‘Digital trust’, not passwords, on target: CERT-In
NEW DELHI: Threats from cyber criminals targeting financial institutions are rapidly evolving beyond conventional hacking, with attackers increasingly exploiting ‘digital trust’ rather than directly targeting passwords or transactions, according to the Indian Computer Emergency Response Team’s (CERT-In) Digital Threat Report 2025-26.
The report, a copy of which is with this newspaper, warns that cybercriminals are manipulating vulnerabilities across biometric onboarding, artificial intelligence (AI)-driven decision-making, partner applications, real-time payment systems, APIs and third-party ecosystems, creating a new threat landscape for the banking, financial services and insurance (BFSI) sector.
“Modern financial attacks are moving from direct compromise to trust-chain manipulation,” the report said, noting that threats are now embedded across identity systems, AI, payment logic and supply chains, where no single institution has complete visibility over emerging risks.
CERT-In said six of the seven forward-looking predictions made in the previous edition of the report have already materialised,stressing on the pace at which cyber threats are evolving and outstripping traditional institutional security controls.
Among the most significant developments, deepfake-enabled fraud has become “industrialized”, with attackers deploying real-time executive video deepfakes, adversarial large language models (LLMs) and polymorphic attack variants to evade detection. Social engineering and Business Email Compromise (BEC) campaigns have also intensified, while credential theft and session hijacking have emerged as the primary methods for gaining initial access to systems.