Phishing Vishing and Smishing Frauds: IIBF Cyber Crime Exam Guide

CYBERCRIME 22 June 2026 · 7 min read

For bankers preparing for the IIBF Prevention of Cyber Crime certification, few topics carry more practical weight than the trio of social-engineering frauds: phishing, vishing and smishing. These attacks sidestep technical controls and target human trust, which is why they are the most common entry point for financial fraud against bank customers in India. Understanding how to recognise, report and prevent phishing, vishing and smishing frauds is central to both the exam and your day-to-day duties at the counter.

This guide breaks down each fraud type, the legal framework under the IT Act 2000, the reporting timelines mandated by CERT-In, and the customer-protection rules every banker must know.

What Phishing, Vishing and Smishing Frauds Actually Are

All three are forms of social engineering — deception that manipulates a victim into surrendering credentials, OTPs or money. The difference lies only in the channel used to deliver the lure. For the IIBF Prevention of Cyber Crime exam, you must be able to distinguish them precisely.

  • Phishing uses fraudulent emails or websites that impersonate a bank, payment app or government body. Victims are tricked into clicking a link to a cloned login page that harvests usernames, passwords and card details.
  • Vishing (voice phishing) is conducted over a phone call. The fraudster poses as a bank officer, KYC team or RBI official and pressures the victim to share an OTP, CVV, PIN or to install a remote-access app like AnyDesk.
  • Smishing (SMS phishing) uses text messages containing malicious links — fake KYC-update alerts, fake reward redemptions, or fake parcel-delivery notices that lead to credential-stealing pages.

A defining trait of all three is urgency and fear: "your account will be blocked", "your card is suspended", "claim within 2 hours". Genuine banks never ask for OTPs, full card numbers, PINs or net-banking passwords through any channel. Reinforcing this single message to customers prevents the majority of frauds. You can test your grasp of these distinctions on the practice mock tests built around the cyber-crime syllabus.
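The lure traits above (urgency, a request for an OTP or PIN, a remote-access app, a link to a lookalike domain) can be turned into a simple triage rule set. The script below is an added example written for this guide, not code from the original page, from IIBF or from any bank; the "genuine" domains examplebank.in and examplebank.co.in, the confusable-character map and the scoring weights are all assumptions, and the four sample messages are constructed. It shows two checks the text only names: spotting a cloned-domain link (digit-for-letter swaps, a different TLD, or the bank's name hidden as a subdomain of an unrelated site) and flagging the credential and remote-access asks that a genuine bank never makes.

```python
"""Heuristic triage for suspected phishing / smishing messages (added example).

Assumptions: LEGIT_DOMAINS is a hypothetical bank allow-list, the weights are
illustrative, and SAMPLE_MESSAGES are constructed, not real customer traffic.
"""
import re
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"examplebank.in", "examplebank.co.in"}          # assumed allow-list
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy"}

URGENCY = re.compile(r"\b(blocked|suspended|immediately|urgent|last chance|expires?|"
                     r"within \d+ ?(?:hours?|hrs|minutes?|mins?))\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(otp|cvv|pin|mpin|password|passcode|card number)\b", re.I)
REMOTE_ACCESS = re.compile(r"\b(anydesk|teamviewer|quick ?support|screen ?share)\b", re.I)
URL = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)

# Digit/symbol swaps commonly used to build lookalike domains (assumed map).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def registered_domain(host: str) -> str:
    """Crude eTLD+1: keep three labels for co.in-style suffixes, else the last two."""
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "net", "org", "gov", "ac"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance, used to catch near-miss spellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str) -> bool:
    """True when host is NOT an allow-listed domain but imitates one."""
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return False
    sub_labels = host.lower().split(".")[: -len(reg.split("."))]   # labels left of eTLD+1
    name = reg.split(".")[0].translate(CONFUSABLES)                  # fold examp1e -> example
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if brand in sub_labels:              # examplebank.in.kyc-update.xyz
            return True
        if levenshtein(name, brand) <= 2:    # examp1ebank.in, examplebank.com, exarnplebank.in
            return True
    return False


def classify_link(url: str) -> tuple[str, str]:
    """Return (kind, host) where kind is legit | shortener | lookalike | unknown."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit", host
    if reg in SHORTENERS:
        return "shortener", host
    if is_lookalike(host):
        return "lookalike", host
    return "unknown", host


def triage(message: str) -> dict:
    """Score one message; weights are illustrative, not a calibrated model."""
    score, reasons = 0, []
    if URGENCY.search(message):
        score += 2; reasons.append("urgency/fear wording")
    if CREDENTIAL_ASK.search(message):
        score += 3; reasons.append("asks for OTP/PIN/CVV/password")
    if REMOTE_ACCESS.search(message):
        score += 3; reasons.append("pushes a remote-access app")
    for url in URL.findall(message):
        kind, host = classify_link(url)
        if kind == "lookalike":
            score += 4; reasons.append(f"lookalike domain {host}")
        elif kind == "shortener":
            score += 2; reasons.append(f"shortened link {host}")
        elif kind == "unknown":
            score += 1; reasons.append(f"unknown domain {host}")
    verdict = "block" if score >= 5 else "review" if score >= 2 else "allow"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real SMS traffic).
SAMPLE_MESSAGES = [
    "Dear customer your ExampleBank account will be blocked today. Update KYC within 2 hours at http://examp1ebank.in/kyc",
    "ExampleBank: Rs 4,500 debited from a/c XX1234 on 21-06. Not you? Call the number on your card. www.examplebank.in/alerts",
    "Your parcel could not be delivered. Reschedule: https://bit.ly/3xyzABC",
    "This is the ExampleBank KYC team. Share the OTP and install AnyDesk so we can verify your card.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(triage(msg), "<-", msg[:60])
```

The genuine alert (second message) scores 0 because its link resolves to an allow-listed registered domain and it asks for nothing; the KYC lure scores 6 on urgency plus a digit-swapped domain, and the vishing script scores 6 on the OTP and AnyDesk asks alone, with no link at all. A shortened link on its own only reaches "review", which is the right call for a triage queue: it needs expansion before a verdict.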

Comparison of phishing, vishing and smishing cyber fraud attack channels

The Legal Framework: IT Act 2000 and the IPC/BNS

Phishing, vishing and smishing frauds are prosecuted under a combination of the Information Technology Act, 2000 and the general penal code. Knowing the specific sections is frequently tested in the certification.

  • Section 66 (IT Act) — computer-related offences: any act referred to in Section 43 done dishonestly or fraudulently, punishable with imprisonment up to 3 years, or a fine up to Rs 5 lakh, or both.
  • Section 66C — identity theft: the fraudulent or dishonest use of another person's electronic signature, password or other unique identification feature, punishable with imprisonment up to 3 years and a fine up to Rs 1 lakh. This squarely covers credential theft via phishing.
  • Section 66D — cheating by personation using a computer resource or communication device. This is the principal section for vishing and phishing where the fraudster impersonates a bank, punishable with imprisonment up to 3 years and a fine up to Rs 1 lakh.
  • Section 43 — civil liability: compensation for unauthorised access, downloading, introducing contaminants or damaging a computer system, without the need to prove criminal intent.

Alongside the IT Act, cheating and forgery provisions of the Bharatiya Nyaya Sanhita (which has replaced the Indian Penal Code) apply to the underlying fraud. The IT Act, 2000 was substantially amended in 2008 to introduce Sections 66C and 66D, a detail worth remembering. For deeper coverage of cyber law within the banking syllabus, the structured material in the CAIIB course pairs well with dedicated cyber-crime study.

CERT-In Directions and the 6-Hour Reporting Rule

The Indian Computer Emergency Response Team (CERT-In), constituted under Section 70B of the IT Act, is the national nodal agency for cyber-security incidents. Its April 2022 Directions remain the operative compliance baseline for banks and intermediaries as of 2026.

  • 6-hour reporting: Any cyber incident — including phishing campaigns targeting a bank's customers, data breaches and unauthorised access — must be reported to CERT-In within 6 hours of being noticed. This tight window is one of the most heavily examined facts in the syllabus.
  • Log retention: Service providers and intermediaries must enable and securely maintain system logs for a rolling period of 180 days within Indian jurisdiction.
  • Clock synchronisation: All ICT systems must synchronise clocks to the NTP servers of NIC or NPL (or traceable equivalents), so incident timelines are consistent.
  • KYC by intermediaries: Data centres, VPS, cloud and VPN providers must maintain validated subscriber records.

For banks, these directions operate on top of RBI's own cyber-security framework and incident-reporting expectations. A phishing site spoofing a bank's domain is therefore not just a customer problem — it triggers a mandatory regulatory clock. Candidates should memorise the 6-hour CERT-In window and the 180-day log retention figure, as both appear regularly. You can reinforce these dates by drilling them in the rapid-recall match game.

Cyber fraud incident response and reporting flow to 1930 helpline and cybercrime portal

Customer Protection, Zero Liability and the 1930 Helpline

RBI's circular on "Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions" (2017) governs who bears the loss after a phishing, vishing or smishing fraud, and is critical knowledge for frontline staff.

  • Zero liability applies where the loss is due to contributory fraud, negligence or deficiency on the bank's part (whether or not the customer reports it), and where a third-party breach is involved (the deficiency lies neither with the bank nor the customer) and the customer notifies the bank within 3 working days of receiving the transaction alert.
  • Limited liability applies in the third-party-breach case where the customer reports within 4 to 7 working days: the customer bears the lower of the transaction value or a cap tiered by account type (Rs 5,000 for BSBD accounts; Rs 10,000 for other savings accounts, prepaid instruments and credit cards with a limit up to Rs 5 lakh; Rs 25,000 for current, cash-credit and overdraft accounts and credit cards with a limit above Rs 5 lakh). Beyond 7 working days, liability follows the bank's board-approved policy.
  • Customer negligence: where the loss is due to the customer's own negligence, such as sharing an OTP or PIN with a vishing caller, the customer bears the entire loss until the fraud is reported; any loss after reporting is borne by the bank.
  • Shadow reversal: the bank must credit (shadow reverse) the disputed amount within 10 working days of notification, and resolve the complaint within 90 days.

For reporting, the key channels are the National Cyber Crime Reporting Portal (cybercrime.gov.in) and the 1930 helpline, the toll-free number that feeds the Citizen Financial Cyber Fraud Reporting and Management System. Reporting on 1930 within the "golden hour" allows transaction interdiction, helping freeze funds before they are withdrawn or layered. Bankers should counsel customers to call 1930 immediately, file on the portal, and inform the branch the same day. Keeping current with related circulars via the IIBF news updates and tracking policy benchmarks on the RBI rates reference page helps you stay exam-ready and compliant.

For authoritative guidance, refer to the official resources of the Reserve Bank of India and the Indian Institute of Banking & Finance.

Frequently Asked Questions

What is the difference between phishing, vishing and smishing?

All three are social-engineering frauds that differ only by channel. Phishing uses fraudulent emails or cloned websites, vishing uses phone calls where the fraudster impersonates a bank or RBI official, and smishing uses SMS text messages with malicious links. Each aims to steal credentials, OTPs, card details or money from the victim.

Which IT Act section covers cheating by impersonation in vishing?

Section 66D of the Information Technology Act, 2000 covers cheating by personation using a computer resource, the principal provision for vishing and phishing. It carries imprisonment up to three years and a fine up to Rs 1 lakh. Section 66C, covering identity theft, also applies where passwords or credentials are stolen.

What is the CERT-In reporting timeline for cyber incidents?

Under the CERT-In April 2022 Directions, organisations must report covered cyber incidents — including phishing attacks, data breaches and unauthorised access — within 6 hours of noticing them. They must also retain system logs for 180 days within India and synchronise system clocks to NIC or NPL NTP servers.

How quickly must a customer report a fraud for zero liability?

Under RBI's 2017 limited-liability framework, a customer enjoys zero liability when the loss results from bank negligence or deficiency (regardless of when it is reported), or from a third-party breach that the customer reports within 3 working days of the transaction alert. Reporting a third-party breach within 4 to 7 working days attracts limited, capped liability; losses caused by the customer sharing an OTP or PIN fall on the customer until reported. Customers should also call the 1930 helpline immediately.

Conclusion: Master Cyber Crime Prevention and Pass with Confidence

Phishing, vishing and smishing frauds sit at the intersection of human psychology, banking operations and cyber law — which is exactly why they dominate the IIBF Prevention of Cyber Crime certification. Lock down the IT Act sections (66C, 66D), the CERT-In 6-hour rule, the 180-day log retention, and the RBI zero-liability and 1930-helpline timelines, and you will handle most exam questions and real customer incidents with ease. Ready to test yourself? Attempt a full-length cyber-crime mock test now, and browse more exam guides on the iibf.store blog.

Ready to put this into practice?

Take a free mock test, download chapter PDFs, or watch a video class — all included on iibf.store.