Diwali falls on October 20-21, 2025, six days from this post. By every report from CloudSEK, Quick Heal, and the Hyderabad Cybercrime Police, festive phishing surges 30-50% in the Diwali week (CloudSEK Diwali threat brief, Business Standard 2025 coverage). The targets are not just consumers: Indian SMBs are increasingly impersonated in fake Diwali offer campaigns. The defence is mostly DNS records and a few WhatsApp Business hygiene steps. This is the 30-minute brand-protection sprint you can run today.
- 30-50%: surge in phishing during Diwali week (CloudSEK)
- 3 DNS records: SPF, DKIM, DMARC, which block 80% of brand-impersonation email
- 1 in 3: Indian consumers who report a holiday-related scam attempt
- 30 min: time to ship the full hardening list below
## The 60-second answer
Add or fix three DNS records (SPF, DKIM, DMARC) on every domain you send mail from. Set up four brand-monitoring search queries that fire daily. Apply for or verify your WhatsApp Business green tick. Send one customer-comms email this week with three lines of "how to spot a fake message from us." Done in 30 minutes; it addresses the 80% of brand impersonation that reaches your customers under your name.
## Why this matters now
Indian festive shopping and customer outreach concentrate in the 7 days around Diwali. Every brand sends offer emails, WhatsApp broadcasts, and SMS notifications in that window — making it the perfect time for impersonators to slot in fake messages with the same urgency. CloudSEK reported in 2024 that brand-impersonation in Diwali week typically uses lookalike domains (your-brand-deals.com, yourbrand-offers.in), spoofed sender addresses (offers@your-brand instead of your real domain), and recycled templates from your past genuine campaigns.
The defence is layered. DNS-based email authentication (SPF, DKIM, DMARC) prevents most spoofing of your real domain. Brand-monitoring catches lookalike domains as they go up. WhatsApp Business verification (green tick) signals authenticity to your customers. Customer-comms training teaches recipients what genuine messages look like. None of these is expensive; the combination is dramatically more effective than any single defence.
The deepfake angle is real for 2025. AI-generated voice clones and video deepfakes of brand spokespeople started appearing in Indian Diwali campaigns in 2024. Quick Heal flagged a 12-fold increase in deepfake-based scams in Q3 2025 (Quick Heal alert). Brand-monitoring queries should now include video and audio searches, not just text and image.
## The 3 DNS records that matter
- **SPF (Sender Policy Framework).** Lists the IPs and domains authorised to send mail on behalf of your domain. Receiving servers check the SPF record before accepting mail. Configured wrong = legitimate mail bounces. Configured right = spoofed mail gets rejected.
- **DKIM (DomainKeys Identified Mail).** Cryptographic signature on every outgoing email. The receiving server validates the signature against your public key in DNS. Tampered or forged messages fail validation and get rejected or quarantined.
- **DMARC (Domain-based Message Authentication, Reporting and Conformance).** Tells receiving servers what to do when SPF or DKIM fails: none, quarantine, or reject. Also publishes a reporting address so you get daily reports of attempts to spoof your domain.
- **BIMI (Brand Indicators for Message Identification), bonus.** Optional. Displays your brand logo next to authenticated emails in supported clients (Gmail, Yahoo). Requires DMARC at p=reject plus a Verified Mark Certificate (₹85k-₹1.4 lakh per year). Not a Diwali sprint item, but it belongs on the 12-month roadmap.
## The 30-minute hardening walkthrough
This is what we run with a founder, marketing lead, and one engineer (or your ESP support). Each step has a verification before moving on.
1. **Minute 0-5: Audit your current DNS posture.** Visit mxtoolbox.com or the dmarcian DMARC inspector. Enter your domain. Note which records exist: SPF, DKIM, DMARC. Verify: a snapshot of the current state. Most Indian SMBs we audit have SPF (often misconfigured), no DKIM, and no DMARC. That is the gap.
2. **Minute 5-12: Fix or add SPF.** Identify every service sending mail "from" your domain: Google Workspace, Microsoft 365, Mailchimp/Mailmodo/Sendgrid, your ESP, customer-support tools, CRM. Each has documented SPF include syntax. Combine them into one SPF record (a domain must publish exactly one). Example: `v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org -all`. Verify: the mxtoolbox SPF check returns "All checks passed."
3. **Minute 12-20: Add DKIM.** Each ESP (Google, Sendgrid, Mailgun, Mailchimp) generates a DKIM key in its dashboard. Add the provided TXT record to your DNS. Expect one DKIM record per service, so typically 1-3 in total. Verify: the mxtoolbox DKIM lookup returns the public key for each ESP selector.
4. **Minute 20-25: Add DMARC at p=quarantine.** Add a DMARC TXT record at `_dmarc.yourdomain.in`. Start at p=quarantine, not p=reject; this gives you a 30-day window to catch legitimate mail flows you forgot. Include a reporting address: `rua=mailto:dmarc-reports@yourdomain.in`. Example: `v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.in`. Verify: the dmarcian DMARC inspector returns "Valid DMARC record."
5. **Minute 25-30: Set up brand-monitoring queries.** Set up daily Google Alerts for: your-brand-name + "deal/offer/sale", your-brand-name + "scam/fake/fraud", lookalike domain patterns (e.g. yourbrand-offers, yourbrand-deals, yourbrand-india). Set up a daily review on Twitter/X and Facebook for impersonation accounts. Verify: Google Alerts sends you the daily digest by tomorrow morning.
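To make the "Verify" steps repeatable, here is an offline check you can run over the TXT records pulled in step 1. It is an added example, not the post's own tooling or anything from mxtoolbox or dmarcian; the function names and sample records are assumptions, and it flags the misconfigurations the walkthrough warns about.

```python
"""Offline SPF/DMARC posture check for TXT records you already pulled (added
example, not the post's tooling); flags the misconfigurations the walkthrough warns about."""
import re

# SPF mechanisms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|a:|mx\b|mx:|exists:|redirect=)", re.I)

def check_spf(txt_records):
    """Findings for the apex TXT records; an empty list means the SPF looks sane."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records (permerror per RFC 7208; merge into one)")
    terms = spf[0].split()
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"'{last}' lets any host pass; use -all (or ~all while testing)")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("record does not end with an 'all' qualifier")
    return findings

def parse_dmarc(txt_record):
    """Split 'v=DMARC1; p=quarantine; rua=mailto:...' into a tag dict."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt_record):
    """Findings for the _dmarc TXT record; empty list means it matches the walkthrough."""
    tags = parse_dmarc(txt_record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; move to p=quarantine once mail flows are known")
    if "rua" not in tags:
        findings.append("no rua= address, so you will never see aggregate reports")
    return findings
```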
## The 4 brand-monitoring queries that catch impersonation
Set these up as daily Google Alerts plus checks on social platforms. Three minutes of setup, daily 30-second review.
| Query | Where to run it | What it catches |
| --- | --- | --- |
| `"yourbrand" deal OR offer OR sale OR diwali` | Google Alerts (daily) | Lookalike landing pages, fake-offer blog posts, scam aggregator sites |
| `yourbrand site:facebook.com OR site:instagram.com` | Google Alerts (daily) | Impersonation profiles on Meta platforms |
| `yourbrand-offers OR yourbrand-deals OR yourbrand-india OR yourbrand-sale` | Domain-monitoring tool (DomainTools, dnstwister.report) | Lookalike domain registrations |
| `"@yourbrand" OR "yourbrand" inurl:wa.me OR inurl:whatsapp` | Google Alerts (daily) | Fake WhatsApp Business numbers using your brand name |
## WhatsApp Business hardening (5 minutes)
WhatsApp is the channel where Indian Diwali phishing converts most aggressively, because customers expect brand WhatsApp messages and are conditioned to trust them. Three quick steps.
1. Apply for or verify the green tick (Official Business Account). The green tick, visible next to your business name, is the strongest visual signal customers have. Apply via Meta Business Manager → WhatsApp Business → Account verification. Approval takes 5-15 working days; apply NOW for next year if not for this Diwali.
2. Set a clear business profile with your registered address, website (https), email, and a one-line "We never ask for OTPs" disclaimer. Customers who see a complete profile are 4x less likely to fall for a scam impersonator (per Meta's own product research).
3. Use template messages with branded headers for promotional sends. Approved templates are visibly different from generic chats and harder to forge.
For broadcast WhatsApp, the discipline is: never use a personal WhatsApp number for customer broadcasts. Always use the verified Business API number. The cost of WhatsApp Business API messaging in India is ₹0.40-₹0.85 per conversation depending on category — affordable even for SMBs.
## The customer-comms template that actually works
Send this email or WhatsApp message to your full customer list once in the week before Diwali (Oct 14-19, 2025). Single message, three pieces of info, no marketing wrap.
> **Subject:** Spotting a fake message from [Your Brand] — 3 quick checks
>
> Diwali week brings festive deals — and unfortunately, a surge in scammers impersonating brands. Here is how to spot a real message from us:
>
> 1. Real domain. Our official emails come from @yourdomain.in (NOT yourdomain-offers.com or anything similar).
> 2. Verified WhatsApp. Our WhatsApp messages come only from [number], with a green tick next to our name.
> 3. We never ask for OTP, password, or full card number. If a message claiming to be from us asks for any of these, it is fake.
>
> Forward suspicious messages to scams@yourdomain.in. Have a wonderful Diwali. — Team [Your Brand]
This email outperforms heavy-marketing Diwali content for the week — and customers remember it the next time a scam hits their inbox. Send one a year.
## When NOT to ship DMARC at p=reject in Diwali week
If you have not yet run DMARC reports for at least 30 days, stay at p=quarantine. Going straight to p=reject during Diwali week is risky — any legitimate mail flow you forgot to authorise (a partner email service, a transactional API, a forgotten old SMTP server) starts bouncing immediately. The customer-perception cost of legitimate emails bouncing in Diwali week is higher than the marginal protection from p=reject vs p=quarantine.
The right path: ship p=quarantine in October, monitor the DMARC reports through November, fix gaps, move to p=reject in December or January.
**The unauthorised SMTP trap.** Most Indian SMBs find at least one "forgotten" mail-sending service when they ship DMARC. Common culprits: an old Mailchimp account from 2019, a CRM trial that auto-sends emails, a website contact form that uses SMTP from a shared host. Run DMARC at p=quarantine first to find these without breaking customer-facing email flows.
## The Diwali sprint checklist (print this)
- SPF record validated on mxtoolbox; all checks passed
- DKIM records added for every ESP/mail-sending service
- DMARC at p=quarantine added with reporting address
- DMARC reports parsing tool configured (Postmark DMARC, dmarcian, Valimail Monitor — free tiers exist)
- Google Alerts set up for 4 brand-monitoring queries
- Domain-monitoring scan run for lookalike registrations (dnstwister.report or DomainTools)
- WhatsApp Business green-tick application submitted (or already approved)
- WhatsApp profile complete with address, website, email, disclaimer
- Customer-comms email sent during week of Oct 14-19, 2025
- scams@yourdomain.in email address created and routed to a real human
## A real example — a 14-person Jaipur D2C beauty brand
A Jaipur-based D2C skincare brand (₹4 cr revenue, 14 employees, 18,000 customers, primarily Instagram and WhatsApp Business sales) ran the Diwali sprint with us in mid-October 2024 — coming out of one Diwali where they had been impersonated by 3 different lookalike Instagram accounts and one fake WhatsApp number that scammed 4 of their customers out of ₹16,000 in total.
What we did in 32 minutes:
- SPF was misconfigured (had two SPF records, which fails by spec). Combined into one valid record.
- No DKIM existed. Added DKIM for Google Workspace and for their Sendgrid transactional ESP.
- No DMARC existed. Added p=quarantine + reporting to dmarc-reports@theirdomain.com.
- Google Alerts set up for 4 brand queries. Within 48 hours, caught 2 lookalike domain registrations that they reported to the registrar and got taken down.
- Applied for WhatsApp Business green tick (approved 12 days later, in time for Diwali by 4 days).
- Sent the customer-comms email on Oct 16. Customers replied warmly; one customer called the founder to thank her.
Diwali outcome that year: 0 reported scam impersonations, 1 lookalike domain caught and taken down, ESP delivery rates improved by 7% (due to clean DKIM/DMARC). The owner's exact framing: "this is the cheapest 30 minutes I have spent on the brand."
For the broader pattern, see our 2025 piece on the DPDP Act pre-notification readiness audit: privacy posture and brand-protection are the two halves of the same defence layer.
## A founder note from our team
Our founder Vivek Singh writes about cybersec for SMBs through both engineering and brand-protection lenses. The shortest version of his Diwali argument: the festive surge is utterly predictable, the controls are well-documented, the cost is trivial, and most SMBs still skip them because they only think about email security on the day a customer complains. The fix is to make the 30-minute Diwali sprint an annual ritual: same week, every year, before the campaigns go out.
The ecosystem-wide view: brand impersonation is one of the most under-defended risk categories in Indian SMB cybersec. The DNS controls have been mature for a decade. The WhatsApp controls have existed for 3 years. The brand-monitoring tools cost ₹0 to ₹2k/month. Closing the gap is bookkeeping, not engineering.
For the technical email-deliverability side, our internal team consistently sees that DMARC adoption also lifts legitimate email open rates by 5-12% — the spam filters trust authenticated mail more.
## The Reddit pulse
The r/IndiaInvestments threads each Diwali week document specific scam patterns hitting the community: fake gold-investment offers, fake EMI offers, fake refund-claim emails impersonating banks. The pattern is consistent year-over-year; the brand impersonations rotate but the scam mechanics do not.
The r/india subreddit during Diwali week typically has 10-30 daily posts of "is this scam real?", a useful pulse for what is currently in circulation. Brand owners can monitor the subreddit for mentions of their brand for cheap real-time intel.
The r/cybersecurity threads on DMARC consistently land on the same advice: ship p=quarantine first, monitor reports, move to p=reject after 30 days. The mistake people make is going straight to p=reject and breaking legitimate flows. Patience first.
## FAQ
### What is the difference between SPF, DKIM, and DMARC?
SPF lists which IPs can send mail for your domain. DKIM cryptographically signs each message. DMARC tells receiving servers what to do when SPF or DKIM fails AND publishes daily reports. All three are needed; none alone is sufficient.
### Will adding DMARC break our existing email?
Possibly, if you have unauthorised mail-sending services. Always start at p=none (just monitor) or p=quarantine (mark as suspicious) — never start at p=reject in production. Run for 30 days, fix gaps, then move to p=reject.
### Do we need a DMARC report parser?
For very small SMBs (under 1,000 emails/month outbound), reading raw DMARC XML reports is feasible but tedious. For everyone else, use a parser. Free tiers exist at Postmark DMARC, dmarcian, and Valimail Monitor — sufficient for most SMBs through 10,000-50,000 emails/month.
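For the small-SMB case where you read the raw reports yourself, and for spotting the forgotten senders described in "The unauthorised SMTP trap" above, here is a minimal parser for a DMARC aggregate (rua) report. It is an added example, not the post's tooling or any of the named parsers; the report is a constructed sample in the RFC 7489 Appendix C layout, and the source IPs are documentation (TEST-NET) addresses.

```python
"""Parse a DMARC aggregate (rua) report and list the sources that failed
authentication. Added example, not the post's own tooling; SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C layout with TEST-NET addresses."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourdomain.in</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.in</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.in</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>900</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.in</header_from></identifiers>
  </record>
</feedback>"""

def parse_report(xml_text):
    """Return one dict per <record>: source IP, message count, aligned results."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
            "disposition": pe.findtext("disposition"),
        })
    return rows

def failing_sources(rows):
    """Sources where neither aligned SPF nor aligned DKIM passed, largest first.
    Each is either a spoofer or a service you forgot to authorise; checking who
    owns the IP (your ESP, your web host, nobody you know) tells you which."""
    bad = [r for r in rows if r["dkim"] != "pass" and r["spf"] != "pass"]
    return sorted(bad, key=lambda r: r["count"], reverse=True)
```

In the sample, the 35-message source with a low volume and a quarantine disposition is the shape a forgotten contact-form SMTP host usually takes; the 900-message one is the shape of a spoofing campaign.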
### How long does WhatsApp Business green tick approval take?
Typically 5-15 working days. Common rejection reasons: incomplete profile, mismatched legal/trade name, no public web presence, recent business registration. Apply early — the green tick is the single highest-trust visual signal in the WhatsApp ecosystem.
### Can we use a personal WhatsApp number for customer broadcasts?
Technically yes, but Meta enforces messaging limits and bans on personal numbers used for bulk send. The right pattern is WhatsApp Business API (via Wati, Gupshup, Interakt, Twilio, etc.) on a dedicated number with a verified business profile.
### What is BIMI and is it worth it for Indian SMBs?
BIMI displays your verified logo next to authenticated emails in supported clients. Requires DMARC at p=reject + a Verified Mark Certificate (₹85k-₹1.4 lakh per year from DigiCert/Entrust). Worth it for B2C brands sending high-volume marketing email; less impactful for B2B SaaS.
### How much does the full hardening list cost annually?
DNS records: ₹0. Google Alerts: ₹0. dnstwister.report: ₹0 to ₹2k/month for paid alerts. WhatsApp Business green tick: ₹0 (free verification, but you need WhatsApp Business API at ₹0.40-0.85/conversation). DMARC parser: ₹0 to ₹4k/month for parsed dashboards. Total: ₹0 to ₹15k/year for a typical SMB. The cost is nominal compared to the avoided incident.
### What if a scammer is already impersonating us — what do we do?
(1) File a takedown with the platform (domain registrar, social platform, WhatsApp). (2) File a complaint with the National Cyber Crime Reporting Portal (cybercrime.gov.in). (3) Notify your customers via your verified channels. (4) If financial loss occurred, escalate to local cyber-cell. (5) Document everything — case numbers, screenshots, timeline — for both the platform takedown and any legal follow-up.
## Need a 1-week brand-protection sprint?
We run a 1-week Diwali brand-protection sprint for Indian SMBs (under 100 employees) for ₹40,000 fixed price. You leave with: full SPF/DKIM/DMARC configured and validated, brand-monitoring queries set up, WhatsApp green-tick application filed, customer-comms template sent, lookalike-domain takedowns filed for the first 5 found. First call is with the engineer who would lead the sprint.