Phishing Attacks Targeting Indian Businesses: How to Recognize and Prevent Them

AnantaSutra Team
December 20, 2025
11 min read

Phishing attacks cost Indian businesses thousands of crores annually. Learn to recognise the latest tactics and build defences that actually work.

Phishing Is India's Number One Cyber Threat

In 2025, CERT-In recorded over 1.3 million phishing incidents targeting Indian organisations, a 36% increase from the previous year. Phishing is no longer the domain of poorly written emails from fictional Nigerian princes. Modern phishing attacks are sophisticated, targeted, and devastatingly effective. They impersonate real colleagues, replicate legitimate websites pixel for pixel, and exploit genuine business processes to steal credentials, funds, and data.

For Indian businesses, the threat is particularly acute. India's rapid digital transformation has created a vast attack surface. UPI transactions, cloud-based business tools, GST portals, banking apps, and government digital services are all being weaponised by attackers who understand Indian business culture, communication patterns, and regulatory workflows.

How Modern Phishing Attacks Target Indian Businesses

1. GST and Tax-Related Phishing

Attackers send emails or SMS messages impersonating the GST Network, Income Tax Department, or the Goods and Services Tax portal. Messages claim that the recipient's GST registration is about to be suspended, a refund is pending, or a compliance deadline has been missed. The urgency drives the recipient to click a link that leads to a convincing replica of the government portal, where they enter their credentials.

In Q4 2025, a coordinated GST phishing campaign compromised the credentials of over 15,000 Indian businesses, leading to fraudulent input tax credit claims worth an estimated Rs 340 crore.

2. UPI and Payment-Related Phishing

India's UPI ecosystem processes over 14 billion transactions monthly, making it a prime target. Attackers send collect requests from accounts impersonating vendors or clients, or send phishing links that mimic bank login pages. A common tactic involves an SMS claiming a UPI transaction has failed and asking the user to "verify" their PIN through a linked website. Two facts defeat most of these: a UPI PIN is entered only to send money, never to receive it, so any "enter your PIN to receive the refund" prompt is fraud; and approving a collect request is itself a payment, whatever the request's description claims.

3. Business Email Compromise (BEC)

BEC attacks are the most financially damaging form of phishing for Indian businesses. The attacker compromises or spoofs a senior executive's email account and sends instructions to the finance team to transfer funds to a "new vendor account" or "updated bank details." Because the email appears to come from the CEO or CFO, and because the request aligns with normal business processes, it frequently succeeds.

A Bengaluru-based IT services company lost Rs 12 crore in 2025 through a single BEC attack in which the attacker impersonated the procurement director of a UK-based client and redirected an invoice payment.

4. Spear Phishing via LinkedIn and Social Media

Attackers research target organisations through LinkedIn, company websites, and social media to craft highly personalised phishing messages. They reference real projects, use correct internal jargon, and impersonate known colleagues. This reconnaissance makes spear phishing emails nearly indistinguishable from legitimate communications.

5. Voice Phishing (Vishing)

Phone-based phishing is surging in India. Callers impersonate bank officials, RBI investigators, police officers, or even TRAI representatives, claiming the victim's phone number will be disconnected. They create urgency and fear, then extract OTPs, account numbers, or remote access to devices. CERT-In reported a 78% increase in vishing complaints in 2025.

6. QR Code Phishing (Quishing)

With QR codes ubiquitous in Indian commerce, attackers place malicious QR codes in physical locations, emails, or messages. Scanning the code redirects to a phishing site or triggers a UPI collect request. This attack vector exploits the trust people have developed in QR-based payments.

Red Flags: How to Recognise Phishing Attempts

Train every employee to watch for these indicators:

  • Urgency and pressure: "Your account will be suspended in 24 hours," "Immediate action required," or "Pay now to avoid penalty." Legitimate organisations rarely demand instant action via email or SMS.
  • Mismatched sender details: The display name says "HDFC Bank" but the email address is noreply@hdfc-secure-alerts.com. Always check the actual email address, not just the display name.
  • Suspicious links: Hover over (but do not click) any link. If it does not point to the official domain of the claimed sender, it is likely phishing. Look for subtle misspellings and substitutions such as g00gle.com or hdfcbank-secure.com, and read domains from the right: a lookalike cannot sit under gov.in itself, since gov.in names are issued only to Indian government bodies, so a fake tax portal will be something like incometaxindia-gov.in, or will place the real name in a subdomain (incometaxindia.gov.in.<attacker-owned-domain>), where only the last two labels are what the attacker actually owns.
  • Unexpected attachments: Invoices, purchase orders, or compliance notices you were not expecting, especially as .exe, .zip, .js, .html, .lnk, or .iso files or macro-enabled .docm documents. Because Office now blocks macros in files downloaded from the internet by default, attackers increasingly use HTML attachments that build a fake login page locally, and archives or disk images that carry shortcut files.
  • Requests for credentials or OTPs: No legitimate bank, government agency, or service provider will ever ask for your password, PIN, or OTP via email, SMS, or phone call.
  • Generic greetings: "Dear Customer" or "Dear Sir/Madam" instead of your actual name can indicate a mass phishing campaign.
  • Grammatical errors and odd formatting: While modern phishing is increasingly well-crafted, many campaigns still contain subtle language errors, inconsistent formatting, or unusual fonts.
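The sender, link and wording checks in this list can be automated as a first-pass triage on a raw message. The following is an added example written for this article, not code from AnantaSutra or from any product it names; the brand list, the two sample messages and the simplified eTLD+1 rule are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real phishing email: the display name claims a bank,
# the sending address does not, and the link hides the brand inside a subdomain
# of an unrelated registrable domain.
SAMPLE_EMAIL = """\
From: "HDFC Bank" <noreply@hdfc-secure-alerts.com>
To: accounts@example.co.in
Subject: Immediate action required: account will be suspended in 24 hours
Content-Type: text/plain; charset=utf-8

Dear Customer,

Your NetBanking access will be suspended in 24 hours. Confirm your password
and OTP at https://hdfcbank.com.secure-login-verify.xyz/netbanking to keep it active.
"""
# Constructed legitimate notification, for comparison.
BENIGN_EMAIL = """\
From: "HDFC Bank" <alerts@hdfcbank.com>
To: accounts@example.co.in
Subject: Your November statement is ready
Content-Type: text/plain; charset=utf-8

Dear Ms Rao,

Your statement is available at https://www.hdfcbank.com/statements.
"""
# Illustrative brand list (an assumption of this example): a short keyword that
# survives typosquatting, the display name attackers copy, and the real domains.
KNOWN_BRANDS = [
    {"keyword": "hdfc", "display": "hdfc bank", "domains": {"hdfcbank.com"}},
    {"keyword": "incometax", "display": "income tax department",
     "domains": {"incometax.gov.in", "incometaxindia.gov.in"}},
]
URGENCY_PHRASES = ("immediate action", "suspended", "24 hours", "pay now", "penalty")
CREDENTIAL_WORDS = ("password", "otp", "pin", "cvv")
GENERIC_GREETINGS = ("dear customer", "dear sir/madam", "dear user")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Simplified eTLD+1: three labels under common .in second-level suffixes
    (gov.in, co.in, ...), otherwise the last two. Use the Public Suffix List
    in production; this is enough for the example."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "in" and labels[-2] in (
            "gov", "co", "nic", "ac", "org", "net", "edu"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(text):
    """Undo common typosquat tricks: digits for letters, hyphens and dots."""
    return text.lower().translate(str.maketrans("0134", "olea")).replace("-", "").replace(".", "")


def brand_in_host(host):
    """The brand whose keyword appears anywhere in the hostname, or None."""
    flat = normalise(host)
    return next((b for b in KNOWN_BRANDS if b["keyword"] in flat), None)


def analyse(raw):
    """Run the red-flag checks over a raw RFC 5322 message.
    Returns a list of (code, detail) findings; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    for brand in KNOWN_BRANDS:
        if brand["display"] in display.lower() and sender_domain not in brand["domains"]:
            findings.append(("SENDER_MISMATCH",
                             f"display name '{display}' but mail is from {sender_domain}"))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        reg = registrable_domain(host)
        brand = brand_in_host(host)
        if brand and reg not in brand["domains"]:
            findings.append(("LOOKALIKE_LINK",
                             f"{host} imitates {brand['display']} but is owned under {reg}"))
        elif brand is None and reg != sender_domain:
            findings.append(("OFFDOMAIN_LINK", f"{host} does not belong to sender {sender_domain}"))
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("URGENCY", ", ".join(hits)))
    creds = [w for w in CREDENTIAL_WORDS if re.search(rf"\b{w}\b", text)]
    if creds:
        findings.append(("CREDENTIAL_REQUEST", ", ".join(creds)))
    greeting = next((g for g in GENERIC_GREETINGS if g in text), None)
    if greeting:
        findings.append(("GENERIC_GREETING", greeting))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE_EMAIL):
        print(f"{code:20} {detail}")
    print("benign findings:", analyse(BENIGN_EMAIL))
```

On the constructed phishing sample this reports all five red flags (sender mismatch, lookalike link, urgency, credential request, generic greeting) and nothing on the benign statement notice. The lookalike rule deliberately keys on the registrable domain rather than the hostname, which is what catches hdfcbank.com.secure-login-verify.xyz; the same logic applies to incometaxindia.gov.in.<anything>.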

Building a Phishing-Resistant Organisation

Technical Controls

Email authentication: Publish SPF, DKIM, and DMARC for your business domain, and make sure every service that sends on your behalf (CRM, invoicing, marketing) either is listed in SPF or signs with your DKIM key, since DMARC passes only when one of the two aligns with the From domain. Start DMARC at p=none with a rua= reporting address so you can see who is sending as you, move to p=quarantine, and finish at p=reject once the reports are clean; only p=reject stops attackers from spoofing your exact domain in phishing campaigns targeting your customers and partners. It does nothing against lookalike domains such as yourcompany-payments.com, which is why the sender checks in the red-flag list still matter.
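An added example, not from the original article or from any vendor, of how to read the records once they are published: it assesses constructed SPF and DMARC TXT records for an assumed domain example.co.in and flags the settings that leave spoofing possible, showing a typical first attempt beside the hardened target.

```python
import re

# Constructed TXT records for an assumed domain, example.co.in. WEAK is a
# typical first attempt (softfail SPF, monitor-only DMARC); HARDENED is the
# target state recommended in the text.
WEAK = {
    "example.co.in": "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all",
    "_dmarc.example.co.in": "v=DMARC1; p=none; rua=mailto:dmarc@example.co.in",
}
HARDENED = {
    "example.co.in": "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all",
    "_dmarc.example.co.in": ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                             "rua=mailto:dmarc@example.co.in; fo=1"),
}
# RFC 7208 limits SPF terms that trigger DNS lookups to ten; more is a permerror.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """'k=v; k=v' -> dict (the DMARC tag syntax)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Findings for one SPF record; empty list means no weakness found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no v=spf1 record"]
    all_term = next((t.lower() for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' term; hosts not listed are neither passed nor failed")
    elif all_term in ("all", "+all"):
        findings.append("SPF: '+all' authorises every host on the internet to send as you")
    elif all_term == "?all":
        findings.append("SPF: '?all' is neutral, equivalent to publishing no policy")
    elif all_term == "~all":
        findings.append("SPF: '~all' softfail; prefer '-all' once DMARC reports show all senders are listed")
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def assess_dmarc(record):
    """Findings for one DMARC record; empty list means the policy is enforcing."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no v=DMARC1 record; anyone can spoof the domain"]
    findings = []
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p= tag missing or invalid")
    elif p == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofs to junk; move to p=reject when reports are clean")
    pct = int(tags.get("pct", "100"))
    if p in ("quarantine", "reject") and pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if p != "none" and tags.get("sp", p).lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you will never learn who is spoofing you")
    return findings


def assess_zone(zone, domain="example.co.in"):
    """Combine the SPF and DMARC checks for one domain's records."""
    return assess_spf(zone.get(domain, "")) + assess_dmarc(zone.get("_dmarc." + domain, ""))


if __name__ == "__main__":
    for label, zone in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_zone(zone) or ["no findings"])
```

To run the checks against live records, fetch them first, for example with `dig +short TXT example.co.in` and `dig +short TXT _dmarc.example.co.in`, and pass the strings in. Note that a clean result here means your own domain cannot be spoofed; it says nothing about lookalike domains, which DMARC cannot address.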

Email filtering: Deploy an email security gateway that scans incoming messages for known phishing indicators, malicious attachments, and suspicious URLs. Solutions like Proofpoint, Mimecast, or Microsoft Defender for Office 365 catch the majority of phishing attempts before they reach inboxes.

DNS filtering: Block access to known phishing domains at the network level using DNS-based security solutions. If an employee does click a phishing link, the connection is blocked before the malicious site loads. Blocklists only cover domains already reported, and phishing kits rotate through freshly registered ones, so also enable the "newly seen" or "newly registered domain" category that many commercial resolvers offer, at least in block-and-warn mode.

Multi-factor authentication: If an attacker obtains an employee's password through phishing, MFA is the next obstacle, but not every MFA method resists phishing. SMS and app-generated OTPs can be relayed in real time by adversary-in-the-middle kits that proxy the genuine login page and capture the resulting session cookie, and push approvals fail to "MFA fatigue" bombardment. Deploy MFA on all business-critical systems, especially email, banking, and cloud services, and for email, administrator, and finance accounts prefer phishing-resistant methods (FIDO2 security keys or passkeys), which bind the credential to the real site's origin so that a lookalike domain cannot complete the login.

Browser isolation: For high-risk users such as finance teams and executives, browser isolation technology renders web content in a remote environment, preventing phishing sites from executing malicious code on the user's device.

Human Controls

Regular phishing simulations: Send realistic simulated phishing emails to all employees monthly. Track click rates, report rates, and credential submission rates. Use results to identify individuals and departments that need additional training.

Reporting culture: Make it easy and safe to report suspicious emails. Implement a one-click "Report Phishing" button in the email client. Celebrate employees who report phishing attempts rather than those who never fall for them. Fear of punishment drives under-reporting.

Verification procedures: Establish mandatory verification protocols for financial transactions. Any request to change bank details, transfer funds, or share sensitive information must be verified through a separate channel, such as a phone call to a known number, regardless of who the request appears to come from.

Process Controls

Payment approval workflows: Require multi-person approval for financial transactions above a defined threshold. A single employee should never be able to initiate and complete a large fund transfer based on an email request alone.

Vendor verification: Maintain a verified vendor database with confirmed bank details. Any request to change payment details triggers a verification call to the vendor using contact information already on file, not contact details provided in the request itself.

Incident response playbook: Document exactly what happens when a phishing attack succeeds: who is notified, how credentials are reset, how affected systems are isolated, and how the breach is reported to CERT-In.

The Cost of Inaction

Impact                                                       Typical cost for an Indian SME (penalties are statutory maxima)
Credential theft leading to data breach                      Rs 3.5 crore
BEC fund transfer fraud                                      Rs 45 lakh - Rs 12 crore
Ransomware via phishing attachment                           Rs 1.2 crore (ransom + downtime)
Failure to report to CERT-In within six hours                Fine up to Rs 1 lakh and/or imprisonment up to one year (IT Act s.70B(7))
Failure to notify a personal data breach (DPDP Act 2023)     Penalty up to Rs 200 crore
Reputational damage and customer loss                        Incalculable

What to Do If You Have Been Phished

Speed is critical. If you suspect a phishing attack has succeeded:

  1. Isolate the affected account immediately. Change the password, revoke all active sessions and refresh tokens, and check the mailbox for inbox rules that forward, redirect, or delete mail, for OAuth application consents, and for MFA devices the user did not enrol; BEC attackers add these so they keep reading the mailbox after a password change.
  2. Alert your IT or security team. They need to assess the scope of the compromise.
  3. Report to CERT-In within six hours of noticing the incident, the window set by its April 2022 directions; phishing, identity theft, unauthorised access, and data breaches are all on the mandatory reporting list.
  4. Notify affected parties. If customer data was exposed, transparency is both a legal obligation and the right thing to do.
  5. Conduct a forensic investigation. Determine how the attack succeeded, what data was accessed, and whether the attacker has persistent access to any systems.
  6. Document and learn. Every successful phishing attack is a learning opportunity. Update your training, controls, and processes based on what you discover.
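Step 1 (isolate the account) and step 5 (find persistent access) usually meet in the mailbox's inbox rules, which is where BEC attackers keep their foothold. The following is an added example, not part of the original article: it triages a constructed inbox-rule export (field names modelled on Exchange Online's Get-InboxRule output; the data and addresses are invented, and addresses are plain SMTP strings rather than Exchange's "Name [SMTP:addr]" form) for the patterns responders look for.

```python
# Constructed inbox-rule export for an assumed compromised mailbox,
# finance@example.co.in. Rule 1 is a normal filing rule; rules 2 and 3 show
# classic BEC persistence: exfiltrate payment mail to a lookalike domain and
# hide it, and silently delete security notifications.
RULES = [
    {"Name": "Invoices to Accounts", "Enabled": True,
     "SubjectContainsWords": ["invoice"], "MoveToFolder": "Accounts",
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Name": ".", "Enabled": True,
     "SubjectContainsWords": ["bank details", "payment", "invoice"], "MoveToFolder": "RSS Feeds",
     "ForwardTo": ["ap-team@example-co-in.com"], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False},
    {"Name": "Cleanup", "Enabled": True,
     "SubjectContainsWords": ["password", "sign-in", "security alert", "new device"],
     "MoveToFolder": None, "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": True},
]
INTERNAL_DOMAINS = {"example.co.in"}          # assumption: the organisation's own domains
# Subjects attackers filter on to intercept payment traffic or hide alerts.
WATCH_WORDS = {"password", "sign-in", "security alert", "new device", "mfa",
               "bank details", "payment", "invoice", "remittance"}
# Folders users rarely open, favoured for stashing intercepted mail.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "archive"}


def is_external(address):
    """True if the address is outside the organisation's own domains."""
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def _targets(rule):
    return rule.get("ForwardTo", []) + rule.get("RedirectTo", []) + rule.get("ForwardAsAttachmentTo", [])


def triage_rules(rules):
    """Return [(rule name, [reasons])] for enabled rules showing persistence patterns.
    Keyword matches alone are not conclusive, so they are reported only next to
    a hard indicator (external forwarding, deletion, hiding, or a blank name)."""
    suspicious = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        reasons = []
        external = [t for t in _targets(rule) if is_external(t)]
        if external:
            reasons.append("forwards to external " + ", ".join(external))
        if rule.get("DeleteMessage"):
            reasons.append("deletes matching mail")
        if (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
            reasons.append(f"hides mail in '{rule['MoveToFolder']}'")
        name = rule.get("Name", "")
        if not any(c.isalnum() for c in name):
            reasons.append(f"rule name {name!r} is blank or punctuation only")
        watched = sorted({w.lower() for w in rule.get("SubjectContainsWords", [])} & WATCH_WORDS)
        if reasons and watched:
            reasons.append("filters on " + ", ".join(watched))
        if reasons:
            suspicious.append((name, reasons))
    return suspicious


def external_forward_targets(rules):
    """Addresses to block at the gateway and hunt for in every other mailbox."""
    return sorted({t.lower() for rule in rules for t in _targets(rule) if is_external(t)})


if __name__ == "__main__":
    for name, reasons in triage_rules(RULES):
        print(f"{name!r}: " + "; ".join(reasons))
    print("block and hunt:", external_forward_targets(RULES))
```

With Exchange Online PowerShell the real input comes from `Get-InboxRule -Mailbox finance@example.co.in | Select-Object Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, SubjectContainsWords`; the external addresses it surfaces should be searched for across all mailboxes, since the same attacker usually plants the same rule wherever credentials were harvested, and tenant-wide automatic forwarding to remote domains should be off (`Set-RemoteDomain Default -AutoForwardEnabled $false`) so a rule like the second one cannot work at all.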

Phishing is not a problem that can be solved with technology alone or training alone. It requires a layered defence that combines technical controls, human awareness, and robust processes. Indian businesses that invest in all three layers will be far better positioned to withstand the onslaught.

AnantaSutra builds security awareness into every client engagement. Our AI-powered communication tools include built-in protections against phishing and spoofing, and our team helps businesses establish the technical and human controls needed to stay safe in an increasingly hostile digital landscape.
