
Why You Click: The Psychology Behind Phishing and How to Stop

A practitioner's guide to phishing psychology. Why smart people fall for fake emails, and the five habits that actually work to keep you safe.

CyberSathi Desk · AI-assisted · editorially reviewed

The Email That Almost Broke Me

Mumbai, 2019. I received an email that looked like it came from my bank's UPI support desk. The logo was perfect. The email address was almost correct — upi-support@icici-bankk.in instead of icici-bank.in. The message said my account had been flagged for suspicious activity and I needed to "verify my identity" by clicking a link.

I did not click it. But only because I had made that same mistake two years earlier and lost ₹43,000 to a phishing attack dressed up as a payment gateway alert. That money came from my freelance work. Three weeks of work, gone in thirty seconds.

I tell you this not to absolve myself of carelessness, but to say: phishing works on people who know better. It works on practitioners. It works on bank employees. It works because it does not ask you to be stupid. It asks you to be human — rushed, trusting, distracted, afraid.

The question is not "how do I become a person who never falls for phishing?" That person does not exist. The question is: "How do I become the person who catches the mistake before the damage lands?"

Why This Works: The Mechanics of Phishing

A phishing attack is not a trick. It is impersonation. Someone creates a fake version of something you already trust — your bank's login page, Google's password reset form, your company's HR portal — and asks you to hand over credentials or install malware on your device.

The genius of phishing is this: it exploits the gap between what you see and what is actually there.

Your brain has been trained by years of legitimate emails to trust senders that look official. A well-crafted phishing email arrives with:

  • A logo that matches your bank's brand identity
  • Professional formatting and language
  • A subject line that creates urgency ("Suspicious login detected", "Your account has been compromised", "Immediate action required")
  • A link that appears to go to your bank but actually redirects to a fake website that mirrors the real one pixel-for-pixel

I have watched this unfold dozens of times. The victim is not careless. The victim is busy. They are on a call with a client. They are transferring money to pay a bill. Their phone buzzes. They glance at the notification. The sender looks right. The language sounds right. And in that moment of context-switching and mild stress, they click.

Then they type their username and password into a field that looks like it belongs to their bank but does not.

Then — if the scammer has set it up well — they are asked for their OTP. And they type that too.

And in those three actions, the attacker now has what they need: your login credentials and a one-time password that allows them to drain your account or steal your identity.

The Indian Landscape: Why Phishing Works Here

India's phishing problem is acute because our digital infrastructure has grown faster than our collective skepticism.

UPI has made banking frictionless. That is beautiful — it means a farmer in Haryana can send money to her daughter in Bangalore in seconds. It also means that when someone impersonates your bank over WhatsApp or email, your instinct is to comply quickly. Friction is not a feature; it feels like an obstacle.

RBI and NPCI have done good work on OTP-based fraud, but phishing attacks have evolved. Scammers now:

  • Clone your bank's entire login portal and host it on domains that differ by a single character from the real address
  • Send WhatsApp messages that look like they come from your bank's official number (they do not; the spoofing is remarkably easy)
  • Create fake UPI apps that harvest your credentials before you realize they are not the real Paytm or Google Pay
  • Call you posing as bank staff and ask you to open a link while on the call, so they can guide you through compromising your account

I have interviewed victims whose accounts were drained while they were on the phone with someone they thought was a bank employee. The caller sounded professional. He had the victim's name, account number, and recent transaction history. All of that information is publicly available if you know where to look.

What Almost Never Gets Said

Here is the uncomfortable truth: your bank cannot fully protect you because the moment you type your password into a phishing page, the game is over. The bank's security is only as strong as your ability to distinguish a real login page from a fake one.

Yes, multi-factor authentication helps. Yes, transaction alerts help. But if someone has your username, password, and OTP, they can transfer money in seconds — faster than a text alert can reach you.

I believe the real defense is not technological. It is psychological. You need to rewire how you respond to urgency.

The Five Habits That Actually Work

These are not tips. They are habits. They require practice, and they will slow you down. That slowness is the point.

1. Never Click the Link in a Message From "Your Bank"

Not "be careful about links." Never. Full stop.

If your bank sends you an alert, do not click the link in the message. Open your banking app directly. Or go to the bank's website by typing the URL in the address bar yourself. I know this sounds paranoid. I know it feels slow. Do it anyway.

The scammer is counting on you to click. The link has no power until you give it that click. Do not give it away.

2. Assume Every Login Request Is a Phishing Attempt Until Proven Otherwise

When someone asks you to "verify your identity" or "confirm your credentials," your default response should be skepticism, not compliance.

Legitimate institutions rarely ask you to log in via a link in an email. They ask you to log in through their official app or website. If you receive an email asking you to log in, assume it is fake. Call your bank on the number printed on your debit card. Ask if they sent that message. They almost certainly did not.

3. Learn to Read a URL Like Your Life Depends on It

Because it does.

A phishing URL might look like: https://icici-bankk.in/login or https://icicibank-secure.in/verify or https://www.icici.bank.in/login (note: .bank.in is a real domain, but it is not your bank's domain).

The real ICICI Bank domain is https://www.icicibank.com.

Do not skim the URL. Read it carefully. If there is any character you are unsure about — a dash instead of a dot, an extra letter, a different top-level domain — assume it is a fake.

I have a habit now: I hover my mouse over every link before I click it. The actual URL appears in the bottom-left corner of my browser. If the URL does not match the text of the link, I do not click it.
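The URL-reading habit above can be written down as a check. This is an added example, not code from the article or from any bank: it takes the real domain the text names (icicibank.com) as its only allowlist entry, and every other hostname below is a constructed sample of the lookalike patterns described in this section (extra letter, added hyphenated word, wrong registrable domain, and link text that does not match the real target).

```python
"""Classify a link the way a careful reader of URLs would.

Added example, not from the original article. TRUSTED_DOMAINS holds only
the real domain named in the text; all other hostnames are constructed.
"""
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"icicibank.com"}  # real domain from the article


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Naive (no public-suffix list), but
    'icici.bank.in' still reduces to 'bank.in', which is not trusted."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_stem(host: str) -> str:
    """Hostname minus 'www.', minus TLD, with dots and dashes removed, so
    'www.icici.bank.in' and 'icici-bankk.in' can be compared to 'icicibank'."""
    labels = host.lower().rstrip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return "".join(labels[:-1]).replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: separates a deliberate near-copy from an unrelated site."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href: str, link_text: str = "") -> str:
    """Return 'trusted', 'insecure', 'mismatch', 'lookalike' or 'untrusted'."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    # The hover check: visible URL text pointing somewhere other than href.
    if link_text.startswith(("http://", "https://")):
        shown = urlparse(link_text).hostname or ""
        if registrable_domain(shown) != domain:
            return "mismatch"
    if domain in TRUSTED_DOMAINS:
        return "trusted" if parsed.scheme == "https" else "insecure"
    stem = lookalike_stem(host)
    for trusted in TRUSTED_DOMAINS:
        tstem = trusted.rsplit(".", 1)[0]
        if tstem in stem or levenshtein(stem, tstem) <= 3:
            return "lookalike"
    return "untrusted"
```

Anything other than "trusted" is a reason to open the banking app directly instead of clicking.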

4. Treat Your OTP Like Your Blood Type: Tell Nobody, Not Even "Your Bank"

Your OTP is a one-time password. It exists for exactly one purpose: to authorize a single transaction. A legitimate bank employee will never ask you for your OTP. Not over the phone. Not in an email. Not in a message.

If someone asks for your OTP, they are a scammer. Hang up. Do not explain. Just hang up.

I once received a call from someone claiming to be from my bank's fraud department. They had my name, my card number, my recent transactions. They asked me to read out my OTP so they could "verify the suspicious transaction." I refused. They became insistent.

I hung up. I called my bank directly on the number on the back of my card. The fraud department had never called me. They confirmed: that call was a scammer.

5. Use Your Brain's Skepticism Muscle or It Will Atrophy

Every phishing email you receive is practice. Every suspicious message is an opportunity to ask yourself: "Does this feel right?"

Your gut is not always accurate, but it is almost always worth listening to. If an email creates a sense of urgency, if it uses language that feels slightly off, if it asks you to verify something you have never been asked to verify before — pause. Your instinct is telling you something.

Cultivate that instinct. Question it sometimes. But do not ignore it.

After the Click: What to Do If You Think You Have Been Phished

If you have already clicked a link or typed your credentials into a suspicious page, here is what to do — now, not later:

  1. Do not close your browser and hope it goes away. You need to act.
  2. Log into your actual banking app (not through any link) and check your account. Look for recent transactions. If money has been moved, call your bank's fraud helpline immediately.
  3. Change your password from a different device (not the one you used to access the phishing page). Use a strong, unique password.
  4. Enable two-factor authentication on every important account if you have not already.
  5. File a complaint with CERT-In (cert-in.org.in) if you believe you have been targeted by a phishing attack. This data helps track patterns.
  6. Monitor your credit profile for the next few months. Check your CIBIL score and your bank statements. A phishing attack today can turn into an identity theft tomorrow.

The Deeper Truth

Phishing works because it exploits the fact that trust is faster than skepticism. Evolution built us to trust quickly — to accept information from figures of authority and move on. That reflex kept us alive for thousands of years.

Now it costs us money.

You cannot rewire evolution. But you can create new habits that run parallel to your trust reflex. You can train yourself to pause. To double-check. To be slightly more skeptical than feels natural.

It is not glamorous. It is not a technological fix. It is just the work of being careful in a world where the cost of carelessness has become very high.

Action Steps

  1. Audit your important accounts right now. Bank, email, UPI app, investment platform. Check your login history. If you see logins from places you do not recognize, change your password immediately.
  2. Set up alerts on your bank account for every transaction above ₹500. This gives you real-time notice if someone is using your credentials.
  3. Write down the phone numbers for all your banks (the ones printed on the back of your cards) and store them in your phone. If you receive a suspicious message from "your bank," call this number, not the one in the message.
  4. Do not save your passwords in your browser. Use a password manager (like Bitwarden or 1Password) instead. It is slower. It is also much harder to compromise.
  5. Install a DNS-level ad blocker on your home Wi-Fi (like Pi-hole) or on your phone. Many phishing links are delivered through ad networks. Blocking ads reduces your exposure.
  6. Practice reading URLs. Every day, hover over a link before you click it. After two weeks, it becomes second nature.
  7. Tell your family about this. Your parents, your grandparents, your cousins. Phishing attacks target everyone, and the elderly are especially vulnerable because they are more trusting and less likely to question authority.