Cyber Law • Data Security • March 2026
In This Article
01. India’s Phishing Crisis in Numbers
02. How Phishing Works: The Psychology of the Con
03. India’s Unique Vulnerabilities: UPI, Aadhaar and Digital India
04. The Global Picture: How the US and UK Are Responding
05. AI-Powered Phishing: The Next Frontier
06. The Legal Framework: What Protection Do Indians Have?
India’s Phishing Crisis in Numbers
Phishing — the art of tricking people into revealing sensitive information by impersonating a trusted entity — has become the most successful and most devastating form of cybercrime in India. It is not a sophisticated hack exploiting obscure software vulnerabilities. It is a con. And it works because it exploits not technology, but human psychology: trust, urgency, fear, and the desire to be helpful.
The numbers are staggering. In 2025, India recorded 28.15 lakh cybercrime cases, up from 22.68 lakh in 2024 — a 24% surge in a single year. Financial losses reached ₹22,495 crore. CERT-In reports that phishing was the initial attack vector in 38% of all reported fintech frauds. The I4C projects total annual losses exceeding ₹1.2 lakh crore when account takeovers and payment app compromises are included.
India Phishing: Key Statistics 2025–2026
28.15 lakh cybercrime cases reported in 2025 • ₹22,495 crore in financial losses • 3.4 billion phishing emails sent globally every day • 38% of Indian fintech frauds traced to phishing • 9.42 lakh SIM cards blocked for cybercrime links • ₹782 crore allocated for cybersecurity in Union Budget 2025–26
How Phishing Works: The Psychology of the Con
Phishing succeeds not because people are foolish, but because the attacks are designed to exploit fundamental human responses. A phishing email or message typically creates a sense of urgency (“Your account will be suspended in 24 hours”), authority (“This is from the RBI / your bank / the Income Tax Department”), fear (“Suspicious login detected on your account”), or greed (“You have won ₹10 lakh in a lucky draw”).
The mechanics are simple. The attacker sends a message that appears to come from a trusted source — a bank, a government agency, an employer, a delivery service. The message contains a link to a website that looks identical to the real one. The victim enters their credentials, OTP, UPI PIN, or bank details. The attacker harvests the information and drains the account, often within minutes.
What makes phishing uniquely dangerous is that it sidesteps, rather than breaks, most technical controls. Firewalls and encryption protect the channel, not the decision to type a password into the wrong page. Even two-factor authentication is only a partial defence: an SMS or app-generated OTP can be relayed by the attacker in real time, because nothing in a six-digit code records which site the victim was looking at when they typed it. The one control that does hold up is phishing-resistant authentication such as FIDO2/WebAuthn passkeys, which bind the credential to the genuine site's origin so that a lookalike page cannot use it. For every other control, as security researchers have noted, you cannot patch a human brain.
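The difference between a relayable OTP and an origin-bound credential is easiest to see in code. The following is an added illustration, not code from the article or from any bank or vendor: the bank, user, origins and credentials are constructed, and an HMAC stands in for the authenticator's public-key signature to keep the model short. The first flow shows the phishing page forwarding the victim's password and OTP to the real bank and succeeding; the second shows a WebAuthn-style assertion in which the browser, not the page, stamps the origin, so the bank rejects anything relayed from a lookalike site.

```python
import hashlib
import hmac
import json
import secrets

BANK_ORIGIN = "https://bank.example"               # constructed for this example
PHISH_ORIGIN = "https://bank-kyc-update.example"   # constructed lookalike site


class OtpBank:
    """Password + SMS-OTP login. The user and password are constructed."""

    def __init__(self):
        self.users = {"ravi": "hunter2"}
        self.pending = {}

    def start_login(self, user, password):
        """Checks the password and 'sends' a six-digit OTP to the user's phone."""
        if self.users.get(user) != password:
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = otp
        return otp

    def finish_login(self, user, otp):
        return otp is not None and self.pending.pop(user, None) == otp


def otp_relay_phish(bank, user, password):
    """The phishing page forwards the victim's password to the real bank, the
    bank texts an OTP to the victim, and the victim types that OTP into the
    phishing page too. The code carries no information about which site the
    victim was looking at, so the relayed login succeeds."""
    otp_on_victims_phone = bank.start_login(user, password)
    return bank.finish_login(user, otp_on_victims_phone)


class Authenticator:
    """Stand-in for a FIDO2/WebAuthn authenticator: one key per relying party.
    An HMAC replaces the real public-key signature for brevity."""

    def __init__(self):
        self.keys = {}

    def register(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]

    def get_assertion(self, rp_id, challenge, browser_origin):
        # The browser, not the web page, fills in the origin it is really on;
        # a page cannot lie about this field.
        client_data = json.dumps(
            {"challenge": challenge, "origin": browser_origin}, sort_keys=True
        ).encode()
        sig = hmac.new(self.keys[rp_id], client_data, hashlib.sha256).hexdigest()
        return client_data, sig


class WebAuthnBank:
    rp_id = "bank.example"

    def __init__(self, authenticator):
        # In the toy model the bank holds the same key; a real RP stores the
        # credential's public key and verifies a signature.
        self.key = authenticator.register(self.rp_id)

    def new_challenge(self):
        return secrets.token_hex(16)

    def verify(self, challenge, client_data, sig):
        data = json.loads(client_data)
        origin_ok = data.get("origin") == BANK_ORIGIN      # the phishing-resistant check
        challenge_ok = data.get("challenge") == challenge   # no replay of old assertions
        sig_ok = hmac.compare_digest(
            sig, hmac.new(self.key, client_data, hashlib.sha256).hexdigest()
        )
        return origin_ok and challenge_ok and sig_ok


def webauthn_login(bank, authn, browser_origin):
    """A phishing page can forward the bank's challenge, but the victim's
    browser stamps the assertion with the origin it is actually on. Real
    browsers refuse even earlier: a credential scoped to bank.example is
    never offered to a page on another origin."""
    challenge = bank.new_challenge()
    client_data, sig = authn.get_assertion(bank.rp_id, challenge, browser_origin)
    return bank.verify(challenge, client_data, sig)


if __name__ == "__main__":
    print("OTP relayed via phishing page accepted:", otp_relay_phish(OtpBank(), "ravi", "hunter2"))
    authn = Authenticator()
    bank = WebAuthnBank(authn)
    print("WebAuthn from real origin accepted:", webauthn_login(bank, authn, BANK_ORIGIN))
    print("WebAuthn relayed from phishing origin accepted:", webauthn_login(bank, authn, PHISH_ORIGIN))
```

The point of the model is the single `origin_ok` comparison: an OTP is a bearer value that works wherever it is typed, while the WebAuthn assertion is only valid for the origin the browser observed, which the attacker's page cannot forge.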
India’s Unique Vulnerabilities: UPI, Aadhaar and Digital India
India’s phishing problem is uniquely severe because of the scale and speed of its digital transformation. The country processes over 15 billion UPI transactions monthly — more real-time digital payments than any nation on earth. Over 86% of households are now connected to the internet. This massive digital expansion under the Digital India initiative has created unprecedented convenience, but it has also created an equally unprecedented attack surface.
UPI-based phishing is the dominant attack vector. Fraudsters send fake payment requests, counterfeit QR codes, or messages impersonating bank support desks. A common tactic involves calling victims and convincing them to enter their UPI PIN under the pretence of “receiving” a payment — when in fact they are authorising a debit. NPCI data shows an 85% rise in UPI fraud in FY2024 alone.
Aadhaar and KYC phishing has emerged as a particularly Indian vulnerability. Attackers pose as bank representatives or telecom operators requesting “KYC updates” to maintain service. The victim is directed to a fraudulent portal that harvests their Aadhaar number, PAN, bank details, and OTP. NASSCOM-DSCI research indicates that synthetic identities compiled using genuine and fabricated information have increased by 450% since 2022.
The rural dimension makes India’s vulnerability distinct from Western economies. In states like Jharkhand, Bihar, and Uttar Pradesh, millions of people who were unbanked until recently are now using smartphones for financial transactions with minimal digital literacy. Tribal communities new to banking are targeted with basic phishing schemes that would be immediately recognised by urban users. Senior citizens have lost over ₹2,000 crore through impersonation and coercion-based scams.
Cross-border criminal networks compound the problem. MHA reports indicate that over 50% of cyber frauds targeting Indians in 2025 originated from criminal compounds in Cambodia, Myanmar, and Laos, making domestic law enforcement extraordinarily difficult.
The Global Picture: How the US and UK Are Responding
United States: The FBI’s Internet Crime Complaint Center (IC3) received 300,487 phishing reports in 2024 — a tenfold increase from 26,379 in 2018. The average cost of a successful phishing breach in the US is $4.8 million, and breaches take an average of 254 days to detect and contain. The FTC, FBI, and CISA coordinate anti-phishing efforts, but the absence of a comprehensive federal privacy law (as discussed in our previous article on US data protection reform) means there is no unified framework for holding companies accountable when phishing succeeds due to inadequate data security practices.
United Kingdom: The UK’s National Cyber Security Centre (NCSC) operates the Suspicious Email Reporting Service, which has received over 25 million reports since its launch. The UK’s approach combines the Computer Misuse Act 1990, the Fraud Act 2006, and GDPR-derived data protection obligations to create a layered enforcement framework. The UK has also been a pioneer in “authorised push payment” (APP) fraud regulation, requiring banks to reimburse victims of sophisticated phishing-led transfer fraud — a consumer protection measure that neither India nor the US has yet adopted.
The AI escalation: Globally, AI-crafted phishing emails now achieve 54% click rates compared to 12% for human-written ones. Credential theft rates for AI-generated phishing stand at 33.6% versus 7.5% for traditional attacks. Voice-cloned and deepfake-enhanced phishing — where the attacker uses AI to replicate a CEO’s voice or a family member’s video call — has emerged as a particularly devastating vector in 2025–2026.
| Dimension | India | United States | United Kingdom |
|---|---|---|---|
| Scale (2025) | 28.15 lakh cases; ₹22,495 Cr losses | 300,487 IC3 reports; $4.8M avg breach cost | 25M+ suspicious emails reported to NCSC |
| Primary vector | UPI fraud, KYC phishing, fake QR codes | BEC, credential theft, ransomware delivery | APP fraud, invoice fraud, tax refund scams |
| Key law | IT Act 2000; BNS 2023; DPDPA 2023 | CAN-SPAM Act; CFAA; state laws | Computer Misuse Act; Fraud Act; UK GDPR |
| Victim reimbursement | Limited; RBI guidelines, case-by-case | Reg E protections for unauthorised transfers | Mandatory APP fraud reimbursement |
AI-Powered Phishing: The Next Frontier
The convergence of artificial intelligence and phishing is transforming the threat landscape in ways that legacy security systems cannot address. AI enables attackers to generate grammatically perfect, contextually aware phishing emails at industrial scale — eliminating the spelling mistakes and awkward phrasing that once served as tell-tale signs of a scam. In India, this is particularly dangerous because AI-generated phishing can now be delivered in Hindi, Tamil, Bengali, and other regional languages with native fluency.
Deepfake technology has added a terrifying new dimension. In 2024, a fintech CFO lost $1.2 million after receiving a deepfake audio call that perfectly replicated his CEO’s voice. In India, voice-cloned calls impersonating family members in distress have become widespread, alongside “digital arrest” scams in which callers posing as police, CBI or customs officials keep the victim on a video call under threat of arrest until money is transferred. Senior citizens are the most vulnerable targets of both.
The defence must now be equally AI-powered. The RBI’s enhanced fraud-risk directives require banks and NBFCs to deploy AI-enabled monitoring, zero-trust architecture, and compulsory reporting of high-value frauds. The Department of Telecommunications is planning mandatory device-SIM binding and a reworked Financial Fraud Risk Indicator by April 2026.
The Legal Framework: What Protection Do Indians Have?
India’s legal framework for combating phishing spans multiple statutes:
Information Technology Act, 2000: Section 66C (identity theft) and Section 66D (cheating by personation using a computer resource) are the primary criminal provisions. Section 43 (unauthorised access and damage to a computer system) provides for compensation, and Section 66 makes any act under Section 43 an offence when done dishonestly or fraudulently. Section 72A addresses disclosure of personal information in breach of a lawful contract.
Bharatiya Nyaya Sanhita, 2023: Sections 318 (cheating), 319 (cheating by personation), and 336 (forgery) apply to phishing that involves impersonation and document fraud. Section 318(4), the successor to Section 420 of the IPC, covers cheating that dishonestly induces the victim to deliver property, which is what a phishing-induced transfer amounts to.
Digital Personal Data Protection Act, 2023: While primarily a data protection statute, the DPDPA imposes obligations on data fiduciaries to implement “reasonable security safeguards” to prevent data breaches, including those caused by phishing. Organisations that fail to protect user data can face penalties up to ₹250 crore.
RBI Circulars: The RBI’s Master Direction on Digital Payment Security Controls (2024) and the framework on limiting liability of customers in cases of unauthorised electronic transactions provide regulatory guidance on bank liability when phishing leads to unauthorised transfers.
Reporting Phishing in India
Helpline 1930: National Cyber Crime Helpline for reporting financial fraud • cybercrime.gov.in: National Cyber Crime Reporting Portal • CERT-In: incident@cert-in.org.in for organisational incidents • Your bank: Report within 3 working days for maximum liability protection under RBI guidelines
Protecting Yourself: A Practical Guide
1. Never share OTP, UPI PIN, or CVV with anyone. No bank, government agency, or service provider will ever ask for these over phone, SMS, or email.
2. Verify before clicking. If you receive an email or message claiming to be from your bank, do not click the link. Instead, open your bank’s app directly or call the number on the back of your card.
3. Check the URL. Fraudulent websites often use near-identical names (sbi-onIine.com, with a capital I in place of the lowercase l of sbi-online.com) or bury a trusted name inside a longer domain they control. The “https://” prefix and padlock icon only mean the connection is encrypted; phishing sites obtain TLS certificates just as easily as legitimate ones, so they say nothing about who is at the other end.
4. Be suspicious of urgency. Messages creating panic (“Your account will be blocked in 2 hours”) are almost always scams. Legitimate organisations do not threaten you into immediate action via SMS or WhatsApp.
5. Never scan unknown QR codes. A QR code can direct you to a phishing site or, worse, trigger a UPI debit if you enter your PIN. Only scan QR codes from merchants you physically verify.
6. Report immediately. If you suspect you have been phished, call 1930 immediately, notify your bank within 3 working days (for maximum liability protection under RBI rules), and file a complaint at cybercrime.gov.in.
7. For organisations: Conduct regular phishing simulation exercises for all employees, implement email authentication protocols (SPF, DKIM, DMARC), deploy AI-enabled threat detection, and maintain an incident response plan that can be activated within minutes of a successful phishing attack.
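The URL check in item 3 can be automated. The following is an added example, not the article's own code: it folds a hostname as displayed into a “skeleton” in which visually confusable characters collide (a hand-picked subset of the Unicode TS #39 confusables), then classifies it against a short trusted list. The trusted domains and every test hostname are constructed; `sbi-online.com` is taken from the article's own illustration.

```python
import unicodedata

# Assumption for this example: the short list of domains the reader trusts.
TRUSTED = {"sbi-online.com", "bank.example"}

# Visually confusable characters folded to one canonical form, in the spirit
# of the Unicode TS #39 skeleton (a small hand-picked subset, not the full table).
_FOLD = str.maketrans({
    "I": "l", "1": "l", "|": "l",                  # capital i, digit one, pipe -> l
    "0": "o", "O": "o",                            # zero, capital O -> o
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic р с х
    "\u03bf": "o",                                 # Greek omicron
})


def skeleton(host: str) -> str:
    """Reduce a hostname *as displayed* to a form in which lookalikes collide."""
    host = host.strip().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")   # expand xn-- (punycode) labels
    except (UnicodeError, ValueError):
        pass                                         # already Unicode, or not IDNA
    host = unicodedata.normalize("NFKC", host)       # fullwidth forms, ligatures
    host = host.translate(_FOLD).lower()             # fold BEFORE lowering: 'I' -> 'l'
    return host.replace("rn", "m").replace("vv", "w")  # two-letter lookalikes


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch dropped or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Return 'trusted', 'subdomain-of:T', 'embedded:T', 'lookalike:T',
    'typosquat:T' or 'unknown' for the hostname the user sees in the link."""
    plain = host.strip().rstrip(".").lower()
    if plain in TRUSTED:
        return "trusted"
    for t in sorted(TRUSTED):
        if plain.endswith("." + t):
            return f"subdomain-of:{t}"      # login.bank.example: the real owner controls it
        if t in plain:
            return f"embedded:{t}"          # bank.example.verify-kyc.example: decoy prefix
        if skeleton(host) == skeleton(t):
            return f"lookalike:{t}"         # sbi-onIine.com, b\u0430nk.example
        if _edit_distance(skeleton(host), skeleton(t)) == 1:
            return f"typosquat:{t}"         # sbi-onlne.com
    return "unknown"


if __name__ == "__main__":
    # Constructed test hostnames covering each class.
    for h in ("SBI-ONLINE.COM", "sbi-onIine.com", "b\u0430nk.example",
              "sbi-online.com.verify-kyc.example", "login.bank.example",
              "sbi-onlne.com", "paytm-kyc.example"):
        print(f"{h:40} -> {classify(h)}")
```

The classifier works on the string the victim sees, not on the resolved host: `sbi-onIine.com` resolves to a different domain entirely, but it is the displayed string that does the deceiving. The substring test for “embedded” names is deliberately coarse and will flag unrelated domains that happen to contain a trusted name; treat it as a prompt to look closer rather than a verdict.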
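For item 7, publishing SPF and DMARC records is not enough; a weak policy (`+all`, `p=none`) lets spoofed mail through exactly as if nothing were published. The following added example, not code from the article or any vendor, grades a domain's SPF and DMARC TXT records and shows a weak pair beside a hardened pair. All records and domain names are constructed; in practice they would be fetched from DNS for the domain and for `_dmarc.<domain>`. DKIM is left out because a DKIM selector record cannot be judged without the key it carries.

```python
# Constructed records for a hypothetical domain; a real check would fetch the
# TXT records for the domain and for _dmarc.<domain>.
WEAK_SPF = "v=spf1 a mx include:_spf.mailprovider.example +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:_spf.mailprovider.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.in; adkim=s; aspf=s"

# SPF terms that each cost a DNS lookup (RFC 7208 caps the total at 10).
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_spf(record: str) -> list:
    """Findings for an SPF record; an empty list means nothing to fix."""
    findings = []
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: any host may send mail as this domain"]
    terms = record.split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        findings.append("'+all' authorises every sender; SPF is effectively switched off")
    elif last == "?all":
        findings.append("'?all' is neutral; receivers treat it as no policy")
    elif last == "~all":
        findings.append("'~all' softfail only marks spoofed mail; acceptable only with DMARC p=reject")
    elif last != "-all":
        findings.append("no terminal 'all' mechanism; unlisted senders get a neutral result")
    lookups = sum(1 for t in terms
                  if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in _LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms; more than 10 yields permerror and SPF is ignored")
    return findings


def grade_dmarc(record: str) -> list:
    """Findings for the DMARC record published at _dmarc.<domain>."""
    if not record:
        return ["no DMARC record: SPF/DKIM failures are never enforced and nobody is told"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none monitors only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports go nowhere, so abuse stays invisible")
    if tags.get("sp") == "none" and policy == "reject":
        findings.append("sp=none leaves every subdomain open to spoofing")
    return findings


def mail_auth_posture(spf: str, dmarc: str) -> list:
    """Combined findings for a domain's SPF and DMARC records."""
    return grade_spf(spf) + grade_dmarc(dmarc)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(label, mail_auth_posture(spf, dmarc) or ["ok"])
```

Against the constructed records the weak pair produces four findings (open `+all`, monitor-only `p=none`, a 50% `pct`, and no reporting address) while the hardened pair produces none. The usual migration path is to publish `p=none` with a `rua=` address first, read the aggregate reports until every legitimate sender is covered by SPF or DKIM, then move to `p=quarantine` and finally `p=reject`.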
How Juris Altus Can Help
We advise individuals and organisations on cybercrime response, data breach management, and regulatory compliance across jurisdictions.
• Cybercrime complaints & FIRs • Bank liability disputes (RBI framework) • DPDPA 2023 compliance
• Corporate phishing response plans • Data breach notification advisory • Cross-border cybercrime litigation
Ravinder Singh Dhull
Advocate, Punjab & Haryana High Court (Bar No. P-991/2003) | Founding Partner, M & D Law Associates LLP | Former Additional Advocate General of Haryana | Architect of the LexPatra and Juris Altus legal technology platforms.
Cybercrime
UPI Fraud
Data Security
IT Act 2000
BNS 2023
DPDPA 2023
AI Phishing
CERT-In
Digital India
This article is for informational purposes only and does not constitute legal advice. If you are a victim of phishing, call 1930 immediately and report at cybercrime.gov.in. For legal representation in cybercrime matters, consult qualified counsel.