Phishing in the FinTech era has transformed from isolated cyber tricks into a systemic
threat that challenges law, regulation, and consumer protection. India’s
digital payments ecosystem—led by UPI and handling nearly half of the world’s
real-time transactions—has expanded at record speed, but its legal architecture
has not kept pace. The result is a troubling paradox: while technology delivers
speed and scale, it also enables “authorised but fraudulent” transfers that
blur traditional categories of negligence, deception, and service deficiency.
Victims are left navigating fragmented remedies across criminal law, consumer
forums, and RBI circulars, often with inconsistent outcomes.

This paper examines that gap. It traces the anatomy of phishing in FinTech, reviews
India’s patchwork legal framework, and analyses how courts, regulators, and
consumer commissions currently allocate liability. A comparative study of the
EU’s PSD2, the UK’s reimbursement model, and U.S. Regulation E highlights
alternative policy choices, from prevention by design to socialised
risk-sharing. A key insight is that India’s system lacks both clarity of
liability rules and the institutional capacity to investigate frauds quickly.
Forensic bottlenecks—such as weak blockchain tracing, delays in mutual legal
assistance, and evidentiary hurdles under Section 65B of the Evidence Act—mean
that even strong liability laws will struggle without enforcement support.

The article argues for statutory recognition of authorised-but-fraudulent
transfers, default reimbursement rules, stronger authentication standards, and
a unified FinTech fraud response authority. By linking comparative lessons with
India’s forensic realities, it charts a reform path to safeguard consumers,
stabilise trust, and preserve innovation in the digital economy.
