India continues to see a surge in cybercrime affecting both citizens and businesses, with cyber fraud against citizens jumping 51% over the past year and cyberattackers targeting businesses in volumes significantly higher than global averages.
Overall, Indian citizens filed more than 1.7 million cybercrime complaints in 2024, up from 1.1 million complaints in 2023, according to the latest data from India’s National Cyber Reporting Platform (NCRP) released in early February. While many of those cyber scams came from domestic sources, about 45% of the cyberattacks came from cybercriminal havens in Cambodia, Myanmar, and Laos, according to the report.
The problem underscores the dark side of increasing access to online services. While the country is digitizing many of its government services — giving citizens easier access — crime has followed online, President Droupadi Murmu said during a speech to Parliament on Jan. 31.
“[I]n an increasingly digital society, cybersecurity has become a crucial issue of national importance,” Murmu said. “Digital fraud, cybercrime, and emerging technologies like deepfakes pose challenges to our social, economic, and national security.”
India’s citizens are not the only targets of cybercriminals — business sites increasingly face online attacks. Cyber-risks and digital/technology risks are the most pressing concerns for companies in India, with businesses in the region prioritizing those issues more than their global counterparts, according to PricewaterhouseCoopers’ “2025 Global Digital Trust Insights — India Edition.”
Source: PricewaterhouseCoopers, “2025 Global Digital Trust Insights — India Edition”
“Over the next 12 months, Indian organizations are prioritizing the mitigation of three key risks: cyberthreats, digital vulnerabilities and inflation,” PwC India stated in the report. “This focus highlights the critical need for robust cybersecurity, reliable technological infrastructure, and strategies to counter rising costs and ensure resilience and sustained growth.”
Businesses See Different Threat Profile
Compared with other regions of the world, India is seeing a greater volume of attacks. The average website in India sees about 6.9 million unwanted requests — often referred to as “attacks” by vendors — every year, with 26% more attacks per site compared with the global average, according to Indusface. Denial-of-service attacks are also more common against Indian targets, compared with the global average, says Venky Sundar, founder and president for the Americas at Indusface.
The threat actors have gone mobile-first, with API servers for mobile applications targeted with 43% more requests per host compared with websites, he says.
There is “a shift in attack strategies towards disrupting mobile and connected services,” Sundar says. “Cybercrime is increasingly targeting external-facing APIs associated with mobile apps rather than just traditional web platforms.”
The attacks are split fairly evenly between domestic sources and global ones, he adds. Overall, about half of the malicious traffic targeting company sites and API servers are domestic, with much of the rest coming from four countries: US, France, UK, and Singapore.
The government is currently taking steps to make life harder for attackers. The Reserve Bank of India (RBI), for example, has created exclusive Internet domains for banks (bank.in) and for non-bank financial institutions (fin.in), which will be run by the Institute for Development and Research in Banking Technology (IDRBT). India also passed its first privacy and data-protection law in 2023, and drafted implementation rules last month, which together define the rights of Indian citizens and requirements for companies handling data.
India and the US also recently signed a memorandum of understanding (MoU) that allows the two countries to cooperate on intelligence gathering, the exchange of information on cybercrime cases, and collaborative training. India has also fought to rescue and repatriate its citizens from forced labor camps for criminal syndicates in Cambodia, Myanmar, and Laos, where they are forced to conduct a variety of online scams.
Yet the country still faces a shortage of cybersecurity professionals. In September, the government announced an effort to train 5,000 “cyber commandos” over the next five years, to help national and state governments with cyber investigations.
Training citizens in cybersecurity can have additional benefits, President Murmu said in her remarks to Parliament.
“My government has taken numerous measures to control these cyber threats, creating opportunities for employment in the field of cybersecurity for the youth [and] is continuously working to ensure competence in cybersecurity,” she said, noting that the country has reached Tier 1 status in the International Telecommunication Union’s Global Cybersecurity Index.
