How to Spot Fake Websites and Phishing Emails

How Meera Lost 1.2 Lakhs to a Fake SBI Page

Meera Sharma is a school teacher in Jaipur. She is 34 years old. She teaches English and Social Science to Class 8 students at a government-aided school near Mansarovar. She has been using online banking for about four years, pays her electricity bill through the AVVNL portal, orders supplies from Amazon, and handles her PPF account through SBI’s internet banking portal without any trouble. She is not the kind of person you would picture falling for an internet scam. Her colleagues come to her when they have trouble with their phones. She is the one who set up the school’s WhatsApp group and taught three other teachers how to use Google Classroom during the pandemic.

On a Wednesday evening in February, while she was making dinner and her daughter was asking about a social science project, Meera received an SMS. The message said her SBI account had been temporarily locked due to suspicious login activity. It said she needed to verify her identity within 24 hours, or the account would be permanently restricted. There was a link at the bottom of the message.

She tapped the link.

The page that opened looked exactly like the SBI internet banking portal. Same blue colour scheme, same logo, same layout, same placement of the login fields. She typed in her customer ID and password. The page asked for her registered mobile number and date of birth. She entered those. Then the page displayed a message saying an OTP had been sent to her phone for verification. An OTP did arrive. She typed it into the page. The screen showed a brief loading animation, then displayed the text “Verification successful. Your account has been restored.” She went back to making dinner.

Forty minutes later, three debit alerts arrived on her phone in quick succession. 40,000 rupees. 40,000 rupees. 40,000 rupees. A total of 1,20,000 rupees transferred out of her savings account. She called SBI’s helpline immediately. The money had already been moved through two intermediary accounts. The URL she had tapped was sbi-onlinebanking-verify.com. The actual SBI internet banking portal is at onlinesbi.sbi. The difference was there in the address bar the entire time. She had not looked at it.

“I kept asking myself, how did I not see it? I use the internet every day. I help other people with their phone problems. But the message scared me, and the website looked so real. I just did not think to check the address.” – Meera Sharma

I see this mistake all the time. People blame themselves, as though they failed some intelligence test. They did not. Phishing works because it targets trust and urgency, not technical knowledge. The scammer who built that fake SBI page did not need to hack into Meera’s computer. He did not need to guess her password. He needed her to be distracted for thirty seconds. The SMS created panic. The fake website looked familiar. And in the gap between fear and verification, Meera handed over everything the scammer needed.

According to CERT-In (the Indian Computer Emergency Response Team), phishing was the single most reported category of cyber incident in India in 2024. It was ahead of malware. Ahead of ransomware. Ahead of network intrusions. The total financial losses from phishing run into hundreds of crores annually, and the victims span every age group, every education level, every income bracket. That SMS Meera received is called “smishing,” which stands for SMS phishing. There are other forms too: email phishing, voice phishing (called “vishing,” where someone calls you pretending to be your bank), and increasingly, phishing through WhatsApp messages and Telegram channels. The medium keeps changing. The underlying trick is always the same: pretend to be someone the victim trusts, create a sense of panic or urgency, and get the victim to hand over their credentials or money before they have time to stop and think about what they are doing.

Meera is not unusual. She is typical. And that is the part that people need to understand. This does not happen to careless people or to people who do not know how the internet works. It happens to people who are busy, or tired, or worried about something else at the moment the message arrives. If there is anything I want readers to take away from Meera’s experience, it is that the fix is not about becoming smarter. It is about building one specific habit: always check the URL before you type anything into a website. Always. Even when you are in a hurry. Especially when you are in a hurry.

Reading URLs, Checking Senders, and Why HTTPS Alone Means Nothing

If Meera had looked at the address bar before she typed her customer ID, she would have caught the scam. The URL is the single most reliable way to tell a real website from a fake one. A scammer can copy a bank’s visual design with pixel-level accuracy — the colours, the logo, the button placement, the fonts, even the footer text. But they cannot use the bank’s actual domain name. They have to register a different one, something that looks close enough to pass a quick glance. And that is where they are vulnerable, because domain names follow a fixed structure, and once you know how to read that structure, no amount of visual mimicry can fool you.

A URL is built like this: protocol://subdomain.domain.extension/path. Take the address https://www.onlinesbi.sbi/personal-banking. The protocol is “https.” The subdomain is “www.” The domain name is “onlinesbi.” The extension (also called the top-level domain) is “.sbi.” The path is “/personal-banking.” The part that tells you who actually owns and controls the website is the domain plus the extension. Everything before it (subdomains) can be set to anything by the domain owner. Everything after it (the path) is just a page within the site.

Scammers exploit this by putting the bank’s name in the subdomain, where people tend to look first, while the actual domain is something unrelated. So sbi.secure-login.com is not an SBI website. The domain there is “secure-login.com.” The “sbi” part is a subdomain that the owner of secure-login.com created. Anyone who owns a domain can create any subdomain they want. It costs nothing and takes seconds. The trick works because most people read URLs from left to right. They see “sbi” at the beginning and assume they are on the right site. To find the actual owner, you need to look at the part just before the first single forward slash after the protocol. That is the domain and extension. That is who you are actually talking to.

Common tricks I see over and over: replacing a letter with a number, like amaz0n.in (zero instead of the letter O); adding an extra word, like flipkart-india.com or paytm-secure.in; using a wrong extension, like hdfcbank.net.in instead of hdfcbank.com; or combining the bank name with generic security words, like sbi-netbanking.co.in instead of the actual onlinesbi.sbi. Some attackers take it further and use characters from other alphabets that look identical to Latin letters on screen. A Cyrillic letter “a” is visually indistinguishable from an English “a” in most fonts, but it is a different character, and it points to a different domain. This technique is called an IDN homograph attack. Modern browsers have built-in protections against it (they display the encoded form of the domain instead of the visual form), but those protections are not universal across all browsers and all situations.

The tricky part is that you cannot rely on the padlock icon or on HTTPS to tell you whether a site is legitimate. For years, security advice told people to “look for the padlock” and “check for https.” That advice made sense in 2008. It is outdated and actively dangerous now. HTTPS means the connection between your browser and the website is encrypted so that nobody can intercept the data while it is in transit. It says absolutely nothing about who is running the website at the other end. A scammer can get an HTTPS certificate in five minutes, for free, through services like Let’s Encrypt. According to the Anti-Phishing Working Group, over 80% of phishing sites now use HTTPS. The padlock means the pipe is secure. It does not mean the person on the other end of the pipe is your bank. Teaching people to trust the padlock as a sign of legitimacy actually makes them more vulnerable, because they see it on a phishing site and think they are safe.

For emails, the skill to develop is checking the actual sender address, not the display name. A scammer can set the display name in an email to “State Bank of India” or “HDFC Bank Security” or “Amazon Customer Service.” That name is arbitrary text and means nothing. What matters is the email address itself. Real SBI emails come from addresses ending in @sbi.co.in. Real HDFC Bank emails come from @hdfcbank.com. Real Amazon India emails come from @amazon.in. If the actual email address is something like “[email protected]” or “[email protected],” it is not from the bank. In Gmail, click the small downward arrow or the three dots next to the sender’s name to reveal the actual email address. On your phone, tap the sender name. It takes two seconds. Get into the habit of doing it for every email that asks you to click a link, verify your identity, or take any action on your account.

Before clicking any link in an email, hover your mouse over it (on a computer) or long-press it (on a phone). Your browser or email app will show you the actual destination URL. If the link text says “Click here to verify your SBI account” but the destination URL is something like “verify-sbi.xyz/login,” do not click. And look at the overall quality of the message. Awkward grammar, generic greetings like “Dear Customer” or “Dear User” instead of your actual name, mismatched fonts, low-resolution logos, strange spacing, text that reads like it was translated through multiple languages. Legitimate companies have design teams and professional writers. A message that looks hastily assembled probably was assembled in a hurry, by someone running a fraud operation out of a rented office, not by a bank with a 500-person marketing department.

Phishing Patterns Specific to India and How to Report Them

Certain phishing campaigns are designed specifically for Indian users, and they follow seasonal patterns that repeat every year. Fake bank account suspension messages targeting SBI, HDFC, ICICI, and Axis Bank customers run year-round, but they tend to spike around salary dates (the last week of the month) when people are more likely to check their accounts frequently. KYC expiry scams became widespread after the Reserve Bank of India and individual banks pushed for periodic KYC updates. The scam messages say “Update your KYC immediately or your account will be frozen” and link to a fake portal that harvests Aadhaar numbers, PAN details, bank account numbers, and login credentials. The real KYC process is done in person at the bank branch or through the bank’s own verified app. No bank sends a link for KYC verification through SMS.

Income tax refund phishing peaks between July and September, during and just after filing season. The messages claim you are owed a refund and provide a link to a replica of incometax.gov.in. The fake site asks for your bank account number, IFSC code, PAN, and Aadhaar to “process the refund.” The real Income Tax Department processes refunds automatically based on filed returns. It does not send links asking for bank details. If you are owed a refund, it shows up in your dashboard when you log into the official portal at incometax.gov.in, and the money is credited to the bank account you specified in your return.

Electricity bill disconnection scams have spread heavily through WhatsApp. A message arrives saying your power supply will be cut today unless you pay an overdue amount immediately. It includes a payment link or a phone number to call. Nobody wants their electricity disconnected, so people react before they verify. The actual process for electricity disconnection involves written notices delivered physically, not WhatsApp messages. Your electricity provider will not threaten instant disconnection through a chat app.

Fake delivery notifications are another common pattern. “Your package could not be delivered. Click here to reschedule.” These work because most people in urban India have at least one online order in transit at any given time. The link leads to a page that asks for your address, phone number, and sometimes a “redelivery fee” payment. There are also the prize and lottery scams: “Congratulations! You have won 25 lakhs in the Jio Lucky Draw.” These feel absurd to people who are familiar with internet scams, but they still catch first-time smartphone users, particularly older adults who received their first smartphone during the Jio rollout and are still learning to distinguish legitimate messages from fraudulent ones. I see this mistake all the time among parents and grandparents of people I know, and there is no shame in it. They are learning a new medium, and the scammers are targeting them precisely because of that learning curve.

The tricky part is that your browser can only protect you against known phishing sites. Chrome’s Safe Browsing feature (which you can enable at its strongest level by going to Settings > Privacy and Security > Security and selecting “Enhanced protection”) checks every URL you visit against a real-time database of known threats. If it matches, Chrome throws a full-screen red warning page. Firefox has an equivalent feature under Settings > Privacy & Security (look for “Block dangerous and deceptive content”) and make sure it is checked. Edge uses Microsoft SmartScreen, which is on by default. Safari has “Fraudulent website warning” under Preferences > Security. All of these catch a significant number of phishing sites. But new sites can operate for hours or even days before they are detected and added to the blocklists. A phishing page created today might not trigger a browser warning until tomorrow. That is why browser warnings are a safety net, not a substitute for checking the URL yourself.

When you encounter a phishing attempt, reporting it helps protect other people. In Gmail, click the three dots next to the reply button and select “Report phishing.” You can also submit fake URLs to Google’s Safe Browsing database at safebrowsing.google.com/safebrowsing/report_phish, or to the community-maintained PhishTank database at phishtank.org. For Indian authorities, there are three main channels. First, you can email CERT-In directly at [email protected] with the phishing URL and any screenshots. Second, you can file a report at cybercrime.gov.in, which is the national cybercrime reporting portal. Third, for financial fraud specifically, you can call 1930, which is the helpline run by the Indian Cyber Crime Coordination Centre (I4C), available 24 hours a day. If the phishing email or message impersonates a specific company, forward it to that company’s fraud team as well. SBI uses [email protected]. HDFC Bank uses [email protected]. Every report helps get scam domains taken down faster, and each takedown protects the next person who might have received the same message.

If you have already entered your credentials on a phishing site, or if money has already left your account, speed matters more than anything else. Call your bank’s fraud helpline first. The number is on the back of your debit card. For SBI, it is 1800-11-2211. For HDFC Bank, 1800-1600. For ICICI Bank, 1800-1080. Ask them to block the compromised account or freeze outgoing transactions. Change your internet banking password from the real website (type the URL yourself) or from the bank’s official app. Then file at cybercrime.gov.in or call 1930. File an FIR at your local police station with screenshots of the phishing message, the fake URL, and any transaction details. Banks are required to resolve fraud complaints within 30 days under RBI guidelines. If they do not, escalate to the RBI Ombudsman at cms.rbi.org.in.

Meera filed a complaint within two hours. Called SBI the same night. Went to the police station the next morning. She got about 40% of her money back after four months. She now checks URLs with the kind of attention she used to reserve for exam papers. She told me last month that she has become the person in her school’s WhatsApp group who warns everyone about suspicious links. I think that counts for something.