Most cyber safety guides are written for a generic adult user — someone who banks online, uses WhatsApp, has a smartphone, and works at a computer. That person is real, and the advice written for them is useful. But it leaves out several categories of people who face meaningfully different online threats, require different protections, and are disproportionately targeted precisely because standard advice does not account for them.
Children navigating the internet face threats that have nothing to do with phishing or password hygiene. Elderly users are the primary target of a specific category of scams that exploit trust and authority in ways that generic advice does not address adequately. Remote workers and freelancers operate at the intersection of personal and professional digital environments in ways that create specific vulnerabilities. Small business owners — particularly the crore-plus Indian SMEs now operating on WhatsApp, Instagram, and digital payment platforms — face business-level cyber risks with consumer-level security resources.
This guide addresses each group specifically: what threatens them, why they are targeted, and what protection actually looks like for their situation.
Protecting Children Online: The Threats Most Parents Are Not Watching For
India had approximately 180 million internet-using children and adolescents under 18 as of 2024, according to UNICEF India data. The digital environment they inhabit — dominated by YouTube, Instagram, free fire and other gaming platforms, and increasingly TikTok alternatives — is one where the most significant threats are often invisible to parents who are monitoring for the wrong things.
The Gaming Platform Problem
Free-to-play games — BGMI (Battlegrounds Mobile India), Free Fire, Roblox, and dozens of others — are designed around social interaction, in-game currency, and status markers (rare skins, high ranks, exclusive items) that carry real social value within the game’s community. This creates a specific attack surface.
Fraudsters pose as high-level players, game influencers, or “customer support” for the game and offer children free in-game currency, rare items, or account upgrades in exchange for account credentials, phone numbers, or — in the most concerning cases — gradually escalating requests for personal information or images. The social dynamics of gaming communities — where status-granting figures are looked up to and authority is informal but real — make children particularly susceptible to these approaches.
The protection requires parents to understand specifically how in-game social interactions work rather than applying generic “don’t talk to strangers” advice that children do not experience as relevant in a context where talking to strangers is a normal part of gameplay. Specific conversations to have: legitimate game support never contacts you through in-game chat or Discord; no game gives away premium currency for free through unofficial channels; any offer that requires sharing your account password is an attempt to steal the account regardless of what is promised.
Practical step: Enable the Google Family Link or Apple Screen Time parental controls not primarily to restrict screen time but to receive alerts about new app installations and in-app purchases — two specific signals that something may have gone wrong with online interactions.
Cyberbullying and Digital Social Pressure
The Indian government’s POCSO (Protection of Children from Sexual Offences) Act and the IT Act provide legal frameworks for addressing serious online harm to children, but the more pervasive daily threat is subtler: cyberbullying through group chats, public shaming through screenshots shared in class groups, exclusion from WhatsApp groups as social punishment, and the documented mental health impact of social comparison on Instagram and YouTube.
NIMHANS data from 2023 found that 47% of Indian adolescents reported experiencing some form of online harassment, with higher rates among girls in urban settings. This is a mental health and family conversation topic as much as a cybersecurity one — the digital harm is real even when no financial fraud or data theft is involved.
The most protective factor research consistently identifies is not technical control but open conversation: children who know they can report something wrong online to a trusted adult without fear of consequences — including having their device taken away — are significantly more likely to disclose problems early enough for them to be addressed. Punitive responses to digital incidents (taking phones away as a consequence) are counterproductive because they teach children to hide future incidents rather than disclose them.
Age-Appropriate Digital Literacy by Stage
Different age groups need different cyber education, not the same message at different volumes:
Ages 6–10: Focus on the concept that not everyone online is who they say they are, that private information (home address, school name, phone number) should never be shared online, and that anything that feels uncomfortable online should immediately be shown to a parent — not handled alone.
Ages 11–14: Introduce the concept of digital permanence (screenshots exist forever, images sent “privately” can be shared publicly), the mechanics of how gaming scams and fake giveaways work, and the specific red flags of online grooming (an online acquaintance who asks to keep conversations secret, requests personal photos, or tries to create distance between the child and their family).
Ages 15–18: Add financial awareness (UPI fraud, fake job offers, phishing), privacy settings management across platforms, and the legal dimensions — India’s IT Act criminalises cyberbullying, image-based abuse, and online stalking, and consequences are real.
Protecting Elderly Users: Why They Are the Primary Target and What Actually Works
People above 60 are the most targeted demographic for several categories of cyber fraud, not because they are less intelligent but because specific life circumstances create specific vulnerabilities that attackers deliberately exploit.
Fixed income from pensions and fixed deposits creates liquid savings that can be targeted. Social isolation — particularly following retirement or the death of a spouse — reduces the social verification network that protects against psychological manipulation. Trust in authority figures developed over a lifetime of experience with legitimate institutions transfers to fraudulent impersonators. And the digital interfaces that most Indians now use for banking and communication were designed by and for younger users, creating genuine usability gaps that create accidental security vulnerabilities.
The Specific Scams Targeting Elderly Indians
Grandchild emergency scam: A caller claims to be the victim’s grandchild or a friend of their grandchild, in trouble — arrested, hospitalised, in an accident abroad — and urgently needs money sent to an unfamiliar account. The emotional hook is immediate family danger; the isolation mechanism is “please don’t tell mum and dad yet, they’ll be so upset.” Establishing a family code word for genuine emergencies — a word known only to direct family members that anyone in real distress would use — defeats this scam entirely regardless of how convincing the call sounds.
Pension and government benefit scams: Callers impersonate EPFO, state pension departments, or government scheme administrators and claim that a pension payment, PM-Kisan payment, or other benefit will be stopped unless “KYC is updated” through a link or by sharing details over the phone. Legitimate government schemes have in-person verification processes at post offices, CSCs (Common Service Centres), or bank branches. No government benefit KYC update happens through an unsolicited phone call.
Fake medicine and health product fraud: A particularly targeted attack on elderly users involves unsolicited calls offering discounted medicines, supplements, or health devices for conditions common in older age — diabetes management supplies, blood pressure monitors, joint supplements. The products either never arrive, arrive as counterfeits, or the payment information collected is used for further fraud. Purchases of medical products should only be made through registered pharmacies (in person or through verified platforms like Tata 1mg, PharmEasy, or Apollo Pharmacy) or directly from healthcare providers.
What Effective Protection Looks Like for Elderly Users
Generic cyber safety advice — “don’t click links, use strong passwords” — is poorly matched to how many elderly users interact with technology. More effective approaches:
A designated family contact for financial matters. Establishing with an elderly parent or relative that any financial transaction above a threshold — say ₹5,000 — is discussed with one family member before being executed removes the in-the-moment decision pressure that attackers rely on. This is not about removing financial autonomy — it is about adding a verification layer for high-stakes decisions where manipulation is specifically attempted.
Bank transaction alerts and limits. Ensure that elderly family members’ bank accounts have SMS and email alerts enabled for every transaction. Also work with their bank to establish transaction limits appropriate for their typical usage — if a parent typically makes transactions under ₹10,000, a daily limit of ₹15,000 limits worst-case fraud losses to a manageable number while accommodating normal use.
In-person rehearsal of scam scenarios. Telling an elderly relative “don’t fall for scams” is almost useless. Walking through specific scripted scenarios — “if someone calls saying I’ve been arrested and asks you to send money, here is exactly what to do” — builds procedural memory for the specific situations most likely to be encountered. Include the specific instruction: hang up and call me directly on my number before doing anything.
Protecting Remote Workers and Freelancers: The Blended Environment Problem
India’s remote work population expanded dramatically after 2020 and has stabilised at a level significantly higher than pre-pandemic norms. For IT professionals, consultants, designers, writers, and the rapidly growing community of Indian freelancers working for global clients through platforms like Upwork, Toptal, and direct arrangements, the digital threat landscape has specific characteristics that generic consumer advice does not fully address.
The Home Network as an Attack Surface
A corporate office network has dedicated IT security — firewalls, intrusion detection, security monitoring, VPN enforcement. A home network has whatever the ISP provided by default and whatever the individual user has configured — typically, not much. When a remote worker connects their work laptop to a home router that still uses the factory default password and has not received a firmware update in two years, they are connecting enterprise-level access credentials to consumer-grade security infrastructure.
Minimum necessary home network security for remote workers:
Change the router admin password from the factory default immediately and record the new password somewhere secure. Log into your router’s admin interface (typically 192.168.1.1 or 192.168.0.1) and check for available firmware updates — router manufacturers release security patches just as smartphone manufacturers do, and most routers can check for updates directly in the admin panel. Enable WPA3 encryption if your router supports it; if not, ensure WPA2 is enabled rather than the older WEP. Review the list of connected devices and flag any unrecognised connections.
If your employer provides a VPN, use it consistently for all work activity. If you are a freelancer without employer-provided security infrastructure, a reputable commercial VPN (Mullvad, ProtonVPN, or NordVPN — verify the provider has a certified no-log policy before choosing) encrypts your traffic from your device to the VPN server, which is particularly important when you occasionally work from cafés or coworking spaces.
Client Impersonation and Invoice Fraud
A fraud category specifically targeting freelancers and small business owners has grown significantly in 2025–26: attackers monitor business email communications, identify payment relationships, and then impersonate either the client or the service provider at a payment moment to redirect a wire transfer or UPI payment to a fraudulent account.
This works because freelancers and small business owners frequently conduct business through personal email accounts, WhatsApp, and informal channels where the authentication signals that protect corporate systems are absent. An email from client@gmail.com that looks exactly like previous legitimate emails — because the attacker has read the previous thread — is very difficult to distinguish visually from the real thing.
The protection is a payment verification protocol: any payment instruction change — new account number, different UPI ID, “please pay to this account this time” — is verified through a separate communication channel (a phone call to the known number, a WhatsApp message to the known contact) before the payment is made. The verification must happen through a channel different from the one carrying the instruction, because if the email or WhatsApp account is compromised, verification through the same channel provides no protection.
Platform-Specific Threats for Freelancers
Freelancers working on global platforms face a specific category of fraud: fake job postings that require upfront payment for “equipment,” “training materials,” or “background checks” before work begins. No legitimate remote employer requires a payment from an employee before work starts. This is categorical — there are no legitimate exceptions.
Freelancers working on verified platforms (Upwork, Fiverr, Toptal) have marketplace protections that make outright payment fraud harder. The risk increases significantly when work is taken “off-platform” at a client’s request — a common fraud setup where the platform’s escrow and dispute resolution protection is intentionally removed.
Protecting Small Businesses: Enterprise-Level Threats on Consumer-Level Budgets
India has approximately 6.3 crore registered MSMEs, and the vast majority operate their digital presence and financial transactions through the same personal smartphones and email accounts their owners use privately. This creates enterprise-level cyber risk — because business accounts, customer data, and business payments are at stake — with consumer-level security resources.
WhatsApp Business Account Takeover
WhatsApp Business accounts are increasingly the primary business communication channel for Indian SMEs. They are also a high-value target because they contain customer contact lists, order history, payment discussions, and often direct links to the owner’s banking and UPI accounts.
Account takeover typically happens through one of three mechanisms: SIM-swap fraud (attacker convinces telecom provider to transfer the number to a new SIM), phishing links shared through existing customer contacts whose accounts have already been compromised, or social engineering of the WhatsApp account recovery process.
Protection specific to WhatsApp Business: Enable two-step verification in WhatsApp settings (Settings → Account → Two-Step Verification). This adds a PIN requirement for WhatsApp account registration on a new device, which defeats SIM-swap attacks against the account specifically. Regularly review “Linked Devices” in WhatsApp settings and revoke access for any unrecognised device. Do not click any link claiming to be a WhatsApp account verification or “official notification” — WhatsApp does not send account management links through WhatsApp itself.
Customer Data Responsibility
Under India’s Digital Personal Data Protection Act (DPDPA) 2023, which came into force progressively from 2024, businesses that collect and process customer personal data have legal obligations — including notification requirements in the event of a data breach. While enforcement is being phased in, the direction is clear: businesses of any size that collect customer names, phone numbers, addresses, or payment information are “Data Fiduciaries” with specific obligations.
For a small business, practical compliance means: do not collect customer data you do not need; do not retain it longer than necessary; store it in a way that limits access (do not maintain an unprotected spreadsheet of customer phone numbers and financial details on a shared Google Drive with broad access permissions); and have a basic incident response understanding — know that if a breach occurs, CERT-In and potentially customers need to be notified.
GST and Business Email Fraud
A fraud specifically targeting small businesses involves fraudulent emails or WhatsApp messages impersonating GST authorities, tax consultants, or the business’s chartered accountant. These messages typically claim a discrepancy in GST filing or a pending compliance action and request either payment or sensitive business credential sharing to “resolve” the issue.
GST authorities communicate through the GST portal (gst.gov.in) and through official notices sent to registered correspondence addresses — not through WhatsApp or personal email. Any urgency communicated through informal channels about GST, income tax, or regulatory compliance should be verified directly through the relevant portal or by calling your registered CA on their known number before any action is taken.
Building a Household Cyber Safety System
Rather than treating cyber safety as an individual responsibility, the most effective approach is building it as a household system — a shared set of protocols that the whole family understands and follows, calibrated to each member’s specific risk profile.
The monthly five-minute check. Once a month, each family member does five things: checks their primary email on haveibeenpwned.com for new breach alerts, reviews active app permissions on their phone, checks “active sessions” or “where you’re logged in” on social media accounts, verifies that auto-lock is set on all devices, and confirms that 2FA is active on email and banking apps. This is not a comprehensive security audit — it is a minimum viable hygiene check that catches the most common low-effort attack vectors before they result in damage.
The family financial verification chain. Any unusual financial request — from any source, including apparently from family members — is verified through direct voice call to a known number before action. This single protocol, understood and agreed to by all family members, defeats the entire category of emergency impersonation fraud.
A shared record of official numbers. Maintain a family note — in a password manager, a printed card in the home, or a shared contact group — of the official helpline numbers for your bank, UPI apps, UIDAI (1947), the National Cybercrime Helpline (1930), and the insurance companies your family uses. The habit of looking up official numbers before calling, rather than calling numbers provided in suspicious messages, eliminates one of the most common fraud mechanisms.
A no-blame incident disclosure norm. The most important cultural element in a household cyber safety system is an explicit norm that disclosing a potential cyber incident — having clicked a suspicious link, having shared information that seemed wrong in retrospect, having received a suspicious call — is met with calm problem-solving rather than blame. The cost of undisclosed incidents is always higher than the cost of disclosed ones, because disclosure enables rapid response. Punitive responses to disclosure teach concealment, which allows incidents to escalate into full-scale fraud.
Quick Reference: Protection by Profile
| Profile | Highest Risk | One Most Important Protection |
|---|---|---|
| Child (under 14) | Gaming platform scams, grooming | Open-conversation norm; no punishment for disclosure |
| Teenager (14–18) | Phishing, fake giveaways, image-based pressure | Platform privacy settings audit; digital permanence conversation |
| Elderly user (60+) | Authority impersonation, benefit fraud | Family financial verification chain; designated contact for any transaction |
| Remote worker | Home network breach, invoice fraud | Router security update; payment channel verification protocol |
| Freelancer | Fake clients, off-platform payment fraud | Never pay to start work; verify payment changes through separate channel |
| Small business owner | WhatsApp takeover, GST fraud | WhatsApp two-step verification; verify all compliance contact through official portals |
This article is for educational purposes only. For cybercrime reporting in India, contact the National Cybercrime Helpline at 1930 or file a report at cybercrime.gov.in. For child safety concerns online, contact the Cyber Crime Cell or use the NCMEC CyberTipline. For DPDPA compliance guidance for businesses, consult a qualified legal professional familiar with India’s data protection regulations.
Mahesh is a cybersecurity and digital safety writer covering online fraud prevention, consumer protection, and digital safety for Indian households and businesses.
