Phishing Scams in India 2026: Spot and Stop Them
A detailed guide to identifying and avoiding phishing scams prevalent in India, with real examples, URL analysis techniques, and steps to protect your family.
My mother almost gave away her Aadhaar number
She's a retired school principal. Sharp. Cautious. Not the kind of person you'd expect to fall for anything online. But last month she got an SMS saying her PAN card would be deactivated in 48 hours unless she "verified" it through a link. The message looked official. The link opened a page that was a dead ringer for the Income Tax Department website. She'd already entered her PAN number and was about to type her Aadhaar when I walked into the room.
That shook me. If she can be tricked, anyone can.
The scammers aren't sending badly spelled Nigerian prince emails anymore. They're sending perfectly crafted messages in Hindi and English, impersonating banks, the Income Tax Department, delivery services, UPI apps — the institutions Indians interact with every single day. I spent a few weeks after that incident documenting every common phishing template targeting Indians, talking to security professionals, and putting together the guide I wish my mother had read before that SMS showed up.
Why phishing works so well (it's not because people are dumb)
Before we get into the specific scams, let's talk about why these work. It's not because victims are careless or unintelligent. My mother ran a school with 800 students for 25 years. She's one of the sharpest people I know.
Phishing works because it targets emotions, not intellect. Fear ("your account will be blocked"), greed ("you've won a prize"), urgency ("within 24 hours"), and authority ("this is from the Income Tax Department") are the four triggers scammers rely on. When any of these kicks in, your brain shifts from careful analysis to quick reaction. It's not a failure of intelligence — it's how human brains are wired.
The timing helps too. These messages arrive when you're busy, distracted, or stressed. You get a "bank alert" while you're cooking dinner, or a "delivery notification" during a work meeting. You glance at it, see something that looks official, and tap without thinking. The scammers know you're not going to sit down with a magnifying glass and analyze every message. They're counting on you being rushed.
And then there's the sheer volume. India saw over 79 million phishing attempts in 2025 alone. That's not a targeted operation — it's a numbers game. Send a fake SBI message to ten million people, and even if only 0.1% fall for it, that's 10,000 compromised accounts. At that scale, even a tiny success rate prints money.
The scams you're most likely to see
KYC update scams
You get an SMS or email saying your bank account, wallet, or mobile connection will be suspended unless you complete a KYC update right now. There's a link to a fake site that looks exactly like your bank's portal.
"Dear Customer, your [Bank Name] account will be blocked within 24 hours due to incomplete KYC. Update now: http://bankname-kyc-update.com/verify"
This one works because KYC updates are a real thing that banks actually require from time to time. People genuinely worry about their accounts getting frozen, especially since RBI tightened enforcement. The "24 hours" deadline triggers panic, and panic shuts down critical thinking.
What gives it away: banks don't send KYC links via SMS — they tell you to visit a branch or use the official app. The URL will be slightly wrong (sbi-kyc-update.com instead of onlinesbi.sbi.co.in). Generic greetings like "Dear Customer" instead of your name. And there's always a fake deadline.
I've collected a few variations of this scam. Some reference specific regulations ("as per RBI Circular dated...") to sound official. Others include partial account numbers — usually just the last four digits — which makes people think the scammer already knows their details. The truth is, they send the same message to millions of people and the last four digits are either generic or randomly generated. But it's enough to create doubt.
Income tax refund scams
An email or SMS says the Income Tax Department approved a refund for you — just click the link and enter your bank details. The specific rupee amount (not a round number, like Rs 15,490) makes it feel real. And refunds do happen, so the concept isn't suspicious by itself.
"Your income tax refund of Rs 15,490 has been approved. Claim your refund by verifying your account details at: http://incometax-refund-verify.in/claim"
The real portal is incometax.gov.in — anything else is fake. The IT Department never asks for bank details via email. Refunds go to whatever bank account you linked in your return. Check the sender's email domain — official correspondence comes from @incometax.gov.in or @gov.in.
These scams peak during tax filing season (July-September) for obvious reasons, but they run year-round. The odd, specific rupee amount is a deliberate design choice — round numbers like "Rs 15,000" feel made up, but "Rs 15,490" feels like a real calculated amount. It's a small psychological trick that makes a big difference in how many people click.
Package delivery scams
"Your package couldn't be delivered. Reschedule by paying a Rs 25 fee." Given how much online shopping we do, there's a decent chance you actually have something in transit when this hits — which is exactly what makes it effective.
"Your India Post package (tracking: IP2839471IN) could not be delivered. Reschedule delivery by paying Rs 25 fee: http://indiapost-redelivery.com/pay"
That tracking number looks legit. The fee seems tiny and reasonable. But India Post and private couriers don't charge redelivery fees via random SMS links. Real tracking updates come from the courier's official app or site, and the URL won't be the courier's actual domain.
The small amount is key to this scam's success. People think "it's just Rs 25, what's the worst that can happen?" But the Rs 25 isn't the point. The point is the payment page where you enter your card number, expiry date, and CVV. They don't care about the Rs 25. They want your card details so they can drain the account later, or sell those details in bulk.
UPI collect request scams
This one breaks my heart because it's so simple and so devastating. Someone calls pretending to be from your bank, a retailer, or even the police. They say they're "sending you money" — a refund, a prize, whatever — and you just need to "accept" it. What they actually send is a collect request (a debit request). You enter your PIN thinking you're receiving money, and it goes straight out of your account.
The confusion between a credit and a collect request is the whole trick. Understanding how UPI payments actually work makes these scams much easier to spot.
Remember this and never forget it: you NEVER need to enter your UPI PIN to receive money. If someone says you do, it's a scam. No exceptions. No edge cases. Never.
I've heard a variation where the scammer sends a collect request for Re 1 first, saying "I'm sending Re 1 to verify your account, just accept it." The victim sees the small amount, enters their PIN, loses Re 1, and now trusts the scammer. Then comes the real collect request for a much larger amount. The Re 1 was just a trust-building exercise.
Job offer scams
WhatsApp message or email offering work-from-home — data entry, product reviews, social media likes — with pay that's too good. The clever part: initial tasks are real and they actually pay you small amounts. That builds trust. Then they ask you to "invest" money to unlock higher-paying tasks, and it disappears.
"Hi! We are hiring part-time workers for [Company Name]. Earn Rs 5,000-15,000 daily from home. Simple tasks. No experience needed. Contact us on WhatsApp: +91-XXXXXXXXXX"
No real job pays Rs 15,000 a day for "simple tasks." Companies don't recruit through random WhatsApp messages. Any job that requires you to pay money to earn money is a scam, every single time.
These scams are particularly cruel because they target people who are genuinely looking for work. College students, people between jobs, homemakers looking for extra income — people who are hopeful and vulnerable. The initial small payments (they might actually pay Rs 200-500 for a few tasks) make the scam feel legitimate and make the victim emotionally invested. By the time they're asked to "invest" Rs 5,000 to unlock premium tasks, they've already convinced themselves it's real. I've talked to people who lost Rs 50,000-1,00,000 to these schemes before they realized what was happening.
Loan approval scams
You get a call saying you've been pre-approved for a loan at a great rate. Just pay a small "processing fee" or "GST" upfront to get the money released. Once you transfer the fee, they're gone. Sometimes they'll even send you a fake sanction letter with a bank's logo to make it look real. They might ask for multiple payments — first a processing fee, then a "verification fee," then an "insurance fee" — milking the victim as long as possible.
Legitimate lenders deduct processing fees from the loan amount — they never ask for money in advance. Random pre-approval calls from unknown numbers are always suspicious. If it sounds real, hang up and call the bank directly using the number from their official website, not whatever number called you.
Electricity/gas disconnection scams
This one's been growing fast. You get an SMS saying your electricity bill is overdue and your connection will be cut today. There's a number to call or a link to pay immediately. People panic — nobody wants their power cut off, especially with a fridge full of food or during summer. The link goes to a fake payment portal, or the phone number connects you to a scammer who asks for your bank details.
Your electricity board will send multiple notices before disconnection and won't threaten to cut power via SMS with a random payment link. Bill payments should only go through official apps (like the Tata Power or BSES apps), the utility's official website, or trusted bill payment platforms.
How to read a URL — the single most useful thing I can teach you
This is the skill that would've saved my mother. If you learn one thing from this post, make it this.
What a URL actually looks like
https://www.sbi.co.in/web/personal-banking/accounts
| | | |
| | | └── Path (page on the site)
| | └── Domain (the actual website)
| └── Subdomain
└── Protocol (https = secure)
The domain is the only part that matters. Scammers are clever about manipulating it:
| Fake URL | Why It Looks Legit | What's Actually Happening |
|---|---|---|
sbi-online.co.in.verify-kyc.com | Contains "sbi" and "co.in" | Real domain is verify-kyc.com |
www.onlinesbi.sbi.co.in.scamsite.net/login | Looks like SBI's URL | Real domain is scamsite.net |
incometax.gov.in.refund-claim.xyz | Contains "gov.in" | Real domain is refund-claim.xyz |
hdfc-netbanking.com | Looks like HDFC | Real HDFC is hdfcbank.com |
paytm-kyc.in | Contains "paytm" | Not Paytm's actual domain |
The trick to reading URLs: go right to left. The last two parts before the first slash are the real domain. In sbi.co.in.verify-kyc.com, the domain is verify-kyc.com. Everything before that — the sbi.co.in — is just a subdomain dressed up to fool you.
Before clicking any link in any message:
- Does the domain match the official website exactly? If not, don't click.
- Is it HTTPS? Banking and government sites always use HTTPS. But scam sites use it too now, so HTTPS alone isn't proof.
- Unnecessary hyphens or extra words?
sbi-kyc-update.comisn't SBI. Real domains are short and clean. - Check the TLD.
.gov.infor government,.co.inor.comfor companies..xyz,.tk,.buzzare red flags. - When in doubt, type the official URL into your browser yourself.
I taught this trick to my mother by sitting with her for ten minutes and going through five examples together. She now checks every URL before tapping, and she's caught two more phishing attempts on her own since then. Ten minutes of practice is all it takes. Teach your family the same way — don't just tell them, sit with them and do it together with real examples.
Going deeper: checking email headers
If a suspicious email lands in your inbox and you want to verify it, the headers tell you the real story.
Gmail: Open the email → three dots (More) → "Show original"
Outlook: Open the email → File → Properties → "Internet headers"
From: "State Bank of India" <alert@sbi-verify.com>
Return-Path: <bouncer@cheaphosting.xyz>
Received: from mail.scamserver.net (192.168.1.100)
That display name says "State Bank of India" — easy to fake. The From address is sbi-verify.com — not SBI's real domain. The Return-Path goes to cheaphosting.xyz — clearly bogus. The Received header shows it came from scamserver.net. Legitimate SBI emails come from @sbi.co.in or @onlinesbi.sbi.co.in. Anything else, trash it.
Most people won't check email headers regularly, and that's fine. But if you get an email that looks almost-but-not-quite right and you're on the fence, the headers give you a definitive answer. It's worth knowing how to do it even if you only use it a few times a year. Think of it as learning to check the expiry date on food packaging — you don't do it with every item, but when something looks off, you know where to look.
Spotting phishing with your senses (not just your brain)
Beyond the technical checks, there are gut-level signals that something's wrong. Pay attention to them.
Emotional pressure. If a message makes your stomach drop, your heart race, or your hands move before your brain catches up — stop. That emotional reaction is exactly what the scammer designed the message to trigger. Legitimate institutions don't communicate through panic.
Unusual timing. A bank "alert" at 11 PM? A tax notice on a Sunday? Government and financial institutions generally operate during business hours. Messages that arrive at odd times are worth extra suspicion.
Tone mismatch. Real bank communications tend to be dry and formal. If an "official" message uses excessive punctuation (!!!), ALL CAPS, or overly friendly language, something's off.
Requests for things that should already exist. Your bank already has your PAN number — they don't need you to "verify" it. The Income Tax Department already has your bank account linked to your PAN — they don't need you to enter it again. If someone's asking you to provide information they should already have, ask yourself why.
The "too perfect" problem. Sometimes scam messages are actually better designed than real bank communications. I've seen fake SBI pages that looked cleaner and more modern than the actual SBI website. If something looks almost too polished — especially when your bank's real website is clunky and outdated — that's worth noting.
You already clicked. Now what?
Don't spiral. Just move fast.
First 30 minutes. Change your passwords for the affected accounts — if you put bank credentials into a fake site, change your net banking password now. Call your bank's helpline and report it — ask them to freeze things temporarily if needed. Major bank numbers: SBI 1800-11-2211, HDFC 1800-202-6161, ICICI 1800-102-4242, Axis 1860-419-5555. Check your recent transactions for anything you didn't do.
Save those bank helpline numbers in your phone right now, before you need them. When you're in the middle of a panic, the last thing you want is to be Googling for phone numbers — especially since scammers also post fake helpline numbers that show up in search results. Having the real numbers saved means you can call immediately.
First 24 hours. Report at cybercrime.gov.in with all the details — the message, the link, what you entered. Call the national cybercrime helpline at 1930 (they can actually freeze transactions that are still in progress). Forward the phishing SMS to 1909 (TRAI's DND service). Run a full malware scan if you downloaded anything from the fake site.
When you report at cybercrime.gov.in, be specific. Include screenshots of the message, the URL you clicked, what information you entered, and any transaction details. The more detail you provide, the better the chances of action. Also note down the complaint number they give you — you'll need it for follow-ups and for your bank's dispute process.
Longer term. Watch your bank statements closely for the next 3-6 months. Turn on transaction alerts for every debit, no matter how small. If your Aadhaar or PAN was compromised, consider putting a fraud alert on your CIBIL profile to stop anyone from opening credit accounts in your name. Check your credit report for any unauthorized inquiries or accounts — you might not see the impact immediately, but stolen identity details can be used weeks or months later.
Under RBI guidelines, if you report unauthorized transactions within 3 working days, your liability caps at Rs 25,000 maximum — and often zero if the bank's security was at fault. Report fast.
Protecting the people who are most vulnerable
I keep thinking about my mother in that moment. How close she came. And how many people don't have someone walking into the room at the right time.
Our parents and grandparents are increasingly online — UPI payments, WhatsApp, e-commerce — but they didn't grow up with this stuff, and scammers target them disproportionately.
Have the conversation. Sit down and walk through the scam types above with real examples. Show them what a genuine SBI SMS looks like next to a fake one. This isn't condescending. It's protective.
The way you frame it matters. Don't say "you need to be more careful" — that sounds like criticism. Say "these scams are so good that even cybersecurity experts get fooled sometimes — here's what to watch for." Make it about the scammer's skill, not their vulnerability. When I talked to my mother about it, I showed her news articles about tech-savvy young people who'd also been scammed. That made her feel less embarrassed about almost falling for it and more receptive to learning the warning signs.
Set up their phone. Enable spam call detection (built into most Android phones, or use Truecaller). Turn on SMS filtering. Put biometric lock on their UPI apps so a scammer can't transact even with remote access. Enable alerts for every bank transaction.
Here's a specific phone setup checklist that takes about 20 minutes:
- Install Truecaller for spam detection
- Enable SMS filtering in the default messaging app
- Turn on biometric authentication for all banking and UPI apps
- Set up transaction alerts via SMS for all bank accounts
- Disable "install from unknown sources" in settings
- Remove any remote access apps (AnyDesk, TeamViewer) unless actually needed
- Set a screen lock timeout of 30 seconds or less
Create a family rule. "If you get any message asking you to click a link, update KYC, or verify anything — call me first before doing anything." Make it easy. Make it automatic. Write the rule on a sticky note and put it next to their phone if you have to. The goal is to create a reflex: unfamiliar message → call family member → don't touch anything until you've talked. This one simple habit would've prevented my mother's close call and probably most of the scams I hear about from friends and relatives.
Block remote access abuse. Some scammers talk people into installing AnyDesk or TeamViewer for "tech support." Explain: no bank or company will ever ask them to install screen-sharing software. If possible, use parental controls to restrict installation of unknown apps.
Set UPI limits. Most UPI apps let you cap per-transaction and daily amounts. For elderly family members, set something reasonable — say Rs 5,000 per transaction, Rs 20,000 per day. Even if a scam works, the damage is limited.
How to set up 2FA on the accounts that matter most
Google account: myaccount.google.com/security → "2-Step Verification." Options: Google Prompts (tap "Yes" on your phone — easiest), authenticator app (Google Authenticator or Authy — recommended), or a hardware security key like YubiKey (most secure).
WhatsApp: Settings → Account → Two-step verification → Set a 6-digit PIN and add a recovery email. This stops someone who clones your SIM from hijacking your account.
UPI apps (PhonePe/Google Pay): UPI already has built-in 2FA — device binding plus your PIN. But also: enable app lock (biometric or PIN), turn on login alerts for new device access, and periodically review your linked bank accounts — remove any you don't use.
Email (Outlook/Yahoo/other): Most providers support 2FA via authenticator apps. Enable it on every email account, especially the one tied to your bank and government portals. Your email is the skeleton key to your digital life — compromising it means password resets for everything else.
Social media (Instagram, Facebook, Twitter): All of these support 2FA through authenticator apps. Turn it on. Social media accounts get compromised more often than people realize, and a hacked Instagram or Facebook account can be used to scam your friends and family by impersonating you.
A quick note on authenticator apps vs. SMS: always choose the authenticator app option when it's available. SMS-based OTPs can be intercepted through SIM swap attacks — where a scammer convinces your telecom provider to transfer your number to their SIM. It happens more often than you'd think in India, and it completely bypasses SMS-based verification. Authenticator apps generate codes on your device, so they're not affected by SIM swaps.
Inside the scam operation
Understanding how these things run makes them easier to recognize. Most phishing campaigns hitting Indians aren't lone operators — they're organized, almost industrial.
Phishing kits — pre-built packages with cloned bank website templates, hosting scripts, SMS/email blasters, credential-harvesting backends, and money mule instructions — sell on Telegram channels and dark web marketplaces for Rs 2,000-5,000. Your own data might already be floating around in those same markets — it's worth checking if your info has been exposed on the dark web.
The barrier to entry for running a phishing operation is shockingly low. Someone with basic technical skills can buy a kit, set it up on a cheap hosting provider, buy a list of phone numbers, and start sending messages — all within a few hours and for less than Rs 10,000 total investment. The return? Even a small campaign targeting a few thousand people can net lakhs if a handful of victims enter their banking credentials.
The money chain moves fast. Victim enters credentials on fake site → data hits the scammer in real time (often via Telegram bot) → scammer logs into the real bank account immediately → money goes to mule accounts (opened with fake or stolen identities) → mule withdraws cash (keeps a cut) → cash gets converted to cryptocurrency. This whole thing can happen within minutes of you entering your password. That's why speed matters when you realize what happened.
The mule accounts are worth understanding. Scammers recruit people — often college students or people in financial trouble — to open bank accounts in their own names and let the scammers route money through them. The mule gets a commission (usually 5-10%) and thinks they're doing harmless work. They're not. They're committing money laundering, and when the police trace the funds, the mule is the one who gets caught first. If anyone ever asks you to let them use your bank account for "business transactions" in exchange for a commission, that's a mule recruitment attempt.
Where to report
| Platform | Contact | What For |
|---|---|---|
| National Cybercrime Portal | cybercrime.gov.in | All cyber fraud |
| Cybercrime Helpline | 1930 | Urgent financial fraud (can freeze in-progress transactions) |
| TRAI DND | Forward SMS to 1909 | Spam and phishing SMS |
| RBI Sachet | sachet.rbi.org.in | Banking fraud, unauthorized transactions |
| Local Police | Nearest station | FIR for significant losses |
| Bank Helpline | Varies | Freeze account, dispute charges |
Reporting matters even if you don't think anything will happen. Every report adds to a pattern that helps authorities identify and shut down scam operations. The 1930 helpline in particular has gotten better at freezing transactions in progress — they work directly with banks to put holds on suspected fraud. The faster you call after realizing what happened, the higher the chance of getting your money back.
What actually keeps you safe
Phishing will keep getting better. AI-generated content is making fake messages harder to distinguish from real ones. Deepfake voice calls are becoming a real threat — scammers can now clone a voice from a few seconds of audio, which means you might get a call that sounds exactly like your son or daughter asking for an urgent money transfer. For a broader look at staying safe online, our cybersecurity best practices guide covers the habits worth building. But the core of it hasn't changed:
Verify independently. Don't trust links in messages. Go to the official site or app yourself — type the URL manually if you have to. Slow down. Scammers manufacture urgency because rushed decisions help them. Any time a message says "within 24 hours" or "immediately" or "your account will be blocked," that urgency is the scam. Take 60 seconds before acting on anything alarming. Guard your PIN. UPI PIN, OTP, CVV — never share them with anyone, for anything, ever. No bank employee, no customer service rep, no police officer will ever legitimately ask for these. Update your software. Security patches fix the holes scammers crawl through. Talk to your family. This isn't a solo responsibility — it's a household one.
Build the habit of doubting every unsolicited message. Not in a paranoid way — in a practical way. When something arrives that you didn't expect, asking for money, personal details, or clicks, treat it as suspicious by default. Check it properly before responding. That single habit — defaulting to suspicion for anything unsolicited — would prevent the vast majority of successful phishing attacks.
I think about my mother sometimes, sitting there with her phone, one field away from handing over her Aadhaar number to a stranger. She's fine. She's more careful now. But that moment — how close it was, how easy it would've been — is what made me write this. Whoever's reading this: show it to someone you're worried about. That's probably the most useful thing you can do with the next five minutes.
Priya Patel
Senior Tech Writer
AI and machine learning specialist with 6 years covering emerging technologies. Previously a senior tech correspondent at TechCrunch India, she now writes in-depth analyses of AI tools, LLM developments, and their real-world applications for Indian businesses.
Stay Ahead in Tech
Get the latest tech news, tutorials, and reviews delivered straight to your inbox every week.
No spam ever. Unsubscribe anytime.
Comments (0)
Leave a Comment
All comments are moderated before appearing. Please be respectful and follow our community guidelines.
Related Articles
WhatsApp Tips and Hidden Features for Indians
WhatsApp hidden features: chat lock, formatting tricks, storage tips, privacy settings, and power user shortcuts.
Privacy-Focused Alternatives to Every App You Use Daily
Replace everyday apps with privacy-focused alternatives: messaging, email, search, storage, and more for Indian users.
Best Home Projectors in India: Complete Guide
A complete guide to the best home projectors in India across budget, mid-range, and premium segments, with tips on throw distance, lumens, and room setup.