
I spend my days building and stress-testing MailArmor, an API-first email security stack tuned for Microsoft 365 and Google Workspace, with India-first guardrails (DPDP, CERT-In, Mumbai data residency). This isn’t armchair theory. It’s the distilled field guide I wish I’d had two years ago, written for founders, CISOs, and IT leaders who need outcomes, not buzzwords.
India’s attack surface is exploding: reported cyber incidents more than doubled from 2022 to 2024, and UPI adoption keeps pulling adversaries to our payment rails. The result: faster, cheaper, eerily convincing phish. Below are the five fastest-moving phishing patterns I see in the wild, plus a no-nonsense, budget-aware response plan you can deploy in weeks, not quarters.
1) AI-Driven Deepfake Phishing (Voice & Video)
What it looks like: A “CEO” voice note on WhatsApp asking Finance to “release ₹58 lakh urgently,” or a video clip of a familiar public figure endorsing an “RBI-backed” scheme. India’s regulators have explicitly warned about AI-generated media being used to push scams and false endorsements.
Why it works now:
Seconds of audio/video are enough to clone tone and cadence. Social platforms make distribution trivial; mobile-first teams are primed for quick responses. International casework shows deepfake video calls tricking even seasoned professionals.
How I stop it:
- Out-of-band verification rules for money movement: mandate a known callback or safe phrase for any request that changes beneficiary, amount, or banking rails. (We enforce this via runbooks + Slack/Teams workflows.)
- VIP impersonation detections in the mailbox: flag lookalike domains, reply-to mismatches, and anomalous sender relationships; auto-isolate if the sender is new to the org and asks for urgency + payment.
- Finance playbook: payments over ₹X require dual human verification + evidence (PO, ticket, or contract) attached to the approval trail.
2) OTP-Bot & MFA-Bypass Social Engineering
What it looks like: A bot phones your user “from the bank,” prompting them to key in the code they just received. Attackers also harvest OTPs via slick IVR scripts and Telegram services purpose-built for this job.
Why it works now:
MFA fatigue is real, and IVR bots compress the entire con to under a minute, the same lifespan as many OTPs.
How I stop it:
- Phishing-resistant MFA (passkeys/FIDO2) for email/admins; SMS OTP only as a fallback with geo/time-based policy locks.
- Transaction-level friction for risky actions (new payees, inbox forwarding rules, OAuth grants).
- User training that mirrors the scam: live call-and-response drills (“A bot will ask you for the OTP; hang up. Here’s the internal escalation flow.”).
3) UPI & QR-Code Phishing (Now with “Brushing” & Collect-Request Abuse)
What it looks like: A QR code sent “to receive” money (scanning actually pays the attacker), or packages containing a QR linking to a malicious app/site (“brushing” meets credential theft). As a response, the ecosystem is tightening identity disclosure before payment to blunt fraud.
Why it works now:
Low-friction mobile payments + habit of scanning any code at face value. Attackers chain social engineering with instant rails.
How I stop it:
- Default deny: No scanning QR codes received via email/DMs for payables/receivables. If money is due to us, we generate the QR internally from our UPI handle.
- UPI hygiene: force users to confirm beneficiary identity on screen and ban peer-to-peer push payments initiated from links/QR in emails.
- Post-delivery scanning (API-side, no MX change needed): decode QR codes embedded in images and inspect PDFs and HTML attachments for risky URLs and HTML smuggling, since these payloads sail past URL-only gateway filters.
4) Vendor Email Compromise (VEC) & Invoice Fraud in Indian Supply Chains
What it looks like: A real supplier’s mailbox is taken over; the attacker quietly alters bank details on a pro-forma or asks Accounts to “update beneficiary” due to “audit.” Finance pays the right invoice to the wrong account. Financial sector telemetry in India shows phishing and compromised credentials remain primary inroads.
Why it works now:
MSME vendors often lack robust MFA and log monitoring; invoice cycles are predictable; urgency + relationship trust beats policy.
How I stop it:
- Invoice verification gate: any bank-detail change triggers a mandatory callback to a previously verified number from our vendor master (never from the email footer).
- Content-aware rules: auto-flag “update bank details,” “remit to new account,” “SWIFT/IFSC updated,” especially when the sender is new or the message fails DMARC.
- DMARC at enforcement (p=reject) on our domain; and we score inbound DMARC/DKIM/SPF alignment for vendors to weigh trust. A lookalike domain the attacker registered will pass all three for itself, so a passing verdict is never treated as proof of identity on its own.
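The mailbox-side checks described for VIP impersonation (lookalike domains, reply-to mismatch, new sender plus urgency and payment) and for beneficiary-change mail (bank-detail phrases, new sender, DMARC failure) combine into one scoring pass. The following Python is an added example, not MailArmor’s code or anything from the original page; the vendor master, sender allow-list, phrase lists, weights, thresholds and both sample messages are constructed assumptions. It also shows a point the bullet lists only hint at: the lure passes SPF, DKIM and DMARC because the attacker owns the lookalike domain, so alignment is recomputed from the header for the score while the lookalike check runs independently of the authentication verdict.

```python
"""Post-delivery triage of one inbound message for VIP/vendor impersonation.

Added example (not MailArmor code). Signals: lookalike sender domain against the
vendor master / own domain, Reply-To mismatch, DMARC alignment recomputed from
Authentication-Results, sender newness, payment-change and urgency phrases.
Weights, thresholds, domains and both sample messages are assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

KNOWN_DOMAINS = {"acme-supplies.com", "example.in"}   # vendor master + own domain (assumed)
KNOWN_SENDERS = {"accounts@acme-supplies.com"}         # previously verified correspondents (assumed)
PAYMENT_PHRASES = ("update bank details", "new account", "remit to",
                   "ifsc updated", "swift updated", "beneficiary")
URGENCY_PHRASES = ("urgent", "today", "immediately", "asap")

# Constructed sample: "update beneficiary" lure from a lookalike domain the attacker
# registered, so SPF/DKIM/DMARC all pass for *that* domain.
LURE_RAW = """\
Authentication-Results: mx.example.in; spf=pass smtp.mailfrom=acme-supp1ies.com; dkim=pass header.d=acme-supp1ies.com; dmarc=pass header.from=acme-supp1ies.com
From: "Accounts, Acme Supplies" <accounts@acme-supp1ies.com>
Reply-To: acme.accounts.payments@gmail.com
To: ap@example.in
Subject: Updated bank details for invoice INV-2291

Dear Sir, due to an internal audit our bank account has changed.
Kindly remit to the new account (IFSC updated) and confirm today.
"""

# Constructed sample: routine mail from the real, previously verified vendor address.
LEGIT_RAW = """\
Authentication-Results: mx.example.in; spf=pass smtp.mailfrom=acme-supplies.com; dkim=pass header.d=acme-supplies.com; dmarc=pass header.from=acme-supplies.com
From: accounts@acme-supplies.com
To: ap@example.in
Subject: Invoice INV-2291 attached

Please find the invoice for the March consignment attached. Terms as per contract.
"""


def normalize(domain):
    """Fold common visual substitutions so 'acme-supp1ies.com' compares equal to 'acme-supplies.com'."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def levenshtein(a, b):
    """Plain edit distance; adequate for a vendor master of a few thousand domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Return the known domain this sender domain imitates, or None if it is exact or unrelated."""
    domain = domain.lower()
    if domain in known:
        return None
    d = normalize(domain)
    for k in known:
        # Distance threshold of 2 is an assumption; scale it with label length in production.
        if normalize(k) == d or levenshtein(d, normalize(k)) <= 2:
            return k
    return None


def org_domain(d):
    """Naive organizational domain (last two labels); use the Public Suffix List for co.in etc."""
    return ".".join(d.lower().rstrip(".").split(".")[-2:])


def dmarc_aligned(msg):
    """Recompute relaxed alignment from the SPF/DKIM results instead of trusting 'dmarc=' alone."""
    ar = str(msg.get("Authentication-Results", ""))
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", ar)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([^\s;]+)", ar)
    return any(m and m.group(1) == "pass" and org_domain(m.group(2)) == org_domain(from_dom)
               for m in (spf, dkim))


def triage(raw, known_domains=KNOWN_DOMAINS, known_senders=KNOWN_SENDERS):
    """Score one raw RFC 5322 message; returns {'action', 'score', 'findings'}."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    sender_dom = sender.rpartition("@")[2]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    imitated = lookalike_of(sender_dom, known_domains)
    hits = [p for p in PAYMENT_PHRASES if p in text]
    checks = [  # (triggered, weight, finding); weights are assumptions
        (imitated is not None, 4, f"lookalike domain {sender_dom} imitates {imitated}"),
        (bool(reply_to) and reply_to.rpartition("@")[2] != sender_dom, 3, f"reply-to {reply_to} leaves sender domain"),
        (not dmarc_aligned(msg), 3, "DMARC alignment failed"),
        (sender not in known_senders, 2, "sender not in vendor master / prior correspondence"),
        (bool(hits), 3, "payment-change intent: " + ", ".join(hits)),
        (any(u in text for u in URGENCY_PHRASES), 1, "urgency cue"),
    ]
    score = sum(w for ok, w, _ in checks if ok)
    findings = [f for ok, _, f in checks if ok]
    # Thresholds are assumptions: 8+ auto-pull and notify Finance, 4-7 flag for analyst review.
    action = "isolate" if score >= 8 else "flag" if score >= 4 else "deliver"
    return {"action": action, "score": score, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("lure", LURE_RAW), ("legit", LEGIT_RAW)):
        print(name, triage(raw))
```

Running it isolates the lure (score 13, with DMARC alignment reported as passing) and delivers the routine vendor mail untouched. In production the phrase list would give way to a classifier and the two-label organizational-domain shortcut to a Public Suffix List lookup, but the wiring stays the same.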
5) Mobile Takeover → Mailbox + Payments Drain
What it looks like: Phone theft or SIM swap leads to rapid UPI and mailbox compromise. Recent police reports show gangs draining accounts within minutes when phones use weak device/app locks.
Why it works now:
The device is the new keyring: email, 2FA, UPI, and enterprise apps all converge on it. One weak screen lock or visible notification preview, and you’ve gifted the thief session tokens plus OTP visibility.
How I stop it:
- Company policy: alphanumeric device passcodes, hidden notification previews, biometric + app-level PINs for UPI/banking.
- Rapid kill-chain: one-tap device lost procedure → auto revoke sessions, rotate email tokens, block SIM/eSIM, and notify bank. (In India, train staff to also call 1930 immediately.)

A Practical, India-Ready Defense Stack (What I Deploy)
1) Mailbox-Native, API-First Email Security
Don’t rely on pre-delivery alone. Use post-delivery analysis to catch delayed detonations, QR/image abuse, and thread hijacks; auto-pull malicious mail from every mailbox it touched. (This approach is aligned with how modern attacks evolve inside M365/Gmail.)
2) Authentication & Trust Controls That Actually Bite
- DMARC p=reject + SPF + DKIM for your domain; monitor alignment on inbound vendors to shape trust.
- FIDO2/Passkeys for admins/finance; conditional access (geo/time/behavior).
- OAuth app governance: alert on risky scopes and new third-party grants.
3) Payment-Rail Specific Guardrails for India
- UPI hardening: verify beneficiary identity, ban external QR/link-initiated payments, and require maker-checker on payouts over ₹X. Recent ecosystem changes improve payee identification; design your SOPs to leverage this.
- Vendor master discipline: no bank-detail edits via email alone ever.
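The “transaction-level friction” called for under the OTP-bot section, the OAuth app governance item, and the maker-checker and vendor-master rules above all reduce to one decision function over three event types: a new inbox rule, a new third-party OAuth grant, and a payout request. This Python is an added illustration, not MailArmor’s implementation; the Microsoft Graph and Gmail scope identifiers are the real scope names, while the corporate domains, the ₹X threshold, the vendor master and the sample events are constructed assumptions.

```python
"""Step-up policy for risky actions: inbox forwarding rules, OAuth grants, payouts.

Added example (not MailArmor code). Scope identifiers are real Microsoft Graph and
Google OAuth scope names; domains, threshold, vendor master and events are assumptions.
"""

OWN_DOMAINS = {"example.in"}          # assumed corporate domains
MAKER_CHECKER_ABOVE_INR = 200_000     # the page's "₹X"; assumed value

# Scopes that let a third-party app read, send or silently reroute a user's mail.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",   # Microsoft Graph
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.settings.sharing",     # Gmail forwarding/delegation
}

# Constructed vendor master: details here were verified by callback, never taken from email.
VENDOR_MASTER = {
    "V-0042": {"name": "Acme Supplies", "account": "12345678901",
               "ifsc": "HDFC0001234", "callback": "+91-22-0000-0000"},
}


def decide(action, reason, **extra):
    return {"action": action, "reason": reason, **extra}


def evaluate_inbox_rule(rule):
    """External auto-forward is blocked outright; rules that hide finance mail are flagged."""
    external = [a for a in rule.get("forward_to", []) if a.rpartition("@")[2].lower() not in OWN_DOMAINS]
    if external:
        return decide("block", "auto-forward to external address", targets=external)
    hides = rule.get("delete") or rule.get("mark_read") or rule.get("move_to") in {"RSS Feeds", "Deleted Items"}
    if hides and any(k in rule.get("match", "").lower() for k in ("invoice", "payment", "bank", "password")):
        return decide("flag", "rule hides finance/security mail from the user")
    return decide("allow", "benign rule")


def evaluate_oauth_grant(grant):
    """Mailbox-level scopes are the concern; offline_access means a refresh token that outlives a password reset."""
    risky = sorted(set(grant["scopes"]) & HIGH_RISK_SCOPES)
    persistent = "offline_access" in grant["scopes"]
    if risky and (persistent or not grant.get("publisher_verified", False)):
        return decide("revoke_and_alert", "mailbox scopes with persistent or unverified-publisher access", scopes=risky)
    if risky:
        return decide("flag", "mailbox scopes from a verified publisher", scopes=risky)
    return decide("allow", "no mailbox scopes")


def evaluate_payout(payout, vendor_master=VENDOR_MASTER):
    """Beneficiary must match the vendor master; large amounts need a second approver."""
    vendor = vendor_master.get(payout["vendor_id"])
    if vendor is None:
        return decide("hold", "vendor not in master")
    if (payout["account"], payout["ifsc"]) != (vendor["account"], vendor["ifsc"]):
        return decide("hold", "beneficiary differs from vendor master; call back on master number",
                      callback=vendor["callback"])
    if payout["amount_inr"] >= MAKER_CHECKER_ABOVE_INR:
        return decide("maker_checker", "amount above threshold; second approver plus PO/contract evidence")
    return decide("allow", "matches vendor master and below threshold")


HANDLERS = {"inbox_rule": evaluate_inbox_rule, "oauth_grant": evaluate_oauth_grant, "payout": evaluate_payout}


def evaluate(event):
    return HANDLERS[event["type"]](event)


# Constructed events: a CFO mailbox rule, an AP-team OAuth grant, and two payouts on one vendor.
EVENTS = [
    {"type": "inbox_rule", "user": "cfo@example.in", "match": "invoice",
     "forward_to": ["backup.cfo.mail@gmail.com"], "delete": True},
    {"type": "oauth_grant", "user": "ap@example.in", "app": "Mail Sync Pro", "publisher_verified": False,
     "scopes": ["User.Read", "Mail.ReadWrite", "offline_access"]},
    {"type": "payout", "vendor_id": "V-0042", "account": "99999999999", "ifsc": "ICIC0009999", "amount_inr": 5_800_000},
    {"type": "payout", "vendor_id": "V-0042", "account": "12345678901", "ifsc": "HDFC0001234", "amount_inr": 5_800_000},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event["type"], evaluate(event))
```

The two payouts are the point of the example: the same invoice amount is held when the beneficiary disagrees with the vendor master (the callback goes to the number on file, not the one in the email) and merely routed to maker-checker when it matches. Wire the same function to the M365 or Google admin audit feed and to the AP approval workflow so the policy is enforced, not just written down.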
4) Human-Centered Controls That Scale
Two playbooks only for non-security teams, plus quarterly drills:
- “Money Movement Request” (exact verification steps + who to call)
- “Account/Device Lost” (1930 + internal revocations)
- Realistic drills quarterly: deepfake voice scenario, OTP-bot call, invoice-change email.
5) Telemetry, Evidence, and Policy Feedback Loop
- Track Post-Delivery Catch Rate (PDCR), Time to Contain (TTC), and User Report to Remediation (URR).
- Centralize evidence (headers, DMARC alignment, link verdicts, QR detection) so each incident tightens a policy.
30-Day Implementation Plan (No Vendor Lock-In Required)
Week 1 – Baseline & Quick Wins
- Turn on DMARC p=none (monitor), fix SPF/DKIM alignment issues.
- Roll out passkeys to admin/finance + conditional access for risky logins.
- Publish the Finance playbook (callbacks + maker-checker + no QR from email).
Week 2 – Mailbox Visibility & Automation (Read-Only → Active)
- Connect API-based detection to M365/Gmail in read-only; baseline risky senders, threads, URLs, QR-in-image.
- Create auto-labels and soft quarantine for invoice and beneficiary-change phrases.
Week 3 – Enforcement on Known Bad
- Switch on auto-removal for high-confidence verdicts (spoofed domains, known kits, QR + payment intent).
- Enforce alphanumeric device passcodes + hidden previews on managed mobiles.
Week 4 – Measure & Iterate
- Move DMARC to p=quarantine, then p=reject, starting with the (sub)domains whose aggregate reports already show clean, aligned traffic.
- Run a deepfake drill with Finance & Execs; fix gaps surfaced by the exercise.
FAQ (What I’m Asked Most)
Q: We already have a secure email gateway. Why add API-based security? A: SEGs focus on pre-delivery. Modern phish weaponize after delivery (link swaps, thread hijacks). API access gives you continuous, post-delivery detection and instant removal across all mailboxes.
Q: Do I really need passkeys? A: If Finance/Admins can be phished, your company can lose money. Passkeys materially blunt OTP-bot success and credential replay.
Q: What’s the cheapest, highest-impact move this quarter? A: Enforce maker-checker on payouts, ship the Finance playbook, enable basic API detections in read-only, and move DMARC along the path to reject.
Make sure you don't get affected by phishing attacks
Phishing in India is no longer about sloppy misspellings: it’s AI-polished, instant-payment aware, and mailbox-native. Pair API-level visibility with payment SOPs and human drills and you’ll cut risk dramatically without slowing the business.
MailArmor is built for the India you operate in: API-first protection for Microsoft 365 and Google Workspace, post-delivery detection and auto-removal, and India-first guardrails (DPDP awareness, CERT-In aligned practices, Mumbai data residency options). It gives your team the two things that matter most: time back and money not lost.
If this playbook resonated, take the next step:
- Get on the early-access list to pilot MailArmor with your team.
- Bring your real mailflow: we’ll baseline risk, surface live gaps (QR/UPI abuse, VEC/BEC, OTP-bot fallout), and show the reduction in time-to-contain and post-delivery catch rate within your environment.
- No MX changes, no drama: connect via API, start in read-only, and move to safe automation as your confidence grows.
Join the early access now. One serious incident can cost more than a year of protection. Get ahead of it: deploy where attackers actually operate, inside the mailbox, after delivery.


