Akhil Bhartiya Cyber Suraksha Sangathan (Regd.)
Regd. with Registrar of Society of NCT Delhi-Regd. No-287
Cyber Criminals se Suraksha, Digital India ki Raksha
India's first cyber crime investigation NGO
Stay alert online, stay safe from cyber crime
www.abcss.org Email: info@abcss.org
AMIT MALHOTRA
(Cyber Crime Investigation Specialist)
Founder Akhil Bhartiya Cyber Suraksha Sangathan
18 years' experience in crime prevention, detection and investigation. Certified Ethical Hacker from EC-Council. Certified Cyber Crime Investigator from Asian School of Cyber Laws. Presently working in the area of cyber crime investigation.
⚠️ How Phishing Attacks Are Carried Out
- Sending fake bank / government emails with urgent account warning links
- Creating pixel-perfect clone websites of SBI, HDFC, IRCTC, Aadhaar, Income Tax
- Sending SMS with short malicious links disguised as TRAI, EPFO, RBI alerts
- Calling victims posing as bank, KYC officer, RBI or telecom official (Vishing)
- Sending WhatsApp messages with "free recharge", "prize" or "job offer" links
- Spear phishing — personalised emails using victim's name, employer and role
- Clone phishing — resending a legitimate email with the link replaced by a malicious one
- Search engine phishing — paying to rank fake bank/government websites at the top of Google
✅ How to Protect Yourself from Phishing
- Never click links in emails or SMS — always type URLs directly in the browser
- Check the full URL carefully before entering any login credentials or card details
- Verify the sender's complete email address — not just the display name
- No bank, RBI or government department ever asks for OTP, PIN or password
- Enable spam filters and phishing protection in your email client
- Use a password manager — it only autofills credentials on the exact domain they were saved for, so it will not fill them in on a fake website
- Enable 2-factor authentication on all accounts as a second line of defence
- When in doubt, call the organisation directly on their official helpline to verify
Email Phishing — Bulk Deceptive Email Attack
The most common form of phishing. Fraudsters send mass emails impersonating banks (SBI, HDFC, ICICI), e-commerce platforms (Amazon, Flipkart), government departments (Income Tax, EPFO, Aadhaar) or courier services — warning of "account suspension," "KYC expiry," "undelivered parcel" or "refund pending." The email contains a link to a cloned website where the victim enters credentials, which are instantly captured. Millions of such emails are sent daily using automated tools — even a 0.1% click rate yields thousands of victims.
Spear Phishing — Targeted Personalised Attack
Unlike mass email phishing, spear phishing targets specific individuals using personal information gathered from social media, LinkedIn, data breaches and company websites. The attacker knows the victim's name, designation, employer, colleagues' names and recent activities — crafting a highly believable email that appears to come from a known person such as the CEO, HR department or a trusted vendor. Used against corporate executives, government officials, defence personnel and high-net-worth individuals. The personalisation makes it extremely difficult to identify as fraud.
Smishing — SMS Phishing Attack
Phishing conducted via SMS text messages. Victims receive messages that appear to come from TRAI, RBI, EPFO, their bank, IRCTC or telecom operators — warning that their SIM card will be deactivated, KYC is pending, a parcel is held at customs or a refund is ready. The message includes a short URL (often using bit.ly or similar shorteners to hide the destination) that leads to a fake credential-harvesting website. Smishing is extremely effective because SMS messages feel more urgent and personal than emails.
Vishing — Voice Call Phishing Attack
Phishing conducted over telephone calls. Fraudsters call victims posing as bank customer care executives, RBI officials, TRAI representatives, Income Tax officers or courier companies — using spoofed caller IDs that show official numbers. They create urgency ("your account will be blocked in 2 hours") and extract sensitive information — account numbers, card details, OTPs and net banking credentials — through scripted conversations designed to seem completely legitimate. Vishing is highly effective against senior citizens and people with limited digital literacy.
Clone Phishing — Duplicate Email Attack
Attackers obtain a copy of a legitimate email previously sent by a bank, e-commerce platform or government service — and create an almost identical duplicate with the real links replaced by malicious ones. The fake email appears to come from the same sender address (spoofed) and references a real previous transaction, delivery or communication. Because it closely mirrors genuine communication the victim has already received, it is extraordinarily difficult to detect as fraud without examining every link carefully.
Whaling — CEO / Executive Targeted Phishing
A highly specialised form of spear phishing targeting senior executives — CEOs, CFOs, Directors and government officials — whose credentials provide access to the most sensitive data and largest financial authorisation limits. Whaling emails often impersonate legal notices, regulatory filings, board communications or critical business correspondence. A successful whaling attack can give criminals access to corporate banking systems, confidential contracts, employee data and strategic business plans — losses in single incidents regularly exceed ₹1 crore.
Pharming — DNS-Based Phishing Without Any Click
A sophisticated attack where criminals compromise the DNS (Domain Name System) settings on the victim's router or internet provider — redirecting legitimate website URLs to fake servers without any link-clicking required. The victim types the correct URL of their bank in the browser, but is silently redirected to an identical-looking fake page. Because the address bar shows the correct URL, there is no visible warning. Pharming attacks require no user action beyond simply opening a browser and navigating to a website they use every day.
Search Engine Phishing — Fake Websites on Google
Fraudsters pay for Google Ads or use SEO techniques to rank fake websites at the top of search results for queries like "SBI net banking login," "HDFC customer care number," "IRCTC login" or "Aadhaar update portal." Victims who click the top search result — believing it to be official — land on convincing fake websites that steal their credentials. This type of phishing specifically exploits users' trust in Google's ranking and their habit of clicking the first result without verifying the URL.
WhatsApp / Social Media Phishing
Fraudulent messages spread via WhatsApp, Instagram DMs, Facebook posts and Telegram — offering free recharges, job opportunities, government subsidies, prize money or investment returns. Links lead to fake data-collection pages or malware download sites. WhatsApp phishing is particularly dangerous because messages appear to come from trusted contacts whose phones have already been compromised — making victims far more likely to click than they would for an unknown email. These chains spread exponentially across contact lists.
Government / EPFO / Aadhaar / Income Tax Phishing
Phishing attacks impersonating Indian government services — Aadhaar UIDAI, EPFO, Income Tax Department, DigiLocker, TRAI, e-Shram, PM Kisan, Ayushman Bharat and passport services. Fake portals harvest Aadhaar numbers, PAN numbers, date of birth and bank details under the guise of "KYC update," "subsidy claim," "refund processing" or "account linking." Stolen government identity data is then used for financial fraud, SIM swap fraud and further identity theft across multiple platforms simultaneously.
The Spear Phishing Attack is the most dangerous and sophisticated phishing method — it cannot be defeated by simply "being careful" because it is meticulously researched and personally targeted. Unlike mass phishing, the attacker knows exactly who you are. Here is exactly how a spear phishing attack is planned and executed against a corporate target:
Step 1 — Reconnaissance & Intelligence Gathering
The attacker studies the target's LinkedIn profile, company website, social media, news articles and data breach databases — learning their name, designation, email format, colleagues' names, recent projects, vendors they work with and travel history. This research takes days or weeks.
Step 2 — Crafting the Believable Lure
Using the gathered intelligence, the attacker crafts a highly personalised email: "Hi [Name], as discussed in Tuesday's call with [colleague's name], please review the updated vendor invoice for [actual project name] and approve payment to [new account]." Every detail matches the victim's real context.
Step 3 — Email Sent with Spoofed Address
Email arrives from what appears to be the CEO's, vendor's or colleague's address — possibly a spoofed domain like "company-india.com" instead of "company.com." The email may contain a malicious attachment (PDF, Word doc with macro) or a link to a fake login portal — both designed to steal credentials or install malware.
Step 4 — Credentials Stolen / Payment Diverted
The victim clicks the link or attachment — believing it is completely legitimate. Credentials are harvested, malware is installed or a fraudulent payment is authorised. By the time the real colleague or vendor is contacted to verify, the money has already been transferred and the attacker has disappeared.
Email or SMS Link Does Not Match the Official Website Domain
The most reliable indicator of phishing is a mismatched URL. "sbi-netbanking-update.com," "hdfc-kyc-portal.in," "incometax-refund2024.net" — none of these are real. SBI's official domain is sbi.co.in, HDFC is hdfcbank.com, Income Tax is incometax.gov.in. Any variation, addition or misspelling in the domain name means the website is fake — regardless of how authentic the page looks inside.
Sender Email Uses Free Domain — Gmail, Yahoo, Outlook — Not Official Domain
Emails from "sbibank.alert@gmail.com," "rbi.official@yahoo.com" or "irctc.support@outlook.com" are definitively fraudulent. The Reserve Bank of India, State Bank of India, IRCTC and every legitimate financial institution use their own registered domains — never free public email services. A Gmail or Yahoo sender claiming to be a bank or government department is 100% phishing without exception.
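The two indicators above (a link whose registrable domain is not the official one, and a sender address on a free mail provider), together with the earlier advice to check the full sender address rather than the display name and to distrust shortened links, can be turned into a simple checker. This is an added example, not code from the organisation; the official domains are the ones quoted on the page, and the lookalike domains, provider list and public-suffix subset are constructed for illustration.

```python
from email.utils import parseaddr
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Official domains as stated on the page. A real deployment would load a vetted allow-list.
OFFICIAL_DOMAINS: Dict[str, str] = {
    "sbi": "sbi.co.in",
    "hdfc": "hdfcbank.com",
    "incometax": "incometax.gov.in",
}

# Free public mail providers named on the page (constructed, not exhaustive).
FREE_MAIL_DOMAINS: Set[str] = {"gmail.com", "yahoo.com", "outlook.com"}

# Link shorteners named on the page; a shortened link hides its true destination.
SHORTENER_HOSTS: Set[str] = {"bit.ly"}

# Two-label public suffixes used under .in (constructed subset, enough for the page's examples).
MULTI_LABEL_SUFFIXES: Set[str] = {"co.in", "gov.in", "ac.in", "org.in", "net.in"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain: 'www.sbi.co.in' -> 'sbi.co.in'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str, claimed_brand: str) -> List[str]:
    """Return phishing indicators for a link that claims to belong to claimed_brand."""
    # Accept bare 'host/path' strings as they appear in SMS text.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in link"]
    if host in SHORTENER_HOSTS:
        return [f"shortened link via {host}: real destination is hidden"]
    official = OFFICIAL_DOMAINS[claimed_brand]
    actual = registrable_domain(host)
    if actual != official:
        # Any addition, variation or misspelling of the domain means a fake site.
        return [f"domain mismatch: link is on {actual}, official domain is {official}"]
    return []


def check_sender(header_value: str, claimed_brand: str) -> List[str]:
    """Return indicators for a From: header that claims to be from claimed_brand."""
    # parseaddr separates the display name (which anyone can set) from the real address.
    display_name, address = parseaddr(header_value)
    if "@" not in address:
        return ["sender has no usable email address"]
    domain = address.rsplit("@", 1)[1].lower()
    if domain in FREE_MAIL_DOMAINS:
        return [f"sender uses free mail provider {domain}, not an institutional domain"]
    if registrable_domain(domain) != OFFICIAL_DOMAINS[claimed_brand]:
        shown = f" (display name '{display_name}')" if display_name else ""
        return [f"sender domain {domain} does not match official domain{shown}"]
    return []


if __name__ == "__main__":
    # Constructed samples modelled on the lookalike domains quoted on the page.
    print(check_link("sbi-netbanking-update.com/kyc", "sbi"))
    print(check_sender("State Bank of India <sbibank.alert@gmail.com>", "sbi"))
```

The check deliberately ignores how the page looks and asks only whether the registrable domain is the official one, which is the test the page recommends.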
Message Creates Extreme Urgency — "Act Now or Account Blocked"
Urgency is the central mechanism of phishing. By creating a tight deadline — "blocked in 2 hours," "expires today," "last warning before legal action" — attackers force victims to act quickly without verifying. Legitimate banks and government departments send multiple formal notices over days or weeks before taking any action. Any message threatening immediate consequences via a link is a phishing attack, not a genuine notice.
WhatsApp Forward Offering Government Scheme / Free Benefit with Link
Messages forwarded on WhatsApp claiming "PM Modi announces free ₹5,000 for all citizens," "Free gas cylinder scheme — apply here," "TRAI giving free recharge to all users" — with a link to "register" or "claim" — are invariably phishing attacks. The Indian government announces all schemes through official channels, Gazette notifications and the Press Information Bureau — never through WhatsApp forwarded messages with registration links.
Email Asks You to "Confirm" Personal Details — Account Number, Aadhaar, Card Number
Banks and government institutions never send emails asking you to "confirm" or "re-enter" your account number, Aadhaar number, PAN, debit card number or CVV. They already have this information. Any request to "verify your details by entering them again" is a data-harvesting phishing page — the institution has no system that requires customers to re-confirm data they already hold.
Website Looks Identical to Official Site but URL Is Different
Phishing sites invest significant effort in replicating the exact visual appearance of legitimate banking and government websites — same logo, same colours, same layout, same disclaimer text. The only giveaway is the URL. This is why checking the URL — the full domain, not just the page content — is absolutely non-negotiable before entering any credentials. A perfect-looking website means nothing if the domain is wrong.
Caller Knows Your Personal Details — Name, Account Number, Last Transaction
Fraudsters use data purchased from breaches or the dark web to open conversations with specific personal details — creating immediate trust. "We have a record of your account 12XXXX67 at our Lajpat Nagar branch" sounds legitimate. This is deliberate. Knowing your details does not make a caller genuine — it means your data was leaked. Never share an OTP or password regardless of how much detail the caller already knows.
Email / SMS Comes Immediately After a Real Transaction or Inquiry
A sophisticated phishing technique times the fake message to coincide with a real event — you receive a genuine bank transaction alert, and within minutes a phishing SMS arrives saying "suspicious activity detected on your recent transaction — verify here." The coincidence creates overwhelming believability. This timing is not a coincidence — real-time data feeds and transaction monitoring tools allow fraudsters to trigger phishing messages immediately after genuine account activity.
🚨 If You Have Fallen Victim to a Phishing Attack
- Immediately change the password of the compromised account from a different, clean and secure device
- If banking credentials were phished — call your bank's 24×7 helpline immediately and request an account freeze and card block
- Call National Cyber Helpline 1930 immediately — especially if any money has been lost or is at risk
- Change passwords of all other accounts that use the same email ID or password — phishers test stolen credentials across all major platforms
- Enable Two-Factor Authentication on all accounts immediately — this prevents access even if the password is known
- Run a full antivirus scan if you opened any attachment or downloaded any file from a phishing link
- Check your email account's "sent" folder and forwarding rules — phishers often set up auto-forwarding to intercept future emails
- File complaint at cybercrime.gov.in — provide the phishing URL, sender email/number, screenshots of messages and any transaction IDs
- Report the phishing email/website to your email provider (Report Phishing option in Gmail/Outlook) and to CERT-In at incident@cert-in.org.in
- File FIR at nearest police station or Cyber Crime Cell — provide all evidence printouts, phishing screenshots and bank statements
Government Employee Loses ₹3.4 Lakh After Clicking "KYC Expiry" Email Link
A Delhi government employee received an official-looking email purportedly from State Bank of India — warning that her net banking KYC would expire within 24 hours and her account would be frozen. The email design was identical to genuine SBI communications — same logo, disclaimer footer and font. She clicked the "Update KYC Now" link, which led to a cloned SBI YONO portal where she entered her User ID, password and the OTP that arrived on her phone. Within 8 minutes, ₹3.4 lakh was transferred across 3 transactions. When she called SBI's real helpline, she was told SBI had sent no such email. Investigation found the phishing site was hosted in Eastern Europe and had already harvested credentials from 1,200 SBI customers across India in that month alone.
CFO Approves ₹1.8 Crore Vendor Payment After Spear Phishing Email from "CEO"
The CFO of a Mumbai-based pharmaceutical company received an email that appeared to be from the company's CEO — referring specifically to an ongoing overseas drug licensing deal the CFO knew about. The email instructed him to urgently transfer ₹1.8 crore to a new overseas vendor account "before the deal closes by end of day." The CFO processed the payment without calling the CEO — as the email mentioned the CEO was in an important meeting abroad (information the attacker had found on LinkedIn). The CEO had not sent the email. Investigation revealed the attackers had monitored the company's email system for 3 weeks before crafting the perfectly timed spear phish — and had compromised the CEO's email display name but not the actual account.
Retired Banker Loses ₹78,000 to Vishing Call Posing as HDFC KYC Officer
A retired banker — ironically, someone who had spent decades in the banking sector — received a call on his landline from a person with an extremely professional demeanour claiming to be from HDFC Bank's KYC compliance team. The caller correctly referenced the branch where his account was held and his approximate account number ending. He extracted the full card number, expiry date and CVV under the guise of "card renewal for upgraded security features." An OTP arrived, which the victim shared assuming it was for the card upgrade. ₹78,000 was debited in 4 international transactions within 6 minutes. The victim's banking background made him especially shocked — he later said the call was indistinguishable from a genuine bank communication.
IT Professional's Aadhaar and Bank Details Stolen via "PM Jan Dhan Bonus" WhatsApp Link
A Bengaluru IT professional received a WhatsApp message forwarded by a family member — announcing a "PM Jan Dhan Yojana anniversary bonus of ₹3,000" with a link to "claim before March 31." Despite being an IT professional, he clicked the link — as it came from a trusted family member and referenced a real government scheme. The page asked for Aadhaar number, registered mobile, bank account number and date of birth for "verification." Within 48 hours, a SIM swap was executed using his Aadhaar details, following which ₹1.12 lakh was transferred from his account using OTPs intercepted on the new SIM. The family member's phone had itself been compromised earlier — making the forward appear legitimate. The case highlighted how multi-stage attacks use phishing as an entry point for larger financial fraud.
IT Act Section 66: Dishonestly or fraudulently creating phishing websites, sending phishing emails, operating fake banking portals or deploying credential-harvesting tools — imprisonment up to 3 years or fine up to ₹5 lakh or both. The primary criminal provision for all forms of phishing involving unauthorised access to or manipulation of computer systems and networks.
IT Act Section 66C — Identity Theft: Using credentials, passwords, OTPs, Aadhaar numbers or digital identities obtained through phishing to fraudulently access accounts, initiate transactions or assume another person's digital identity — imprisonment up to 3 years and fine up to ₹1 lakh. Directly and specifically applicable to all credential-harvesting phishing attacks and their subsequent fraudulent use.
IT Act Section 66D — Cheating by Impersonation Using Computer Resources: Creating fake websites impersonating banks, government departments and legitimate companies; sending phishing emails from spoofed addresses; conducting vishing calls using VoIP impersonation — imprisonment up to 3 years and fine up to ₹1 lakh. The most precisely applicable statutory provision for the impersonation element that defines phishing as a crime.
IT Act Section 67 — Publishing Obscene / Fraudulent Electronic Material: Transmitting phishing emails and fraudulent electronic messages designed to deceive recipients — imprisonment up to 3 years and fine up to ₹5 lakh for first conviction. Applicable to the transmission and distribution element of mass phishing campaigns sent to thousands of victims simultaneously.
BNS Section 318 — Cheating: The foundational criminal provision for phishing — deceiving a person by impersonating a trusted entity to fraudulently induce them to surrender credentials, personal data or money — imprisonment up to 7 years and fine. Covers the entire spectrum of phishing from email phishing to vishing calls to WhatsApp phishing schemes.
BNS Section 319 — Cheating by Personation: Fraudulently assuming the identity of a bank, government department, RBI, TRAI or corporate entity to deceive victims into sharing sensitive information or making payments — imprisonment up to 3 years and fine. The criminal impersonation provision most directly matching the mechanism of phishing — falsely presenting oneself as a trusted entity.
BNS Section 316 — Criminal Breach of Trust: Where insiders at banks, telecom companies or government departments provide phishing gangs with real customer data (names, phone numbers, account details) used to make vishing calls or spear phishing emails more convincing — imprisonment up to 7 years and fine. Applicable in cases where the precision of targeting suggests insider data sharing.
Digital Personal Data Protection (DPDP) Act 2023: Phishing attacks that result in the collection, storage or misuse of personal data — Aadhaar numbers, PAN, banking credentials, biometrics — without the data principal's informed consent violate this Act. Data Protection Board of India can impose penalties up to ₹250 crore against entities that facilitate or fail to prevent phishing-based data breaches. Also applicable to companies whose data breaches provide phishing gangs with targeting information.
Telecom Act 2023: Vishing calls conducted using spoofed telecom numbers, fraudulent VoIP services and unregistered bulk SMS platforms violate telecommunications licensing conditions. TRAI and the Department of Telecommunications have authority to block phishing-linked numbers, shut down fraudulent calling operations and penalise telecom service providers that fail to implement anti-spoofing protections for their customers.