‘Digital trust’, not passwords, on target: CERT-In

CERT-In said six of the seven forward-looking predictions made in the previous edition of the report have already materialised,
Representational image.
Representational image.(Express Illustrations)
Updated on
2 min read

NEW DELHI: Threats from cyber criminals targeting financial institutions are rapidly evolving beyond conventional hacking, with attackers increasingly exploiting ‘digital trust’ rather than directly targeting passwords or transactions, according to the Indian Computer Emergency Response Team’s (CERT-In) Digital Threat Report 2025-26.

The report, a copy of which is with this newspaper, warns that cybercriminals are manipulating vulnerabilities across biometric onboarding, artificial intelligence (AI)-driven decision-making, partner applications, real-time payment systems, APIs and third-party ecosystems, creating a new threat landscape for the banking, financial services and insurance (BFSI) sector.

“Modern financial attacks are moving from direct compromise to trust-chain manipulation,” the report said, noting that threats are now embedded across identity systems, AI, payment logic and supply chains, where no single institution has complete visibility over emerging risks.

CERT-In said six of the seven forward-looking predictions made in the previous edition of the report have already materialised,stressing on the pace at which cyber threats are evolving and outstripping traditional institutional security controls.

Among the most significant developments, deepfake-enabled fraud has become “industrialized”, with attackers deploying real-time executive video deepfakes, adversarial large language models (LLMs) and polymorphic attack variants to evade detection. Social engineering and Business Email Compromise (BEC) campaigns have also intensified, while credential theft and session hijacking have emerged as the primary methods for gaining initial access to systems.

The report said cyber attacks are no longer manually orchestrated but are increasingly generated, refined and executed at machine speed. “Phishing campaigns have also become highly personalised and context-aware, making them almost indistinguishable from legitimate communications and leaving the BFSI sector the most targeted industry,” it said.

To counter these threats, CERT-In has recommended that financial institutions adopt active liveness detection as a standard feature for digital onboarding and implement continuous session assurance through behavioural biometrics, device posture monitoring and token binding for high-privilege sessions.

It also called for expanding identity governance beyond human users to include service accounts, machine identities and agentic AI, while enabling cross-database identity verification for high-assurance account openings wherever legally permissible.

According to the report, the challenge extends beyond the growing volume of cyberattacks to a more fundamental shift in how digital trust is exploited. It said financial institutions can no longer rely on simply adding new security tools

to existing frameworks, but must transition from static controls to continuous assurance, isolated defences to ecosystem-wide trust, and a prevention-focused approach to operational resilience.

X
The New Indian Express
www.newindianexpress.com