Phishing — Meaning, Definition & Full Explanation
Phishing is a cybercrime technique in which fraudsters impersonate legitimate banks, government agencies, or trusted organizations through deceptive emails, SMS messages, or fake websites to trick users into revealing sensitive financial and personal information. Once obtained, this information is used to commit identity theft, steal money, or sell credentials to other criminals. Phishing attacks are among the most common cyber threats facing Indian banking customers and are a primary vector for unauthorized account access and fund diversion.
What is Phishing?
Phishing is a form of social engineering fraud that exploits human psychology rather than technical vulnerabilities. The term is a play on "fishing": the attacker casts a wide net of deceptive messages hoping some recipients will "bite." Unlike ransomware or other malware that silently infiltrates systems, phishing relies on victims voluntarily providing information or clicking malicious links. The fraudster creates a near-identical copy of a legitimate entity's communication or website, complete with authentic-looking logos, branding, and language. When unsuspecting users interact with these fake channels, they may enter login credentials, credit card numbers, PIN codes, Aadhaar details, or one-time passwords (OTPs). Phishing attacks often create artificial urgency, claiming account suspension, fraud alerts, or pending transactions, to bypass rational decision-making. The stolen data is then used for unauthorized fund transfers or for opening fake accounts, or is sold on the dark web. Phishing is distinct from spamming (mass unsolicited messages) because it targets specific individuals or institutions with intent to defraud.
How Phishing Works
Phishing operates through a structured sequence:
- Reconnaissance: Attackers identify high-value targets (corporate employees, bank customers, senior executives) and research their financial institutions, communication patterns, and online presence.
- Spoofing: Fraudsters create fake channels that mimic legitimate ones. Email spoofing involves forging the sender address to appear as if from a bank. SMS spoofing sends SMS from a number that looks like the bank's official shortcode. Website cloning replicates the visual design of a bank's login page.
- Message deployment: Phishing emails, SMS (smishing), or voice calls (vishing) are sent en masse or to targeted lists. The message impersonates a known entity and requests immediate action: "Verify your account," "Confirm transaction," or "Update security details."
- Credential capture: When the victim clicks the link in the email or SMS and lands on the fake website, they enter their credentials or OTP. Some phishing sites include malware download prompts disguised as security software updates.
- Data harvesting and exploitation: The fraudster captures all entered data in real time. Within minutes, the attacker may attempt to log in to the victim's actual account, perform unauthorized transactions, or sell the credentials.
Variants include:
- Spear phishing: Targeted attacks on specific high-value individuals, often using personal information from LinkedIn, social media, or public databases.
- Business Email Compromise (BEC): Impersonating a company executive to trick employees into transferring funds.
- Pharming: Redirecting users from legitimate URLs to fake sites through DNS spoofing.
Phishing in Indian Banking
The Reserve Bank of India (RBI) and the Indian banking sector treat phishing as a critical security threat. RBI's guidelines on cyber security, issued under the Payment Systems Act and the Banking Regulation Act, mandate that banks implement multi-factor authentication, real-time transaction alerts, and customer education programs to combat phishing. The RBI's 2021 Cyber Security Framework explicitly requires banks to monitor phishing campaigns targeting their customers and to report incidents to the Indian Computer Emergency Response Team (CERT-In).
Major Indian banks—State Bank of India (SBI), HDFC Bank, ICICI Bank, Axis Bank—have established dedicated fraud cells and run public awareness campaigns warning customers never to share OTPs, PINs, or login credentials via email or phone. The National Payments Corporation of India (NPCI), which operates UPI and RuPay, issues security directives to prevent phishing-enabled unauthorized UPI transfers.
A significant challenge in India is the widespread use of SMS and voice calls for phishing, particularly among users with limited digital literacy. Fraudsters often impersonate government agencies (Income Tax Department, Aadhaar enrollment centers, police) or use fake KYC update messages to harvest Aadhaar, PAN, and bank details.
The JAIIB and CAIIB exam syllabi (under the "Cyber Security and Digital Banking" modules) include phishing awareness, prevention techniques, and customer protection protocols. Candidates are expected to be able to distinguish phishing from legitimate bank communication and to know the emergency procedures to follow if a customer suspects they have been phished.
Practical Example
Priya, a salaried professional in Bangalore, receives an SMS: "URGENT: HDFC Bank blocked your account due to unusual activity. Click here to verify: hdfc-verify.in." Alarmed, she clicks the link. The website looks identical to HDFC Bank's login page. She enters her user ID, password, and OTP. Within 30 seconds, she receives a legitimate HDFC Bank SMS: "Debit Card used for ₹50,000 transfer to unknown account." Priya has fallen victim to phishing. The fraudster used the captured credentials to initiate a transfer. Priya immediately calls HDFC's real customer care number (1800-270-3333), not any number in the phishing message, and reports the fraud. HDFC blocks further transactions, initiates a chargeback, and files a complaint with CERT-In and the local cybercrime police unit. Priya's account is restored, but the lesson is clear: banks never ask for passwords or OTPs via email or SMS.
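As an added example (not part of the original article or any bank's own tooling), the Python below scores a reported SMS or email against the cues this page describes: a link to a domain the bank does not own, the bank's name embedded in a lookalike domain, artificial urgency, and a request to verify or supply credentials. The official domain list and the sample messages are constructed for the example, and hdfcbank.com is assumed here as HDFC Bank's domain.

```python
import re

# Constructed allow-list for this example; a bank's fraud cell would load its
# own published domain list. hdfcbank.com is assumed as the official domain.
OFFICIAL_DOMAINS = {"hdfcbank.com"}
BRAND_TOKENS = ("hdfc",)
URGENCY_WORDS = ("urgent", "blocked", "suspended", "immediately", "within 24 hours")
CREDENTIAL_WORDS = ("otp", "pin", "password", "cvv", "verify", "kyc")

# Bare or schemed hostnames such as hdfc-verify.in or https://x.example.com/path
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def is_official(host: str) -> bool:
    """True if host is an official domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def has_brand_lookalike(host: str) -> bool:
    """Bank name embedded in a domain the bank does not own (hdfc-verify.in)."""
    return any(tok in host.lower() for tok in BRAND_TOKENS)

def analyse_message(text: str) -> dict:
    """Score a reported message using the cues the article lists."""
    reasons, score = [], 0
    lower = text.lower()
    for host in URL_RE.findall(text):
        if is_official(host):
            continue
        reasons.append(f"link to non-official domain {host}")
        score += 2
        if has_brand_lookalike(host):
            reasons.append(f"bank name used in lookalike domain {host}")
            score += 1
    hits = [w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", lower)]
    if hits:
        reasons.append("artificial urgency: " + ", ".join(hits))
        score += 1
    asks = [w for w in CREDENTIAL_WORDS if re.search(rf"\b{w}\b", lower)]
    if asks:
        reasons.append("asks for credentials/verification: " + ", ".join(asks))
        score += 1
    return {"score": score, "suspicious": score >= 2, "reasons": reasons}

# Constructed sample messages (the first is the SMS from the Practical Example).
PHISHING_SMS = ("URGENT: HDFC Bank blocked your account due to unusual activity. "
                "Click here to verify: hdfc-verify.in.")
GENUINE_ALERT = "Debit Card used for Rs 50,000 transfer to unknown account."
```

Calling analyse_message(PHISHING_SMS) flags the lookalike link, urgency and the "verify" request, while the genuine debit alert scores zero; the domain extraction is deliberately naive and should be replaced by a public-suffix-aware parser in real triage.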
Phishing vs Smishing
| Attribute | Phishing | Smishing |
|---|---|---|
| Medium | Email or website link | SMS (text message) |
| Target device | Computer (primarily) | Mobile phone |
| Ease of detection | Higher—email headers can be verified | Lower—SMS appears to come from a shortcode |
| Common in India | Moderate; declining with email security | Very high; exploits poor SMS literacy |
When each occurs: Phishing dominates corporate espionage and large-scale retail fraud targeting desktop users. Smishing is the primary vector for Indian mobile banking fraud because SMS is more trusted than email and harder to verify. Both use similar social engineering tactics but smishing poses a greater immediate risk in India's mobile-first banking landscape.
Key Takeaways
- Phishing is a social engineering attack in which fraudsters impersonate legitimate entities to trick users into revealing sensitive financial and personal information.
- The three main phishing channels are email (phishing), SMS (smishing), and voice calls (vishing); phishing attacks work by creating fake websites or messages that mirror legitimate ones.
- RBI mandates that all Indian banks implement multi-factor authentication, customer education, and real-time fraud monitoring to prevent phishing.
- Phishing attacks in India frequently target Aadhaar, PAN, bank account details, and OTPs through fake government agency impersonations.
- Never share OTPs, passwords, PINs, or security codes via email, SMS, or phone—legitimate banks will never request these.
- If phished, immediately contact your bank on its official verified phone number (from your bank statement or the bank's website), not any number provided by the phishing message.
- Victims of phishing have legal recourse under the Information Technology Act, 2000 and can file complaints with CERT-In or local cybercrime cells.
- JAIIB and CAIIB exam candidates must understand phishing prevention, detection, and customer protection protocols as part of digital banking security modules.
Frequently Asked Questions
Q: How do I know if an email from my bank is genuine or phishing?
A: Legitimate bank emails never ask you to click links to log in, confirm passwords, or enter OTPs. Always verify the sender's email address against your bank statement or official website. Look for poor spelling, generic greetings ("Dear Customer" instead of your name), and mismatched logos. When in doubt, open your bank's website directly (by typing the URL in your browser, not clicking email links) and log in to check your account, or call your bank's official customer care number.
Q: What should I do immediately if I suspect I have been phished?
A: Call your bank's official customer care number immediately—do not use any number in the phishing message. Inform them of the exact time and nature of the breach (credentials shared, OTP provided, etc.). Ask them to freeze your account, block your debit and credit cards, and monitor for unauthorized transactions. File a complaint with your local cybercrime police unit and with CERT-In at cert-in.org.in. Do not click any links