AI and Phishing-as-a-Service Drive Increase in Email Attacks, Barracuda Reports — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 14, 2026

Severity: HIGH | View Full Scam Details

AI and Phishing-as-a-Service Drive Increase in Email Attacks in India — Stay Alert in 2026

Email scams using AI and Phishing-as-a-Service are rapidly increasing in India, putting millions at risk of financial loss and data theft.

What Is the AI and Phishing-as-a-Service Drive Increase in Email Attacks, Barracuda Reports?

Barracuda Networks, a global cybersecurity firm, recently reported a sharp rise in email attacks powered by sophisticated AI tools and Phishing-as-a-Service (PhaaS) platforms. This scam uses artificial intelligence to craft highly convincing phishing emails that are difficult to detect. In the Indian context, these attacks often target salaried professionals, small business owners, and even government employees, as email communication remains vital for work and transactions.

Phishing-as-a-Service means cybercriminals sell ready-made phishing kits and infrastructure on darknet forums or hacker marketplaces. This lowers the barrier for criminals to launch large-scale email scams without technical skills. In India, CERT-In (Computer Emergency Response Team – India) has seen a steady rise in phishing cases tied to fake OTP and UPI transaction emails.

With millions of Indians using email to link accounts for Aadhaar services, banking, and UPI apps, this results in a serious national risk. The RBI has issued advisories warning users to remain cautious of unsolicited emails, especially during tax season and festival times when scams spike.

How This Scam Works — Step by Step

1. Initial Email or Message: The victim receives an unexpected email appearing to come from a trusted source such as a bank (e.g., SBI, HDFC), government agency, or UPI app. The email often contains official logos and uses AI-generated personalised content based on data grabbed from social media or previous data breaches.

2. Urgent Call to Action: The email warns of suspicious activity on your account, pending payments, or verification needs, urging you to click a link immediately to avoid account suspension or financial penalty.

3. Fake Landing Page: Clicking the link leads to a fake website that looks identical to the bank or government portal. Here, victims are asked to enter sensitive information — Aadhaar number, bank account details, UPI PIN, or OTP received on WhatsApp or SMS.

4. Data Harvesting and Account Takeover: Once entered, fraudsters capture this data and use it to login, transfer funds via UPI apps, or apply for loans in the victim’s name. They may also use the information for SIM swap frauds or Aadhaar misuse.

5. Phishing-as-a-Service Mass Distribution: Using PhaaS, multiple victims receive these tailored emails simultaneously, increasing the scam’s success rate exponentially.

Real Warning Signs to Watch For

• Unexpected emails claiming “urgent” account action without prior communication.
• Email addresses that mimic official ones but have subtle spelling changes (e.g., sbibank-secure.com).
• Poor grammar or unnatural phrasing despite logos and formatting.
• Requests for OTPs, passwords, UPI PINs, or Aadhaar data via email or links.
• Links that don’t match official bank or government domains when hovered over.
• Lack of personal information only your bank would know (e.g., partial account numbers).
• Pressure tactics like countdown timers or threats of account freeze.

What Happens to Victims

Victims often suffer direct financial loss as money is instantly transferred through UPI apps or net banking. In many cases, the scammer uses the victim’s Aadhaar and personal details to apply for instant loans or SIM swaps, causing extended damage and identity theft difficulties. Victims face the uphill task of reversing UPI payments, which is notoriously difficult once done, as well as freezing compromised bank accounts.

Emotionally, victims often feel betrayed and anxious given the breach of trust and the effort required to restore their financial standing. Many fear damage to credit scores or misuse of their data on darknet markets. Small business owners lose hours and potential customers because of disrupted payment mechanisms.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) has issued multiple advisories cautioning customers against email phishing scams, especially those related to UPI and net banking. RBI helpline (1800-11-5678) is available for reporting suspicious transactions. CERT-In regularly updates phishing trends and urges Indians to use updated antivirus software and avoid clicking unknown email links.

India’s I4C (Indian Cyber Crime Coordination Centre) under the Ministry of Home Affairs runs the 1930 cybercrime helpline for victims to report cyber frauds instantly. Both RBI and CERT-In encourage Aadhaar holders to regularly check their authentication and data usage via the UIDAI portal to prevent misuse.

How to Protect Yourself

1. Verify Email Sender: Always check the sender’s address carefully; official emails use domains like @rbi.org.in, @uidai.gov.in, or your bank’s verified domain.
2. Never Share OTP/UPI PIN: Banks and government agencies never ask for OTPs or PINs via email or phone calls.
3. Hover Before Clicking: Hover over links to see the actual URL and avoid clicking suspicious web addresses.
4. Use Multi-Factor Authentication: Enable 2FA for your bank accounts and important services.
5. Update Software: Keep your email, browser, and antivirus software up to date to detect threats.
6. Check for Personalisation: Genuine emails from banks usually mention part of your account number or transaction details.
7. Report Immediately: If you receive a suspicious email, report it to your bank and cybercrime helpline before clicking anything.

What to Do If You’ve Been Targeted

• Immediately block your bank account or UPI ID by calling your bank’s customer service or using their app.
• Report the scam at cybercrime.gov.in — India’s official cyber complaint portal.
• Call the 1930 cybercrime helpline to lodge a complaint and get guidance.
• File a complaint with your local police station’s cyber cell for faster investigation.
• Change all your passwords and notify the UIDAI if you suspect Aadhaar misuse.
• Inform your mobile operator to block SIM swap attempts or fraudulent port requests.
• Keep records of all suspicious emails, messages, and transaction details for authorities.

Frequently Asked Questions

Q: Can AI phishing emails really fool me if I’m careful?
A: Yes, AI enables scammers to personalise emails using your data, making them very convincing. Always verify independently by contacting your bank or agency directly.

Q: What if I accidentally shared my UPI PIN or OTP in response to an email?
A: Immediately block your UPI app through your bank and report the fraud. Quick action is crucial as UPI transactions happen instantly.

Q: How can India’s cyber helpline 1930 help me?
A: The 1930 helpline lets victims file complaints, get advice, and escalate serious cybercrime cases, including phishing scams targeting financial or Aadhaar information.

Email attacks powered by AI and phishing-as-a-service are getting harder to spot in 2026, especially in India where online financial services are booming. Always be cautious and verify suspicious messages before taking any action. When in doubt, check with BharatSecure.app to confirm if a message might be fraudulent — your first step to staying safe online.