What are the most common phishing tactics used against Indians in 2025?

The top phishing attack vectors in India in 2025 are: WhatsApp message links impersonating banks and government schemes, fake KYC update SMS with links, UPI collect requests disguised as refunds, QR code replacement fraud at merchants, fake customer care numbers on Google Search, job offer fraud on LinkedIn and Telegram, electricity/gas bill overdue notices with fake payment links, and investment fraud on WhatsApp groups offering guaranteed high returns. CERT-In reported over 1.39 million cybersecurity incidents in India in 2023.

How do I identify a fake KYC update message from a bank or Aadhaar in India?

Legitimate banks and UIDAI never send KYC update requests via WhatsApp or SMS with a link to click. Red flags: urgency ('your account will be blocked in 24 hours'), shortened URL, asking for Aadhaar number, OTP, debit card PIN, or net banking password, sender number is a regular mobile number not a short code, message has grammatical errors. Official KYC updates are done through the bank's official app or by visiting a branch. Report such messages to 1930 (Cyber Crime Helpline).

What is social engineering and how do Indian cybercriminals use it?

Social engineering manipulates people psychologically into revealing confidential information. Indian cybercriminals use: (1) Authority — impersonating RBI, SEBI, or police officers, (2) Urgency — 'your account will be frozen', (3) Fear — 'your Aadhaar is linked to a drug trafficking case', (4) Greed — 'you have won a lottery', (5) Sympathy — fake NGO donation pages after natural disasters. Recognising these psychological triggers is the first line of defence.

How do I safely report a phishing website or scam link to Indian authorities?

Report via: (1) National Cyber Crime Reporting Portal: cybercrime.gov.in, (2) Call 1930 (24x7 National Cyber Crime Helpline), (3) CERT-In: incident@cert-in.org.in for technical reports, (4) Google Safe Browsing: safebrowsing.google.com/safebrowsing/report_phish, (5) PhishGuard's built-in Report button on any scan result page adds the URL to our India-specific phishing database. The faster these are reported, the faster they get taken down and blocked for all Indian users.

What is the difference between phishing, vishing, smishing, and quishing?

These are all social engineering attacks through different channels: Phishing uses email, Vishing uses voice calls (fake bank/police calls), Smishing uses SMS text messages, Quishing uses QR codes. India has seen a massive surge in all four: vishing via TRAI/CBI impersonation calls, smishing via fake IRCTC refund and PM Kisan SMS, and quishing at merchants and Diwali gift campaigns. PhishGuard's URL scanner covers phishing and quishing links across all these channels.

How do I teach elderly parents or grandparents to avoid phishing scams in India?

Key lessons for seniors: (1) Banks and government NEVER ask for OTP, PIN, or Aadhaar number by phone or WhatsApp, (2) Receiving money does NOT require entering your PIN, (3) Any message saying 'your account is blocked' needs verification by calling the bank's number printed on your card — not the number in the message, (4) Install PhishGuard as a bookmark and teach them to paste any suspicious link before clicking. NPCI's 'Dekho Sochna Phir Karo' campaign has useful offline materials in regional languages.

What are the biggest phishing red flags to watch for in India?

Universal red flags: urgency and threats ('act now or account blocked'), requests for OTP, PIN, CVV, or Aadhaar number, promises of cashback, lottery winnings, or government scheme benefits, links that do not match the official domain (e.g. 'sbi.net' instead of 'sbi.co.in'), QR codes in unexpected locations, caller IDs from regular mobile numbers for 'bank customer care', and job offers requiring upfront fees. When in doubt, verify using PhishGuard or call the organisation's official number.

How does PhishGuard help protect Indian senior citizens from digital fraud?

PhishGuard is designed for everyone regardless of technical knowledge. The scan result uses a simple traffic-light system: Green (Safe), Amber (Suspicious), Red (Phishing). The one-click interface requires only pasting a URL. The awareness section explains common Indian scam patterns in plain language. PhishGuard works on any phone browser — no app installation needed. Sharing the website with elderly family members and bookmarking it is one of the simplest protective measures you can take for your family's digital safety.

What is the difference between a secure website and a safe website?

A secure website uses HTTPS encryption (padlock icon) — this ONLY means the connection between your browser and the server is encrypted. It does NOT mean the website is legitimate or safe. Over 80% of phishing sites now use HTTPS. A safe website is one you have verified is operated by a legitimate, trustworthy organisation with a real domain history, valid identity-verified SSL, and no history of malicious activity. PhishGuard checks both technical security AND legitimacy to give you a true safety verdict.

How can I stay updated on new phishing scams targeting Indians?

Follow: (1) PhishGuard Blog for India-specific phishing alerts updated regularly, (2) CERT-In advisories at cert-in.org.in, (3) RBI's consumer awareness page at rbi.org.in/Scripts/bs_viewcontent.aspx, (4) NPCI's fraud awareness resources, (5) Cyber Dost on Twitter/X (@CyberDost) — MHA India's official cybercrime awareness handle, (6) Press Information Bureau (PIB) fact-checks for government impersonation scams. PhishGuard's blog covers active campaigns with scan report links so you can test URLs mentioned in news alerts.

Phishing Awareness Guide India — How to Spot & Avoid Online Scams

What is Phishing?

Phishing is a cyberattack where criminals impersonate trusted organisations — your bank, government, or delivery company — to steal your login credentials, OTPs, card numbers, or Aadhaar details. In India, phishing is the #1 vector for UPI fraud, bank account takeovers, and identity theft.

Unlike traditional hacking, phishing doesn't break your passwords — it tricks you into handing them over voluntarily, believing you're on a legitimate site.

Types of Phishing Attacks

Six attack patterns that Indian users face most frequently.

Email Phishing

Mass emails impersonating SBI, HDFC, IRCTC, or PayTM. Urgent subject lines like "Your account will be suspended." Links go to fake login pages.

Spear Phishing

Targeted attacks using your name, employer, or account details to appear legitimate. Common against company employees and executives.

Smishing (SMS)

"Your KYC is pending — update within 24 hours." or "Your parcel is held." SMS with short links redirecting to fake banking portals.

Vishing (Voice)

Callers posing as bank officials, TRAI, or CBI agents. They create urgency ("your SIM will be blocked") and extract OTPs verbally.

QRishing

Fake QR codes placed on payment points or sent via WhatsApp claiming to be UPI refunds, cashback, or lottery prizes. Redirect to phishing pages.

Clone Phishing

A legitimate email you received is duplicated with a malicious link replacing the original. Appears to come from the same sender you already trust.

8 Red Flags to Spot Immediately

Domain mismatch: sbi-netbanking-alert.com instead of onlinesbi.sbi. The real brand name is buried or misspelled.

Urgent language: "Your account will be blocked in 2 hours." Legitimate banks never create this kind of artificial urgency.

Brand-new domain: Sites registered less than 30 days ago are extremely high risk. PhishGuard flags these automatically.

HTTP (no padlock): Any banking or payment page without HTTPS is immediately suspicious — never enter credentials.

Asks for OTP by phone/chat: No legitimate bank, PhonePe, or Paytm representative will ever ask you for your OTP.

Shortened URLs: bit.ly, tinyurl links hide the real destination. Always expand and verify before clicking.

Generic greeting: "Dear Customer" instead of your name suggests mass-sent phishing email.

Unexpected attachment: PDF or ZIP files in unsolicited emails — especially from "banks" or "courier services" — often contain malware.

Common Scams in India (2026)

UPI/PhonePe/Google Pay Scams

Fake payment requests disguised as "collect" (you pay, not receive). Fake cashback QR codes. Always verify who is requesting money.

KYC Update Fraud

SMS/WhatsApp claiming your Aadhaar-linked SIM or bank account KYC is expired. Link leads to fake UIDAI or bank portal harvesting PAN and Aadhaar.

Parcel Delivery Scams

Fake India Post or FedEx SMS claiming your parcel is held — pay a small fee to release. The payment page captures card details.

Job Offer Scams

WhatsApp messages offering part-time work (₹3000/day for liking YouTube videos). Victims pay registration fees and then lose access.

PM Kisan / Government Scheme Fraud

Fake government portals for PM-KISAN, PMAY, MNREGA claiming your linked account needs verification. Harvests bank account details.

Safety Best Practices

Scan before you click

Paste any suspicious link into PhishGuard before opening. Takes 3 seconds and could save your account.

Enable 2FA on every account

Even if a hacker has your password, 2FA stops them from logging in. Use Google Authenticator or SMS 2FA on all banking apps.

Never share OTP — ever

No bank, TRAI, CBI, or government official will ever call and ask for your OTP, PIN, or CVV. Hang up immediately.

Check the full URL before logging in

Hover over links (desktop) or long-press (mobile) to see the actual URL. onlinesbi.sbi ≠ sbi-onlinebanking.com.

Report to Cyber Crime

Call 1930 (National Cyber Crime Helpline) or file at cybercrime.gov.in. Report phishing emails to report@phishing.gov.in.

Don't get trapped.
Know the signs.

What is Phishing?

Types of Phishing Attacks

Email Phishing

Spear Phishing

Smishing (SMS)

Vishing (Voice)

QRishing

Clone Phishing

8 Red Flags to Spot Immediately

Common Scams in India (2026)

UPI/PhonePe/Google Pay Scams

KYC Update Fraud

Parcel Delivery Scams

Job Offer Scams

PM Kisan / Government Scheme Fraud

Safety Best Practices

Scan any suspicious link now — free

Don't get trapped.Know the signs.

What is Phishing?

Types of Phishing Attacks

Email Phishing

Spear Phishing

Smishing (SMS)

Vishing (Voice)

QRishing

Clone Phishing

8 Red Flags to Spot Immediately

Common Scams in India (2026)

UPI/PhonePe/Google Pay Scams

KYC Update Fraud

Parcel Delivery Scams

Job Offer Scams

PM Kisan / Government Scheme Fraud

Safety Best Practices

Scan any suspicious link now — free

Don't get trapped.
Know the signs.