Phishing

Why You Will Click the Phishing Link (And How to Stop)

A practitioner's guide to phishing in India. Why smart people fall for it. Five concrete steps to protect yourself and your family from today onward.

CyberSathi Desk · AI-assisted · editorially reviewed

The Thing About Phishing

Phishing is not a failure of intelligence. It is a failure of attention at the exact moment when attention is rarest — when you are tired, in a hurry, or your phone battery is at 8 percent.

I say this because I have been on both sides. Years ago, I received an email that looked like it came from ICICI Bank. The sender address was icici.secure.alert@icici-updates.net. A reasonable person would have noticed the hyphen where a dot should be. I did not. I was between meetings. I had three unread messages in a work chat. I clicked.

Nothing happened that day. But the link I clicked registered my IP, my device type, and the fact that the email was opened from a Mumbai office building. That information was later used to construct a more targeted attack. I was lucky. Others are not.

How Phishing Actually Works in India

Let me walk you through what happened to Priya — a name I have changed, but the sequence is real.

It began with a WhatsApp message. Not email. WhatsApp. The message said: "Dear Customer, your UPI ID has been locked due to suspicious activity. Verify here: bit.ly/icici-verify"

Priya had used ICICI's UPI app that morning. The message felt urgent. The URL had been shortened — she could not see the actual destination. She clicked.

The next page looked like the ICICI login screen. Pixel-perfect. Same blue logo. Same serif font. Same button placement. She entered her user ID and password. The page then asked for her OTP. She typed it in — all six digits.

Within ninety seconds, ₹45,000 was transferred out of her account to an unknown UPI handle. By the time she realized something was wrong — when her phone buzzed with a debit alert — the money was gone. The transfer had already been processed through NPCI rails. There was no pause button. There was no verification call. There was just a confirmation message to her UPI ID, which the scammer now controlled.

When Priya called the bank, the support agent told her: "You should not have entered your OTP." As if she had failed a test. As if the bank had not failed to implement a second factor of authentication that actually works.

But here is the real problem: the attacker did not just take ₹45,000. They had also captured her password. For two weeks after, they logged into her account from different cities — Mumbai, then Bengaluru, then back to Delhi — testing what else they could access. They never touched her savings account. They were mapping her financial footprint for a larger, slower attack.

Why Phishing Works

Phishing works because three things are true at once:

First, the attacker knows something real about you. They know you use ICICI. They know you use UPI. They may know your first name, your phone number, the city where your office is. This information came from a data breach — not necessarily a bank breach, but a breach of a website you signed up for five years ago and forgot about. A healthcare startup. A fitness app. A job portal. The attacker buys this data for ₹500 on a Telegram channel, then sends the message to a million phone numbers. One percent click. That is 10,000 people. Five percent of those enter their login details and the OTP. That is 500 credentials. Fifty of those end in an actual transfer. At ₹45,000 each, that is ₹22.5 lakh in a single afternoon.

The math is so good that a failure rate above 99.99 percent is still profitable.

Second, urgency is real. A locked account is genuinely frightening. The message says "suspicious activity" — which is true sometimes. Banks DO lock accounts. This is not a lie mixed with truth. It is pure truth, deployed as a weapon. The attacker is not inventing a problem. They are borrowing a real problem that already exists in your mind.

Third, the interface is native. The phishing page does not look like it was designed in a basement in Novosibirsk. It looks like it was designed in ICICI's Mumbai office. The colors match. The fonts match. The button text matches. Your brain sees familiar things and stops checking. This is how cognition works. We do not verify every detail of a familiar environment. We assume. The attacker is betting on your assumption.

The Hard Truth

There is a moment — maybe two seconds long — where you can still step back. You have opened the message. You have read it. You have felt the spike of fear. You are moving your thumb toward the link.

In that moment, most advice fails.

Yes, banks tell you: "Never click links in messages." Then why do they send you messages with links? Customers have learned that ICICI sends SMS messages with links. This advice is not useless, but it is not enough. It is like telling someone not to trust strangers, then having most of their interactions be with strangers who are trustworthy.

Yes, security experts say: "Check the URL." But URLs can be spoofed, shortened, internationalized. A hostname like icici.secure-alert.net is not the bank, and neither is icici-secure-alert.net: what decides where the link goes is the registered domain at the end of the hostname, not the familiar word at the front. Your eye will not parse that in two seconds, especially on a 5-inch screen, especially under stress.
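What "check the URL" means when done carefully, as an added example for this article (not code from CyberSathi, ICICI Bank or any other organisation). Everything in it is illustrative: the allowlist entry icicibank.com stands in for whatever domain your own bank really uses, the shortener list and the homoglyph table are hand-picked and not exhaustive, and "registrable domain" is approximated as the last two DNS labels rather than by consulting the Public Suffix List. It works on the URL text alone, offline, and covers the four tricks the paragraph names: lookalike domains, shortened links, internationalized hostnames, and the brand name placed where it does not belong.

```python
"""Classify a link the way a careful reader would, but in code.

Added example for this article; not code from CyberSathi, ICICI Bank or
any other organisation. All constants below are assumptions chosen for
illustration (see the lead-in).
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"icicibank.com"}                         # assumption: your bank's real domain
BRAND_TOKENS = ("icici",)                                   # the word a lookalike will imitate
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly"}   # constructed list, not exhaustive
# Cyrillic а е о р с у х і, which render like Latin a e o p c y x i (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                            "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"})


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption: no Public Suffix List)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_forms(host: str) -> tuple:
    """Return (ascii_form, unicode_form) so a raw Unicode hostname and its
    'xn--' punycode spelling are judged the same way."""
    try:
        ascii_form = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = host
    try:
        unicode_form = ascii_form.encode("ascii").decode("idna")
    except UnicodeError:
        unicode_form = ascii_form
    return ascii_form, unicode_form


def inspect_link(raw: str) -> dict:
    """Classify one link as trusted, suspicious, unverifiable or unknown,
    with the reasons, using nothing but the URL text (no network access)."""
    url = raw.strip()
    if "://" not in url:
        url = "http://" + url            # SMS and WhatsApp links often omit the scheme
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return {"verdict": "malformed", "host": "", "domain": "", "reasons": [str(exc)]}
    host = parts.hostname or ""          # urlsplit already lower-cases the hostname
    ascii_host, unicode_host = host_forms(host)
    domain = registrable_domain(ascii_host)
    reasons = []

    # https://icicibank.com@evil.net/ : the text before '@' is a username, not the host
    if parts.username:
        reasons.append(f"'{parts.username}' before '@' is a username; the real host is {ascii_host}")
    # Internationalized hostname: what is displayed is not what DNS resolves
    if ascii_host != unicode_host:
        reasons.append(f"non-ASCII hostname: shows as {unicode_host}, resolves as {ascii_host}")
    # Shortened link: the destination is hidden, so nothing about it can be verified
    if domain in SHORTENERS:
        reasons.append(f"shortened via {domain}: destination hidden")
        return {"verdict": "unverifiable", "host": ascii_host, "domain": domain, "reasons": reasons}
    if domain in TRUSTED_DOMAINS:
        if parts.scheme != "https":
            reasons.append("trusted domain but not HTTPS")
        verdict = "trusted" if not reasons else "suspicious"
        return {"verdict": verdict, "host": ascii_host, "domain": domain, "reasons": reasons}
    # Brand name anywhere in the link while the registrable domain is not trusted, e.g.
    # icici-updates.net, icici.secure-alert.net, icicibank.com.evil.net, or a Cyrillic lookalike
    skeleton = "/".join([unicode_host.translate(HOMOGLYPHS), parts.username or "", parts.path]).lower()
    if any(token in skeleton for token in BRAND_TOKENS):
        reasons.append(f"'{domain}' is not a trusted domain, yet the link imitates the brand")
    return {"verdict": "suspicious" if reasons else "unknown",
            "host": ascii_host, "domain": domain, "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples, including the two links quoted in the article above.
    samples = ["bit.ly/icici-verify", "https://icici-updates.net/secure",
               "https://icici.secure-alert.net/verify", "https://icicibank.com@evil.net/",
               "https://\u0456\u0441\u0456\u0441\u0456.com/login",   # Cyrillic 'icici'
               "https://secure.icicibank.com/login"]
    for link in samples:
        result = inspect_link(link)
        print(f"{result['verdict']:12} {link}")
        for reason in result["reasons"]:
            print(f"{'':12}   - {reason}")
```

The point of the skeleton step is the one the paragraph makes: the brand word is the bait, and the only thing that matters is the registered domain at the end. Anything shortened is reported as unverifiable rather than safe, because the checker has no way to see where it lands.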

Yes, the RBI now requires banks to implement a second authentication factor. But that factor is an OTP sent to the same phone number where the phishing message arrived, and an OTP typed into the attacker's page is simply forwarded to the real bank while it is still valid. The attacker is asking you to type in a code that proves you are you, and you do, because the request looks legitimate.

Where does that leave the victim? On hold with the bank. Listening to a hold tone. Waiting for a fraud investigation that will take three weeks. Being told that "unauthorized transactions" are the bank's responsibility — but only if you report them within a certain time, and only if you can prove you did not authorize them, which you did, even though you did not mean to.

What Actually Works

None of this is a reason to give up. But it is a reason to be honest about what protects you.

The first protection is still the oldest one: do not click links in unexpected messages. This includes email. This includes SMS. This includes WhatsApp. When you feel the urgency, that is when you need to slow down. If your bank account is really locked, you can call the bank yourself using a number from a card in your wallet or a number you find by going to the bank's website directly — not by clicking a link. This takes 30 seconds longer. It is worth it.

The second protection is app-based, not link-based. If you have ₹45,000 in a bank account linked to UPI, use the official banking or UPI app to check its status. Not a link. Not an email. The app. Yes, the app can be compromised. But it is harder to compromise than a web page that anyone can copy pixel for pixel. Harder is not the same as safe, but it is the direction that safety lies.

The third protection is assuming malice, not stupidity. If an email has a typo or an unusual sender address, assume it is intentional, not a mistake by the bank's IT department. If a message asks you to "verify" your information, assume the person asking has it wrong, not you. If a request comes from a place you trust but through a channel that feels off, call them directly using their main number.

The fourth protection is keeping your passwords strong and unique. If you use the same password for ICICI as you do for Hotmail, and Hotmail gets breached, then the attacker has access to your bank. A password manager like Bitwarden or 1Password costs nothing or ₹999 a year and remembers 100 different passwords so you do not have to. This is not optional for you if you have more than ₹50,000 in any online account.

The fifth protection is telling someone. If you click a phishing link, do not sit with it. Tell your bank within 30 minutes. Change your password within the hour. Check your account activity for the next two weeks. If someone you know got phished, tell them what happened to you. This is not judgment. This is information. People who have been phished once are often targeted again, because the attacker sells compromised details on to other attackers. Breaking that cycle means being aware that you are in it.

One Thing to Remember

Phishing is not sophisticated. It is reliable. It does not need to be clever — it needs to be lucky, and it needs to scale. The attacker is not trying to trick a security expert. They are trying to reach a tired person at 9 PM. They are trying to reach someone who trusts their bank. They are trying to reach you on a day when you have too many things in your head.

The person who fell for a phishing email is not stupid. They were human. And being human in a world where thousands of messages arrive each day, where most of them are legitimate, where urgency is often real — that is where the danger lies.

Five Steps to Take Today

  1. Set up a password manager. Download Bitwarden (free) or 1Password (₹999/year). Generate a unique 16-character password for every online account that has money attached to it. Take 15 minutes. It is the single highest-impact thing you can do.

  2. Register your phone number with your bank. Go to your bank branch or call their main helpline. Ask them to confirm that your current phone number is the only number on record for transaction and fraud alerts. This way, suspicious activity is reported to you, not to an attacker who has attached a SIM card registered in someone else's name.

  3. Turn off link previews in WhatsApp. The option lives in WhatsApp's privacy settings; the exact menu path varies by version, so search the settings for "link previews". Without a preview there is less temptation to tap a shortened link. If you need to check a link, copy it and read the domain just before the first slash instead of opening it. If the link is shortened, you cannot see where it goes, so go to the company's official app instead.

  4. Create an "unsure" rule. If you receive a message asking you to verify, enter an OTP, or confirm your identity, do not click. Instead, go to the official website or app of that company and check. If the company is real, the problem will still be there in the official interface. If the problem is not there, the message was phishing.

  5. Tell one person this week. Share what you have read here with one family member or colleague. Phishing thrives on silence and shame. Breaking that silence is how you break the cycle for the people around you.
