Phishing has always been the most reliable entry point for attackers. But in 2025, something has changed fundamentally: generative AI has industrialised the craft. Where attackers once spent hours crafting a believable lure targeting a specific executive, they can now generate thousands of hyper-personalised, grammatically flawless, contextually accurate spear-phishing emails in minutes—at near-zero cost.
For Indian enterprise IT and security leaders, this is not a theoretical concern. The Indian Computer Emergency Response Team (CERT-In) has flagged a significant uptick in Business Email Compromise (BEC) and credential-harvesting campaigns targeting BFSI, manufacturing, IT services, and government-adjacent organisations. Combined with the Digital Personal Data Protection (DPDP) Act’s strict breach-notification obligations, the stakes of a successful phishing compromise have never been higher.
Traditional email security relied on spotting tell-tale signs: poor grammar, generic salutations, suspicious sender domains, and known-bad URLs. Signature-based filters and static reputation lists worked reasonably well when attackers were humans operating at human speed.
Today’s AI-assisted phishing campaigns break every one of those heuristics:
Indian enterprises face specific structural factors that amplify phishing risk in this new AI era:
Indian manufacturing and IT services companies operate complex supply chains with hundreds of vendors, many of whom communicate via free-tier email domains (Gmail, Yahoo) rather than authenticated corporate addresses. This makes it genuinely difficult for employees to distinguish a legitimate supplier email from an impersonation.
Under the DPDP Act and CERT-In’s 2022 directions, a data breach triggered by a successful phishing attack—leading to credential theft and subsequent data exfiltration—must be reported to CERT-In within six hours of detection. A delayed or incomplete response can trigger regulatory action. The downstream cost of a phishing compromise is therefore not just remediation; it is also regulatory risk, reputational damage, and potential penalties.
Post-pandemic hybrid work has blurred the perimeter. Employees reading corporate email on personal devices with weak endpoint controls, or using personal email on managed devices, create gaps that enterprise email gateways cannot fully close without a layered approach.
While security awareness training has improved, it struggles to keep pace when the phishing emails look indistinguishable from legitimate correspondence. The human layer alone is not a reliable control—it must be backed by technology that removes the decision from employees in the first place.
Combating AI-powered phishing requires moving beyond the traditional Secure Email Gateway (SEG) model. A modern, layered email security stack for Indian enterprises should include the following components:
The security control must match the attacker’s sophistication. Platforms like FortiMail use machine learning to analyse email behavioural patterns, not just signatures—detecting anomalous sender-recipient relationships, unusual sending times, atypical attachment types, and subtle header manipulations that static rules miss.
Email authentication protocols are foundational, yet many Indian organisations still have DMARC in monitoring mode (p=none) rather than enforcement (p=quarantine or p=reject). Without enforcement, domain spoofing attacks succeed even when the organisation has nominally deployed email authentication. A security partner should audit and enforce these records across all sending domains—including marketing automation platforms, CRMs, and transactional email services.
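One way to audit DMARC records for the enforcement gaps this paragraph describes, written as an added example rather than PJ Networks' or Fortinet's code: the domains and records below are constructed samples, and a real audit would fetch each `_dmarc.<domain>` TXT record via DNS instead of reading a dict.

```python
# Constructed DMARC records as they would be published at _dmarc.<domain>
# (sample domains and addresses, not real DNS lookups).
SAMPLE_RECORDS = {
    "monitoring-only.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring-only.test",
    "partial-rollout.test": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial-rollout.test",
    "subdomain-gap.test": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subdomain-gap.test",
    "enforced.test": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforced.test",
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Return human-readable findings; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    # pct defaults to 100; a lower value leaves part of the failing mail unpoliced
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")
    # sp defaults to p; an explicit sp=none leaves every subdomain spoofable
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains are exempt from the organisational policy")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected, unknown senders stay invisible")
    return findings

def audit_all(records):
    """Audit every domain and map it to its findings (empty list = enforced)."""
    return {domain: audit_dmarc(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, findings in audit_all(SAMPLE_RECORDS).items():
        print(domain, "ENFORCED" if not findings else "GAP")
        for finding in findings:
            print("  -", finding)
```

Run the same audit over every sending domain, including the marketing and transactional platforms the paragraph mentions, since each of those publishes its own record.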
Since attackers now use freshly registered domains, time-of-click URL inspection is essential. Links in emails should be rewritten through a secure proxy that re-evaluates the destination at click time—catching sites that were clean at delivery but weaponised by the time the user clicks.
Traditional AV scanning misses zero-day malware. Sandboxing executes suspicious attachments in an isolated environment to observe behaviour. This capability now needs to extend to QR code scanning—QR phishing (“quishing”) has become a popular technique to bypass email scanners by embedding malicious URLs in images rather than clickable links.
BEC attacks often involve no malicious payload at all—just a fraudulent request from what appears to be the CEO or CFO. Detection requires analysing display name spoofing, lookalike domain variants, reply-to header mismatches, and communication pattern anomalies.
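The header checks listed above (display-name spoofing, lookalike domains, reply-to mismatch), implemented as an added example that is not part of the original article or of FortiMail; the executive list, corporate domain and the sample message are constructed, and the edit-distance threshold is an assumption a real deployment would tune.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data: the organisation's own domain and its executives.
CORPORATE_DOMAINS = {"example-corp.test"}
EXECUTIVES = {"priya sharma": "priya.sharma@example-corp.test"}

def _levenshtein(a, b):
    """Edit distance; a distance of 1-2 between domains flags a lookalike (assumed threshold)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse_bec(raw_email):
    """Return the BEC indicators found in the headers of a raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    indicators = []
    # 1. Display name of a known executive on an address that is not theirs
    if display.lower().strip() in EXECUTIVES and from_addr.lower() != EXECUTIVES[display.lower().strip()]:
        indicators.append(f"display-name spoof: '{display}' sent from {from_addr}")
    # 2. From or Reply-To domain is a near miss of a corporate domain
    for addr in (from_addr, reply_to):
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        for corp in CORPORATE_DOMAINS:
            if domain != corp and 0 < _levenshtein(domain, corp) <= 2:
                indicators.append(f"lookalike domain: {domain} resembles {corp}")
    # 3. Reply-To silently redirects the conversation to another mailbox
    if reply_to and reply_to.lower() != from_addr.lower():
        indicators.append(f"reply-to mismatch: replies go to {reply_to}")
    return indicators

# Constructed sample: a payment request styled as coming from the CEO.
SAMPLE_BEC = """From: Priya Sharma <priya.sharma@examp1e-corp.test>
Reply-To: ceo.priya@webmail.test
Subject: Urgent vendor payment

Please process the attached invoice today."""
```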
Email security cannot operate in isolation. Alerts from the email security layer should feed into a SIEM for correlation with endpoint, network, and identity telemetry. When a phishing email is detected, SOAR playbooks should automatically quarantine the message across all affected mailboxes, block the sender domain at the firewall (FortiGate), and trigger an incident response workflow—all without waiting for analyst intervention.
Use this checklist to assess your organisation’s current email security posture against the AI phishing threat.
PJ Networks deploys FortiMail as the first line of defence—leveraging Fortinet’s FortiGuard Labs threat intelligence, AI-based detection engines, and built-in sandboxing to catch what static rules miss. FortiMail’s deep integration with FortiGate NGFW means that a malicious domain or IP identified in an email is immediately blocked at the network perimeter, closing the window between detection and containment.
Behind the technology, PJ Networks’ 24/7 NOC/SOC team provides continuous monitoring, alert triage, and incident response. When AI-powered phishing campaigns target multiple employees simultaneously—a common pattern in modern BEC attempts—the SOC team identifies the campaign scope, orchestrates mailbox remediation, and ensures the incident is documented with the precision required for CERT-In reporting.
For organisations that lack the in-house capacity to manage email security at this level of sophistication, a fully managed approach removes the operational burden while ensuring coverage that scales with the threat.
AI-powered phishing is not a future risk—it is the operational reality for Indian enterprise security teams today. The barriers that once slowed attackers (language skill, research time, domain setup) have collapsed. The defenders’ response must be equally modern: AI-native detection, layered authentication enforcement, real-time link analysis, deep integration between email and network security, and a 24/7 human response capability to act when automation flags a campaign.
The DPDP Act has made the stakes explicit: a successful phishing attack that leads to a data breach is now a compliance event with a six-hour reporting clock. Getting email security right is no longer optional for Indian enterprises operating at scale.
PJ Networks helps Indian enterprises deploy, manage, and continuously tune FortiMail and the broader Fortinet email security stack—integrated with FortiGate firewalls, ZTNA, and our 24/7 managed SOC. If you are evaluating your email security posture or need a rapid assessment before your next compliance review, reach out to our team.