Deepfake Vishing in Hindi, Marathi, Tamil: Mirror’s Regional Lure Engine

A branch manager at a public-sector bank in Nagpur gets a WhatsApp voice note. It’s in Marathi. The voice sounds like the regional head — tone, cadence, the little throat-clearing cough he’s known for. The ask is routine: approve a pending UPI merchant onboarding before end-of-day, the paperwork will follow tomorrow. The manager approves it. The money moves. The regional head never recorded anything.

This is the scam that actually targets Indian bank staff. Not a Nigerian-prince email. Not a fake Microsoft password reset in corporate English. A voice call or WhatsApp forward, in the local language, from a “familiar” person, with a bank-flavoured pretext. If your phishing simulation program is 100% English text emails, you’re training people against a threat they aren’t facing.

Why English-only simulations miss the real threat

Most phishing-simulation tools were built for US and European enterprises. The templates are English, the lures are Outlook-style password-reset emails, and the tells employees are taught to spot are obvious typos and suspicious URLs. That’s fine for a multinational head office in Gurgaon. It’s useless for a mid-level operations officer in Raipur who mostly uses WhatsApp for internal coordination and speaks Hindi on calls.

Regional workforces face regional attacks. The pretexts are different:

  • A fake “bank manager” calling in Marathi to reconfirm an OTP because “the system is showing an error.”
  • A QR code shared in a WhatsApp group, labelled as a gift from the branch, that silently authorizes a UPI debit.
  • A Devanagari brand impersonation — the domain looks like Paytm or SBI at a glance because the attacker used homoglyphs from the Devanagari block that render close to the Latin letters.
  • A synthesized voice of a senior officer asking for a file to be re-sent on personal email.

No amount of English password-reset drills will prepare staff for this. We built Mirror because we kept walking into banks where the security team knew the issue but had no product to address it.

What Mirror does

Mirror is the security-awareness agent in the Kavach platform. It generates phishing, vishing, and deepfake drills in the languages the workforce actually speaks, using the lures that match Indian fraud patterns. The first launch languages are Hindi, Marathi, Tamil, and Telugu. Kannada, Malayalam, Bengali, and Gujarati are in the phase-two queue.

Regional lure generation

The template library is authored by people who speak the language, not machine-translated from English. A Marathi lure about a pending GST filing uses the words an actual CA’s office would use. A Tamil voice lure impersonating a branch manager carries the expected honorifics. This matters. A bad translation is its own red flag — employees learn to spot “AI-sounding Marathi” instead of learning to spot pretexting.

Deepfake voice synthesis

Mirror can synthesize a target voice from a short reference sample — typically a public keynote, an internal all-hands recording the CISO authorizes, or a scripted read. The synthesized clip is then used in a vishing drill, delivered through WhatsApp, SMS, or a direct call. This is consented, region-locked, and scoped to the enterprise that signed up for it.

Devanagari homoglyph impersonation

Mirror can register and serve brand-lookalike domains using Devanagari characters that render near-identically to Paytm, SBI, UPI, HDFC, or whatever brands the customer wants to test against. The drill page is a harmless landing with telemetry. Employees who enter credentials are not punished — they see a teaching moment.
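On the defender side, the control that catches this class of lookalike is a script check on each domain label: a label that mixes Latin and Devanagari letters, or whose Latin letters spell a watched brand once the Devanagari characters are stripped out, is worth flagging at the mail gateway or in drill telemetry. The Python below is an added illustration of that check; it is not Mirror’s code and is not from the original post. The brand list and the sample label (Latin "pay", Devanagari TTA, Latin "m") are constructed for the demo, and the one-character subsequence heuristic is an assumption that covers single-character substitutions rather than whole-script confusables.

```python
import unicodedata

# Constructed watch-list for the demo; a deployment would load the customer's
# own brand inventory instead.
WATCHED_BRANDS = ("paytm", "sbi", "upi", "hdfc")


def decode_label(label: str) -> str:
    """Turn an ACE (xn--) label back into Unicode; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'LATIN' or 'DEVANAGARI'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def is_subsequence(small: str, big: str) -> bool:
    """True if every character of `small` appears in `big` in the same order."""
    it = iter(big)
    return all(ch in it for ch in small)


def assess_label(label: str) -> dict:
    """Report the scripts in one label and whether it shadows a watched brand."""
    label = decode_label(label).lower()
    # Digits and '-' carry no script; keep letters plus any non-ASCII mark
    # (a Devanagari vowel sign is not isalpha() but still counts as foreign).
    chars = [ch for ch in label if ch.isalpha() or not ch.isascii()]
    scripts = sorted({script_of(ch) for ch in chars})
    latin_residue = "".join(ch for ch in chars if script_of(ch) == "LATIN")
    foreign = len(chars) - len(latin_residue)

    # Heuristic (assumption): the label is a lookalike of a brand when the
    # Latin letters that remain are the brand with exactly `foreign` characters
    # swapped out. Requires at least one Latin and one non-Latin character.
    lookalike = None
    if latin_residue and foreign:
        for brand in WATCHED_BRANDS:
            if len(brand) == len(latin_residue) + foreign and is_subsequence(latin_residue, brand):
                lookalike = brand
                break

    return {
        "label": label,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "lookalike_of": lookalike,
    }


def assess_domain(domain: str) -> list:
    """Return a finding for every label that mixes scripts or shadows a brand."""
    findings = []
    for label in domain.strip(".").split("."):
        verdict = assess_label(label)
        if verdict["mixed_script"] or verdict["lookalike_of"]:
            findings.append(verdict)
    return findings


if __name__ == "__main__":
    # Constructed sample: Latin 'pay' + DEVANAGARI LETTER TTA + Latin 'm'.
    sample = "pay\u091fm.example"
    for finding in assess_domain(sample):
        print(finding)
    print(assess_domain("paytm.com"))  # legitimate, single-script: []
```

Mixed-script labels are also what browser IDN display policies fall back to punycode for, so the same check applied on inbound mail links and on the drill landing page gives the security team a signal that does not depend on the employee noticing the glyph.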

UPI scam templates

The UPI attack surface is unique to India and we treat it that way. Mirror ships templates for QR-fraud flows, OTP-forwarding scams, “gifting” scams where the victim scans a collect request thinking it’s a gift, and merchant-onboarding pretexts. These get refreshed as the CERT-In advisories and RBI notes evolve.

Org-profile ingest — how Mirror knows who to target

A good drill is targeted. The branch manager shouldn’t get the same lure as the junior operations officer. Mirror ingests the org profile from the identity systems the customer already runs:

  • Active Directory groups and OUs, mapped to departments and seniority.
  • Okta, for enterprises that have moved to SSO-first.
  • Google Workspace and M365 group memberships, for org-chart context.
  • SAP HR data, where the customer has a clean HCM pipeline.

From this, Mirror builds departmental risk heatmaps. Finance and operations get UPI and payment-fraud lures. L&D and HR get CV-tampering and fake-interview lures. IT admins get MFA-fatigue and help-desk reset lures. Senior officers get deepfake voice drills impersonating board or regulator contacts. The heatmap updates as the org changes.

DPDP compliance is not optional

Running phishing drills on 20,000 Indian employees means processing a lot of personal data. The DPDP Act treats that as processing requiring consent and purpose limitation. Mirror is built to the spec:

  • PII consent-gated. Employee data is only used for the declared purpose — security awareness — and the customer’s DPO signs off on scope before drills start.
  • Region-locked. Drill telemetry stays in the Indian data-residency zone. For BFSI customers we offer a VPC-resident deployment so nothing leaves the customer’s cloud.
  • Auto-purged. Click data, recorded responses, and voice-sample artifacts are purged on a defined schedule. The customer sets the retention; we enforce it.

If your phishing-simulation vendor can’t tell you where the data lives and when it’s deleted, that’s a DPDP problem waiting to happen.

What a good regional program actually looks like

We’ve seen enough bad phishing programs to know what ruins them. The failure mode is culture, not technology. A program that shames people who click turns into a compliance theatre where employees hide failures and the real attacker walks right through.

A Mirror program is built around three principles:

Difficulty that adapts

A new employee starts on easy drills — obvious pretexts, clear red flags. As they build pattern recognition, Mirror raises the difficulty. By month six, a mid-level officer sees drills that are genuinely hard to spot: a deepfake voice that matches a real internal speaker, a Devanagari domain that’s pixel-close to the real one. This keeps the program honest and measurable.

Teaching moments after failure, not blame

When an employee fails a drill, they get a short, specific walkthrough — what the lure was, what the tell was, what to do next time. No manager notification on the first fail. Repeated failure on the same category triggers a targeted micro-training, not a disciplinary notice. The customer’s HR team can configure the escalation rules; we default to gentle.

Metrics that mean something

Click rate alone is a vanity metric. Mirror reports on reporting rate (how many employees flagged the lure to the security team), time-to-report, and department-level trend lines. A 20% click rate with a 60% report rate is a healthy program. A 5% click rate with a 2% report rate means your employees are quiet, not trained.
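The denominators matter when you compute these. Report rate is measured against everyone who received the lure, not only those who clicked, and an employee who clicks and then reports counts in both numbers. The Python below is an added example of that computation (not Mirror’s reporting code, not from the original post) over a constructed set of drill-delivery records with two rounds for one department so the trend line has something to show; the department names, timestamps and round numbers are all made up for the demo.

```python
from datetime import datetime
from statistics import median

# Constructed drill-delivery records (not real telemetry). One row per employee
# who received a lure: department, drill round, when it was sent, whether they
# clicked/approved, and when (if ever) they flagged it to security.
DRILL_EVENTS = [
    {"dept": "finance", "round": 1, "sent": "2024-06-03T09:00", "clicked": True,  "reported": "2024-06-03T09:40"},
    {"dept": "finance", "round": 1, "sent": "2024-06-03T09:00", "clicked": False, "reported": "2024-06-03T09:12"},
    {"dept": "finance", "round": 1, "sent": "2024-06-03T09:00", "clicked": False, "reported": None},
    {"dept": "finance", "round": 1, "sent": "2024-06-03T09:00", "clicked": False, "reported": "2024-06-03T10:30"},
    {"dept": "finance", "round": 1, "sent": "2024-06-03T09:00", "clicked": False, "reported": None},
    {"dept": "finance", "round": 2, "sent": "2024-07-01T09:00", "clicked": False, "reported": "2024-07-01T09:05"},
    {"dept": "finance", "round": 2, "sent": "2024-07-01T09:00", "clicked": False, "reported": "2024-07-01T09:20"},
    {"dept": "finance", "round": 2, "sent": "2024-07-01T09:00", "clicked": False, "reported": None},
    {"dept": "finance", "round": 2, "sent": "2024-07-01T09:00", "clicked": False, "reported": "2024-07-01T09:50"},
    {"dept": "finance", "round": 2, "sent": "2024-07-01T09:00", "clicked": False, "reported": "2024-07-01T11:00"},
    {"dept": "operations", "round": 1, "sent": "2024-06-03T09:00", "clicked": True,  "reported": None},
    {"dept": "operations", "round": 1, "sent": "2024-06-03T09:00", "clicked": False, "reported": None},
    {"dept": "operations", "round": 1, "sent": "2024-06-03T09:00", "clicked": False, "reported": None},
    {"dept": "operations", "round": 1, "sent": "2024-06-03T09:00", "clicked": False, "reported": "2024-06-04T15:00"},
]


def _minutes_between(start: str, end: str) -> float:
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def department_metrics(events: list) -> dict:
    """Per (dept, round): click rate, report rate and median minutes-to-report.

    Both rates use everyone who received the lure as the denominator; a person
    who clicked and later reported is counted in both numerators.
    """
    buckets = {}
    for e in events:
        b = buckets.setdefault((e["dept"], e["round"]),
                               {"delivered": 0, "clicked": 0, "reported": 0, "minutes": []})
        b["delivered"] += 1
        b["clicked"] += int(e["clicked"])
        if e["reported"]:
            b["reported"] += 1
            b["minutes"].append(_minutes_between(e["sent"], e["reported"]))

    metrics = {}
    for key, b in buckets.items():
        metrics[key] = {
            "delivered": b["delivered"],
            "click_rate": round(b["clicked"] / b["delivered"], 3),
            "report_rate": round(b["reported"] / b["delivered"], 3),
            "median_minutes_to_report": median(b["minutes"]) if b["minutes"] else None,
        }
    return metrics


def report_rate_trend(metrics: dict, dept: str) -> list:
    """Report rate for one department, in round order, for a trend line."""
    rounds = sorted(r for (d, r) in metrics if d == dept)
    return [metrics[(dept, r)]["report_rate"] for r in rounds]


if __name__ == "__main__":
    m = department_metrics(DRILL_EVENTS)
    for key in sorted(m):
        print(key, m[key])
    print("finance report-rate trend:", report_rate_trend(m, "finance"))
```

In the constructed data, finance round 1 lands at a 20% click rate and 60% report rate with a 40-minute median time-to-report, while operations sits at 25% click and 25% report with a report that took over a day to arrive; the trend function is what a department heatmap would plot across rounds.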

Tying into the training stack

A drill without a follow-up is wasted. Mirror integrates with the learning systems enterprises already run, so a failed drill routes the employee into the right course automatically:

  • LearnDash for organizations running WordPress-based LMS portals.
  • Moodle for PSUs and educational institutions with existing deployments.
  • Native tie-ins for Microsoft Teams and Slack channels so the teaching moment lands where the employee already works.
  • WhatsApp and SMS gateways for staff who don’t live on desktop — branch operations, field sales, retail floor.

The goal is that by the time your next external red-team or a real attacker calls, the finance officer in Coimbatore has heard a fake Tamil vishing lure before and knows exactly what “wait, let me call you back on the listed number” sounds like.

Where to start

If you run security for an Indian bank, PSU, or large distributed enterprise, the first question isn’t “which language packs do we need.” It’s “what are the top three scams our people are actually hit with?” Start there. We can stand up a region-scoped pilot — one state, one business unit, one language — before committing to a national rollout. That’s usually the fastest way to get the board comfortable with the DPDP and consent posture before going wide.