Phishing, Spoofing & Social Engineering: The Human Side Of Cyber Risk

By Ankit Sharma

Rajesh from Bengaluru still remembers the voice. Calm and authoritative. "Sir, I'm calling from the Cyber Crime Cell. There's a money laundering case linked to your Aadhaar number. We need to verify your details immediately."

For the next three hours, Rajesh sat in front of his laptop on a video call, watching what looked like an official police investigation room. Officers in uniform walked past in the background. Documents with government seals flashed across his screen. By the time he realised something was wrong, ₹18 lakhs had disappeared from his account.

Welcome to the world of "digital arrest", India's newest nightmare. And Rajesh wasn't alone. Indians lost nearly Rs 2,000 crore to these scams in 2024 alone, with over 1.23 lakh cases reported. That's three times more than 2022.

The thing is, Rajesh isn't some technologically challenged uncle who forwards "good morning" messages. He's a 42-year-old software engineer working in the Silicon Valley of India. He knows about malware and antivirus software. But none of that mattered when fear kicked in.

It's Not About Technology Anymore

The weakest link in any security system isn't the firewall or the password. It's us. Always has been, probably always will be.

Phishing, spoofing, social engineering, these fancy terms that basically mean the same thing: tricking humans into doing things they shouldn't. And business is booming. India saw 135,173 financial phishing attacks in just the first six months of 2024. 

Think about how these scams actually work. Nobody's breaking through firewalls or cracking complex codes. They're just talking to people convincingly. That fake "Your package is waiting" SMS? Phishing. The call from someone who sounds exactly like your boss, asking you to transfer money urgently? Spoofing and social engineering. The WhatsApp message that perfectly mimics HDFC Bank's format and knows your last transaction amount? All of the above.

What’s scary, you ask? They're getting really good at this.

Why Smart People Fall For Dumb Tricks

It is exhausting to be vigilant all the time.

Count how many messages you get daily. WhatsApp pings, SMS alerts, email notifications, app updates, bank OTPs, delivery confirmations, work emails, family group forwards. It's easily 50-100 things screaming for your attention.

Scammers leverage this fatigue. They're counting on it. That moment when you're tired, distracted, or just mentally done for the day, that's when they strike.

Research shows social engineering played a role in 17% of data breaches last year. The average cost of a phishing-related breach? $4.88 million. But here's the kicker. In 98% of those cases, it wasn't a technology failure. Someone just clicked something they shouldn't have.

And before you judge Rajesh or anyone else who's fallen for these scams, understand that these aren't the old "You have won a BMW" emails anymore. Today's phishing attempts are sophisticated. Perfect grammar (thanks to AI). Real logos. Actual details about your life pulled from social media or previous data breaches. They know where you work, who your colleagues are, and what you bought last week on Amazon.

Plus, they're weaponising our culture against us. That instinctive respect for authority figures? They pose as police officers, CBI officials, or bank managers. Our willingness to help others? They pretend to be colleagues in urgent trouble. The fear of legal consequences? They threaten arrest or account freezing.

Add to this our specific vulnerabilities: WhatsApp has become everyone's everything, personal chats, work discussions, random forwards, and payment confirmations. The line between legitimate and fake has blurred completely. 

So What Do We Actually Do?

The solution isn't complicated, but it requires fighting our own instincts.

First, slow down. I know, everything feels urgent. But here's the truth: if it's really urgent and really legitimate, they won't mind you taking two minutes to verify. Two minutes could save you years of financial trauma.

Second, recognise urgency as a weapon. Real banks don't threaten to freeze your account in the next two hours. Real government agencies don't ask for immediate payment to avoid arrest. Real colleagues don't send cryptic late-night messages demanding urgent action. If someone's trying to panic you into acting fast, that panic is your cue.

Third, understand that no legitimate organisation, none, will ask you to share your password, OTP, or PIN. Not your bank, not the police, not even god himself if he decided to start a WhatsApp channel. These are the keys to your financial kingdom. Guard them like your life depends on it, because financially, it does.

Fourth, create a verification habit. Before clicking any link, hover over it (on desktop) or long-press it (on mobile) to see where it actually goes. Does hdfc-bank-security.xyz sound like a legitimate HDFC website to you? Check sender email addresses carefully; supportamazon@gmail.com isn't Amazon, no matter how official the email looks.

The Uncomfortable Truth

I wish I could end this with "just follow these steps and you'll be safe forever." But that's not how this works. The scammers are getting smarter. AI is making voice cloning scarily easy. Deepfakes are becoming indistinguishable from reality.

But here's what I can tell you. Awareness matters. That moment of doubt before you click? That hesitation before sharing information? That instinct to verify? These aren't signs of technological incompetence. They're signs of wisdom.

We're all going to make mistakes. The goal isn't perfection, it's building enough scepticism and verification habits that when we do slip up, it's not catastrophic.

(The author is the Senior Director and Head - Solutions Engineering, Cyble)

Disclaimer: The opinions, beliefs, and views expressed by the various authors and forum participants on this website are personal and do not reflect the opinions, beliefs, and views of ABP Network Pvt. Ltd.