A few years ago, a colleague of mine had her savings account drained in under an hour. She hadn't clicked a phishing link. She hadn't responded to a suspicious email. What happened was a SIM swap: someone called her mobile carrier, convinced a customer service rep that they were her, and transferred her number to a new SIM card. With control of her phone number, they triggered password resets on her bank account. By the time she noticed her phone had lost signal, the money was gone.
She got most of it back after weeks of calls to the bank. But the experience fundamentally changed how both of us think about digital banking security, because it made clear that the weakest points in the system aren't technical. They're procedural and human.
Why Digital Banking Security Is Harder Than It Looks
Most people understand that they shouldn't click suspicious links or share passwords. The baseline hygiene advice is well-known. What's less understood is the range of attack vectors that don't require any mistake from you directly.
SIM swapping relies on a gap in your carrier's identity verification process. Synthetic identity fraud involves someone building a fake credit history using a combination of real and fabricated information, often using your actual PAN number or Aadhaar details combined with a different name. Session hijacking occurs when an attacker intercepts an authenticated browser session on a network you're using. None of these require you to do anything wrong. They exploit the systems and people you're trusting, not your behavior.
This doesn't mean personal security practices don't matter; they do. But it's worth understanding the actual threat model rather than just the simplified "don't click suspicious links" version.
The Attacks Worth Knowing About in 2026
SIM Swap Attacks: As described above, the attacker transfers your phone number to their control, then uses it to bypass SMS-based two-factor authentication. Particularly effective against bank accounts and cryptocurrency wallets. The protection: use an authenticator app (Google Authenticator, Authy) rather than SMS for your second factor whenever the option is available, and set a SIM PIN with your carrier that must be verified before any number transfer.
Credential Stuffing: When a data breach exposes username-password combinations, attackers run those credentials automatically against hundreds of other sites. If you reuse passwords, a breach on one unimportant site can compromise your bank account. The protection is boring and annoying and completely necessary: unique passwords for every account, stored in a password manager (Bitwarden is free and excellent; 1Password is good if you want to pay for it).
Vishing (Voice Phishing): An attacker calls you posing as your bank's fraud department, creates urgency ("we've detected suspicious activity"), and walks you through "security verification" steps that actually hand them access. These calls can be surprisingly convincing: they often have your name, partial account numbers, and real transaction history purchased from data brokers. The protection: hang up and call your bank back on the official number printed on your card. Never complete an inbound security verification call, no matter how urgent it sounds.
Deepfake-Assisted Fraud: Emerging in 2025-2026, AI-generated audio and video is being used to impersonate executives in corporate contexts and family members in personal scams. Increasingly sophisticated. The protection at the individual level is establishing verification protocols with family members: a code word for genuine emergencies, a policy of always calling back on a known number before taking financial action.
What Actually Protects You
The security practices that have the highest impact-to-effort ratio:
Authenticator app for 2FA: Move away from SMS-based two-factor on all financial accounts. An authenticator app generates codes that don't go through your phone carrier, making SIM swapping irrelevant for account access. Setup takes about ten minutes per account.
A password manager with unique passwords: If you're reusing passwords across sites, a single breach anywhere exposes you everywhere. A password manager eliminates this. Use it to generate a unique 16+ character random password for every account. You only need to remember one master password.
Transaction alerts: Turn on push notifications for every transaction above a threshold; I use Rs. 100. This means you see fraudulent transactions within seconds rather than discovering them on your monthly statement. Most banks in India allow this through their mobile app settings.
Regular account review: Actual eyes on your statement, briefly, every week. Fraudsters often start with small test transactions before larger ones. Catching a Rs. 200 unauthorized transaction immediately prevents the Rs. 20,000 one.
Credit monitoring: For Indian users, check your CIBIL report periodically; you're entitled to one free report per year, and some credit monitoring services offer alerts for new credit inquiries. A new credit inquiry you didn't authorize is an early signal that someone may be trying to open accounts in your name.
The SIM PIN Most People Don't Know About
Your mobile carrier almost certainly allows you to set a SIM PIN, a separate PIN that must be provided before any changes to your account, including number transfers. This directly protects against SIM swap attacks by adding a verification step at the carrier level.
The process varies by carrier: for Jio and Airtel, you can typically request this through customer care or by visiting a store. It's worth calling your carrier specifically to ask how to set up a "port protection" or "SIM lock" on your account. This single step significantly raises the difficulty of a SIM swap attack against you.
When Something Goes Wrong
If you suspect your account has been compromised, the sequence matters:
- Call your bank immediately. Use the number on the back of your card, not a number from a search result or a link. Ask them to freeze the account and initiate a fraud review.
- Change passwords on affected accounts from a device and network you haven't used recently.
- If you suspect SIM swap, contact your carrier immediately and ask them to restore your number and add a note to your account requiring in-person verification for future changes.
- File a complaint with cybercrime.gov.in. This creates an official record, which banks often require for fraud reimbursement.
Recovery is possible but slow. The people I know who've been through financial fraud describe weeks of calls, documentation, and waiting. Prevention is genuinely worth the hour of setup it takes.
The Boring Reality
The security gap for most people isn't knowledge; it's implementation. Everyone knows they should use unique passwords. Fewer people actually do. Everyone knows they should enable 2FA. Many accounts still don't have it.
The threats are real and getting more sophisticated. The protection is unglamorous: a password manager, an authenticator app, transaction alerts, and the discipline to call your bank back before acting on any urgent-sounding request.
That's the whole system. Not complicated. Just consistent.
Taresh Sharan