10 Cybersecurity Tips Every Indian Should Know

Protect yourself online with these practical cybersecurity tips. From strong passwords to VPNs, stay safe in the digital world.

Priya Patel

One Attack Every 11 Minutes

In 2025, India recorded over 14 lakh cybersecurity incidents. Let that number settle. 14 lakh. Financial fraud cases alone accounted for losses exceeding Rs 7,000 crore. Ransomware attacks hit hospitals, manufacturing companies, and even municipal corporations. And the average Indian internet user now faces a cyberattack attempt roughly once every 11 minutes — though most get blocked by automated security systems before reaching anyone.

Those aren't abstract numbers from some faraway country. That's here. That's us.

India has over 900 million internet users in 2026, making it one of the largest connected populations on the planet. With rapid adoption of UPI payments, digital banking, e-governance portals, and online shopping, the attack surface for cybercriminals has grown enormously. CERT-In reported a sharp increase in phishing attacks, ransomware incidents, and financial fraud over the past year.

What makes India particularly vulnerable is the speed of digital adoption. Hundreds of millions of people came online for the first time during and after the pandemic, many through smartphones that serve as their primary — and often only — computing device. Many of these users haven't had years of experience spotting scams. Criminals know this. They target that gap relentlessly.

But here's the thing: most cyberattacks go after easy targets. Low-hanging fruit. By following a few practical habits, you can dramatically reduce your risk. Here are 10 cybersecurity tips tailored for Indian internet users, along with what to do if something goes wrong.


1. Use Strong, Unique Passwords for Every Account

Reusing passwords is probably the single biggest security mistake people make. Simple as that. If one service gets breached, attackers will try those same credentials on your email, bank, and social media accounts. Called credential stuffing, this technique is automated and devastatingly effective. Databases of leaked passwords are freely traded on dark web forums, and attackers use bots to test millions of username-password combinations against popular services within hours of a breach.

What to do:

  • Use a password manager like Bitwarden (free and open-source) or 1Password. A password manager generates and stores complex, unique passwords for every account, so you only need to remember one master password.
  • Generate passwords that are at least 16 characters long with a mix of letters, numbers, and symbols.
  • Never use personal information like your name, birthdate, or phone number in passwords. Attackers can easily find this from social media profiles and data broker sites.
  • Consider using passphrases instead of traditional passwords. A phrase like "mango-rickshaw-monsoon-cricket" is both easier to remember and harder to crack than a shorter, more complex password like "M@ng0#21".

How password managers work: When you visit a website, the password manager auto-fills your credentials. When you create a new account, it generates a random, strong password and saves it. Your vault is encrypted with your master password, which never leaves your device. Even if the password manager's servers were breached, attackers would only get encrypted data that's useless without your master password.


2. Enable Two-Factor Authentication (2FA) Everywhere

A password alone isn't enough. Enable two-factor authentication on every account that supports it — especially email, banking, and social media.

  • Prefer authenticator apps (Google Authenticator, Authy, or Microsoft Authenticator) over SMS-based OTPs, because SIM-swapping attacks are a real threat in India. In a SIM-swap attack, the criminal convinces your telecom provider to transfer your phone number to a new SIM card, letting them receive your OTPs.
  • For critical accounts, consider a hardware security key like YubiKey. These are physical devices, the strongest form of authentication available, and immune to phishing attacks.
  • Backup codes: When you enable 2FA, most services provide one-time backup codes. Save these securely (in your password manager, not as a screenshot on your phone). If you lose access to your authenticator app, these codes are your only way back in.

SIM-swapping deserves extra attention for Indian users specifically. Criminals use social engineering, forged documents, or even bribed telecom store employees to port your number. Once they've got your number, they can intercept OTPs sent via SMS and gain access to your bank accounts, email, and social media. Using an authenticator app instead of SMS eliminates this attack vector entirely. It seems like an easy switch for the protection it gives you.


3. Be Extremely Cautious with UPI and Digital Payments

UPI has changed how India pays for things. Massively. But it's also become a major target for scammers. In 2025, UPI fraud cases increased by over 30% compared to the previous year. Here are the common tricks:

  • Fake payment requests: Scammers send a "collect" request disguised as a refund. Remember — you never need to approve a request to receive money. If someone claims they're sending you money and asks you to approve a request, it's a scam. Every single time.
  • Screen sharing scams: Fraudsters posing as bank support ask you to install screen-sharing apps like AnyDesk or TeamViewer. Don't do it. Once they can see your screen, they can watch you enter your UPI PIN and transfer money from your account.
  • Fake customer care numbers: Always find official support numbers from the company's website or app, not from Google search results. Scammers pay for Google Ads to place fake customer care numbers at the top of search results. Sneaky.
  • QR code scams: Fraudsters share QR codes claiming you need to scan them to receive money. Scanning a QR code initiates a payment FROM your account, not TO it. Never scan a QR code to receive money.
  • Fake payment screenshots: Scammers show you a doctored screenshot of a completed payment as proof they've paid. Always verify payments in your own UPI app before handing over goods or services.

Golden rule: No bank or payment service will ever ask for your UPI PIN, OTP, or password over a call or message. Anyone who asks? Hang up. Immediately.

What to do if you fall for a UPI scam: Act within the first 30 minutes. Call your bank's customer care (the number on the back of your debit card, not from Google), request a temporary block on your account, and file a complaint on the National Cyber Crime Reporting Portal. Under RBI guidelines, if you report within 3 working days and the fraud wasn't due to your negligence, you may be eligible for a full refund.


4. Protect Your Aadhaar and PAN Data

Your Aadhaar number and PAN are sensitive identity documents. Treat them like you'd treat a password. In the wrong hands, these can be used for identity theft, fraudulent loan applications, SIM card activation, and opening bank accounts in your name. I think most people don't realize just how much damage a leaked Aadhaar number can cause.

  • Lock your Aadhaar biometrics through the UIDAI website or mAadhaar app when not in use. This prevents unauthorized biometric authentication. You can unlock them temporarily whenever you need to use biometric verification, then lock them again.
  • Use a masked Aadhaar (which hides the first 8 digits) whenever you need to share a copy for KYC or verification. The masked version is legally valid for most purposes.
  • Never share photos of your Aadhaar or PAN on social media or messaging apps. Once an image is shared on WhatsApp or Telegram, you've lost control over who can access it.
  • Regularly check your Aadhaar authentication history at resident.uidai.gov.in. It shows you every time your Aadhaar was used for authentication, helping you spot unauthorized usage.
  • Virtual ID: Use your Aadhaar Virtual ID (a 16-digit temporary number that maps to your Aadhaar) instead of your actual Aadhaar number whenever possible. You can generate a Virtual ID from the UIDAI website and it can be revoked and regenerated at any time.
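One way to apply the masking rule above to text you are about to forward, as an added example that is not part of the original article. It assumes Aadhaar numbers are 12 digits that do not start with 0 or 1 and end in a Verhoeff check digit (details the article does not state); the function names and the sample number are constructed for illustration.

```python
import re

# Verhoeff tables: D is the dihedral-group multiplication table, P the
# position-dependent permutation, INV the inverse of each digit under D.
D = [[int(x) for x in row] for row in (
    "0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
    "5987604321", "6598710432", "7659821043", "8765932104", "9876543210")]
P = [[int(x) for x in row] for row in (
    "0123456789", "1576283094", "5803796142", "8916043527",
    "9453126870", "4286573901", "2793806415", "7046913258")]
INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]


def verhoeff_valid(digits):
    """True if the last digit is a correct Verhoeff check digit for the rest."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = D[c][P[i % 8][int(ch)]]
    return c == 0


def verhoeff_check_digit(base):
    """Check digit to append to `base` (used here only to build a sample)."""
    c = 0
    for i, ch in enumerate(reversed(base)):
        c = D[c][P[(i + 1) % 8][int(ch)]]
    return str(INV[c])


# Exactly 12 digits, optionally grouped 4-4-4 with spaces or hyphens. The
# lookarounds skip longer runs such as a 16-digit Virtual ID or card number.
CANDIDATE = re.compile(
    r"(?<!\d)(?<!\d[ -])(\d{4})[ -]?(\d{4})[ -]?(\d{4})(?![ -]?\d)")


def mask_aadhaar(text):
    """Hide the first 8 digits of every checksum-valid Aadhaar-like number."""
    def repl(match):
        number = "".join(match.groups())
        # Assumption: real numbers never start with 0 or 1. The checksum test
        # leaves most unrelated 12-digit values (order ids etc.) untouched.
        if number[0] in "01" or not verhoeff_valid(number):
            return match.group(0)
        return "XXXX XXXX " + match.group(3)
    return CANDIDATE.sub(repl, text)


# Constructed sample: an arbitrary 11-digit base plus its computed check digit.
SAMPLE_ID = "23456789012" + verhoeff_check_digit("23456789012")

if __name__ == "__main__":
    message = ("KYC copy attached. Aadhaar: "
               f"{SAMPLE_ID[:4]} {SAMPLE_ID[4:8]} {SAMPLE_ID[8:]}, "
               "order ref 4111 1111 1111 1111.")
    print(mask_aadhaar(message))
```

This only covers typed text; a photo or PDF of the card still needs the masked Aadhaar download from UIDAI.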

A common scam involves callers claiming to be from "Aadhaar verification" or "UIDAI" asking you to update your Aadhaar details over the phone. UIDAI never makes such calls. Aadhaar updates can only be done online or at official Aadhaar enrolment centres. Period.


5. Keep Your Devices and Apps Updated

Software updates frequently include patches for security vulnerabilities. Delaying updates leaves your devices exposed to known exploits — and when a vulnerability gets publicly disclosed, attackers actively scan the internet for unpatched devices, sometimes within hours.

  • Enable automatic updates on your smartphone, laptop, and all installed apps.
  • Pay special attention to updates for your browser, operating system, and banking apps. Browsers are particularly critical because they're your gateway to the internet and are frequently targeted.
  • Uninstall apps you no longer use. Every installed app is a potential attack vector. An app you installed once and forgot about could be collecting data in the background, and if it stops receiving updates, known vulnerabilities go unpatched indefinitely.
  • Check app permissions regularly. Go to your phone's settings and review which apps have access to your camera, microphone, location, contacts, and storage. Revoke permissions that aren't necessary for the app's core function. A calculator app doesn't need access to your contacts or location. Obviously.
  • Be cautious with sideloaded APKs (Android apps installed from outside the Play Store). These bypass Google's security scanning and may contain malware. If you must sideload apps, only do so from sources you trust completely.

6. Be Wary of Phishing Attacks

Phishing emails and messages are getting frighteningly sophisticated — we've got a detailed guide on how to spot phishing scams targeting Indian users if you want to go deeper. In India, common phishing attempts include:

  • Fake messages from "SBI," "HDFC," or other banks claiming your account is blocked.
  • Emails pretending to be from the Income Tax Department during filing season.
  • WhatsApp messages offering fake government subsidies or job opportunities.
  • Fake e-commerce delivery notifications with links to "track your parcel."
  • Messages about "winning" a lottery or a prize from a company like Reliance or Tata.

How to spot phishing:

  • Check the sender's email address carefully. Official emails come from domains like @sbi.co.in, not @sbi-alerts.com or @sbi.security-update.in.
  • Hover over links before clicking to see the actual URL. On mobile, long-press the link to preview the URL without opening it.
  • Look for spelling errors and urgency-driven language ("Your account will be closed in 24 hours!"). Legitimate organisations rarely create that kind of panic.
  • When in doubt, visit the official website directly by typing the URL in your browser instead of clicking any link.
  • Be especially cautious during tax filing season (July-September), festival sales (October-November), and after major data breaches when attackers have fresh personal data to use in targeted phishing.
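The sender and link checks from the list above, written as a small Python filter. This is an added example, not code from the article; the `OFFICIAL_DOMAINS` allowlist and all function names are assumptions, and the sample inputs are constructed from the domains the article mentions.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: a personal allowlist of official domains. Only sbi.co.in comes
# from the article; extend it with domains you have verified yourself.
OFFICIAL_DOMAINS = frozenset({"sbi.co.in"})


def normalise_host(host):
    """Lower-case, drop a trailing dot, and convert Unicode names to punycode."""
    host = (host or "").strip().rstrip(".").lower()
    if not host:
        return None
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_official_host(host, official=OFFICIAL_DOMAINS):
    """True only for an official domain itself or a subdomain of one."""
    host = normalise_host(host)
    if host is None:
        return False
    # The leading dot matters: "notsbi.co.in" must not match "sbi.co.in".
    return any(host == d or host.endswith("." + d) for d in official)


def sender_is_official(from_header):
    """Judge a From: header by its address, ignoring the display name."""
    _display_name, address = parseaddr(from_header)
    if address.count("@") != 1:
        return False
    return is_official_host(address.rsplit("@", 1)[1])


def link_is_official(url):
    """Judge a link by the host the browser would actually connect to."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # .hostname is the real destination, not whatever text precedes an "@".
    return is_official_host(parts.hostname)


# Constructed samples built from the domains named in the article.
SAMPLES = [
    ("sender", "State Bank of India <alerts@sbi.co.in>"),
    ("sender", "SBI <alerts@sbi-alerts.com>"),
    ("sender", "SBI <alerts@sbi.security-update.in>"),
    ("sender", '"alerts@sbi.co.in" <notice@sbi-alerts.com>'),
    ("link", "https://www.sbi.co.in/web/personal-banking"),
    ("link", "https://sbi.co.in.security-update.in/login"),
]

if __name__ == "__main__":
    for kind, value in SAMPLES:
        check = sender_is_official if kind == "sender" else link_is_official
        print(f"{'OK     ' if check(value) else 'SUSPECT'} {kind:6} {value}")
```

A pass only means the domain is on your list; it does not prove the message is genuine, since a From: address can be forged unless the mail provider enforces SPF, DKIM and DMARC.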

AI-powered phishing: In 2026, attackers are using AI tools to generate phishing messages that are free of the spelling errors and awkward phrasing that used to be telltale signs. Personalized using publicly available data from social media profiles, these messages are even more convincing than before. Best defence? Never click links in unexpected messages, regardless of how legitimate they appear. I suspect we'll see this get even worse before it gets better.


7. Use a VPN on Public Wi-Fi

Free Wi-Fi at cafes, airports, and hotels is convenient but dangerous. Attackers on the same network can intercept your traffic and steal login credentials through man-in-the-middle attacks. They can also set up fake hotspots with names like "Airport_Free_WiFi" that look legitimate but route all your traffic through the attacker's device.

  • Use a reputable VPN service whenever you connect to public Wi-Fi. ProtonVPN (has a free tier) or Mullvad are trustworthy options. If you want to go further in protecting your digital footprint, explore our list of privacy-focused app alternatives that minimize data collection.
  • Avoid accessing banking apps or making transactions on public networks, even with a VPN. Not worth the risk.
  • If you must use public Wi-Fi without a VPN, ensure every website you visit uses HTTPS (look for the padlock icon in the address bar). Never enter passwords or financial information on HTTP (non-encrypted) websites.
  • Turn off auto-connect for Wi-Fi on your phone. Many phones are configured to automatically connect to open networks, which means your device could connect to a malicious hotspot without you realising it. Happens more often than you'd think.
  • Consider using your mobile data instead of public Wi-Fi for sensitive tasks. With Jio and Airtel offering affordable data plans, mobile data is often both faster and more secure than public Wi-Fi.

8. Secure Your Home Wi-Fi Network

Your home router is the gateway to all your connected devices. Poorly secured? Neighbours or drive-by attackers can exploit it. For a full walkthrough of router settings, network segmentation, and firewall configuration, see our complete home network security guide.

  • Change the default admin password on your router. Default credentials are publicly known for every router model. A quick Google search for your router's model number reveals the default username and password. If you've never changed these, your router is essentially unlocked.
  • Use WPA3 encryption if your router supports it; otherwise, use WPA2. Never use WEP, which can be cracked in minutes with freely available tools.
  • Create a strong Wi-Fi password that's different from your router admin password. Make it at least 12 characters long.
  • Consider setting up a guest network for visitors instead of sharing your main password. Most modern routers support this. The guest network should be isolated from your main network so guest devices can't access your computers, NAS drives, or smart home devices.
  • Update your router's firmware periodically. Router manufacturers release firmware updates that fix security vulnerabilities, but unlike phones, routers don't update automatically. Log into your router's admin panel every few months and check for updates.
  • Disable WPS (Wi-Fi Protected Setup): WPS allows devices to connect using a PIN or button press, but the PIN mechanism has known vulnerabilities that allow attackers to brute-force the connection.

9. Back Up Your Data Regularly

Ransomware attacks encrypt your files and demand payment for the decryption key. In India, ransomware attacks increased by over 50% in 2025, targeting not just large enterprises but also small businesses, hospitals, and individual users. Regular backups make you resilient against such attacks — even if your files are encrypted, you can restore them from a clean backup without paying the ransom.

  • Follow the 3-2-1 backup rule: 3 copies of your data, on 2 different media types, with 1 copy stored offsite (cloud).
  • Use services like Google Drive, OneDrive, or an external hard drive.
  • Test your backups periodically to ensure they can be restored. A backup that can't be restored isn't a backup. It's a false sense of security.
  • For critical data, consider versioned backups that keep multiple versions of each file. This protects against situations where ransomware encrypts your files and the encrypted versions sync to your cloud storage before you notice.
  • What to back up: Photos, important documents (Aadhaar, PAN, educational certificates, property documents), financial records, and any work files. Most people lose years of family photos in a ransomware attack because they never backed up their phone's camera roll. Don't let that be you.

For small businesses: Invest in automated backup solutions that run daily without manual intervention. The cost of a backup solution (Rs 500-2,000 per month) is negligible compared to the average ransomware demand (Rs 5-50 lakh for small businesses) and the cost of lost business data.


10. Educate Your Family

You might be tech-savvy. Great. But cybercriminals often target the weakest link in a household. Elderly parents and young children are especially vulnerable. In India, a disproportionate number of financial fraud victims are above 50 years of age — they may be less familiar with digital scam tactics, and scammers know exactly how to exploit that.

  • Teach your parents to verify callers claiming to be from banks or government agencies. Establish a family rule: if someone calls asking for money, personal information, or access to your phone, hang up and call back using the official number from the bank's website or the back of your debit card.
  • Set up parental controls on devices used by children. Both Android and iOS have built-in parental control features that limit screen time, block inappropriate content, and prevent unauthorised app installations and purchases.
  • Have regular conversations about online safety. Share real-world examples of scams from the news to make the risks tangible. Abstract warnings about "being careful online" are less effective than showing a specific news story about a local scam.
  • Help family members set up password managers and 2FA on their accounts. Walk them through it step by step. Make sure they understand how to use it independently.
  • Create a family security checklist: Lock Aadhaar biometrics for everyone in the household. Enable 2FA on all bank and email accounts. Install a password manager on everyone's phone. Set up automatic backups for photos and important documents. Review app permissions together once a quarter.

Bonus: Securing Your Social Media Accounts

Social media accounts are frequently targeted because they contain personal information useful for identity theft and social engineering. Some specific steps:

  • Instagram and Facebook: Enable 2FA, review login activity regularly (Settings > Security > Login Activity), and remove connected apps you no longer use. Be cautious of DMs from accounts claiming to be Instagram support — those are always scams.
  • WhatsApp: Enable two-step verification (Settings > Account > Two-step verification), which adds a PIN requirement when re-registering your number. Never share your WhatsApp verification code with anyone, even if they claim to be from WhatsApp.
  • LinkedIn: Limit the personal information visible on your profile. Phone numbers and email addresses should be hidden from public view. Scammers use LinkedIn data to craft targeted phishing emails that reference your job title and company.
  • X (formerly Twitter): Use an authenticator app for 2FA (SMS-based 2FA is no longer free on X). Review connected apps and revoke access for any you don't recognise.

What to Do If You're a Victim

If you suspect you've been targeted by a cyberattack or financial fraud:

  1. Report immediately on the National Cyber Crime Reporting Portal at cybercrime.gov.in or call the helpline 1930. The sooner you report, the higher the chance of recovering lost funds. The 1930 helpline operates 24/7 and can initiate an immediate freeze on the recipient's bank account.
  2. Contact your bank to freeze your account if there's unauthorized financial activity. Most banks have 24/7 customer care numbers specifically for reporting fraud.
  3. File a complaint with your local police station as well. While cyber crimes are handled by specialised cells, having a local FIR on record strengthens your case.
  4. Change passwords for all compromised accounts from a different, trusted device. If your email was compromised, change the email password first — attackers often use email access to reset passwords on other accounts.
  5. Monitor your accounts closely for the next several weeks. Attackers sometimes make small test transactions before larger thefts, or they might wait days or weeks before exploiting stolen credentials.
  6. If your Aadhaar or PAN was compromised, check for unauthorised loans or accounts opened in your name through CIBIL (cibil.com) and lock your Aadhaar biometrics immediately.

Do These Three Things Today

Look, I know that's a lot of advice. And honestly, you probably won't do all of it in one sitting. That's fine. But here are three things you can do right now — today, before you close this tab — that'll make the biggest immediate difference:

  1. Install a password manager (Bitwarden is free) and start changing your most important passwords. Bank account. Email. UPI app. You don't have to do all your accounts today — just the ones that matter most. Takes maybe 20 minutes.

  2. Enable 2FA on your email and bank accounts using an authenticator app, not SMS. Your email is the master key to everything else. If someone gets into your email, they can reset every other password you have. Lock it down.

  3. Lock your Aadhaar biometrics through the mAadhaar app. Takes 30 seconds. You can unlock them anytime you actually need biometric verification. There's no reason to leave them unlocked 24/7.

Those three steps, done today, will put you ahead of 90% of Indian internet users in terms of security. Not sure if that's a comforting statistic or a scary one, but either way — it's worth doing. Stay informed, stay cautious, and help spread awareness in your circle. Forward this to your parents. Share it with that uncle who clicks on every WhatsApp link. Security isn't just personal — it's a community effort.

Priya Patel

Senior Tech Writer

AI and machine learning specialist with 6 years covering emerging technologies. Previously a senior tech correspondent at TechCrunch India, she now writes in-depth analyses of AI tools, LLM developments, and their real-world applications for Indian businesses.
