Phishing in India 2026

Phishing in India has entered a new era. In 2026, scammers are no longer just sending generic, poorly translated emails from far-off places. Today, they leverage localized current affairs, regional languages, and high-frequency business events to target Indian SMEs and corporate teams. Here is a breakdown of the four most active phishing patterns we are seeing in our VAPT audits and corporate engagements this year.

1. The GST Suspension Phishing Campaign

As GST compliances grow stricter, accountants and finance teams are under immense pressure to file GSTR-1, GSTR-2B, and GSTR-3B on time. Scammers exploit this pressure by sending emails that appear to originate from the GST Network (GSTN) or the Ministry of Finance.

These emails claim that your GSTIN has been suspended due to an unresolved mismatch in input tax credit (ITC) or GSTR-2B reconciliation. They contain a link that directs users to a cloned GST portal (e.g., services-gst.org.in instead of services.gst.gov.in). Once the accountant enters the corporate credentials, the threat actors hijack the session, modify bank details, or execute fraudulent filings.

Hardik's Tip: Always check the domain suffix at the very end of the hostname. Official Indian government websites will always end in .gov.in or .nic.in. A government agency will never use a .org.in, .net, or .co domain.
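The tip above can be automated in a mail gateway or a link-checking script. This is an added example, not code from the original article. The function names and sample links are assumptions, and example.net stands in for an attacker-controlled domain. The suffix is tested against the parsed hostname, so a link that only mentions the official name elsewhere in the URL still fails.

```python
from urllib.parse import urlsplit

# Suffixes taken from the tip above; the helper names are hypothetical.
OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")


def extract_host(url: str) -> str:
    """Return the lowercase hostname a browser would actually connect to."""
    if "://" not in url:
        url = "https://" + url            # bare "host/path" text pasted from an email
    try:
        host = urlsplit(url).hostname or ""   # drops userinfo ("user@") and the port
    except ValueError:                    # malformed netloc: fail closed
        return ""
    return host.rstrip(".").lower()


def is_official_gov_host(url: str) -> bool:
    """True only if the hostname itself ends in an official suffix."""
    host = extract_host(url)
    # Each suffix starts with a dot, so "evilgov.in" or "gov.in.example.net" cannot match.
    return any(host.endswith(s) and len(host) > len(s) for s in OFFICIAL_SUFFIXES)


# Constructed sample links; only the first two hostnames come from the article.
SAMPLES = [
    "https://services.gst.gov.in/services/login",
    "https://services-gst.org.in/services/login",
    "https://services.gst.gov.in.example.net/login",          # official name as a subdomain
    "https://services.gst.gov.in@services-gst.org.in/",       # official name as userinfo
    "http://services-gst.org.in/?next=services.gst.gov.in",   # official name in the query
    "SERVICES.GST.GOV.IN:443/login",                          # no scheme, upper case, port
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict = "official suffix" if is_official_gov_host(link) else "NOT official"
        print(f"{verdict:16} {extract_host(link):32} {link}")
```

A passing result only means the hostname sits under an official suffix; it does not vouch for the sender of the email that carried the link.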

2. Cloned CERT-In Vulnerability Warnings

Cybersecurity is top-of-mind for IT admins, making "security alerts" highly effective social engineering bait. We have observed a surge in emails mimicking CERT-In (Indian Computer Emergency Response Team) notices.

The email warns that your company's public-facing servers are vulnerable to a critical zero-day exploit. It instructs the IT admin or system engineer to download a "security patch tool" from an attached link. Running this executable launches a silent installer that deploys ransomware (often LockBit or BlackCat variants) across the Active Directory network, disabling the company's core operations within minutes.

3. The WhatsApp CEO Impersonation (UPI Scam)

WhatsApp is the primary business communication tool in India, which scammers exploit. Using public directory records or LinkedIn, attackers identify the company's Founder, CEO, or Managing Partner, and their junior employees (usually in HR, finance, or operations).

The attacker purchases a virtual SIM card, sets up a WhatsApp Business account with the CEO's name and photo, and messages the employee. The message typically states: "I am in a critical board meeting right now and cannot take calls. I need you to immediately transfer INR 50,000 via UPI to this vendor to secure a contract. I will reimburse you by evening." Under pressure, employees often make the transfer without verification.

4. Vendor Email Compromise (VEC) in Supply Chains

In manufacturing and import-export sectors, transactions involve high values and complex invoicing. In a Vendor Email Compromise attack, threat actors do not target you directly; they compromise the email account of one of your domestic or international suppliers.

They monitor ongoing negotiations. When it is time to pay an invoice, the hijacked supplier account sends a follow-up email: "Please note our domestic bank account has changed due to an annual audit. Kindly wire the payment to this new HDFC bank account in Mumbai." Because the email is sent from the supplier's actual inbox, it bypasses spam filters and raises no immediate red flags.

How to Protect Your Team

Firewalls and email filters are essential, but the final line of defense is human awareness. We recommend four immediate steps:

  • Implement Out-of-Band Verification: Establish a strict corporate policy that any change in vendor bank details or urgent financial transfers must be verified via a phone call using a previously established number, never via email or WhatsApp text.
  • Enforce MFA Globally: Multi-factor authentication must be mandatory for all corporate emails, accounting platforms (like Tally, ERPs), and banking portals.
  • Localize Employee Training: Replace generic security examples with Indian scenarios. Your team should know what a fake GST notice, an IT Department SMS, or a fake e-challan alert looks like.
  • Configure Email Protections: Ensure SPF, DKIM, and DMARC (with a p=reject policy) are configured on your domains to prevent attackers from spoofing your email address.