Phishing, Ransomware and the IT Act 2000: A Banker's Guide

CYBERCRIME 16 June 2026 · 8 min read

Phishing, ransomware and the IT Act 2000 sit at the very centre of the Prevention of Cyber Crime syllabus, because they describe both the most common threats faced by Indian banks and the legal machinery built to fight them. Bankers today are the first line of defence against fraudsters who impersonate institutions, deploy malicious software and manipulate human trust. Understanding how these attacks work, how the Information Technology Act 2000 criminalises them, and how the Reserve Bank of India expects banks to respond is essential exam knowledge and equally essential professional skill. This article walks through each pillar in plain, exam-ready language.

Types of cyber crime in banking you must recognise

Cyber crime in the banking context is any offence where a computer, network or digital channel is the tool, the target, or both. For IIBF candidates it helps to group the major categories so they are easy to recall under exam pressure.

  • Data and identity theft: stealing card numbers, login credentials, Aadhaar or KYC data to impersonate a customer.
  • Unauthorised access and hacking: breaking into core banking systems, ATMs or payment switches.
  • Financial fraud: account takeover, mule accounts, UPI fraud, and fraudulent fund transfers.
  • Malware-based attacks: trojans, keyloggers and ransomware that compromise systems.
  • Social engineering: tricking people rather than machines, covered in detail below.

What makes banking cyber crime distinctive is the direct monetary loss and the regulatory exposure that follows. A single compromised endpoint can cascade into thousands of fraudulent transactions within minutes. That is why prevention is layered: technology controls, staff awareness, customer education and legal deterrence all work together. Candidates should be able to map any given fraud scenario to one of these categories and then identify the relevant control. You can test this skill on our practice mock tests, which mirror the scenario-based style examiners increasingly favour.

Categories of cyber crime affecting Indian banks, including phishing, malware and financial fraud

Phishing, vishing, smishing and social engineering

The largest single channel of customer-facing fraud is social engineering, where the attacker manipulates a human being into revealing secrets or authorising a transaction. The exam expects you to distinguish the variants precisely.

  • Phishing: fraudulent emails or fake websites that imitate a bank to harvest passwords, OTPs and card details.
  • Vishing: voice phishing over the telephone, where the caller poses as a bank officer or KYC agent.
  • Smishing: SMS-based phishing carrying malicious links or fake reward and account-block alerts.
  • Pharming: redirecting a genuine web address to a counterfeit site through DNS tampering.

All of these exploit urgency and authority. A message warns that an account will be frozen, a refund is pending, or a reward will lapse, and the victim acts before thinking. Banks never ask for OTP, PIN, CVV or full card numbers, and reinforcing this single rule prevents the majority of retail fraud. For staff, the defences are equally human: verify before you act, never share credentials, and report suspicious contact immediately. The Reserve Bank and the Indian Cyber Crime Coordination Centre both run continuous awareness campaigns, and the national helpline 1930 lets victims report fraud within the critical golden hour. Reinforce these terms with our match game, a quick way to drill definitions before the exam.

Phishing, vishing and smishing attack channels targeting bank customers

Ransomware and the malware threat

Ransomware is malicious software that encrypts an organisation's files and demands a payment, usually in cryptocurrency, for the decryption key. For a bank the damage is twofold: operations halt because systems are locked, and sensitive data may be stolen and threatened with public release in a double-extortion model. Recovery is far more expensive than prevention.

  • Entry points: phishing attachments, compromised remote-access credentials, and unpatched software vulnerabilities.
  • Spread: lateral movement across the network once a single machine is infected.
  • Impact: service outages, regulatory penalties, reputational damage and customer distrust.

The defensive playbook is well established. Maintain offline, tested backups so systems can be restored without paying. Patch operating systems and applications promptly. Segment networks so an infection cannot spread freely. Enforce least-privilege access and multi-factor authentication. Run endpoint detection tools and an incident-response plan that is rehearsed, not merely written. RBI guidance is explicit that paying a ransom is discouraged because it funds further crime and offers no guarantee of recovery. Instead, institutions must contain the incident, preserve evidence and report it through the proper channels. Keeping pace with evolving threats is part of the job, which is why we curate the latest IIBF news and updates for candidates and practising bankers alike.

Ransomware attack lifecycle and bank defence controls, including backups and patching

The Information Technology Act 2000 and key sections

The Information Technology Act 2000, amended in 2008, is India's primary cyber law. It gives legal recognition to electronic records and digital signatures and criminalises a range of cyber offences. Candidates should memorise the headline sections of the IT Act 2000 most relevant to banking fraud.

  • Section 43: penalty and compensation for unauthorised access, downloading, or introducing a virus or contaminant.
  • Section 43A: compensation where a body corporate is negligent in protecting sensitive personal data.
  • Section 66: computer-related offences such as hacking, punishable with imprisonment up to three years or a fine.
  • Section 66C: identity theft, including fraudulent use of passwords or electronic signatures.
  • Section 66D: cheating by personation using a computer resource, the section most often applied to phishing and vishing.
  • Section 66E: violation of privacy; Section 67: publishing obscene material in electronic form.
  • Section 70: protected systems; Section 72: breach of confidentiality and privacy.

Two institutional pillars sit alongside the Act. The Indian Computer Emergency Response Team, CERT-In, is the national nodal agency for cyber incidents, and its 2022 directions require certain incidents to be reported within six hours of detection. The RBI Cyber Security Framework of 2016 mandates a board-approved cyber security policy, a Security Operations Centre, and prompt incident reporting for banks. Together with the customer-protection circular, these form the compliance backbone every banker must know. Reviewing the current policy environment alongside our RBI rates and resources page helps tie the legal theory to live regulation.

Customer protection and the limited-liability circular

Legal deterrence matters little to a defrauded customer unless their money is restored. The RBI Customer Protection circular on Limiting Liability (2017) addresses exactly this, setting out when a customer bears zero liability for an unauthorised electronic transaction.

  • Zero liability: where the fraud results from bank negligence or a system failure, or where the customer reports an unauthorised transaction within three working days.
  • Limited liability: a capped amount, depending on account type, where the customer reports within four to seven working days.
  • Shadow reversal: banks must credit the disputed amount within ten working days of notification.

The circular places a clear duty on banks to provide easy, 24x7 reporting channels and to register customer mobile numbers and email IDs for transaction alerts. The burden of proving customer liability rests on the bank, which strongly incentivises robust controls. For exam purposes, remember the reporting timelines and the principle that prompt reporting protects the customer. These customer-protection rules, the IT Act and the RBI and CERT-In frameworks form a single integrated answer to cyber crime: technology to prevent, law to deter, and regulation to remediate.

What is the difference between phishing and vishing?

Phishing uses fraudulent emails or fake websites to steal credentials, while vishing uses voice calls in which the fraudster impersonates a bank officer. Both rely on social engineering, but the channel differs: phishing is digital text and pages, vishing is the telephone.

Which IT Act 2000 section applies to phishing fraud?

Section 66D, which covers cheating by personation using a computer resource, is most commonly applied to phishing and vishing. Section 66C on identity theft is also frequently invoked where passwords or electronic signatures are misused.

Should a bank pay a ransomware demand?

No. RBI guidance discourages paying because it funds further crime and gives no guarantee that data will be restored. The correct response is to contain the incident, restore from offline backups, preserve evidence and report through CERT-In and the regulator.

When does a customer have zero liability for online fraud?

Under the RBI limited-liability circular, a customer bears zero liability when the fraud arises from bank negligence or system failure, or when the customer reports an unauthorised transaction within three working days of receiving the alert.

Conclusion and next steps

Mastering phishing, ransomware and the IT Act 2000 gives you both exam marks and the professional judgement to protect customers in the real world. The pattern is consistent: recognise the attack, apply the right control, and invoke the correct legal and regulatory provision. Keep the section numbers and reporting timelines at your fingertips, because examiners love scenario questions on the IT Act 2000 that test them. Ready to lock in this knowledge? Practise scenario-based questions on our IIBF mock tests and keep exploring more study guides on the iibf.store blog. For the authoritative framework, study the official guidance from the Reserve Bank of India and incident-reporting directions from CERT-In.
