patching of vulnerabilities. Vulnerability Assessment and Penetration Testing (VAPT) is conducted periodically to find weaknesses before attackers do, and access is governed on a least-privilege, need-to-know basis with maker-checker controls for sensitive actions.
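The maker-checker control mentioned above can be shown in code. This is an added illustration, not code from the article or from any bank's system; the role names, the sensitive-amount threshold and the ledger class are constructed for the example. A transfer above the threshold stays pending until a different user holding the supervisor role approves it, so no single person can both initiate and release a sensitive payment.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

class Role(Enum):
    TELLER = "teller"
    SUPERVISOR = "supervisor"

class State(Enum):
    PENDING = "pending"      # created by maker, awaiting checker
    APPROVED = "approved"    # checked, may now be executed
    EXECUTED = "executed"

# Hypothetical threshold: transfers at or above this need a second pair of eyes.
SENSITIVE_LIMIT = 100_000

@dataclass
class Transfer:
    amount: int
    maker: str
    checker: Optional[str] = None
    state: State = State.PENDING

class MakerCheckerLedger:
    def __init__(self, roles: Dict[str, Role]):
        self.roles = roles            # user -> role (least privilege: tellers cannot approve)
        self.audit: List[str] = []    # append-only trail for post-incident review

    def create(self, maker: str, amount: int) -> Transfer:
        if maker not in self.roles:
            raise PermissionError("unknown user")
        t = Transfer(amount=amount, maker=maker)
        if amount < SENSITIVE_LIMIT:
            t.state = State.APPROVED  # low-value: maker alone is sufficient
        self.audit.append(f"create maker={maker} amount={amount} state={t.state.value}")
        return t

    def approve(self, t: Transfer, checker: str) -> Transfer:
        if t.state is not State.PENDING:
            raise ValueError("only pending transfers can be approved")
        if checker == t.maker:
            raise PermissionError("maker may not check their own transfer")
        if self.roles.get(checker) is not Role.SUPERVISOR:
            raise PermissionError("checker must hold the supervisor role")
        t.checker, t.state = checker, State.APPROVED
        self.audit.append(f"approve checker={checker} amount={t.amount}")
        return t

    def execute(self, t: Transfer) -> Transfer:
        if t.state is not State.APPROVED:
            raise ValueError("transfer has not been approved")
        t.state = State.EXECUTED
        self.audit.append(f"execute maker={t.maker} checker={t.checker} amount={t.amount}")
        return t
```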

Equally vital are human and procedural controls: continuous staff training, customer-awareness campaigns on never sharing OTPs or PINs, and a well-rehearsed incident response plan that defines who does what when an attack occurs. The plan should cover detection, containment, eradication, recovery and post-incident review. The growth of the National Cyber Crime Reporting Portal and the 1930 helpline has made it easier for victims to report and for banks to freeze fraudulent transfers quickly. A banker who combines legal knowledge, regulatory awareness and practical controls becomes the institution's strongest shield against cyber crime. Build that complete picture with our advanced banking technology course and the explainers on our study blog.

What is the difference between phishing, vishing and smishing?

All three are social-engineering frauds: phishing uses fraudulent emails or websites, vishing uses voice calls, and smishing uses SMS messages, each aiming to steal credentials or OTPs.

Which IT Act section covers identity theft?

Section 66C of the Information Technology Act, 2000 covers identity theft, while Section 66D covers cheating by personation using a computer resource.

What is CERT-In's role?

CERT-In is India's nodal agency for cyber security incident response. It issues advisories and directions, and organisations must report specified incidents to it within prescribed timelines.

What is the customer's liability for an unauthorised electronic transaction?

Under the RBI limited-liability framework, a customer who reports an unauthorised transaction promptly bears little or no loss, with the burden of proof shifting to the bank.

Conclusion

Cyber crime preparation rewards candidates who connect three layers: the attack typologies, the IT Act sections, and the RBI and CERT-In frameworks, all underpinned by practical controls and customer protection. Map the section numbers and the reporting timelines precisely, since those are near-certain exam points. Test your readiness with a timed cyber crime mock and deepen your expertise through our advanced banking course.
