The existence of technology has triggered various violations and crimes against personal data, which ultimately lead to acts of fraud and pornography. The concept of protection is intended to provide restrictions for each individual when sharing or exchanging their personal data. The protection of personal data is still partial and sectoral, so it cannot provide optimal protection. Phishing is a form of online fraud that is carried out by tricking victims into clicking on fake links that have the potential to reveal personal information and data, such as usernames, passwords, card details, and so on. The objectives of this research are: (1) to analyze the regulations regarding phishing crime modes in Indonesia; and (2) to analyze the forms of legal protection for bank customers who are victims of phishing crimes. This research uses a normative- empirical type of research. So far, regulations regarding phishing crime modes have been implemented through various regulations, such as Consumer Protection Law and Electronic Information and Transaction Law, but these laws cannot clearly describe the concept of phishing. Policies regarding personal data protection have just undergone a harmonization process through PDP Law. PDP Law exists as a legal umbrella for managing data processing and protecting personal data. Along with the development of phishing crimes, legal protection is really necessary to guarantee legal certainty for each individual. This legal protection is enforced through preventive and repressive efforts. Preventive protection is carried out by the OJK and Kominfo through outreach and education, which includes coaching, supervision, and complaint services. Banks also carry out preventive efforts through outreach and education activities regarding transaction security. Currently, the crime of phishing can be threatened with Article 65 and Article 67 of the PDP Law as a form of enforcement of repressive efforts.