Indian Phishing in 2026: SMS, Vishing, and UPI Scams

Last updated: April 26, 2026

Phishing in the Indian context has distinct shapes — SMS-based (“smishing”), voice-based (“vishing”), and UPI-payment-targeting scams. The threat landscape is different from US/EU enterprise phishing, and the defences are sometimes different too. This article covers the Indian phishing patterns we see in 2024-26, the regulatory backdrop, and the practical advice for individuals and organisations.

The Indian phishing landscape

SMS / smishing is dominant. Reasons:

• Mobile-first user base — most internet users access via smartphones
• SMS is trusted (banks legitimately use it for OTPs)
• SMS sender IDs are easier to spoof than email “from” addresses, despite TRAI regulations
• UPI payments are integrated into messaging
• Indian languages used in SMS phish blend with legitimate communication patterns

Common Indian phishing categories

1. Bank impersonation SMS

“Your HDFC account has been blocked. Click here to verify: bit.ly/[short]”. Users click, land on a fake login page that captures credentials and OTP via AiTM-style proxy. Banking transactions execute under their session.

Modern variants use shortened URLs that bypass simple URL filtering, dynamically-generated subdomains, and phishing kits with bank-specific look-alikes (HDFC, ICICI, SBI, Axis) at near-pixel perfection.

2. KYC update scams

“Your KYC will expire today. Update now to avoid account suspension.” Targets users of various digital wallets, bank accounts, or government services. Users panic-click, surrender PII or financial details to fake KYC pages.

3. UPI fraud

The classic: “Send me ₹1, I’ll send back ₹1000 for testing.” Victim sends ₹1; attacker counter-sends an “incoming payment request” disguised as a confirmation. Victim approves — actually sending more money.

Variants include fake refund pages, fake delivery confirmation requiring “verification payment,” and impersonation scams during UPI handle disputes.

4. Government / Aadhaar scams

“Your Aadhaar will be deactivated. Update at:” leads to a phishing page collecting Aadhaar number, OTP, and biometric details (where simulated biometric flow is convincing enough).

5. Job / WFH scams

Targeting unemployed or aspirational job seekers — fake job offers requiring upfront “registration fees” or processing payments. Common in 2024-26 with WFH normalisation.

6. Vishing — voice phishing

Fraudsters call claiming to be bank representatives, government officials, or service providers. Combined with smishing — victim receives an SMS that primes them, then a “follow-up call” from the fraudster sounds legitimate.

Recently with AI voice cloning, vishing has moved to a new threat tier — calls from voices that sound exactly like the victim’s family member asking for emergency funds.

The regulatory backdrop

• TRAI regulates SMS sender IDs (DLT — Distributed Ledger Technology framework for sender registration). Theoretically prevents spoofed sender IDs; in practice gaps remain
• RBI guidelines require banks to communicate via specific channels with specific structures; deviations should signal phishing to user
• DPDP Act §8 — entities causing financial harm via insufficient security have liability
• Banking Ombudsman handles fraud disputes; banks have customer-protection obligations under RBI Master Direction on Customer Protection (Limited Liability)

Defences for individuals

• Never click links in unsolicited SMS or email from “your bank”
• Open the bank’s app or website directly, not via link
• Never share OTP, even with someone claiming to be a bank representative
• Don’t approve UPI requests for “incoming” payments — banks send confirmations, not approval requests
• Verify caller identity — call back via a known number, not the one displayed
• Use UPI’s payment limit feature
• Enable transaction alerts and review them

Defences for organisations

• DLT registration for legitimate SMS sender IDs
• Customer education campaigns specifically addressing Indian phishing patterns
• Email security with attachment + link detonation
• FIDO2 / passkey rollout for employees and high-value customers
• Customer-facing fraud-detection — anomaly detection on transactions, especially first-time payee transfers
• Phone-based authentication channels separated from SMS

The takeaway

Indian phishing has its own shape — SMS-led, mobile-first, UPI-integrated, language-localised. The defences combine technology (FIDO2, transaction monitoring), regulation (TRAI / RBI), and user education. For organisations, the highest-leverage step is replacing SMS-based authentication with FIDO2 / app-based push for sensitive operations. For individuals, the rule is consistent: never click links in SMS, never share OTP, always verify by calling the known number.