Enterprise cybersecurity budgets run into crores. Indian SMEs have ₹0 to ₹5 lakhs per year — and attackers know it. The threat landscape for small and medium businesses is not a scaled-down version of enterprise attack surfaces; it is a distinct set of techniques optimised for under-resourced, under-defended targets. Attackers are not sophisticated state actors deploying zero-day exploits against Indian small businesses. They are organised criminal groups running high-volume, low-effort operations — and they are profitable because most SMEs have no defences at all.
These 10 threats account for the overwhelming majority of cybersecurity incidents affecting Indian SMEs, drawn from CERT-In (Computer Emergency Response Team India) incident reports, cybercrime data from the National Cyber Crime Reporting Portal, and cases I have personally assisted with across Kerala businesses over the past three years.
1. Business Email Compromise (BEC)
Business Email Compromise is the single highest-value attack targeting Indian SMEs by financial loss. Attackers impersonate a company's CEO, a known vendor, or a bank — sending payment transfer requests from lookalike domains that pass casual inspection.
A Kerala textile exporter received an email from what appeared to be their CEO's address requesting ₹14 lakhs be transferred to a "new vendor account" before end of business. The domain was spelled with a Cyrillic "е" substituted for the Latin "e" — visually identical in most email clients. The accountant complied without calling to verify. The money was transferred to a mule account and withdrawn within hours.
CERT-In data shows BEC losses in India exceeded ₹1,700 crore in 2024. The attack requires no malware, no hacking, and no technical sophistication — just a convincing email and a target without verification procedures.
Defence: Mandatory voice call verification for any payment instruction above ₹50,000 — no exceptions regardless of apparent urgency or the requester's seniority. Implement a DMARC policy on your domain so attackers cannot spoof your exact domain. Train staff to check actual email headers, not just the display name that appears in their inbox.
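The lookalike domain in the textile exporter case is detectable by machine before a human has to squint at it. The check below is an added example, not code from the original article: it flags a sender domain that mixes Unicode scripts, folds the common Cyrillic-to-Latin confusables and compares the result with a trusted-domain list, and shows the punycode form that mail servers actually see. The domain names and the `TRUSTED_DOMAINS` list are constructed placeholders.

```python
import unicodedata

# Constructed sample: the business's own domain, used as the trusted list.
TRUSTED_DOMAINS = {"example-textiles.com"}

# Cyrillic letters that render identically to Latin ones in most fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

def script_of(ch):
    """First word of the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def sender_domain(address):
    """Domain part of an address such as 'CEO <ceo@example.com>'."""
    return address.rstrip(">").rsplit("@", 1)[-1].lower()

def analyse_sender(address, trusted=TRUSTED_DOMAINS):
    """Return a list of findings; an empty list means nothing suspicious."""
    domain = sender_domain(address)
    findings = []
    scripts = {script_of(ch) for ch in domain if ch.isalpha()}
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    # Fold known confusables to Latin and compare with the trusted list.
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in domain)
    if skeleton != domain and skeleton in trusted:
        findings.append("lookalike of trusted domain " + skeleton)
    # The wire form of an internationalised domain is punycode (xn--...);
    # showing it makes the substitution visible to a reviewer.
    try:
        wire = domain.encode("idna").decode("ascii")
        if wire != domain:
            findings.append("punycode form: " + wire)
    except UnicodeError:
        findings.append("domain is not valid IDNA")
    return findings

if __name__ == "__main__":
    # Lookalike with Cyrillic 'е' (U+0435) replacing the Latin 'e' in "example".
    for addr in ("ceo@example-textiles.com", "CEO <ceo@\u0435xample-textiles.com>"):
        print(addr, "->", analyse_sender(addr) or ["ok"])
```

The same function can run as a mail-gateway rule or over exported message headers to queue anything with findings for the verification call.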
2. Phishing via WhatsApp and SMS
WhatsApp has over 500 million Indian users. The platform's personal, conversational feel makes phishing far more effective than email — recipients let their guard down because the message arrives in the same channel as family conversations.
Attack patterns in 2026 include: messages impersonating HDFC, SBI, and ICICI banks claiming account suspension; fake TRAI disconnection notices threatening number deactivation within 2 hours; GST refund or IT notice impersonations with links to credential-stealing pages. The evolution in 2026 is AI-generated voice calls — attackers clone a colleague's or manager's voice from available audio and call with real-time synthesised speech requesting urgent fund transfers.
Defence: Never click links in unexpected WhatsApp messages, regardless of the apparent sender. Verify by calling the institution's official number (found on their website, not in the message). Enable WhatsApp's "Silence Unknown Callers" setting for numbers not in contacts. For voice calls requesting financial action — hang up and call back on a number you already have for that person.
3. Ransomware Targeting Windows Servers
Indian SMEs running aging Windows Server 2008, 2012, or 2016 installations without current security patches are the primary ransomware target in 2026. Two entry points account for the majority of incidents: exposed Remote Desktop Protocol (RDP) on port 3389 with weak or reused passwords, and unpatched vulnerabilities in legacy Windows installations.
Ransomware-as-a-service has changed the economics completely. Attackers no longer need technical skill — they rent the malware from criminal organisations and split the ransom proceeds. Average ransom demands for Indian SMEs run ₹3–30 lakhs. Most operators also exfiltrate data before encrypting, creating double extortion — they demand payment to decrypt and additional payment to not publish the stolen data.
Defence: Disable RDP from the public internet entirely — use a VPN for legitimate remote access. Upgrade to Windows Server 2019 or later with automatic security updates enabled. Maintain daily off-site backups to a separate storage account the server itself cannot reach (so ransomware cannot encrypt the backup).
4. Credential Stuffing on Business Accounts
Billions of username and password combinations from past data breaches — LinkedIn 2016, Zomato 2017, BigBasket 2020, MobiKwik 2021 — are freely traded on dark web markets. Attackers run automated tools to test these credentials against Gmail, Google Workspace, Zoho Mail, banking portals, and accounting platforms like Tally.
The attack succeeds because Indian employees routinely reuse passwords across work and personal accounts. An employee whose personal Zomato account was in the 2017 breach — and who uses the same password for their work email — has exposed the entire business email system to anyone who purchased that breach database.
Defence: Mandatory multi-factor authentication on all business accounts — this single control stops credential stuffing even when the password is known. Implement a password manager (Bitwarden is free for individuals, Teams plan costs ₹250/user/month; 1Password is ₹2,600/year per user) so every account gets a unique password. Check breach exposure at haveibeenpwned.com for all staff email addresses.
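Credential stuffing leaves a distinctive trace in mail-gateway or Workspace login logs: one source address cycling through many different accounts, with mostly failures and the occasional success. The detector below is an added example written for this article, not the author's or any vendor's tooling; the log format and the addresses in `SAMPLE_LOG` are constructed.

```python
from collections import defaultdict

# Constructed sample of login events in the form "timestamp ip user result".
SAMPLE_LOG = """\
2026-03-02T09:00:01 203.0.113.7 anita@example.co.in FAIL
2026-03-02T09:00:02 203.0.113.7 rahul@example.co.in FAIL
2026-03-02T09:00:02 203.0.113.7 deepa@example.co.in FAIL
2026-03-02T09:00:03 203.0.113.7 suresh@example.co.in FAIL
2026-03-02T09:00:03 203.0.113.7 meera@example.co.in FAIL
2026-03-02T09:00:04 203.0.113.7 arun@example.co.in OK
2026-03-02T09:05:10 198.51.100.4 anita@example.co.in FAIL
2026-03-02T09:05:20 198.51.100.4 anita@example.co.in OK
"""

def parse(log_text):
    """Split each line into (timestamp, ip, user, result)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result))
    return events

def find_stuffing(events, min_users=5):
    """Flag source IPs that tried many distinct accounts and list which ones succeeded.

    The distinct-user count is the signal: a person mistyping a password hits one
    account, a breach list replayed through a tool hits dozens.
    """
    by_ip = defaultdict(lambda: {"users": set(), "success": set(), "fail": 0})
    for _, ip, user, result in events:
        rec = by_ip[ip]
        rec["users"].add(user)
        if result == "OK":
            rec["success"].add(user)
        else:
            rec["fail"] += 1
    return {
        ip: {"distinct_users": len(r["users"]), "failures": r["fail"],
             "compromised": sorted(r["success"])}
        for ip, r in by_ip.items() if len(r["users"]) >= min_users
    }

if __name__ == "__main__":
    for ip, summary in find_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, summary)
```

Accounts listed under `compromised` are the ones whose reused password was in the breach database; those need a forced reset and session revocation first.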
5. Invoice Fraud and Payment Redirection
A vendor's email account is compromised through phishing or credential stuffing. The attacker reads the ongoing email conversation, identifies an upcoming payment, and at the moment of invoicing sends a "please note our bank account has changed" email that appears to come from the legitimate vendor contact.
The business pays the fraudulent account believing they are settling a legitimate invoice. By the time the real vendor follows up on non-payment, the funds have been withdrawn through multiple mule accounts. This is particularly common in Kerala's construction, trading, and logistics sectors where large irregular payments to multiple vendors are routine.
Defence: Verify any bank account change request by calling the vendor on a number you already have — not a number provided in the email requesting the change. Add a bank change verification clause to all vendor contracts. Set a payment threshold above which any account change requires verbal confirmation from a named senior contact at the vendor.
6. Fake IT Support Scams
Attackers call posing as Microsoft, Google, or an internet service provider, claiming the business's computer has been flagged for virus activity. They request the owner or staff member install AnyDesk or TeamViewer for remote support. Once connected, they navigate directly to banking portals, email accounts, and business management systems.
Common targets are Tier 2 Kerala businesses where the owner manages their own computer without dedicated IT support. The 2026 variant uses browser pop-ups displaying a fake "Windows Defender Security Alert" page with a toll-free number — the number connects to a scam call centre running this operation professionally.
Defence: Microsoft, Google, and internet providers never make unsolicited support calls — this is not a practice any of these companies follow. No legitimate support technician needs remote access tools installed during an unexpected call. If you receive such a call, hang up immediately and call the official support number published on the company's actual website.
7. Supply Chain Attacks via Compromised Software
Large-scale supply chain attacks — the SolarWinds style — are not exclusively an enterprise problem. Indian SMEs using pirated Windows, cracked Office 365, or nulled WordPress plugins are directly installing malware concealed inside the modified software.
In 2026, two additional vectors are significant: malicious browser extensions that appear legitimate (ad blockers, grammar checkers, PDF converters) but silently steal saved passwords and active banking session cookies; and typosquatting attacks on software repositories where developers install packages named "requets" instead of "requests" and receive malware instead of the intended library.
Defence: Use only licensed software from official sources — the cost of a genuine Microsoft 365 Business Basic at ₹135/user/month is far less than a ransomware recovery. Audit browser extensions quarterly and remove any you cannot account for. In Node.js projects, use lock files and audit dependencies with npm audit. Enable Google Safe Browsing on all business browsers.
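The "requets" instead of "requests" mistake can be caught before `pip install` runs. The script below is an added example, not part of the original article or of any package manager: it reads a requirements file, normalises names the way the Python package index does, and flags any name within one edit of a package on a team-maintained allow-list but not itself on it. `KNOWN_PACKAGES` and `SAMPLE_REQUIREMENTS` are constructed; the allow-list would be the packages the team actually uses.

```python
import re

# Constructed allow-list of packages the team has approved.
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "pandas", "flask", "django", "boto3"}

# Constructed requirements file with two near-miss names.
SAMPLE_REQUIREMENTS = """\
requests==2.32.0
requets            # one letter missing: a near-miss of requests
nunpy>=1.26
flask-login==0.6.3
"""

def normalize(name):
    """PEP 503 normalisation: case-insensitive, runs of - _ . collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_requirements(requirements, known=KNOWN_PACKAGES, max_distance=1):
    """Return (requested, looks_like) pairs for names close to, but not in, the allow-list.

    Legitimate packages with short names can be flagged too (e.g. a name one
    character away from an allow-listed one); treat hits as a review queue.
    """
    hits = []
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # Strip version specifiers, extras and markers to get the bare name.
        name = normalize(re.split(r"[=<>!~\[; ]", line, maxsplit=1)[0])
        if name in known:
            continue
        for pkg in sorted(known):
            if edit_distance(name, pkg) <= max_distance:
                hits.append((name, pkg))
                break
    return hits

if __name__ == "__main__":
    for requested, looks_like in suspicious_requirements(SAMPLE_REQUIREMENTS):
        print(f"{requested!r} is one edit from {looks_like!r}: check before installing")
```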
8. Social Media Account Hijacking
Business Instagram, Facebook, and YouTube accounts represent real monetary assets — accumulated audiences, ad spend access, and brand value. Attackers target them specifically because access gives immediate financial value through fraudulent ad spending and extortion ("pay us to get your account back").
Attack methods include SIM swapping (convincing a telecom operator to transfer your mobile number to an attacker-controlled SIM, bypassing SMS-based MFA), phishing login pages mimicking Meta's design, and cookie theft through malicious browser extensions that capture authenticated sessions. A Kerala photography studio lost a 47,000-follower Instagram account and ₹80,000 in pre-loaded Meta ad credits in a single incident.
Defence: Use a dedicated email address — separate from any personal Gmail — for all business social media accounts. Enable authentication app-based MFA (Google Authenticator, Authy) rather than SMS-based MFA on all Meta and Google accounts. Configure a Meta Trusted Contact recovery as a backup access method. Never install browser extensions you did not actively seek out and install from the official Chrome Web Store.
9. Data Exfiltration by Departing Employees
Employee resignation triggers a predictable window of data theft risk. Customer lists, pricing databases, supplier contact sheets, and proprietary process documents move to personal Google Drive accounts or get emailed to personal addresses in the days before the final working day. Indian labour law offers limited enforceable non-compete protections, so the data frequently becomes the foundation of a competing business or gets sold to a direct competitor.
This threat is internal and does not require any attacker sophistication — just a motivated employee and systems that do not monitor or restrict large data exports.
Defence: Implement an offboarding checklist that includes immediate account revocation on the employee's last day (not after notice period — access ends when employment ends). Before deleting any departing employee's Google Workspace account, conduct a data export audit to review recently shared or exported files. Google Workspace Business Plus includes DLP (Data Loss Prevention) policies that alert administrators when large volumes of files are shared externally.
10. Insecure Public WiFi in Client Meetings
Kochi and Trivandrum's cafe culture and growing co-working space ecosystem mean many Kerala business meetings happen on networks outside the business's control. Financial transactions, email access, and CRM logins over unsecured public WiFi create interception risks.
HTTPS has eliminated most passive sniffing attacks on encrypted sites. But evil twin attacks — where an attacker creates a fake WiFi hotspot named "Starbucks_Free" or "WeWork_Guest" that proxies traffic while recording credentials — remain effective. Public WiFi also exposes devices to attacks from other connected devices on the same network segment.
Defence: Use a mobile data hotspot for any sensitive work in public locations — the cost of mobile data is negligible compared to the risk. Install a commercial VPN on all business laptops and phones: Mullvad costs approximately ₹570/month, ProtonVPN approximately ₹480/month. Enable Private DNS set to 1.1.1.1 on all business Android and iOS devices for DNS-layer protection.
Building Your SME Security Baseline
A credible baseline for a 10-person Kerala business does not require a dedicated security team or a crore-rupee budget. The controls that prevent 80% of the incidents listed here cost less than ₹80,000 per year for a 10-person team:
- Google Workspace Business Starter with MFA enforced (₹21,600/year for 10 users at ₹180/user/month)
- Bitwarden Teams password manager (₹30,000/year for 10 users at ₹250/user/month)
- Annual staff awareness session including simulated phishing test (₹8,000–15,000 from a local IT consultant)
- DMARC, SPF, and DKIM setup on your business domain (one-time ₹5,000–15,000)
- Payment verification written policy (no cost — just documented procedure)
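The DMARC, SPF and DKIM line item above, and the "implement a DMARC policy" advice under threat 1, both turn on getting the record values right: a DMARC record with `p=none` and an SPF record ending in `~all` exist but block nothing. The checker below is an added example, not the article's own tooling; it parses constructed TXT records for a placeholder domain as they would come back from DNS, and reports the weak settings beside the corrected ones.

```python
# Constructed TXT records for a placeholder domain, before and after hardening.
RECORDS_BEFORE = {
    "example.co.in":        "v=spf1 include:_spf.google.com ~all",
    "_dmarc.example.co.in": "v=DMARC1; p=none; rua=mailto:dmarc@example.co.in",
}
RECORDS_AFTER = {
    "example.co.in":        "v=spf1 include:_spf.google.com -all",
    "_dmarc.example.co.in": "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.in; adkim=s; aspf=s",
}

def parse_tags(record):
    """'v=DMARC1; p=none' -> {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_domain(domain, records):
    """Return a list of weaknesses in the domain's SPF and DMARC records."""
    findings = []
    spf = records.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("no SPF record")
    else:
        qualifier = spf.split()[-1]
        # ~all (softfail), ?all (neutral) and +all (pass) do not reject forged senders.
        if qualifier in ("~all", "?all", "+all"):
            findings.append("SPF ends with " + qualifier + ": unauthorised senders are not rejected")
    tags = parse_tags(records.get("_dmarc." + domain, ""))
    if tags.get("v") != "DMARC1":
        findings.append("no DMARC record")
    else:
        if tags.get("p", "none") == "none":
            findings.append("DMARC p=none: spoofed mail is only reported, not quarantined or rejected")
        if "rua" not in tags:
            findings.append("no rua= address: you will receive no aggregate reports")
        if tags.get("pct", "100") != "100":
            findings.append("pct=" + tags["pct"] + ": policy applies to only part of your mail")
    return findings

if __name__ == "__main__":
    for label, records in (("before", RECORDS_BEFORE), ("after", RECORDS_AFTER)):
        print(label, check_domain("example.co.in", records) or ["no weaknesses found"])
```

Moving from `p=none` to `p=reject` should be done only after a few weeks of reading the `rua=` aggregate reports to confirm every legitimate sending service is covered by SPF or DKIM.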
The cheapest control on this list is also the most effective: the payment verification phone call. That 2-minute call has prevented more financial loss for Kerala businesses I work with than any technical control. It costs nothing to implement and stops BEC, invoice fraud, and payment redirection entirely when followed consistently.
Frequently Asked Questions
Does CERT-In's 6-hour incident reporting rule apply to my Kerala SME?
CERT-In's April 2022 directive requires organisations to report cybersecurity incidents within 6 hours of detection. The directive applies to any entity with a "significant cyber security incident" — which includes ransomware, data breaches, and business email compromise. In practice, the rule currently targets government organisations, critical infrastructure, internet service providers, data centres, and entities processing personal data of Indian citizens (which covers most e-commerce and fintech). For a small Kerala business with no internet-facing infrastructure beyond a WordPress website, the rule applies if you suffer a breach of customer data. Report to incident@cert-in.org.in with incident type, affected systems, and actions taken.
What is the minimum cybersecurity investment for a 10-person Kerala business?
For a 10-person team, a ₹50,000–80,000 annual baseline covers: Google Workspace Business Starter with MFA enforced (₹21,600/year), Bitwarden Teams password manager (₹30,000/year), an annual cybersecurity awareness training session for all staff (₹8,000–15,000), and one-time DMARC configuration on your business domain (₹5,000–15,000). This combination addresses credential stuffing, email spoofing, phishing, and the human layer — the four attack vectors responsible for the majority of SME incidents. It does not require a full-time IT hire or enterprise security tooling.
Our business email was hacked and sent spam to our contacts. What do we do in the first hour?
First 5 minutes: change the email account password immediately from a different, clean device. Revoke all active sessions in Gmail (Security → Your devices → Sign out all other devices). First 15 minutes: enable 2FA if it was not already active. Check all mail forwarding rules and filters — attackers routinely add a forwarding rule so they can keep reading your email after you regain control of the account. Review the Sent folder for every email sent during the compromise period. First hour: contact your most important clients and partners via WhatsApp to inform them your email was compromised and they should disregard any unusual emails received from your address in the past several hours. Check the Google Workspace admin console for any new accounts created or external forwarding rules applied across the organisation. File a report with the National Cyber Crime Reporting Portal at cybercrime.gov.in for documentation — this is needed if you pursue a police complaint later.