Phishing in India: Fake Emails, Cloned Bank Sites & the Links That Steal Everything
The email looks exactly like your bank sent it. The website has a padlock. You log in — and watch your account emptied before you reach the dashboard. Phishing is the most common first step in nearly every major cyber fraud in India. Here's what it looks like, how it works, and how to spot it every single time.
What Is Phishing — and Why Is It So Effective in India?
Phishing is deception at scale. The attacker doesn't need to break into your bank's servers. They just need to trick you into handing over your credentials yourself — and then use those credentials to walk through the front door of your account.
India is the third most phished country in the world. The reasons are interconnected: a massive new internet user base, high trust in official communications, widespread use of mobile banking, and enormous volumes of personal data circulating from past breaches — all of which make convincing, personalised phishing messages easier to construct.
What makes phishing uniquely dangerous is that it doesn't require a technical vulnerability. It exploits human psychology — urgency, authority, fear, and the reasonable assumption that an email displaying your bank's logo came from your bank.
The HTTPS Padlock Myth — India's Biggest Phishing Misconception
When HTTPS and the padlock icon became widely known as signs of a "safe" website, phishing operators immediately obtained free SSL certificates for their fake domains. Today, over 83% of phishing sites use HTTPS.
8 Types of Phishing Attacks Targeting Indians
The delivery method changes — email, SMS, WhatsApp, QR code, search ads — but every phishing attack has the same goal: your credentials or your money.
Email Phishing
Mass-sent fake emails impersonating SBI, HDFC, Income Tax, Amazon, or IRCTC. A convincing clone of the official template leads you to a fake site that harvests your credentials.
Smishing (SMS Phishing)
SMS messages with urgent links — 'Your SIM will be blocked in 24 hours', 'KYC pending — click to verify', 'Package held at customs'. The link leads to a credential-harvesting page.
WhatsApp / Telegram Phishing
Fake job offers, lottery wins, or government scheme links sent via WhatsApp. Often designed to look like forwarded messages from trusted contacts whose accounts were compromised.
Website Spoofing
Pixel-perfect clones of bank portals, income tax login pages, and e-commerce checkout flows. Domains use subtle misspellings or confusable characters — sblnkng.com vs sbinking.com.
QR Code Phishing (Quishing)
Physical QR codes on posters, parking meters, ATM fascias, or restaurant menus pasted over legitimate codes — redirect to phishing sites that steal card details or UPI credentials.
Search Engine Phishing
Fraudsters pay for Google Ads targeting searches like 'SBI bank login', 'IRCTC customer care number'. The top sponsored result is a fake site or a number that connects to a scam call centre.
Spear Phishing
Highly targeted attacks using your name, role, company, and recent activity — often scraped from LinkedIn or data breaches. An attacker poses as your IT department, CEO, or a vendor.
Malicious Attachment Phishing
Emails carrying Word documents, PDFs, or APK files that install keyloggers or RATs when opened. Common pretexts: 'invoice attached', 'your statement', 'job application form enclosed'.
How a Bank Phishing Attack Unfolds — Minute by Minute
Reading this sequence once makes it nearly impossible to fall for the same attack. The deception only works if you don't see the pattern in advance.
The Lure Arrives
An email arrives from 'noreply@sbi-netbanking-alert.com'. The subject: 'URGENT: Suspicious login detected — verify your account immediately or it will be suspended in 24 hours.' The SBI logo, colours, and footer are indistinguishable from real SBI communications.
You Click the Link
The embedded 'Verify Now' button sends you to https://sbi-secure-login.netbankingverify.com — a page that looks exactly like the real SBI login screen. The address bar shows a padlock (HTTPS) which most users interpret as proof of safety.
You Enter Your Credentials
POINT OF NO RETURN: Username, password, date of birth, and account number — entered into a form that looks real but submits data directly to the attacker. Each keystroke is logged and stored in a database accessible from anywhere in the world.
The OTP Screen Appears
POINT OF NO RETURN: After submitting credentials, a convincing 'OTP verification' screen appears. Meanwhile, the attacker is already logging into the real SBI with your credentials — triggering the genuine OTP to be sent to your phone. You enter it on the fake screen.
Redirect to Real Site — You Suspect Nothing
After the OTP, the page shows 'Verification successful — redirecting…' and sends you to the real SBI website. You're now logged into your real account. Everything looks normal. The attacker, in another window, has just transferred your balance.
Discovery — Too Late
You check your balance the next morning. Multiple transfers you didn't authorise. The fake site is gone — the domain was registered 48 hours ago and hosted in a jurisdiction with no extradition. The credentials database has been sold.
"It Said 'Income Tax Refund of ₹18,340 Pending'. I Just Had to Verify My Details." — A Real Account
Deepak (name changed), a 38-year-old software engineer from Bengaluru, received an SMS that correctly referenced his name and the financial year. It informed him that a refund of ₹18,340 from the Income Tax Department was pending and could not be processed because his bank account details were 'not updated' in the IT portal.
The link in the SMS took him to a page that looked exactly like the official incometax.gov.in portal. It had the correct logo, the correct colour scheme, and a reassuring padlock in the address bar. The URL was: incometaxefilng.gov.in-refund.claim-now.net
He entered his PAN, date of birth, and net banking login details. The site then asked for his debit card number, expiry, and CVV to 'confirm the bank account' for the refund transfer. He provided them. Then an OTP arrived. He entered it on the site's 'verification' screen.
Within 11 minutes, ₹96,000 was withdrawn from his savings account across two transactions — ₹49,900 and ₹46,100 (kept below ₹50,000 to avoid certain bank alert thresholds). His net banking account password had also been changed, locking him out.
When he visited the real incometax.gov.in, he saw an official notice: "The Income Tax Department does not send refund links via SMS. Do not click on any link claiming to be from the IT Department." The notice had been there for two years. He had simply never seen it.
The URL Check That Would Have Saved ₹96,000:
The real domain was incometax.gov.in. The phishing URL was incometaxefilng.gov.in-refund.claim-now.net — a completely different domain (claim-now.net) with the official-looking text as a subdomain prefix. Read URLs from right to left, starting at the first single slash: the name and suffix sitting immediately before that slash are always the real domain.
How to Read a URL — The Single Most Valuable Anti-Phishing Skill
Every phishing site has one unavoidable weakness: it cannot use the real domain of the organisation it's impersonating. That domain is owned by the real organisation. So phishers construct look-alike URLs designed to fool you if you don't know how domain names work.
The one rule that overrides everything else: the real domain is always the segment immediately to the left of the first single slash in the URL, meaning the registered name together with its suffix (.com, .net, .co.in, .gov.in). Everything to its left is a subdomain (which anyone can set) and everything to the right is a path.
Read URLs right to left from the first `/`. The last hostname segment is your ground truth. If it doesn't exactly match the organisation's known domain, you're on a phishing site — regardless of how official everything else looks.
- sbi.co.in/login → Real domain: sbi.co.in — Legitimate SBI login
- sbi.co.in.secure-login.net/login → Real domain: secure-login.net — Phishing — real domain is secure-login.net
- login.sbi-netbanking.co/account → Real domain: sbi-netbanking.co — Phishing — not the same as sbi.co.in
- incometax.gov.in/efile → Real domain: incometax.gov.in — Legitimate Income Tax portal
- incometaxefilng.gov.in-refund.claim-now.net → Real domain: claim-now.net — Phishing — .gov.in is just a subdomain here
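The right-to-left rule above can be automated for mail filters or link checkers. The following is an added example, not code from the original page: the suffix set is a constructed subset of the Public Suffix List, the allowlist holds only the two legitimate domains named in the article, and the "lookalike" heuristic is an assumption of this sketch.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, enough for the URLs on this page.
# Real tooling should load the full list rather than this sample.
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "in", "co.in", "gov.in", "org.in"}

# Assumed allowlist: the two legitimate domains the article names.
TRUSTED_DOMAINS = {"sbi.co.in", "incometax.gov.in"}

def hostname(url):
    """Lower-cased hostname of a URL, with or without a scheme."""
    if "://" not in url:
        url = "//" + url  # make urlsplit treat bare "host/path" as a network location
    return (urlsplit(url).hostname or "").rstrip(".")

def registrable_domain(url):
    """Longest matching public suffix plus one label to its left, else None."""
    host = hostname(url)
    if not host or host in PUBLIC_SUFFIXES:
        return None
    labels = host.split(".")
    for i in range(1, len(labels)):  # longest candidate suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None

def classify(url, trusted=TRUSTED_DOMAINS):
    """Return (registrable_domain, verdict) for a URL."""
    domain = registrable_domain(url)
    if domain in trusted:
        return domain, "trusted"
    host = hostname(url)
    subdomain = host[: -len(domain)].rstrip(".") if domain else host
    # Heuristic (assumption of this example): a multi-label suffix such as
    # ".gov.in" inside the subdomain means official-looking text was prepended.
    for suffix in PUBLIC_SUFFIXES:
        if "." in suffix and "." + suffix in "." + subdomain:
            return domain, "lookalike"
    return domain, "untrusted"

if __name__ == "__main__":
    # The five URLs from the list above.
    for u in ("sbi.co.in/login", "sbi.co.in.secure-login.net/login",
              "login.sbi-netbanking.co/account", "incometax.gov.in/efile",
              "incometaxefilng.gov.in-refund.claim-now.net"):
        print(u, "->", classify(u))
```

Exact comparison against the registrable domain is what makes the check reliable; substring matching on the organisation's name would accept every phishing URL in the list.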
QR Code Phishing (Quishing) — The Scam Indians Don't See Coming
QR codes are now everywhere in India — on restaurant menus, at petrol pumps, on municipal utility bills, at temples, and at parking meters. The vast majority are legitimate. But QR code fraud is growing rapidly because it bypasses the one habit many people have formed: not clicking suspicious links.
Physical sticker QR codes can be pasted over legitimate ones in seconds. A fraudulent code pasted over a restaurant's menu QR or a parking payment point will lead to a fake payment processor that either captures your UPI credentials or initiates a payment to a fraudster's account.
Email and WhatsApp QR phishing bypasses many secure email gateways that scan for suspicious links — because the link is encoded inside an image, invisible to text-based scanners.
How to Stay Safe Around QR Codes
- Before scanning, check whether the QR sticker is on top of another printed QR — visible peeling edges are a red flag
- After scanning, read the full URL before tapping 'Open' — apply the same domain verification rules
- QR codes for UPI payments should only go to official payment apps — not browser-based payment pages
- Never scan a QR code sent via email, WhatsApp, or SMS claiming to be from a bank, TRAI, or government
- Use a QR scanner app that shows you the URL before opening it, rather than auto-opening
- If a QR code redirects you to enter a password or OTP, close immediately — legitimate QR payments never require these
10 Red Flags of a Phishing Email or Message
Any single one should stop you before you click.
- Sender email domain is slightly wrong — sbi@sbi-alert.co, hdfc@hdfcbankalert.net, incometax@it-refund.in
- Extreme urgency — 'Your account will be blocked in 24/48 hours unless you act immediately'
- Link destination doesn't match the sender's claimed organisation when you hover before clicking
- The page uses HTTP (no padlock) OR has a padlock but the domain name is wrong — HTTPS ≠ legitimate
- Request for information the organisation already has — your date of birth, full card number, or Aadhaar
- Poor grammar, odd spacing, inconsistent fonts, or slightly wrong logo colours in the email
- A government body (TRAI, IT Department, RBI) is requesting payment or personal data via email or SMS
- Email has an attachment you weren't expecting — always suspicious even from known senders
- The email was not addressed to you by name — 'Dear Customer' or 'Dear User' instead of your name
- Promised refund, cashback, or reward that requires you to 'verify' payment details to receive it
Phishing Myths vs. Reality
Myth: I can always spot a phishing email — they're full of typos and bad English.
Reality: Modern phishing emails targeting Indians are crafted in fluent, formal Hindi and English, use the exact fonts and colours of the brand they impersonate, and personalise with your name and partial account details from breach databases. The 'obvious typo' era of phishing ended years ago.
Myth: The site is safe because it has HTTPS and a padlock.
Reality: HTTPS only means the connection to that server is encrypted. It says nothing about whether the server itself belongs to a legitimate organisation. Over 83% of phishing sites now use HTTPS. The padlock is not a safety seal.
Myth: Only uneducated or elderly people fall for phishing.
Reality: CERT-In data consistently shows that IT professionals, bankers, and engineers are among the most common phishing victims in India — because they are less likely to pause and question what they assume to be routine digital communications.
Myth: I use antivirus so my device will warn me if a site is fake.
Reality: New phishing domains are registered in minutes — often faster than antivirus databases can update. A phishing site created in the last few hours will pass most real-time checks. The final defence is always your own URL verification, not software.
Fell for a Phishing Attack? Do This Immediately.
Speed is critical. A compromised password or OTP can be used within seconds.
Do not click — close the page immediately
DO FIRST: If you caught it before entering anything: close the browser tab, do not go back, and mark the email as phishing. Do not forward the message to others 'to warn them' — this spreads the link further.
Change your password immediately from a clean device
DO FIRST: If you entered credentials: change the password on the affected account right away using a different device or network. Prioritise email and banking accounts as attackers use email access to reset everything else.
Contact your bank if financial credentials were shared
Call your bank on the official number (back of card or official website only). Report the phishing and request a temporary block on net banking and card transactions. A fraud report number will be provided.
Call 1930 if a transaction has occurred
India's Cyber Crime Financial Fraud Helpline can attempt to freeze destination accounts within the first 30–60 minutes of a transfer. Have your transaction reference ready.
Report the phishing site at cybercrime.gov.in
Submit the fake URL, a screenshot of the email or message, and any transaction details. The National Cyber Crime Reporting Portal coordinates with hosting providers and domain registrars for takedowns.
Enable two-factor authentication on all accounts
After recovering access, enable 2FA on your banking apps, email, and social accounts. Even if a future phishing attempt steals your password, 2FA prevents login without the second factor.
Report Phishing — Official Channels
Use these to report phishing attempts and recover from attacks
- National Cyber Crime Portal (cybercrime.gov.in): Report phishing URLs, fake websites, and credential theft with evidence
- Cyber Crime Helpline (1930): Call immediately if money was transferred — account freeze window is 30–60 minutes
- CERT-In Incident Reporting (cert-in.org.in): Report phishing emails and fake websites to India's Computer Emergency Response Team
- Google Safe Browsing Report (safebrowsing.google.com/safebrowsing/report_phish): Report phishing URLs to Google — helps block the site for billions of Chrome and Android users
- Check a URL — VirusTotal (virustotal.com): Scan any suspicious URL against 70+ security engines before clicking
- Check a Website — RakshaAI (rakshaai.co/website-safety-checker): Verify any Indian website or link against RakshaAI's fraud database before you interact with it