India lost ₹22,495 crore to cybercrime in 2025. That figure comes directly from the Ministry of Home Affairs — not from a cybersecurity company trying to sell a product. It represents real money taken from real people: students who lost their savings to fake job offers, retired government employees who fell for “digital arrest” calls, small business owners whose bank accounts were drained through UPI fraud.
The number that sits behind that ₹22,495 crore is equally sobering: 28.15 lakh cybercrime cases were recorded in 2025 alone — up from 22.68 lakh the year before. That is nearly one reported case every 11 seconds, around the clock, every day of the year.
And yet, the conversation about cybersecurity in India continues to treat it as a technical subject for IT professionals. It isn’t. In 2026, cyber awareness is a basic life skill — as necessary as knowing how to cross a road safely or how to check if a medicine is genuine before taking it.
This guide explains what is actually happening in India’s cyber threat landscape, the specific attacks that are targeting ordinary people right now, the legal framework that protects you, and the practical steps that genuinely reduce your risk — not theoretical advice, but specific actions you can take this week.
Part 1: The Scale of What Is Actually Happening
India is the second most targeted nation for email-based attacks globally
The World Economic Forum’s Global Risk Report 2026 ranks cybersecurity as India’s number one national risk — ahead of economic downturns, climate-related disasters, and armed conflict. This is not hyperbole. It reflects the convergence of several specific conditions that make India a particularly attractive target:
India processes over 10 billion UPI transactions monthly, increasing real-time fraud risks at a scale unmatched anywhere else in the world. This volume of digital money movement, combined with the rapid expansion of first-time internet users in Tier 2 and Tier 3 cities, has created an attack surface that criminals — many operating from overseas — are exploiting systematically.
Weekly average cyber attacks in India have hit 3,195 per organisation in early 2026, which is 62% higher than the global average. These are not random; they are targeted, organised, and increasingly powered by artificial intelligence.
India is simultaneously experiencing unprecedented cyber threats from AI-powered deepfake fraud costing the nation an estimated ₹70,000 crore in 2025, and coordinated attacks on critical infrastructure driven by geopolitical tensions.
The human cost beyond the headlines
Statistics about crores and billions create distance. The actual stories bring the scale into focus.
In 2025, a retired teacher in Hyderabad received a video call from someone dressed in a police uniform, in front of what appeared to be a police station, claiming she was under investigation for money laundering. The caller — using AI-generated video — kept her on a live call for six hours, during which she transferred ₹14 lakh from her fixed deposits to “secure” her money. She lost everything.
This was not an isolated incident. Digital arrests — where fraudsters impersonate police officers using AI-generated uniforms and background noise to simulate real police stations — emerged as one of the fastest-growing psychological-based cybercrimes in 2025, accounting for 9% of total cybercrime losses.
The attackers are sophisticated. Many are operating from high-security compounds in Southeast Asia — Cambodia, Myanmar, and Laos — where MHA data indicates over 50% of cyber frauds targeting Indians in 2025 originated. These are not teenagers with laptops; they are organised criminal enterprises with scripts, technology, and shift-based operations.
Part 2: The Threats That Are Targeting Ordinary Indians Right Now
Threat 1: UPI and Banking Fraud — The Highest Volume Attack
UPI fraud is the most common form of cybercrime in India by case volume. The attacks have evolved significantly from the early days of simple fake payment requests.
The “receive payment” trap: A stranger on OLX, Facebook Marketplace, or WhatsApp claims to be sending you a payment and asks you to enter your UPI PIN to “accept” it. Many victims — including educated, technically literate people — have fallen for this. The UPI PIN authorises payments from your account, never to it. Entering your PIN in response to a payment request transfers money out of your account, not into it.
QR code fraud: A seller sends you a QR code to “verify” your account or receive a refund. Scanning and proceeding with that QR code initiates a payment from your account. QR codes only initiate payments — they cannot receive them.
Fake customer care numbers: When people search for “SBI customer care number” or “PhonePe helpline” on Google, fraudulent listings sometimes appear above the genuine ones. Calling these numbers connects you to criminals who ask for your account details, OTP, or remote access to your device. Legitimate banks and payment apps never ask for your OTP, UPI PIN, or account password on a call.
Practical protection: Save the official customer care numbers of your bank and payment apps in your contacts before you ever need them. Find those numbers on the back of your debit card or on the official website — not through a search engine query during an emergency.
Threat 2: Investment Fraud — The Highest Financial Loss Category
Investment scams accounted for over 75% of total financial losses from cybercrime in India in 2025. The scale of money lost to fake stock trading platforms, cryptocurrency investment schemes, and fraudulent “portfolio management” apps has exceeded every other crime category combined.
The typical script: A stranger adds you to a WhatsApp or Telegram group that appears to be a community of successful investors sharing stock tips. Over days or weeks, the group shows “proof” of members making extraordinary returns. You are invited to join a platform — a fake app or website — and deposit money. Initial small withdrawals are allowed to build trust. Eventually, you are encouraged to deposit larger amounts, after which the platform either disappears or invents reasons why you cannot withdraw your money.
Fraudsters used AI-generated deepfakes of well-known investors, SEBI officials, and business celebrities to lend credibility to these schemes. Videos of genuine interviews and public appearances were manipulated to make it appear these individuals were endorsing the fraudulent platforms.
The rule that protects you: No legitimate SEBI-registered investment platform solicits clients through WhatsApp groups or Telegram channels. SEBI-registered advisers have registration numbers verifiable at sebi.gov.in. Any investment opportunity that cannot be verified through official SEBI channels is a fraud.
Threat 3: “Digital Arrest” and Impersonation Scams
India in 2026 is experiencing a surge in deepfake-based attacks. Fraudsters impersonate police officers, CBI officials, customs officers, TRAI representatives, and RBI officials using AI-generated voice recordings and video calls to coerce victims into compliance.
The psychological mechanism is specific and deliberate. The fraudster claims:
- Your Aadhaar number has been used to open a bank account involved in money laundering
- A parcel in your name has been intercepted containing drugs or illegal goods
- Your phone number is connected to a cybercrime case under investigation
The victim is told they are under “digital arrest” — a term with no legal existence in India — and must remain on a video call while “proceedings” take place. During this extended call, they are psychologically isolated, instructed to tell no one, and eventually directed to transfer money to “clear” their name.
The critical fact: There is no such thing as a “digital arrest” under Indian law. The Code of Criminal Procedure (now replaced by the Bharatiya Nagarik Suraksha Sanhita, 2023) does not permit arrest via video call. No legitimate police officer, CBI official, TRAI representative, or RBI official will conduct an investigation through WhatsApp or Skype and demand money transfers to resolve it.
If you receive such a call: hang up immediately, do not transfer any money, and call the 1930 helpline or file a report at cybercrime.gov.in.
Threat 4: AI-Powered Phishing — Now Personalised and Convincing
Traditional phishing emails were easy to spot: poor grammar, generic greetings, obvious urgency. In 2026, AI-generated phishing is different.
Attackers scrape publicly available information — your LinkedIn profile, your social media posts, your company’s website — and use AI to craft messages that reference your specific job title, recent projects, mutual connections, and professional context. The message appears to come from your organisation’s domain (via email spoofing), mentions a specific project you are genuinely working on, and requests a credential or action that seems plausible.
Phishing attacks now account for 3.4 billion phishing emails sent daily globally, and the human element remains the root cause of 74% to 95% of data breaches. AI has made the “human element” part harder — the messages that fool people are now genuinely sophisticated.
For Indian users specifically: Phishing attacks targeting Indian bank customers mimic HDFC, SBI, ICICI, and Axis Bank communication with increasingly accurate logos, email templates, and language. SMS phishing (smishing) targeting UPI users mimics communication from NPCI, PhonePe, and Google Pay.
The protection is not about detecting bad grammar anymore — it’s about verifying the action being requested through an independent channel. If an email from “your bank” asks you to click a link to verify your account, close the email and log into your bank’s official app or website directly. Never click verification links in emails or SMS messages, regardless of how legitimate they appear.
Threat 5: SIM Swap Fraud
SIM swap fraud is one of the most technically sophisticated attacks targeting Indian individuals. The attacker gathers your personal details — name, address, date of birth, Aadhaar number, account number — through phishing, data breaches, or social engineering. They then contact your mobile operator, impersonate you, and request that your phone number be transferred to a new SIM card in their possession.
Once they control your phone number, they receive all OTPs sent to that number — giving them access to your bank accounts, email, UPI apps, and any other service that uses SMS-based two-factor authentication.
Indicators that a SIM swap has occurred: your phone suddenly shows “No Service” or “SIM Not Registered” when it was working normally; you stop receiving calls and SMS; you receive an unexpected message confirming a SIM change you didn’t request.
If you suspect SIM swap: Call your mobile operator’s customer care immediately from another phone. Block your SIM and inform your bank simultaneously. Report to 1930.
Part 3: The Legal Framework — Your Rights and Protections
The Digital Personal Data Protection Act 2023 — What It Means for You
The activation of the Data Protection Board of India in late 2025 and the enforcement of the Digital Personal Data Protection Act have elevated cybersecurity from an IT function to a boardroom governance imperative.
For individual citizens, the DPDP Act 2023 creates specific rights:
Right to information: You can ask any organisation holding your personal data what data they hold and for what purpose. Organisations must respond within 48 hours.
Right to correction and erasure: You can request that inaccurate data about you be corrected, and that data no longer needed for its stated purpose be erased.
Right to grievance redressal: Every data fiduciary (organisation handling your data) must provide a grievance officer. If the grievance is not resolved, you can escalate to the Data Protection Board.
Consent requirements: Organisations must obtain your specific, informed consent before processing your personal data. Blanket consent buried in terms and conditions is no longer sufficient.
Penalties for organisations: Organisations that violate data protection obligations face penalties of up to ₹250 crore per breach. This is a meaningful deterrent that makes data mishandling significantly more costly for businesses.
A critical upcoming date: November 2026 is when enhanced obligations for consent managers become operational. After this date, how your consent is obtained and managed by digital platforms becomes subject to stricter enforcement.
The IT Act and Bharatiya Nyaya Sanhita — Criminal Cyber Offences
The Information Technology Act 2000 (amended 2008) and the Bharatiya Nyaya Sanhita 2023 (which replaced the IPC) together define criminal cyber offences in India:
Hacking (Section 66 IT Act): Unauthorised access to a computer, computer system, or network is a criminal offence carrying imprisonment up to 3 years and/or fine up to ₹5 lakh.
Identity theft (Section 66C IT Act): Fraudulently using another person’s electronic signature, password, or any other unique identification feature is punishable with imprisonment up to 3 years and fine up to ₹1 lakh.
Phishing and cheating using computer resources (Section 66D IT Act): Cheating someone by impersonating another using a computer resource — which covers most UPI fraud and banking phishing — carries imprisonment up to 3 years and fine up to ₹1 lakh.
Cyberstalking (Section 354D BNS): Monitoring, following, or contacting a person online against their will is a criminal offence under the new criminal code.
Publishing obscene content (Section 67 IT Act): Publishing or transmitting obscene content in electronic form carries imprisonment up to 3 years for first conviction, up to 5 years for subsequent convictions.
CERT-In’s Mandatory Reporting Requirements
Under CERT-In’s cybersecurity incident reporting rules, organisations must report cyber incidents within 6 hours of detection. Critical Information Infrastructure operators must also notify NCIIPC, while personal data breaches must be reported under the DPDP Act 2023.
For individuals, the practical implication is twofold: your data held by an organisation that suffers a breach must be reported to you; and when you are a victim of cybercrime, early reporting to 1930 significantly increases the chances of fund recovery by triggering the Cyber Financial Crime Reporting and Management System (CFCFRMS) which can freeze fraudulent transactions.
Part 4: What Cyber Awareness Actually Means in Practice
Most cyber awareness articles give you a list of tips that sound reasonable but don’t change behaviour because they’re too abstract. This section is different — it tells you the specific actions that address the specific threats Indian users face, and explains why each one matters.
Action 1: Activate two-factor authentication on your email — today, not tomorrow
Your email account is the master key to your digital life. Every “forgot password” link for every other account you own gets sent to your email. If someone gains access to your email, they can reset the passwords of your bank, your UPI app, your social media, and everything else.
Two-factor authentication (2FA) adds a second step to logging in — typically an OTP or an authenticator app — so that even if your password is stolen, your account cannot be accessed without the second factor.
How to enable on Gmail:
- Go to myaccount.google.com
- Click “Security” in the left panel
- Under “How you sign in to Google,” click “2-Step Verification”
- Follow the setup process — use Google Authenticator app rather than SMS if possible (SMS OTPs can be intercepted through SIM swap; authenticator apps cannot)
Authenticator apps available in India: Google Authenticator (free, Android and iOS), Microsoft Authenticator (free), and Authy (free with backup capability). All three work without internet access after initial setup.
After securing your email, enable 2FA on your internet banking, UPI apps that support it, and any financial service account.
Action 2: Understand what your UPI PIN does — and never share it
The UPI PIN is an authorisation code for outgoing payments from your bank account. It is equivalent to your ATM PIN. There is no scenario — none — in which you would be asked to enter your UPI PIN to receive money, verify your account, or accept a refund.
Write this down and tell every family member: Your UPI PIN only goes in when you are sending money. If someone is asking you to enter your PIN for any other reason, it is fraud.
This applies regardless of who is asking — a customer service representative, a delivery person, a marketplace seller, or a “bank official.” The PIN is entered in the payment app for outgoing transactions only.
Action 3: Create a “pause and verify” habit for any urgent financial request
The single most effective psychological defence against social engineering is deliberate delay. Attackers create urgency — “your account will be blocked in 2 hours,” “you must transfer now to avoid arrest,” “the offer expires in 30 minutes” — because urgency bypasses rational evaluation.
The habit: when any message or call creates financial urgency, stop. Put the phone down. Wait 15 minutes. Then call the institution directly using the number on your debit card or the official website — not the number the caller gave you, not a number from a search engine query.
In that 15-minute pause, the psychological pressure dissipates. The clarity that follows almost always reveals the fraud.
Action 4: Verify before you invest — the SEBI check
Before putting money into any investment opportunity, verify it takes under 60 seconds.
Go to sebi.gov.in → Intermediaries/Market Infrastructure Institutions → Register with SEBI → Search for the company or adviser name.
If the entity is not in SEBI’s database, it is not a registered investment adviser. Do not invest. Full stop. The WhatsApp group showing impressive returns, the Telegram channel with “expert tips,” the app with a professional interface — none of these are substitutes for SEBI registration.
Action 5: Know the 1930 helpline and use it immediately if defrauded
India has a dedicated helpline 1930 that offers immediate cybersecurity assistance. Early reporting to the 1930 helpline significantly increases the chances of fund recovery in cases involving UPI, banking, or online payment fraud.
The 1930 helpline connects to the Cyber Financial Crime Reporting and Management System (CFCFRMS), which can flag and freeze transactions before the money moves beyond recovery. The critical window is the first few hours after a fraud occurs — once money has been transferred through multiple accounts and withdrawn, recovery becomes exponentially harder.
If you are defrauded:
- Call 1930 immediately
- File a report at cybercrime.gov.in
- Contact your bank’s fraud helpline to freeze your account if needed
- Do not transfer any more money — even if the fraudster claims it will “unlock” your first transfer (this is a secondary fraud targeting victims who are already desperate)
Action 6: Lock your Aadhaar biometrics when not in use
Aadhaar biometric authentication — using your fingerprint to authenticate transactions — is used for AEPS (Aadhaar-enabled Payment System) transactions, which allow bank withdrawals at point-of-sale terminals using biometrics.
Fraudsters have used cloned fingerprints (lifted from documents and surfaces) to perform AEPS transactions draining bank accounts linked to Aadhaar. The protection is simple and free.
How to lock your Aadhaar biometrics:
- Go to myaadhaar.uidai.gov.in
- Log in with your Aadhaar number and OTP
- Select “Lock/Unlock Biometrics”
- Lock the biometrics
When you need to use biometric authentication legitimately — for example, at a government office — unlock temporarily, complete the transaction, and re-lock.
Action 7: Audit app permissions on your smartphone
Most Indians have 40–80 apps installed on their smartphones. Many of these apps have accumulated permissions far beyond what they need to function. A photo editing app with access to your contacts, microphone, and location is a data harvesting concern. A free game with SMS read permission can intercept OTPs.
How to audit on Android: Settings → Privacy → Permission Manager → review each permission category (Location, Microphone, Camera, SMS, Contacts) and revoke any app that doesn’t have a clear reason to need it.
How to audit on iPhone: Settings → Privacy & Security → review each permission category and apply the same principle.
Specific red flags: any app with SMS read access that isn’t your primary SMS app; any flashlight or calculator app with microphone access; any keyboard app with “full access” enabled.
Action 8: Secure your home Wi-Fi — it’s the gateway to everything
Your home Wi-Fi router is the entry point for every device in your home — your phone, laptop, smart TV, and any smart home devices. A poorly secured router can be compromised to intercept traffic, redirect your banking sessions to fake sites, or provide attackers persistent access to your home network.
Three non-negotiable Wi-Fi security steps:
- Change the router admin password from the default (admin/admin or as printed on the sticker) to a unique, strong password
- Use WPA3 or WPA2-AES encryption (not WPA or WEP) — configurable in the router’s admin panel
- Never share your Wi-Fi password on public posts or with people who don’t need ongoing access
Part 5: Cyber Safety for Specific Groups Who Face Higher Risk
Senior citizens — the primary target of emotional manipulation attacks
Older Indians are disproportionately targeted by digital arrest scams, fake customer care fraud, and “your relative is in trouble” emotional manipulation attacks. The targeting is deliberate — seniors are perceived as having savings, being less familiar with digital fraud patterns, and being more responsive to authority-figure impersonation.
For families: Have an explicit conversation with elderly parents and relatives about digital arrest scams. Tell them specifically: no government agency will ever call on WhatsApp to arrest them, no legitimate official will ever ask for money over a video call, and they should call a family member before taking any financial action in response to an urgent call. Create a family code word they can use if they feel pressured — a signal to stop and call you immediately.
For seniors themselves: Treat any call that creates fear about legal trouble as a potential scam by default. Hang up, call a family member, and verify through official channels before doing anything.
Students and young adults — targets for fake job and task-based fraud
Task-based scams have surged among young Indians — fraudsters offer simple online tasks (liking YouTube videos, reviewing products, clicking ads) with promises of easy money, then ask participants to invest their own money to “unlock” higher-paying tasks or release earnings already accumulated. Many victims in 2025 lost money by entering their UPI PIN thinking they were receiving a payment.
The test for any “online job” offer: does it require you to invest your own money at any point? If yes, it is a scam. Legitimate freelancing and gig work pays you; it never requires upfront investment.
Women — targeted by sextortion and account takeover
Sextortion — where attackers obtain or fabricate intimate images and threaten to share them unless money is paid — accounted for 4% of cybercrime losses in 2025 and is growing rapidly. New threats including sextortion have emerged as some of the fastest-growing psychological-based cybercrimes targeting women.
Critical guidance: Do not pay. Payment does not end sextortion — it confirms the victim will pay and typically results in escalating demands. Report immediately to cybercrime.gov.in and the 1930 helpline. Evidence suggests that reporting stops the attack in most cases because the attackers are running volume operations and move on when resistance is encountered.
The Cyber Crime Prevention against Women and Children (CCPWC) scheme provides dedicated support — cyber forensic labs and trained personnel across 33 states and union territories are available for victim support.
Part 6: The Institutional Framework Protecting India’s Cyberspace
Understanding that institutions are working on these problems — and knowing how to access them — is part of being cyber aware.
CERT-In (Indian Computer Emergency Response Team): The national nodal agency for cybersecurity incident response. Provides vulnerability alerts, security guidelines, and coordinates response to major incidents. Website: cert-in.org.in
I4C (Indian Cyber Crime Coordination Centre): Under the Ministry of Home Affairs, coordinates cybercrime law enforcement across states. Operates the 1930 helpline and cybercrime.gov.in portal.
NCIIPC (National Critical Information Infrastructure Protection Centre): Protects India’s critical information infrastructure — banking, power, telecom, transport systems.
Data Protection Board of India: Activated in late 2025, the board adjudicates complaints about violations of the DPDP Act. Individuals can file complaints when their data rights are violated by organisations.
RBI’s Ombudsman Scheme for Digital Transactions: If you suffer an unauthorised transaction and your bank is unresponsive, the RBI Banking Ombudsman at bankingombudsman.rbi.org.in provides escalation.
The government has allocated ₹782 crore for cybersecurity in the Union Budget 2025-26, and over 9.42 lakh SIM cards and 2,63,348 IMEIs linked to cyber frauds have been blocked as active enforcement measures. The infrastructure for response is real — but it works most effectively when individuals report promptly.
The Bottom Line: Awareness Is the First and Most Important Layer
The human element remains the root cause of 74% to 95% of data breaches. This statistic is repeated in every major cybersecurity report — not to assign blame to victims, but because it identifies where the most effective prevention lies.
Technical tools — antivirus, two-factor authentication, strong passwords, secure Wi-Fi — are necessary and worth implementing. But they work alongside awareness, not instead of it. No antivirus blocks a victim who voluntarily enters their UPI PIN on a fraudster’s instruction. No two-factor authentication prevents someone from being psychologically pressured into sharing their OTP.
The awareness that actually protects Indian users in 2026 comes down to a few specific beliefs and habits:
Know that no legitimate authority in India arrests people through WhatsApp. Know that UPI PINs only authorise outgoing payments. Know that investment opportunities not registered with SEBI are fraudulent by default. Know that the 1930 helpline exists and that calling it quickly is the most important thing you can do in the first minutes after fraud occurs.
Share these four things with everyone in your family — especially those who are new to digital financial services, who are elderly, and who use the internet on smartphones without a clear understanding of how the threats work.
Digital safety in 2026 is not about being technically sophisticated. It is about being specifically informed about how fraud actually works — and how to recognise it before it costs you money you cannot get back.
This article is for public education and awareness purposes only. All statistics cited are drawn from publicly available government and institutional sources including the Ministry of Home Affairs, CERT-In, the World Economic Forum, IBM, and SentinelOne. Cyber threat information is accurate as of May 2026 — the threat landscape evolves rapidly. For immediate assistance with cybercrime, call 1930 or visit cybercrime.gov.in.
Author: Mahesh — independent cybersecurity writer and digital safety educator. Focused on making cybersecurity accessible and actionable for everyday Indian users since 2019. No commercial relationship with any cybersecurity product or service mentioned in this article.
