Even though the awareness has increased, the numbers still make for worrying reading. Indians receive 13 scam communications on an average, everyday, across text, social media, emails, phone calls and even malicious QR codes. Online security firm McAfee’s 2026 State of the Scamiverse report for India, released today, makes a worrying trend clearer still — the scams look and sound more realistic than ever before. That means the scam messages such as the fake motor vehicle challan notifications with a link to make a payment, look more realistic to the casual users, unless analysed closely. That’s just one example.
McAfee’s 2026 State of the Scamiverse report points out that scams have become such a part and parcel of all the communications we receive on a daily basis, that an average person spends as many as 102 hours a year trying to determine between an SMS, email, WhatsApp message or an incoming phone call, whether it is genuine or fake. Two in five Indian users (the report’s survey sample size was 7,592 adults) surveyed as part of this report say they feel less confident about spotting scams than they could an year earlier, and 82% of surveyed Indians say they are now certainly more cautious about opening messages from unknown senders.
But not everyone seems equally on guard. The report details that more than 1 in 5 people admit to receiving suspicious social messages now contain no link (nothing to hover over, no URL to question) and 66% of these recipients go ahead and reply to those linkless DMs, often triggering the scam’s next step. That could include a compromised social media account, or landing on a fake QR code that may seem authentic but aren’t sending the payment where you expect it to reach.
Realism defines scam attempts
There is a need to sharpen an attention to detail and rely on identifying the smallest of indications that’d separate a scam attempt now, than probably a year ago, when poor grammar and poor attempts at obvious impersonation, underlined such communication. That is no longer the case, with scammers increasingly using professional language (this could be one of the drawbacks of having an AI chatbot within everyone’s reach), polished branding of the brand being impersonated, and believable scenarios such as fake car challan notifications, fake delivery notices, account verification requests, subscription renewals, or reminders to pay tax. People see an average of 4 deepfakes every day, the report specifically touches on this aspect of user behaviour.
The scope has widened, with previously common themes including job offers including remote job profile offers, charity appeals, and bank alerts that closely resembled actual messages from a bank. Voice communications over phone calls and WhatsApp calls have an additional element of realism, as do seemingly harmless payment methods designed to siphon money from your bank account. “They layer in deepfake videos and voice calls and hide malicious sites behind QR codes that appear on menus, parking meters, posters, and emails that otherwise look innocuous,” states the report.
Battle is far from over
The latest data from Indian Cyber Crime Coordination Centre (I4C) indicates that Indians lost ₹19,813 crore to fraud and cheating cases in 2025, with 21.77 lakh complaints registered on the National Cyber Crime Reporting Portal. Around 77% of these losses stemmed from fraudulent investment schemes, making scams increasingly sophisticated and harder to spot.
McAfee also points to the use of AI, as you may already suspected, in making scam communications more refined and realistic looking. Some context is necessary.
In the past 12 months, AI has become part of the everyday internet culture, with AI-generated content figuring prominently particularly via social media, and that includes politician and celebrity impersonations to bears dancing to a in-vogue music track. This has rightly been classified as low-effort ‘AI-generated slop’, which was duly called Merriam-Webster’s 2025 Word of the Year.
Unfortunately, constant and regular exposure (more often by choice, than otherwise) to AI-generated slop has the effect of subtly retuning the brain, resulting in a blunt reaction to when the same AI tools are used to create malicious communication. “And that’s dangerous as scammers are increasingly borrowing the same AI tools and techniques to make their schemes more convincing,” the report notes.
It goes on to add, “Phishing scams have upped their game, with scammers able to quickly and easily craft a malicious site that looks almost identical to a legitimate company or carry on a conversation that feels real, luring recipients into a false sense of security.”
What’s the next frontier for scammers?
In case you’re wondering what scammers will target after text and voice based messaging as well as impersonating websites and payment QR codes, McAfee predicts cloud storage impersonation, job scams, malicious advertising, and financial scams revolving around trading apps, will become commonplace.
“Millions of consumers use cloud storage services, such as Google Drive, iCloud or Dropbox to store and share everything from important documents to a treasure of photos, making it a target-rich environment for scammers to exploit. In October and November of 2025, McAfee Labs observed a significant increase in scams mimicking cloud service providers,” the company warns users.
These messages attempt to replicate familiar messaging, such as “Your account storage is full” or “Your password expired” or “A file has been shared with you”, which users always always would tap on as a habit — a simple sign in on an impersonated page, will allow hackers access to the cloud storage credentials (often even worse, your email and payment apps too).
“Scams are becoming systemic, adaptive, and embedded in the tools people use every day. Instead of relying on obvious warning signs, consumers are increasingly asked to evaluate alerts, messages, and prompts that look and behave like the real thing. The takeaway for 2026 is simple: scams will become harder to recognize as they increasingly resemble the trusted digital workflows people use without thinking twice,” the report says.
In a broader context, India has implemented several measures in the past year, as it battles the exponential rise in scam attempts on unsuspecting users. Telecom operators including Bharti Airtel followed by Reliance Jio and Vi have rolled out network-level spam detection for calls and messages, to warn users. The Reserve Bank of India (RBI) directed banks to adopt a secure numbering scheme for official communication — they must now use 1600 series for service and transaction communication and 1400 series for promotional calls. In January, the Supreme Court directed the Department of Telecommunications to propose tougher SIM issuance norms to fight the increase in ‘digital arrest’ scams.
Taken together, data suggests the fight against scams is no longer one where ignorance is bliss. Even informed users are now being tested by communications that mirror legitimate messaging or app notifications, with almost precise accuracy. While regulators, banks and telecom operators are tightening controls, the worrying reality is that fraud methodology is evolving faster than safeguards meant to stop it.
Indians, for now, must navigate an internet where trust is in short supply, and where every unidentified notification demands a second look.The burden, at least for the moment, remains with individuals, but for regulators and institutions, the challenge is not just blocking bad actors but building awareness and rebuilding confidence.