How to Secure Your Email from Phishing Attacks
A colleague lost Rs 4.7 lakh to a single phishing email that looked exactly like an SBI alert. Here's how to spot the fakes, lock down your inbox, and make sure you're not the next easy target.

Last November, a friend of mine — a software engineer in Pune, someone who should've known better — clicked a link in an email that looked exactly like an SBI account verification notice. Within forty minutes, Rs 4.7 lakh had moved out of his savings account through a chain of UPI transfers. He didn't get a single rupee back. The email had SBI's logo, correct formatting, even a plausible sender name. The only giveaway was a domain that ended in .co instead of .co.in. That's all it took.
I've been thinking about that incident a lot, mostly because it could've happened to me. It probably could've happened to you. Phishing isn't some abstract cybersecurity topic reserved for IT departments — it's the single most common way people in India lose money online right now. CERT-In logged over 500,000 phishing complaints in 2025. That number, by most estimates, represents maybe a tenth of actual incidents because so many go unreported. And the attacks keep getting better. They've moved way past the old "Nigerian prince" format. Today's phishing emails are polished, localized, and designed specifically to exploit Indian banking habits, payment apps, and government services.
So let's talk about what actually works for keeping your email safe. Not the generic advice you've already heard a thousand times, but the stuff that makes a real difference when someone's actively trying to steal from you.
How Phishing Emails Reach You
The first thing to understand is how these emails get to you in the first place. Attackers don't just blast random addresses anymore — though some still do. The more effective ones buy leaked databases from previous breaches. If your email was in the MobiKwik leak from a few years back, or the Domino's India breach, or any of the dozens of smaller incidents, your address is floating around on Telegram channels and dark web marketplaces. Paired with your name, phone number, maybe your approximate location, attackers can craft emails that feel personal. An email that says "Dear Customer" is easy to dismiss. One that says "Dear Rajesh, regarding your HDFC account ending in 4523" is a different story entirely. That specificity comes from data already compromised in earlier breaches.
Here's the thing people get wrong about phishing: they think it's about technology. It isn't, not really. The technology is just the delivery mechanism. Phishing is about psychology — about catching you in a moment when you're distracted, anxious, or in a hurry. The email arrives at 6 PM on a Friday claiming your PAN card has been flagged for irregularities by the Income Tax Department. You're tired, you're worried, and you click before you think. That two-second window of panic is what the attacker is banking on. Literally.
The Psychology of Phishing Attacks
So the most important defense isn't a tool or a setting — it's a habit. When you get an email that asks you to do something urgently, stop. Close the email. Open a separate browser tab and go directly to the website of whatever organization supposedly sent it. Don't click the link in the email. Don't even copy-paste the URL. Type it yourself. If there's genuinely a problem with your bank account or your tax filing or your Aadhaar, you'll find out by logging in directly. This one habit, if you actually follow it consistently, blocks probably 80% of phishing attempts on its own.
But habits aren't perfect, and we all have bad days. That's where technical defenses come in, and the single most impactful one is two-factor authentication — 2FA. If you haven't turned this on for your email account, stop reading this and go do it right now. Gmail, Outlook, Yahoo — they all support it. The idea is straightforward: even if an attacker gets your password through a phishing page, they still can't log into your account without the second factor. Now, there's a catch. SMS-based OTP, which is what most Indians default to, isn't great. SIM-swap fraud has been growing in India since at least 2023, and it's surprisingly easy for attackers to get a duplicate SIM issued in your name through social engineering at a telecom store. Authenticator apps — Google Authenticator, Microsoft Authenticator, or Authy — are significantly more secure because the codes are generated on your physical device and can't be intercepted remotely. If your email provider supports hardware security keys like YubiKey, even better, though that's probably overkill for most people.
Essential Technical Defenses
Let me get into something that doesn't get talked about enough: email client settings. Most people use Gmail's web interface or the default mail app on their phone and never touch the settings. But there are a few things buried in there that can help. In Gmail, go to Settings, then "Forwarding and POP/IMAP." Make sure no forwarding address has been set up that you don't recognize — this is a common post-compromise tactic where attackers set up silent forwarding of all your emails to their address. Also check "Filters and Blocked Addresses" for any rules you didn't create. Attackers sometimes set up filters that automatically delete security alerts so you won't notice they're in your account. These are five-minute checks that can catch a compromise early.
Password managers deserve a mention here because they protect against phishing in a way most people don't realize. When you use a password manager like Bitwarden or 1Password, the autofill only works on the correct domain. If a phishing page is hosted at sbi-secure-login.com instead of onlinesbi.sbi.co.in, the password manager won't offer to fill in your credentials. That mismatch acts as an automatic warning. Contrast this with typing your password manually — you're not going to carefully compare URLs every single time, but the password manager does it for you without fail. Bitwarden's free tier is genuinely good enough for personal use, and it works on Android, iOS, and all major browsers.
There's a newer category of phishing that specifically targets Indian users and it's worth its own discussion: WhatsApp and SMS phishing that drives you to email. You get a text saying "Your electricity bill payment failed, check email for details." Then you open your inbox already primed to look for that email, and there it is — a beautifully crafted fake from "BSES Rajdhani" or "Tata Power." The multi-channel approach makes it feel more legitimate because the information seems to be coming from two independent sources. It isn't. Both the SMS and the email are from the same attacker. Being aware that this pattern exists is itself a defense.
Domain spoofing has gotten alarmingly sophisticated. In early 2025, there was a wave of phishing emails impersonating DigiLocker that used internationalized domain names — replacing the English letter 'i' with a visually identical character from a different script. The URLs looked perfect to the naked eye. This is where email authentication protocols matter, and while you as an individual can't set them up for banks and government services, you can check whether incoming emails pass authentication. In Gmail, click the three dots on any email and select "Show original." Near the top you'll see lines labelled SPF, DKIM, and DMARC. If any of these say "FAIL," the email is almost certainly spoofed, regardless of how legitimate it looks. It takes ten seconds to check, and it's close to foolproof against a forged sender address. One caveat: a PASS only proves the message really came from the domain shown in the From line, so read that domain carefully too. A lookalike domain the attacker registered themselves, like the .co instead of .co.in in my friend's case, will pass all three checks.
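An added example (my own script, not the author's and not any mail provider's tool) that automates the two checks from the last few paragraphs: it reads the Authentication-Results header the way "Show original" exposes it and flags any of SPF, DKIM or DMARC that did not pass, then compares the sender's domain against the domain you expected using the same exact-domain matching a password manager relies on, and flags non-ASCII or punycode (IDN) labels of the kind used in the DigiLocker wave. The raw message, the lookalike domain and the IP address are constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr
import re

# Constructed sample raw message, shaped like what Gmail's "Show original" displays:
# the sender domain is a lookalike (.co, not .co.in) and DKIM and DMARC fail.
SAMPLE_RAW = """\
Authentication-Results: mx.google.com;
       dkim=fail header.i=@sbi.co;
       spf=pass (google.com: domain of alerts@sbi.co designates 203.0.113.5 as permitted sender) smtp.mailfrom=alerts@sbi.co;
       dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=sbi.co
From: SBI Alerts <alerts@sbi.co>
Subject: Urgent: verify your account
"""

# Matches the mechanism=verdict tokens inside an Authentication-Results header.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

def auth_results(raw):
    """Return e.g. {'spf': 'pass', 'dkim': 'fail', 'dmarc': 'fail'} from the headers."""
    msg = message_from_string(raw, policy=policy.default)
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(hdr)):
            results[mech.lower()] = verdict.lower()
    return results

def from_domain(raw):
    """Domain part of the From address, lower-cased."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    return addr.rsplit("@", 1)[-1].lower()

def domain_matches(actual, expected):
    """Password-manager style match: the expected domain or a subdomain of it, never a lookalike."""
    return actual == expected or actual.endswith("." + expected)

def looks_like_homograph(domain):
    """Flag punycode (xn--) labels or non-ASCII characters, as in IDN lookalike domains."""
    return "xn--" in domain or any(ord(c) > 127 for c in domain)

def triage(raw, expected_domain):
    """Collect the reasons a message should be treated as suspicious (empty list = clean)."""
    flags = []
    res = auth_results(raw)
    for mech in ("spf", "dkim", "dmarc"):
        if res.get(mech) != "pass":
            flags.append(f"{mech} did not pass ({res.get(mech, 'missing')})")
    dom = from_domain(raw)
    if looks_like_homograph(dom):
        flags.append(f"sender domain {dom!r} uses non-ASCII or punycode characters")
    if not domain_matches(dom, expected_domain):
        flags.append(f"sender domain {dom!r} is not {expected_domain!r}")
    return flags
```

Paste the full "Show original" text into SAMPLE_RAW and call `triage(SAMPLE_RAW, "sbi.co.in")` with the domain you actually expect; anything it returns is a reason to go to the bank's site directly instead of clicking.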
What to Do After a Phishing Attack
Let's talk about what happens after you've been phished, because pretending it'll never happen isn't realistic. If you've entered credentials on a suspicious page, immediately change the password for that account from a different device — not the one you clicked the link on, because it might have malware. Then go through your account's security settings and revoke all active sessions. In Gmail, scroll to the bottom of your inbox and click "Details" under "Last account activity" to see all devices currently logged in. Kick out anything you don't recognize. Change passwords for any other accounts where you used the same password. Yes, password reuse is still surprisingly common, and attackers know it — they'll try your compromised credentials across banking sites, social media, and shopping platforms within minutes.
For financial losses, time matters enormously. Call your bank's fraud helpline immediately — not the number in the phishing email, obviously, but the one on the back of your debit card or on the bank's verified website. Under RBI guidelines from 2017, if you report unauthorized transactions within three working days, your liability is capped at Rs 25,000 for most account types. Wait longer, and the bank has much less obligation to refund you. File a complaint on the National Cyber Crime Reporting Portal at cybercrime.gov.in and note the complaint number. Also consider filing a complaint with your local cyber crime police station — the online portal alone sometimes doesn't get fast action.
QR code phishing — sometimes called "quishing" — has become another vector worth knowing about. You'll find QR codes on restaurant menus, parking meters, and event posters across Indian cities. Attackers have started placing fake QR code stickers over legitimate ones, redirecting scans to phishing sites. A similar technique has been used in phishing emails — instead of including a clickable link that email filters might catch, the attacker embeds a QR code image that the recipient scans with their phone, bypassing desktop-level email security entirely. Since QR codes are opaque (you can't tell where they point just by looking at them), they're a near-perfect phishing delivery mechanism. The only defense is being cautious about scanning QR codes from untrusted sources and checking the URL your phone resolves to before entering any information.
There's a particularly nasty phishing variant I've seen targeting small business owners and freelancers in India. The email claims to be from the GST Network or the Income Tax e-filing portal, saying there's a discrepancy in your returns. It includes an attachment labeled as a "notice" — usually a PDF that either contains malware or links to a credential-harvesting page. These work because the anxiety around tax compliance in India is very real, and the attackers know that a small business owner who gets a supposed IT department notice at 11 PM isn't going to wait until morning to check. If you ever get something like this, remember: the Income Tax Department doesn't send notices via random emails with attachments. They send them through your registered e-filing account. Same with GST notices — they come through the GST portal. Anything that arrives outside those channels should be treated as suspicious by default.
Advanced Phishing Techniques to Watch For
I should probably mention anti-phishing browser extensions since they can catch things you miss. Netcraft's extension and Bitdefender TrafficLight both maintain real-time databases of known phishing URLs and will block the page before it loads. They're free, lightweight, and don't noticeably slow down browsing. They won't catch brand-new phishing pages that haven't been reported yet, but they'll catch the majority of campaigns since most phishing infrastructure gets reused across multiple attacks. Think of them as a safety net, not a primary defense.
One more thing that might seem minor but actually matters: separate your email accounts by purpose. Have one email for banking and financial services, another for shopping and subscriptions, and a third for general use and social media. If your shopping email gets leaked in a data breach — and it probably will eventually — your banking email remains uncompromised. This limits the blast radius of any single incident. It's a small amount of extra management for a meaningful reduction in risk. Keep the banking email strictly private — don't use it to sign up for anything, don't share it with anyone who doesn't need it.
India-Specific Phishing Threats
There's something I haven't touched on yet that specifically affects Indian users: language-based phishing. English-language phishing emails are the ones that get talked about most, but there's a growing wave of phishing in Hindi, Tamil, Telugu, Bengali, and Marathi targeting users who primarily operate in regional languages online. These emails mimic government portals like the PM-KISAN scheme, state electricity boards, regional transport offices, and state-level welfare programs. The grammar in these emails tends to be better than you'd expect because attackers are now using AI translation and generation tools that produce natural-sounding regional language content. A phishing email in Hindi claiming to be from the UP Power Corporation about an overdue electricity bill is going to catch a lot of people who might be more skeptical of an English-language email from "Microsoft Support." If you have family members who primarily use the internet in a regional language, this is worth a conversation with them — the same principles apply regardless of language, but awareness of the threat is lower among non-English internet users in India.
Workplace phishing deserves a separate mention because the stakes are often higher and the attacks are more targeted. Business Email Compromise — BEC — is a category of phishing where the attacker specifically researches an organization, identifies key personnel, and crafts emails that mimic internal communications. An email that appears to come from your company's HR department asking you to update your bank details for salary disbursement. A message from "IT Support" asking you to reset your password through a provided link. An email from the "CEO" asking a finance team member to process a payment urgently and confidentially. These attacks work because they exploit organizational trust and hierarchy — in many Indian workplaces, questioning an email that appears to come from a senior authority figure isn't culturally comfortable. Companies can mitigate this with technical measures like DMARC enforcement on their email domains, but the human element requires active training and a culture where verifying unusual requests is seen as diligent rather than insubordinate.
Practical Steps You Can Take Today
Email forwarding scams have been increasingly reported in India since late 2025. The attacker gains access to someone's email account — often through a phishing attack on that person — and then sets up a forwarding rule that silently copies all incoming emails to the attacker's address. The victim has no idea their emails are being mirrored. The attacker then monitors the forwarded emails, waiting for something valuable: a bank statement, a tax document, a business contract, an OTP that gets sent via email. This can go on for weeks or months. The way to check for it is straightforward but nobody does it routinely: in Gmail, go to Settings, click on "Forwarding and POP/IMAP," and verify no forwarding address is set that you don't recognize. Also check "Filters and Blocked Addresses" for any filter rules you didn't create. If you find either, someone has already been in your account. Change your password immediately from a different device and review all your security settings.
I'll be honest: you can do everything right and still get caught by a really well-crafted phishing email. The technology gap between attackers and defenders isn't closing, and AI-generated phishing content is making the emails harder to distinguish from legitimate ones. But the goal isn't perfection — it's making yourself a harder target than the next person. Attackers, like most people, take the path of least resistance. If your accounts have 2FA, your passwords are unique and managed, you check email headers when something feels off, and you never click links in urgent messages, you've made yourself dramatically harder to phish than the average Indian internet user. That's the realistic goal.
Your one next step today: open your primary email account, go to security settings, and turn on authenticator-app-based 2FA if you haven't already. That single action, done right now, is worth more than everything else in this article combined.
Written by
Vikram Singh, Cybersecurity Consultant
Vikram Singh is a certified ethical hacker and cybersecurity consultant who has helped secure systems for major Indian banks and government agencies. He writes about practical security measures for everyday Indian internet users.