A new Digital Threat Report by SISA, CERT-In and CSIRT-Fin warns that AI, deepfakes, session hijacking and business-logic abuse are accelerating cyber risks across the BFSI sector, exposing serious gaps between regulatory compliance and operational resilience.

SISA, CERT-In and CSIRT-Fin Flag Expanding Threats to Financial Systems

The420 Correspondent
8 Min Read

India’s banking, financial services and insurance sector is entering a more dangerous phase of cyber risk, with artificial intelligence, deepfakes, session hijacking, business-logic abuse and supply-chain compromise accelerating faster than many institutional safeguards can adapt, according to the Digital Threat Report 2025-26 prepared jointly by SISA, CERT-In and CSIRT-Fin.

The report says six of the seven cyber-threat predictions made in its previous edition have already reached full-scale realisation. It describes this as evidence that the traditional path from threat research to experimentation and widespread exploitation is collapsing, allowing emerging attack methods to produce operational and financial damage far more quickly.

Registration Begins for FutureCrime Summit 2026, India’s Largest Cybercrime Conference

Financial-sector cyber risk, it says, is no longer confined to data theft or isolated breaches. It now threatens transaction integrity, customer trust, operational continuity, third-party relationships, automated decision systems and the digital infrastructure supporting wider economic activity. Some attacks may appear as legitimate sessions, approved payments, ordinary user behaviour or valid system activity until the damage is already underway.

AI and Deepfakes Reshape Financial Fraud

The report identifies artificial intelligence and human deception as one of three structural risk clusters reshaping the payments ecosystem. It says deepfake impersonation has become industrialised, with real-time executive video fakes, adversarial large language models and rapidly changing attack variants placing pressure on conventional verification systems.

Social engineering, business email compromise, credential theft and session hijacking have also intensified. Phishing campaigns are becoming more context-aware and difficult to distinguish from genuine communication, while AI allows fraudulent content to be generated, tested and deployed at machine speed.

According to the report, cyberattacks targeting India’s BFSI sector are estimated to be 1.6 times the global average. It also cites an increase in incidents from 1.4 million in 2021 to 2.9 million in 2025.

The document says trust can no longer rest solely on what employees or customers see and hear. Financial institutions must increasingly validate behaviour, identity, device activity and transaction context rather than depend on human perception alone.

It also warns that identity attacks are moving beyond the login stage. Attackers are targeting session tokens, OAuth permissions, federated identities, service accounts, API keys and other non-human credentials. In such cases, multifactor authentication may not be technically broken. Instead, attackers gain control after authentication and use legitimate sessions to maintain access.

Compliance May Not Equal Real-World Security

A central concern raised in the report is the gap between regulatory compliance and operational resilience. It says an organisation may successfully complete an assessment and demonstrate that security controls exist, yet those same controls may fail when tested under real adversarial pressure.

The report identifies three recurring weaknesses: implementation drift, where operations move away from the original purpose of a control; scope-boundary failures, where attackers operate outside the area covered by the control; and framework evolution lag, where technology changes faster than the standards governing it.

Encryption may protect stored information but fail to safeguard data while it is being used. A virtual private network may secure a connection but not a compromised endpoint. Multifactor authentication may verify access without preventing session replay or hijacking. Cloud attestations may also fail to reveal identity drift, exposed storage or weaknesses in federated trust.

The report says financial organisations should treat compliance as a minimum baseline rather than proof of complete security. It recommends continuous validation, runtime testing, stronger secrets governance, behavioural monitoring, identity lifecycle reviews and adversarial testing after formal assessments.

It also proposes a four-layer model for understanding cyber failure. The framework groups weaknesses into design gaps, enforcement gaps, signal gaps and response gaps.

Design gaps arise when systems are built for normal use rather than hostile manipulation. Enforcement gaps occur when controls exist but fail under real conditions. Signal gaps emerge when suspicious activity is not recorded, correlated or interpreted correctly. Response gaps arise when organisations receive warnings but cannot contain the attack quickly enough.

The report says breaches involving phishing, fraudulent onboarding, cryptocurrency theft, payment manipulation and invisible malware frequently result from several of these weaknesses aligning across different systems.

Financial Institutions Urged to Build Continuous Defences

The report warns that attackers are increasingly exploiting business logic rather than simply breaking technical barriers. OTP workflows, payment limits and transaction checks may work correctly during ordinary use but fail under parallel requests, repeated submissions, manipulated sequencing or exception paths.

Similarly, authenticated users may gain access to records outside their legitimate scope when applications confuse authentication with authorisation. Such activity can appear technically valid because the attacker is using the system’s intended functions in an unintended sequence.

The document also highlights attacks that operate beyond conventional visibility. Fileless malware may execute entirely in memory, while command-and-control traffic can blend into ordinary HTTPS or content-delivery network activity. Encrypted DNS, IPv6 traffic and incomplete logging can leave organisations unable to reconstruct how an attacker entered, moved through systems or removed data.

Looking ahead, the report expects the threat landscape to be shaped by seven major shifts involving AI-driven social engineering, identity and session compromise, attacks on real-time payment logic, adversarial AI, supply-chain risk, invisible attack paths and growing exposure across critical financial infrastructure.

It recommends an 18-month implementation roadmap beginning with foundational controls, followed by continuous capability development and longer-term architectural reform. Immediate priorities include complete asset inventories, stronger identity controls, removal of exposed secrets, better patching, integrated security testing and improved visibility across cloud, application and payment environments.

The report also calls for adversarial assurance to become a permanent institutional function alongside compliance. This would include red-team exercises, adversarial business-logic testing, AI security testing and continuous attack-surface management.

Its central conclusion is that cybersecurity in the BFSI sector must become a continuous business discipline focused on preserving trust, maintaining operational continuity and enabling secure growth. Periodic assessments alone, it says, are no longer sufficient in an environment where attacks can move at machine speed and financial consequences may become irreversible before traditional detection systems can respond.

About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.

Stay Connected