How to Identify Phishing Attacks: Complete Guide

Recognise phishing emails, SMS, and fake websites. Real examples and what to do if you clicked a phishing link.

What Is Phishing?

Phishing is a cyberattack where criminals impersonate trusted organisations — banks, government agencies, popular websites — to trick you into revealing credentials, financial information, or downloading malware.

The term "phishing" uses "ph" because early hackers (phreakers) used this spelling as slang. Modern phishing is highly sophisticated — some attacks are nearly indistinguishable from legitimate communications.

Common Phishing Scenarios in India

Bank phishing: "Your HDFC account has been suspended. Click here to verify." Links to a site that looks identical to HDFC's website but captures your login credentials.

KYC fraud: "Your Paytm/PhonePe/bank KYC is incomplete. Your account will be blocked. Call this number or click this link." The caller or page often asks for your OTP, which lets criminals access your account.

Income tax fraud: "You are entitled to a tax refund of Rs 12,450. Submit your bank details to receive your refund." Tax refunds in India are not issued by submitting bank details through a link.

Job offer fraud: "Congratulations! You have been selected for a job at [major company]. Pay Rs 5,000 training fee to confirm your position."

Red Flags That Indicate Phishing

Urgency: "Your account will be closed in 24 hours." Real organisations rarely create artificial urgency.

Generic greetings: "Dear Customer" instead of your actual name.

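Suspicious domain: The link goes to hdfc.account-verify.com, not hdfc.com. Always check the actual domain: in that address the site is account-verify.com, and "hdfc" is only a subdomain label that its owner chose.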

Request for OTP: No legitimate organisation asks for your OTP over phone or email. Never share OTPs.

Unexpected attachment: Especially .exe, .zip, or .doc files from unexpected senders.

Grammar and spelling errors: Professional organisations proofread communications.
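
The "Suspicious domain" check above can be automated. The following is an added example, not part of the original guide: it extracts the host a link really points to and compares it with an expected domain. The trusted list, the function names, and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hdfc.com is the expected domain, as in the guide's example.
TRUSTED = {"hdfc.com"}


def link_host(url):
    """Return the host a browser would actually connect to ('' if unparseable)."""
    if not re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", url):
        url = "https://" + url          # bare "hdfc.com/login" style links
    try:
        # .hostname drops any "user@" prefix and the port, so the text
        # before an "@" never counts as the destination.
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def check_link(url, trusted=TRUSTED):
    """Classify a link as 'trusted' or give the reason it is suspicious."""
    host = link_host(url)
    if not host:
        return "suspicious: no readable host"
    # Exact match, or a subdomain ending in ".<trusted domain>".
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    if not host.isascii() or "xn--" in host:
        return "suspicious: non-ASCII or punycode host (possible lookalike letters)"
    brands = {d.split(".")[0] for d in trusted}      # e.g. "hdfc"
    if brands & set(host.split(".")):
        return "suspicious: brand name used as a subdomain of another domain"
    return "suspicious: not an expected domain"


# Constructed sample links, not taken from real messages.
if __name__ == "__main__":
    for link in ["https://hdfc.com/login",
                 "https://netbanking.hdfc.com/",
                 "http://hdfc.account-verify.com/kyc",
                 "https://hdfc.com@account-verify.com/",
                 "https://hdfc.com.account-verify.com/",
                 "https://nothdfc.com/",
                 "https://hdf\u0441.com/"]:      # Cyrillic letter in place of "c"
        print(f"{link_host(link):32} {check_link(link)}")
```

The comparison uses the full host with a leading dot, so nothhdfc-style names that merely end in the same letters are not accepted as subdomains.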

What to Do If You Clicked a Phishing Link

Change the compromised account password immediately from a different device. If banking credentials were entered, call your bank's official number and report immediately. Enable 2FA if not already active. Run a malware scan on your device. Report to CERT-In (India's cyber security authority) at incident@cert-in.org.in.

Frequently asked questions

How do I know if an email is phishing?

Check: Is the sender domain exactly correct (not a lookalike)? Does it create urgency? Does it ask for credentials, OTP, or payment? Hover over links to see the actual URL. When in doubt, go directly to the company website by typing the address rather than clicking links.

My bank is asking for my OTP on a call — what should I do?

Hang up immediately. No legitimate bank, government agency, or company will ever ask for your OTP over phone or email. OTPs are one-time codes only you should see. Call your bank's official number (from the back of your card) if you are concerned.
