
Social Engineering Attacks: Types and Prevention Guide

Social engineering attacks bypass technical controls by manipulating human psychology. They are the dominant initial-access vector in Indian organisational breaches because they target the layer that technology cannot fully defend. Here is the catalogue of social engineering attack types our team sees, real examples and the prevention controls that actually work.

Published 23 May 2026 by the Codesecure Security Team (VAPT). 9 min read.

Key Takeaways

  • Social engineering is the dominant initial-access vector in Indian breaches. Most ransomware and BEC incidents start with a successful social engineering attempt.
  • Attack types include: phishing (email), spear phishing (targeted email), vishing (voice), smishing (SMS), pretexting (built scenario), baiting (USB or download), quid pro quo, tailgating (physical), and BEC.
  • Humans are not the weakest link because they lack intelligence; they are the most-targeted link because attackers know the technical controls around them are tighter.
  • Awareness training works, when structured: baseline assessment, repeated simulations, targeted retraining for repeat clickers, executive-specific BEC training.
  • Technical controls reduce exposure: email authentication (SPF / DKIM / DMARC), email security gateway, MFA, password managers, browser isolation.

Why Social Engineering Works

Technical controls have improved dramatically over the past decade. Operating systems are harder to exploit, browsers are sandboxed, networks are increasingly segmented, cloud services are configured more securely. The human layer has improved much less. Humans still process roughly 100 to 300 emails per day, are time-pressured, want to be helpful, follow established workflows and trust contexts that look familiar.

Attackers know all of this. The economics favour social engineering because the per-target cost is low (mass phishing is essentially free), the success rate compounds (large enough campaigns find someone who clicks), and the payoff scales with the value of the compromised account. Indian organisations are increasingly target-rich because they are increasingly digital and increasingly part of global supply chains.

Phishing, Spear Phishing, Vishing, Smishing

Phishing is bulk email impersonating a trusted party (bank, courier, e-commerce site, government office) to extract credentials, payment information or to deploy malware. Indian phishing campaigns commonly impersonate SBI, ICICI, HDFC, India Post, GST, Aadhaar updates, electricity boards and DTH operators. Click rates vary by campaign quality and target awareness; baseline assessments at Indian organisations typically show 10 to 30 percent.

Spear phishing is targeted email customised to a specific recipient or small group. Attackers research the target on LinkedIn, the company website, news articles and previous data breaches; the email references actual projects, named colleagues, real meetings. Spear phishing click rates are 5 to 10 times higher than bulk phishing for the same audience.

Vishing is voice phishing: the attacker calls the target pretending to be IT support, the bank fraud team, a vendor account manager or an auditor. Indian vishing campaigns increasingly use AI-generated voices that imitate executives. Common targets: finance teams (wire fraud), the IT helpdesk (credential reset abuse) and customer support (account takeover).

Smishing is SMS phishing, often impersonating courier delivery, bank fraud alerts, account verification. WhatsApp-based variants are now common in India given WhatsApp's ubiquity.


Pretexting, Baiting and Quid Pro Quo

Pretexting is the construction of a believable scenario to extract information or action. The attacker calls or emails posing as an internal IT employee, an auditor, a vendor account manager, a regulator. The pretext provides cover for unusual requests. Pretexting is the technique behind most successful CEO fraud and helpdesk credential reset abuse.

Baiting uses a tangible lure (USB drive in the parking lot, free software download, pirated content offer) to deliver malware or capture credentials. The classic 'USB in the car park' research showed roughly 50 percent of dropped USB drives get plugged in by finders. The technique still works in 2026.

Quid pro quo offers something in exchange for information or action. 'I am from IT support; I will fix your slow computer if you give me your password.' 'Take this survey and win a prize, just confirm your email and phone.' The exchange creates a sense of fair trade that bypasses suspicion.

Tailgating is physical: following an employee through an access-controlled door, often combined with a pretext ('forgot my badge', 'delivery guy'). Defences are training, mantraps and physical access controls that go beyond a single card reader.

Business Email Compromise (BEC) and CEO Fraud

BEC is the highest-impact social engineering pattern affecting Indian organisations. The attacker compromises or impersonates an executive email account, then instructs the finance team to make a wire transfer, redirect supplier payments, or update payroll bank accounts. Indian BEC incidents cost crores per successful campaign in 2024 and 2025.

Common variants: vendor invoice redirect (the attacker compromises a vendor mailbox and sends a modified invoice with new bank details to the customer's accounts payable); CEO fraud (the attacker impersonates the CEO via a spoofed or compromised mailbox and instructs the CFO to make an urgent transfer); payroll diversion (the attacker poses as an employee asking HR to change their salary bank account); real estate closing fraud (the attacker hijacks the property transaction email thread to redirect the down payment to an attacker-controlled account).

Defensive controls: out-of-band verification for any wire instruction change (phone call to a known number, not the number in the email), strict approval workflow for transfers above a threshold, email authentication (SPF, DKIM, DMARC with reject policy) on sending and receiving domains, advanced email security gateway with impersonation protection (Microsoft Defender for Office 365, Mimecast, Proofpoint, Abnormal Security), and executive-specific training that addresses BEC patterns directly.
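Several of the gateway-side signals behind "impersonation protection" are simple header checks: an executive's display name on an external address, a sender domain one character away from yours, a Reply-To that drags the conversation to a different domain, mail claiming to be internal that did not pass DMARC at your own gateway, and payment language. The following is an added example, not Codesecure's tooling or any gateway's detection logic; the protected domain, the executive directory and the three sample messages are constructed for illustration.

```python
"""Heuristic checks for BEC-style impersonation over inbound mail headers.

Added example; not a product's detection logic. The protected domain, the
executive directory and the sample messages below are constructed.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.in"                       # assumption: our own domain
EXECUTIVES = {                                      # assumption: names attackers would spoof
    "priya sharma": "priya.sharma@example.in",
    "rahul mehta": "rahul.mehta@example.in",
}
PAYMENT_TERMS = ("urgent", "immediately", "wire", "transfer", "bank details", "confidential")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values against our domain flag look-alikes (examp1e.in)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(headers: dict, body: str) -> list:
    """Return the impersonation indicators that fire for one message."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    key = name.strip().lower()

    # 1. Display name belongs to an executive but the address does not.
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        findings.append(f"display-name impersonation: '{name}' from {addr}")

    # 2. Sender domain is a near-miss of ours (typosquat / homoglyph).
    if domain and domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike domain: {domain}")

    # 3. Reply-To routes replies to a different domain than From (reply hijack).
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"reply-to mismatch: {reply}")

    # 4. Claims to be from our own domain but our gateway did not record dmarc=pass.
    auth = headers.get("Authentication-Results", "").lower()
    if domain == COMPANY_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal sender without dmarc=pass")

    # 5. Two or more payment / urgency cues typical of CEO fraud and invoice redirects.
    hits = [t for t in PAYMENT_TERMS if t in body.lower()]
    if len(hits) >= 2:
        findings.append("payment/urgency language: " + ", ".join(hits))
    return findings


# Constructed samples (headers dict, body); not real traffic.
SAMPLES = {
    "ceo_fraud": (
        {"From": '"Priya Sharma" <priya.sharma.ceo@gmail.com>'},
        "I need you to process an urgent wire transfer today. Keep this confidential.",
    ),
    "invoice_redirect": (
        {"From": "Accounts <ap@examp1e.in>", "Reply-To": "billing@outlook.com"},
        "Please find the updated invoice; our bank details have changed. Kindly transfer to the new account.",
    ),
    "legitimate": (
        {"From": "Rahul Mehta <rahul.mehta@example.in>",
         "Authentication-Results": "mx.example.in; dmarc=pass header.from=example.in"},
        "Minutes from today's meeting are attached.",
    ),
}


def triage(samples: dict = SAMPLES) -> dict:
    """Map each message name to the list of indicators it triggered."""
    return {name: score_message(h, b) for name, (h, b) in samples.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(name, "->", findings or ["no indicators"])
```

Two or more indicators on one message is a reasonable threshold for quarantine plus an alert to the finance team; the look-alike check only covers your own domain here, and a real deployment would run the same distance check against the domains in your vendor master list, since invoice redirects usually come from a look-alike of the vendor rather than of you.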

Security Awareness Training That Works

Security awareness training has a poor reputation because most implementations are bad. Annual compliance-tickbox e-learning videos do not change behaviour; quarterly tabletops that the same people attend year after year do not change behaviour; one-size-fits-all training for every role does not change behaviour.

What works: structured programme with a baseline phishing simulation at start, monthly or bimonthly simulated phishing campaigns of varying difficulty, immediate just-in-time training for clickers (10 minute targeted micro-lesson), role-specific training for high-risk groups (finance, HR, IT helpdesk, executives), executive-specific BEC training that addresses real patterns the executive faces, quarterly metric reporting to leadership, and a culture of safe-reporting (clickers are not punished, they are coached).

Codesecure delivers awareness programmes for Indian organisations including baseline assessment, simulation tooling (KnowBe4, Cofense, Hoxhunt, Microsoft Attack Simulation, Sophos Phish Threat or open-source GoPhish), content design, monthly reporting and executive briefings. The typical outcome: click rates drop from 15 to 30 percent baseline to 3 to 8 percent within 12 months.
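The programme metrics described above (per-campaign click, credential-submission and report rates, the repeat-clicker list that feeds targeted retraining, and a per-department view for choosing role-specific training) all fall out of the event export that any of these tools produces. This added example is not Codesecure's reporting or any vendor's code; the CSV is constructed and loosely follows the event names a GoPhish results export uses.

```python
"""Metrics from a simulated-phishing event export.

Added example; the event log is constructed and loosely follows GoPhish's
status names ("Email Sent", "Clicked Link", "Submitted Data", "Email Reported").
Not Codesecure's reporting tooling.
"""
import csv
import io
from collections import defaultdict

# Constructed export: one row per event, two monthly campaigns, four recipients.
EVENTS_CSV = """\
campaign,email,department,status
2026-01 courier,asha@example.in,finance,Email Sent
2026-01 courier,asha@example.in,finance,Clicked Link
2026-01 courier,asha@example.in,finance,Submitted Data
2026-01 courier,vikram@example.in,hr,Email Sent
2026-01 courier,vikram@example.in,hr,Email Reported
2026-01 courier,neha@example.in,finance,Email Sent
2026-01 courier,neha@example.in,finance,Clicked Link
2026-01 courier,dev@example.in,it,Email Sent
2026-02 payroll,asha@example.in,finance,Email Sent
2026-02 payroll,asha@example.in,finance,Clicked Link
2026-02 payroll,vikram@example.in,hr,Email Sent
2026-02 payroll,vikram@example.in,hr,Email Reported
2026-02 payroll,neha@example.in,finance,Email Sent
2026-02 payroll,neha@example.in,finance,Email Reported
2026-02 payroll,dev@example.in,it,Email Sent
2026-02 payroll,dev@example.in,it,Clicked Link
"""


def load_events(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def campaign_metrics(events: list) -> dict:
    """Per-campaign click, credential-submission and report rates as percent of recipients."""
    buckets = {name: defaultdict(set) for name in
               ("Email Sent", "Clicked Link", "Submitted Data", "Email Reported")}
    for e in events:
        if e["status"] in buckets:
            buckets[e["status"]][e["campaign"]].add(e["email"])
    out = {}
    for campaign, recipients in buckets["Email Sent"].items():
        n = len(recipients)
        out[campaign] = {
            "recipients": n,
            "click_rate": round(100 * len(buckets["Clicked Link"][campaign]) / n, 1),
            "submit_rate": round(100 * len(buckets["Submitted Data"][campaign]) / n, 1),
            "report_rate": round(100 * len(buckets["Email Reported"][campaign]) / n, 1),
        }
    return out


def repeat_clickers(events: list, min_campaigns: int = 2) -> list:
    """Users who clicked in at least `min_campaigns` distinct campaigns: the coaching queue."""
    per_user = defaultdict(set)
    for e in events:
        if e["status"] == "Clicked Link":
            per_user[e["email"]].add(e["campaign"])
    return sorted(u for u, campaigns in per_user.items() if len(campaigns) >= min_campaigns)


def department_click_rate(events: list) -> dict:
    """Click rate per department across all campaigns, for picking role-specific training."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for e in events:
        if e["status"] == "Email Sent":
            sent[e["department"]] += 1
        elif e["status"] == "Clicked Link":
            clicked[e["department"]] += 1
    return {d: round(100 * clicked[d] / sent[d], 1) for d in sent}


if __name__ == "__main__":
    evs = load_events(EVENTS_CSV)
    for campaign, m in campaign_metrics(evs).items():
        print(campaign, m)
    print("repeat clickers:", repeat_clickers(evs))
    print("by department:", department_click_rate(evs))
```

Report rate is the metric worth watching alongside click rate: a programme is working when reports rise faster than clicks fall, because a reported phish gets the SOC a head start on the real campaign that the simulation was modelled on.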


Technical Controls That Reduce Exposure

Awareness training reduces the rate of successful social engineering. Technical controls reduce the impact of the unavoidable residual clicks. Both are necessary.

Email authentication: SPF, DKIM and DMARC with a reject policy on your sending domains make it much harder for attackers to impersonate your domain, and enforcing DMARC on the receiving side stops impersonation of other reject-policy domains from reaching your users. Publishing the DNS records is free; the work is in the rollout: start at p=none, read the aggregate (rua) reports to find every legitimate third-party sender, get each of them passing SPF or DKIM in alignment, then move to quarantine and finally reject. Jumping straight to reject means your own mail from unlisted senders gets rejected.

Email security gateway: Microsoft Defender for Office 365, Mimecast, Proofpoint, Abnormal Security and similar add sandboxing, URL rewriting, impersonation protection and reputation-based filtering. Major reduction in initial delivery rate.

MFA on every account: a password stolen via phishing is not enough on its own once a second factor is required. The caveat is that SMS and TOTP codes are not bound to the site the user is on: adversary-in-the-middle phishing kits proxy the real login page, relay the one-time code in real time and capture the resulting session cookie. Modern MFA (FIDO2 / WebAuthn / passkeys) is phishing-resistant because the browser binds each assertion to the origin it was made on, so an assertion produced on a look-alike domain is rejected by the real site.
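The difference between the two kinds of second factor is easiest to see side by side: a TOTP verifier (RFC 6238, implemented here with the standard library and checked against the RFC test vector) has no idea where the user typed the code, so a relayed code passes; a WebAuthn relying party rejects an assertion whose clientDataJSON carries the wrong origin, and the browser, not the phishing page, writes that field. This is an added example, not Codesecure's code or any library's implementation. One labelled simplification: an HMAC with a per-credential key stands in for the authenticator's ECDSA signature, since the point here is the origin check, not the signature algorithm.

```python
"""TOTP is relayable; a WebAuthn assertion is bound to its origin.

Added example. HMAC stands in for the authenticator's ECDSA signature
(simplification); the origins and RP ID are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check tolerating one step of drift. Nothing here knows where
    the user typed the code, which is exactly the weakness a relay kit uses."""
    return any(hmac.compare_digest(totp(secret, at + k * step, step), code)
               for k in range(-window, window + 1))


def demo_totp_relay() -> bool:
    """User types a valid code into the phishing page; the attacker's proxy
    forwards it to the real service inside the same window. It verifies."""
    secret = b"12345678901234567890"           # RFC 6238 test secret
    now = 59                                   # RFC 6238 test time
    code_typed_on_phishing_page = totp(secret, now)
    return verify_totp(secret, code_typed_on_phishing_page, now)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_webauthn_get(cred_key: bytes, page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """Model of navigator.credentials.get(): the browser writes `origin` from the
    page it is actually on; page script cannot override it. (Real browsers also
    refuse an rp_id that is not a registrable suffix of that origin.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":")).encode()
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()   # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data,
            "signature": signature}


def rp_verify(cred_key: bytes, expected_origin: str, rp_id: str,
              issued_challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature
    over authenticatorData || SHA-256(clientDataJSON)."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False
    if client.get("challenge") != b64url(issued_challenge):
        return False
    if client.get("origin") != expected_origin:            # the origin-binding check
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo_webauthn_relay() -> tuple:
    """Same relay attack against a passkey: the assertion made on the look-alike
    origin is forwarded to the real site and rejected. Returns (legit, relayed)."""
    cred_key, challenge = secrets.token_bytes(32), secrets.token_bytes(32)
    rp_id, origin = "example.in", "https://login.example.in"
    legit = rp_verify(cred_key, origin, rp_id, challenge,
                      browser_webauthn_get(cred_key, origin, rp_id, challenge))
    relayed = rp_verify(cred_key, origin, rp_id, challenge,
                        browser_webauthn_get(cred_key, "https://login-example.in", rp_id, challenge))
    return legit, relayed


if __name__ == "__main__":
    print("relayed TOTP accepted:", demo_totp_relay())
    print("(legit, relayed) passkey accepted:", demo_webauthn_relay())
```

The `window` tolerance in `verify_totp` is what gives the relay kit its time budget: a code forwarded within about a minute still validates. No server-side tuning closes that gap; only a factor that carries the origin does.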

Password managers: a manager only autofills a saved credential on the domain it was saved for, so a look-alike phishing domain gets nothing, and the absence of the usual autofill prompt is itself a warning sign. The control only holds if users are trained to treat that missing autofill as a stop signal rather than copying the password out of the manager by hand.

Browser isolation: untrusted links open in an isolated cloud browser session, preventing malware delivery to the local endpoint. Increasingly common at security-conscious Indian enterprises.

Phishing-reporting button: easy report flow encourages users to flag suspicious messages, building organisational threat intelligence.

Frequently Asked Questions

How much of Indian breach activity is caused by social engineering?

Estimates vary but most major Indian breach root-cause analyses involve at least one successful social engineering step (phishing, BEC, vishing, pretexting). The pattern is consistent across ransomware, fraud and data theft incidents.

Does awareness training really work?

Yes, when structured properly. Click rates at well-run programmes drop from 15 to 30 percent baseline to 3 to 8 percent within 12 months of structured monthly simulations plus targeted retraining. Annual tickbox training does not produce these results.

How do we protect against AI-generated voice impersonation?

Out-of-band verification through a separate channel (call back on a known number, verify in person or through a chat platform). Process controls (mandatory approval for transfers above threshold) reduce blast radius. Awareness that voice can be faked is itself a useful control.

Can we run simulated phishing in-house?

Yes. Tools like GoPhish (open source), KnowBe4, Cofense, Hoxhunt, Sophos Phish Threat and Microsoft Attack Simulation all support self-service simulations. The challenge is content design and operational discipline. Codesecure runs simulated phishing as a managed service for clients that prefer outsourced operation.

How often should we simulate phishing?

Monthly is the recommended cadence for most organisations. Quarterly is the minimum for the simulation to register in user awareness. Annual simulations are insufficient to maintain behaviour change.

Does DMARC really work against spoofing?

Yes, when configured with a reject policy. A published DMARC record with p=reject tells receiving mail servers to reject messages that carry your domain in the From header but fail both SPF and DKIM in alignment with that domain. Publishing the DNS record is free and the impact is meaningful within weeks, but move to reject only after a monitoring period at p=none with aggregate reports enabled, so that every legitimate sender is authorised before enforcement starts.
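The receiving-side logic that both the technical-controls section and this answer describe is short enough to show end to end: parse the record, test SPF and DKIM identifier alignment (relaxed or strict), apply p=, sp= and pct=, and return the disposition. This is an added example, not Codesecure's code or any mail server's implementation; the tiny suffix set standing in for the Public Suffix List, and the sample records and domains, are assumptions.

```python
"""DMARC evaluation as a receiving mail server performs it (RFC 7489).

Added example; not Codesecure's or any MTA's code. PUBLIC_SUFFIXES is an
assumption standing in for the real Public Suffix List; records and domains
are constructed.
"""

PUBLIC_SUFFIXES = {"com", "net", "org", "in", "co.in"}   # assumption: stand-in for the PSL


def org_domain(domain: str) -> str:
    """Organisational domain: one label above the longest matching public suffix."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict with RFC defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str, spf_result: str, spf_domain,
             dkim_result: str, dkim_domain, sample: int = 100) -> tuple:
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain that SPF authenticated; dkim_domain the
    d= of a verified signature. `sample` (1-100) stands in for the pct= dice roll.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    if org_domain(from_domain) != from_domain.lower() and "sp" in tags:
        policy = tags["sp"]                      # subdomain policy, when published
    if sample > int(tags["pct"]):
        # Mail outside the sampled fraction gets the next-weaker policy.
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


# Constructed records for the rollout stages.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.in"
REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.in"


def demo() -> dict:
    return {
        # Attacker spoofs our From header from their own SPF-passing server.
        "spoof_reject": evaluate(REJECT, "example.in", "pass", "mailer.attacker.net", "none", None),
        # Same spoof while we are still monitoring: delivered, but visible in rua reports.
        "spoof_monitor": evaluate(MONITOR, "example.in", "pass", "mailer.attacker.net", "none", None),
        # Our bulk sender uses a subdomain bounce address: relaxed SPF alignment passes.
        "legit_relaxed": evaluate(REJECT, "example.in", "pass", "mail.example.in", "none", None),
        # Strict SPF alignment breaks that, but an aligned DKIM signature still passes.
        "legit_strict_dkim": evaluate("v=DMARC1; p=reject; aspf=s", "example.in",
                                      "pass", "mail.example.in", "pass", "example.in"),
        # pct=50 during rollout: failing mail outside the sample is only quarantined.
        "pct_rollout": evaluate("v=DMARC1; p=reject; pct=50", "example.in",
                                "fail", None, "none", None, sample=75),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

The `spoof_monitor` and `legit_strict_dkim` cases are the two that matter for rollout: at p=none nothing is blocked yet, which is the point of the monitoring phase, and a third-party sender that can only pass SPF from its own bounce domain needs either relaxed alignment or a DKIM signature with d= set to your domain before you switch to reject.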

Codesecure Security Team

OSCP / CEH / CISSP / ISO 27001 LA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers VAPT, SOC, compliance (ISO 27001, SOC 2, DPDP, HIPAA, PCI DSS, RBI, IRDAI), incident response and managed security across India, Singapore, UAE and the Middle East. Named consultants with OSCP, CEH, CISSP and ISO 27001 Lead Auditor credentials. 150+ engagements completed.
