When Your Face Becomes a Weapon: Deepfake Fraud and India's Regulatory Unpreparedness
Editor-in-Chief of indiacommentary.com. Current Affairs analyst and political commentator. Author of Cyber Scams in India, Digital Arrest, The Money Trap and The Human Hack
View all posts by this Author
By Sunil Garodia
First publised on 2026-06-19 13:35:26
About the Author
Editor-in-Chief of indiacommentary.com. Current Affairs analyst and political commentator. Author of Cyber Scams in India, Digital Arrest, The Money Trap and The Human Hack
View all posts by this Author
A cybersecurity company recently issued a warning that deepfake-enabled fraud is surging in India's financial sector. The warning deserves attention - not because it comes from Seqrite, which is the enterprise arm of Quick Heal Technologies and has its own products to sell, but because the underlying data, corroborated by independent sources, points to a threat that India's regulatory architecture is dangerously unprepared for.
Between October 2024 and September 2025, Seqrite recorded over 265 million threat detections across more than 8 million endpoints, roughly 500 every minute. These are not merely technical events in a log file. Each detection represents a probing of some institution's or individual's digital perimeter. The sheer velocity of attack attempts tells us something that regulatory circulars and industry seminars consistently fail to convey: the adversary does not keep business hours.
The distinguishing feature of the current wave is the weaponisation of identity itself. Attackers can now mimic executives, relationship managers, or customers with high accuracy, enabling fraudulent authorisations, account takeovers, and real-time payment manipulation. These attacks are particularly effective where speed of transaction outweighs verification depth. That last phrase is the operative one. India's entire digital payments architecture, the UPI ecosystem that processes hundreds of millions of transactions daily, is built around frictionlessness. The speed that makes UPI a policy triumph is the same speed that makes it a fraud enabler.
The real-world cases are no longer hypothetical. In Bengaluru in 2025, a 54-year-old woman lost over Rs 33 lakh after trusting a deepfake video of Union Finance Minister Nirmala Sitharaman that appeared to endorse a fake trading platform. Fraudsters created a polished website and assigned her a fictitious financial manager, using the deepfake's credibility to sustain the deception over months. Another Bengaluru resident, aged 79, reportedly lost nearly Rs 35 lakh through a similar deepfake-assisted investment scam. These are not one-click scams. They are prolonged confidence tricks, now strengthened by AI tools.
The demographic pattern is alarming. A 2025 analysis found that 47 percent of Indian adults had either been victims of, or knew someone who had been a victim of, an AI voice-cloning or deepfake scam, nearly double the global average of 25 percent. Of Indian victims of AI voice scams, 83 percent suffered monetary loss, with almost half losing over Rs 50,000. India is not merely keeping pace with global deepfake fraud trends. It is running ahead of them.
Against this backdrop, the regulatory response has been belated and, in critical respects, inadequate. The Supreme Court, hearing a suo motu case on digital arrest scams, described such frauds as "robbery or dacoity" and observed that losses to Indians from online fraud between April 2021 and November 2025 exceeded Rs 52,000 crore, larger than the annual budgets of some smaller states. This is a staggering figure, and it represents only reported losses. The court's rebuke of banks is equally pointed: institutions that are "trustees of public money" have been operating in a manner that makes them, as the bench put it, "platforms through which there is a swift and seamless transmission of stolen proceeds of crime."
The RBI has proposed a compensation scheme under which victims of small-value digital frauds may receive up to Rs 25,000, a one-time relief covering up to 85 percent of the amount lost, with banks contributing 15 percent and customers absorbing 15 percent themselves. This is welcome in principle. But consider the arithmetic: a victim who loses Rs 33 lakh to a deepfake scam is entitled to Rs 25,000 in relief. That is not victim compensation. It is tokenism dressed in regulatory language. The RBI's proposal does not address the liability structure of banks that failed to flag anomalous transactions, nor does it create any meaningful deterrence for institutions that prioritise throughput over verification.
On paper, India is not short of laws. Section 66D of the Information Technology Act, 2000 makes it a criminal offence to cheat by impersonation using a computer resource, punishable by up to three years in prison and a fine. Courts and cybercrime units in India regularly invoke this provision against online impersonation and fraud. But prosecution under Section 66D depends on identifying and apprehending the perpetrators, a task that international cybercrime syndicates, often operating from Myanmar, Cambodia, or Dubai, have made structurally difficult. The statute is available; its enforcement is largely fictional.
The Digital Personal Data Protection Act, 2023, is invoked frequently in industry commentary as the governing framework for breach-related compliance. Under the DPDP Act, financial institutions are expected to safeguard personal data and ensure secure processing across digital interactions. What the industry commentary elides is that the Act's enforcement apparatus, the Data Protection Board, is still not fully constituted, its rules remain in draft, and not a single penalty has been imposed under it. An Act whose implementing machinery does not exist offers compliance optics, not protection.
SEBI, for its part, has proposed principles to ensure that firms using AI for trading, advisory, or client interactions do so transparently and accountably, and has used its own tools to remove over 1.2 lakh misleading social media posts by unregistered financial influencers. This is more purposeful regulatory action than most, but it addresses the symptom, not the infrastructure that generates synthetic faces and voices in minutes and at negligible cost.
Beneath the report's recommendations lies a larger problem. India has built a high-speed, high-trust digital financial system on an identity verification layer that was designed for a pre-AI threat environment. Aadhaar-based e-KYC, video KYC under RBI norms, OTP-based authentication: all of these were conceived when the attacker had to physically show up or manually type.
None of them were built for an era in which a synthetic face can pass a liveness test, a cloned voice can answer a verification call, and a fabricated video can persuade an elderly investor that a public figure personally endorsed an investment scheme.
India's financial regulators need to move from prescribing process compliance to mandating outcome accountability. What we face is, at root, a crisis of trust and verification, and bureaucratic responses will not resolve it. Banks must be made liable when their verification systems fail, not merely encouraged to upgrade them. The DPDP enforcement machinery must be operationalised, not left in perpetual draft. And the compensation ceiling of Rs 25,000 must be re-examined in light of actual loss figures, which run routinely into lakhs.
Fraud has always evolved to exploit the gap between what institutions trust and what can be faked. That gap, in 2026, is wider than it has ever been, and getting wider by the quarter.
The lead image is AI-generated
