Updated: May 28, 2026
Global voice phishing rose 442% in 2025, and deepfake-enabled vishing surged more than 1,600% in Q1 2025 against the previous quarter. India's ITeS and BPO sector sits at the centre of that wave. Per NASSCOM, the Indian IT-BPM industry directly employs over 5 million people, the world's largest English-language back-office workforce. Those agents sit on Western customer data, run 24x7 shifts, and authenticate into SaaS estates dozens of times a day. Attackers know it.
Volume of access. A single agent often touches the data of thousands of end customers in a shift. A compromised agent is a portable breach.
Western customer data plus principal-driven compliance. Indian BPOs hold US, UK and EU PII and PHI on behalf of foreign principals. Most are bound by SOC 2 Type II, PCI DSS or HIPAA via those principals, so a breach triggers both Indian regulatory reporting and the principal's contractual breach clock.
Shift work and turnover. 24x7 floors with double-digit attrition mean a constant churn of new joiners, contractor laptops and unfamiliar IT-support voices. Vishing thrives on that unfamiliarity.
SaaS-heavy estates. Okta, Salesforce, Zendesk, Microsoft 365 and the client's CRM are the working surface. Spoofed login pages are the weapon of choice.
Supplier-of-supplier risk. A breach of the Indian BPO is often a breach of the brand it serves.
What Are Real Attackers Actually Doing in 2025 and 2026?
| Campaign | Target Pattern | Technique | Outcome |
|---|---|---|---|
| UNC6783 / "Mr Raccoon" | Indian BPO serving Adobe | Phishing email to a support agent, remote access trojan executed | 15,000 employee records and millions of support tickets exfiltrated (attacker claim) |
| ShinyHunters | Global BPOs including Telus Digital | Vishing call impersonating IT support, agent steered to spoofed Okta login | Petabyte-scale data theft claimed by the actor, including call records and customer PII |
| Phishing kits with clipboard capture | BPO agent estates using TOTP MFA | Real-time relay of credentials and OTP entered on a spoofed page; clipboard capture to harvest pasted tokens | Standard MFA bypassed; attacker registers own device |
| Deepfake voice impersonation | Finance and IT-support functions | AI voice cloning from three seconds of audio, used to authorise transactions or password resets | Q1 2025 deepfake-vishing incidents up over 1,600% versus Q4 2024 |
Source: public-domain reporting and disclosures from Google's Threat Intelligence Group, BleepingComputer, SecurityWeek and DeepStrike. Some figures are attacker claims and may not be fully verified by the victim organisation.
TOTP and SMS-based MFA were designed for a world where the user typed the OTP into the real site. Modern phishing kits sit between the user and the real site, relay everything in real time, and read clipboard contents to grab pasted codes. The mitigation is phishing-resistant authentication: FIDO2 security keys or platform passkeys, plus device trust enforced in the identity provider, plus a vishing-aware helpdesk.
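The difference described above, seen from the relying party's side, as an added example that is not from the original article or from any vendor's code. The host names are constructed, the assertion is reduced to the fields that matter here, and an HMAC stands in for the authenticator's public-key signature.

```python
import hashlib, hmac, json, struct

RP_ID = "login.example.com"              # constructed relying party, not from the article
RP_ORIGIN = "https://login.example.com"

def totp(secret, t, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). The code carries no record of the site it is typed into."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def verify_totp(secret, code, t):
    # The server learns only that someone holds the current code, not where it was entered.
    return hmac.compare_digest(totp(secret, t), code)

def sign_assertion(key, origin, challenge):
    """Toy browser plus authenticator. The browser, not the user, records the origin
    it is really on. Assumption: HMAC replaces the real ECDSA signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    rp_id_hash = hashlib.sha256(origin.split("//", 1)[1].encode()).digest()
    sig = hmac.new(key, rp_id_hash + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": rp_id_hash, "sig": sig}

def verify_assertion(key, a, challenge):
    """Relying-party checks: fresh challenge, expected origin, RP ID hash, signature."""
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                      # stale or replayed assertion
    if cd.get("origin") != RP_ORIGIN:
        return False                      # produced on a different site
    if a["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                      # credential scoped to another RP ID
    expected = hmac.new(key, a["auth_data"] + hashlib.sha256(a["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, a["sig"])
```

A code typed into any page verifies as long as it reaches the server inside its time step, while an assertion produced on any origin other than `RP_ORIGIN` is rejected before the signature is even checked.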
Phishing-resistant MFA at the identity layer. Cisco Duo with passwordless, FIDO2 keys, Verified Push and number matching removes the clipboard-capture exposure and prevents push-bombing.
Cisco Secure Access for SSE and SASE. Agent traffic to SaaS goes through a single inspection layer with DNS-layer threat protection, secure web gateway and CASB controls on Salesforce, Microsoft 365 and Okta tenants.
Cisco XDR for cross-signal detection. Correlates identity, endpoint, network and SaaS signals so a single agent's anomalous login from a new device at 02:30 triggers an investigation, not a buried alert. See our MDR versus in-house SOC blog for the staffing side.
Cisco Secure Email Threat Defense. Inbound and outbound mail screened for credential phishing, BEC and malicious URLs, with retroactive remediation of mail already in inboxes.
Talos threat intelligence. Indicators of compromise published from real campaigns feed the SOC playbook.
If your principal mandates Microsoft Entra ID, the equivalent controls are Entra phishing-resistant MFA, Conditional Access with device trust and number-matching push. The architecture in this piece travels for either stack.
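The cross-signal idea above (an agent's sign-in from a new device at 02:30) combined with the "attacker registers own device" outcome from the campaign table, written as a small scoring rule over identity-provider events. This is an added example, not Cisco XDR or Entra logic; the event fields, device baseline, shift table, weights and 15-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample identity-provider events (not from any real tenant).
EVENTS = [
    {"ts": "2026-05-12T14:05:00", "user": "agent17", "type": "signin", "device": "LT-0412"},
    {"ts": "2026-05-13T02:30:00", "user": "agent17", "type": "signin", "device": "unknown-7f3a"},
    {"ts": "2026-05-13T02:34:00", "user": "agent17", "type": "mfa_enroll", "device": "unknown-7f3a"},
    {"ts": "2026-05-13T09:10:00", "user": "agent22", "type": "signin", "device": "LT-0500"},
    {"ts": "2026-05-13T22:15:00", "user": "agent22", "type": "signin", "device": "LT-0977"},
]
KNOWN_DEVICES = {"agent17": {"LT-0412"}, "agent22": {"LT-0500"}}  # assumed baseline
SHIFT_HOURS = {"agent17": (13, 22), "agent22": (21, 6)}           # start, end; may wrap midnight
ENROLL_WINDOW = timedelta(minutes=15)

def in_shift(user, when):
    start, end = SHIFT_HOURS[user]
    if start < end:
        return start <= when.hour < end
    return when.hour >= start or when.hour < end                  # overnight shift

def score_signins(events):
    """Score each sign-in from a device outside the user's baseline; highest first."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, e in enumerate(events):
        if e["type"] != "signin" or e["device"] in KNOWN_DEVICES.get(e["user"], set()):
            continue
        when = datetime.fromisoformat(e["ts"])
        score, reasons = 1, ["new_device"]
        if not in_shift(e["user"], when):
            score += 1
            reasons.append("off_shift")
        for later in events[i + 1:]:
            same = later["user"] == e["user"] and later["device"] == e["device"]
            soon = datetime.fromisoformat(later["ts"]) - when <= ENROLL_WINDOW
            if same and soon and later["type"] == "mfa_enroll":
                score += 2                 # new factor added from the unfamiliar device
                reasons.append("mfa_enroll_after_signin")
                break
        findings.append({"user": e["user"], "device": e["device"], "ts": e["ts"],
                         "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])
```

On the sample data the 02:30 sign-in followed by a factor enrolment scores 4 and heads the queue, while an in-shift sign-in from a replacement laptop scores 1, which is the separation a floor with high device churn needs to keep real signals from being buried.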
What Does a 30-Day BPO Hardening Plan Look Like?
| Week | Activity |
|---|---|
| 1 | Identity audit. Inventory all agent accounts, MFA factors and admin privileges. Disable SMS-based MFA. |
| 2 | Roll out Cisco Duo with FIDO2 keys and Verified Push to a pilot pod of 50 agents. Disable legacy auth in Microsoft 365 for the pilot. |
| 3 | Stand up Cisco Secure Access for the pilot pod. Enforce CASB policy on Okta, Salesforce and the principal's CRM. Apply network segmentation between the pod and the wider estate. |
| 4 | Tabletop exercise: a vishing call impersonating IT support, a deepfake voice authorising a password reset, a spoofed Okta page. Roll learnings into the floor-wide plan. |
Two operational controls do more than any tool. First, every password reset and every MFA re-enrolment must require a call-back to a number drawn from the HR system of record or the identity provider's directory, never from a ticket the caller has opened or a contact card the caller offers. Second, every supervisor approval that crosses a defined risk threshold (refunds, account merges, data exports) must require a second human in a verified channel.
BPO floors that move to FIDO2 keys, Verified Push and a callback-only helpdesk typically see credential-phishing incidents fall by 80 to 90% inside a quarter, against published Microsoft and Cisco identity baselines. The DPDP and CERT-In reporting workload falls with it. For the wider DPDP picture, see our DPDP Act compliance checklist.
Proactive Data Systems is a Preferred Partner under the Cisco 360 Partner Program across Networking, Security, Collaboration, Cloud & AI, and Services. We secure Indian BPO and ITeS floors against credential phishing, vishing and SaaS account takeover, with the Cisco Duo, Secure Access and XDR stack tuned to shift-pattern operations.
Book a BPO Phishing Resistance Assessment. Ninety minutes. Your identity, mail and SaaS exposure tested against the campaigns named above. A remediation plan in your hands inside ten working days.